PROWLER GROUPS, CHECKS, AND WHAT THEY MEAN, PART 4

As mentioned previously in PROWLING WITH S.A.F.H. (OR THE HANGOVER.), Prowler is heavily based on the CIS benchmarks for AWS. Those benchmarks are broken into a series of groups (Prowler names each check by its CIS number with the dot removed, so check41 is CIS recommendation 4.1):
- Check11 to Check122 – From section 1 (Identity and Access Management)
- Check21 to Check29 – From Section 2 (Logging)
- Check31 to Check314 – From Section 3 (Monitoring)
- Check41 to Check46 – From Section 4 (Networking)
- Check71 to Check799 – From the InfoSec community; GASSP-based checks specific to the AWS environment.
Also, as mentioned previously, “If your security practitioner makes a suggestion, it is a recommendation based on his knowledge, experience, and the standards provided by various standards committees and the infosec community; again, NOT A SUBSTITUTE for advice from a compliance attorney.”
We will start a prowler run with my default profile, linked to a test account, and specify group 4. This maps to the Networking section of the CIS AWS Foundations Benchmark. This section is short and sweet, and several of its recommendations have been previously covered and expanded.
I will invoke prowler from the prowler directory of my space heater server with the following command:
./prowler -g group4 -f 'us-east-1'
This will start a prowler run, limiting it to the us-east-1 region and using only the checks from group 4.
We have the results as follows:
Color code for results:
- INFO (Information)
- PASS (Recommended value)
- WARNING (Ignored by allowlist)
- FAIL (Fix required)

This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS API Region: [us-east-1] AWS Filter Region: [us-east-1]
AWS Account: [REDACTED] UserId: [REDACTED]
Caller Identity ARN: [arn:aws:iam::REDACTED]

4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 - ec2 [High]
    PASS! us-east-1: No Security Groups found with port 22 TCP open to 0.0.0.0/0
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 - ec2 [High]
    PASS! us-east-1: No Security Groups found with port 3389 TCP open to 0.0.0.0/0
4.3 [check43] Ensure the default security group of every VPC restricts all traffic - ec2 [High]
    PASS! us-east-1: No Default Security Groups (sg-REDACTED) open to 0.0.0.0 found
4.4 [check44] Ensure routing tables for VPC peering are "least access" - vpc [Medium]
    PASS! us-east-1: No VPC peering found
4.5 [check45] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22 - ec2 [High]
    INFO! us-east-1: Found Network ACL: acl-REDACTED open to 0.0.0.0/0 for SSH port 22
4.6 [check46] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389 - ec2 [High]
    INFO! us-east-1: Found Network ACL: acl-REDACTED open to 0.0.0.0/0 for Microsoft RDP port 3389
Check 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22; this was addressed in our post on PROWLER GROUPS, CHECKS, AND WHAT THEY MEAN, PART 3, section 3.10.
For the record and from the CIS Benchmark:

For the record and from the CIS Benchmark:

Check 4.3 Ensure VPC flow logging is enabled in all VPCs; there seems to be a disconnect between prowler and the Benchmark. Prowler does not run this check under group 4 at this time, but the same control is reviewed in check 2.9, as discussed in PROWLER GROUPS, CHECKS, AND WHAT THEY MEAN, PART 2.
For the record and from the CIS Benchmark:

Check 4.3 (CIS 4.4) Ensure the default security group of every VPC restricts all traffic; I think that default VPCs and default security groups should be deleted. If that is not possible, remove all rules in both the inbound and outbound sections.
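To make the conditions behind prowler checks 4.1, 4.2 and 4.3 concrete, here is an added example (my own code, not Prowler's shell checks) that evaluates them offline over data shaped like the SecurityGroups list returned by aws ec2 describe-security-groups. The three groups, their ids and their rules are constructed. It deliberately covers two cases a simple grep for the port number misses: a port range that contains 22 or 3389 without naming it, and an all-protocol (-1) rule from ::/0, which exposes every port.

```python
"""Prowler-style checks 4.1, 4.2 and 4.3 evaluated offline over security-group
records. Added example, not Prowler's code; all ids and rules are constructed."""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample shaped like the "SecurityGroups" list from describe-security-groups
SAMPLE_GROUPS = [
    {   # a default group that still references itself inbound and allows all egress
        "GroupId": "sg-0000000000000001", "GroupName": "default", "VpcId": "vpc-0000000000000001",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        ],
    },
    {   # SSH restricted to one documentation range: compliant
        "GroupId": "sg-0000000000000002", "GroupName": "bastion", "VpcId": "vpc-0000000000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [],
    },
    {   # two rules that expose 3389 and 22 without ever naming those ports
        "GroupId": "sg-0000000000000003", "GroupName": "web-legacy", "VpcId": "vpc-0000000000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,    # range contains 3389
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [],                       # all protocols from ::/0
             "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        ],
        "IpPermissionsEgress": [],
    },
]


def rule_covers_tcp_port(perm, port):
    """True if a permission admits TCP traffic to `port`; "-1" means every protocol and port."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_is_world_open(perm):
    """True if any source of the permission is 0.0.0.0/0 or ::/0."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))


def groups_open_to_world(groups, port):
    """Checks 4.1 (port 22) and 4.2 (port 3389): ids of groups with world-open ingress to `port`."""
    return sorted(g["GroupId"] for g in groups
                  if any(rule_is_world_open(p) and rule_covers_tcp_port(p, port)
                         for p in g["IpPermissions"]))


def default_groups_with_rules(groups):
    """Check 4.3 (CIS 4.4): default groups that still carry any inbound or outbound rule."""
    return sorted(g["GroupId"] for g in groups
                  if g["GroupName"] == "default"
                  and (g["IpPermissions"] or g["IpPermissionsEgress"]))


def report(groups, region="us-east-1"):
    """Render the three results as Prowler-style PASS!/FAIL! lines."""
    lines = []
    for check, port in (("check41", 22), ("check42", 3389)):
        hits = groups_open_to_world(groups, port)
        lines.append(f"{check} {'FAIL' if hits else 'PASS'}! {region}: "
                     + (f"{', '.join(hits)} open port {port} to 0.0.0.0/0 or ::/0" if hits
                        else f"No Security Groups found with port {port} TCP open to 0.0.0.0/0"))
    bad_defaults = default_groups_with_rules(groups)
    lines.append(f"check43 {'FAIL' if bad_defaults else 'PASS'}! {region}: "
                 + (f"Default Security Groups with rules: {', '.join(bad_defaults)}" if bad_defaults
                    else "No Default Security Groups with rules found"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GROUPS)))
```

Against the constructed sample, check41 and check42 both fail on sg-0000000000000003 (the all-protocol IPv6 rule and the 3000-4000 range respectively), and check43 fails on the default group because it still carries rules, which is exactly the state the recommendation above tells you to clear out. Feed it a real describe-security-groups response and the same functions apply unchanged.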
For the record and from the CIS Benchmark:

Check 4.4 (4.5) Ensure routing tables for VPC peering are “least access.”
For the record and from the CIS Benchmark:

The checks shown as prowler checks 4.5 and 4.6 have no corresponding CIS benchmark recommendations, and as you can see in the results above, they are marked as INFO rather than FAIL, as yes, my NACLs are open. I use them to suppress all traffic from specific IPs causing annoyances, as determined by my VPC flow logs and/or my SIEM. One can use NACLs to limit traffic, but they are stateless packet-filtering firewalls with a limit on the number of rule entries.
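The two NACL checks and the deny-list usage described above differ in what they look at, so here is an added example (my own code, not Prowler's) that shows both views over one constructed Network ACL shaped like an element of the NetworkAcls list from aws ec2 describe-network-acls. One function reports what checks 4.5 and 4.6 flag (any ALLOW entry from 0.0.0.0/0 covering the port, regardless of what precedes it); the other applies the ACL's real first-match semantics, walking entries by ascending rule number, which is why the blocked sources still get denied even though the world-open allow earns the INFO line. The rule quota constant is the AWS default per direction as I understand it and should be confirmed against your account's Service Quotas.

```python
"""Network ACL evaluation for checks 4.5/4.6 and for the ACL's first-match
semantics. Added example, not Prowler's code; the ACL and its ids are constructed."""
import ipaddress

WORLD = ("0.0.0.0/0", "::/0")
DEFAULT_RULE_QUOTA = 20   # assumed AWS default per direction, excluding the * rule; verify in Service Quotas

# Constructed sample shaped like one element of "NetworkAcls" from describe-network-acls.
# Ingress: deny two nuisance sources first, then allow everything (the deny-list pattern above).
SAMPLE_ACL = {
    "NetworkAclId": "acl-0000000000000001",
    "Entries": [
        {"RuleNumber": 10, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
         "CidrBlock": "198.51.100.0/24"},
        {"RuleNumber": 20, "Egress": False, "RuleAction": "deny", "Protocol": "6",
         "CidrBlock": "192.0.2.7/32", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},                      # the fixed * rule AWS appends
        {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},
    ],
}


def _cidr(entry):
    """IPv4 entries carry CidrBlock, IPv6 entries Ipv6CidrBlock."""
    return entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")


def _covers_tcp_port(entry, port):
    """Protocol "-1" is all traffic; "6" is TCP. No PortRange means all ports."""
    if entry["Protocol"] not in ("-1", "6", "tcp"):
        return False
    pr = entry.get("PortRange")
    return pr is None or pr["From"] <= port <= pr["To"]


def world_open_allow_entries(acl, port):
    """What checks 4.5 (port 22) / 4.6 (port 3389) flag: ingress ALLOW entries from
    0.0.0.0/0 or ::/0 that cover `port`, regardless of the rules that precede them."""
    return sorted(e["RuleNumber"] for e in acl["Entries"]
                  if not e["Egress"] and e["RuleAction"] == "allow"
                  and _cidr(e) in WORLD and _covers_tcp_port(e, port))


def ingress_decision(acl, src_ip, port):
    """How the VPC decides: walk ingress entries by ascending RuleNumber and return
    (action, rule_number) of the first match; ("deny", None) if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    ingress = sorted((e for e in acl["Entries"] if not e["Egress"]), key=lambda e: e["RuleNumber"])
    for e in ingress:
        net = ipaddress.ip_network(_cidr(e), strict=False)
        if src.version == net.version and src in net and _covers_tcp_port(e, port):
            return e["RuleAction"], e["RuleNumber"]
    return "deny", None


def rules_remaining(acl, egress=False, quota=DEFAULT_RULE_QUOTA):
    """Slots left for new deny entries in one direction, excluding the * rule."""
    used = sum(1 for e in acl["Entries"] if e["Egress"] == egress and e["RuleNumber"] != 32767)
    return quota - used


if __name__ == "__main__":
    print("check45 would flag ingress rule numbers:", world_open_allow_entries(SAMPLE_ACL, 22))
    for ip in ("198.51.100.5", "192.0.2.7", "203.0.113.9"):
        print(ip, "-> SSH decision", ingress_decision(SAMPLE_ACL, ip, 22))
    print("ingress rule slots left:", rules_remaining(SAMPLE_ACL))
```

The takeaway matches the INFO result above: rule 100 is what the check reports, while the lower-numbered deny entries still stop the listed sources before rule 100 is reached. The rules_remaining helper is there because each nuisance source consumes one of a small fixed number of entries, which is the practical ceiling on using a NACL as a block list.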
This concludes the review of prowler as it pertains to the CIS AWS Foundations Benchmark; when we return, we will examine the extra prowler checks.
General Notes:
While these seem “Common Sense” once explained, it has been my experience that many of these items are not implemented. This seems to occur most frequently in the born-in-cloud start-up community, where the drive is to launch a product.
Also, in my experience, there will be some pushback on the recommendations, hence my direct quotation of the benchmarks. (i.e., don’t take my word for it; read the Benchmark yourself.)
I will specifically acknowledge The Center for Internet Security and urge the reader to visit their site and support them as they can. Their works and benchmarks have become the foundation for many of the existing governmental and commercial standards in place today.