PROWLER GROUPS, CHECKS, AND WHAT THEY MEAN, PART X

And at the end of our journey through the Prowler and CIS benchmark checks, we come to the Communal Standards (GASSP) group, where we find that it truly goes the extra mile.
General Note(s):
I have attempted to keep my greasy fingers off any recommendations and leave the acceptance or rejection of a recommendation to the reader. If I have influenced you in any way, may it be in the fact that regular security reviews and report reviews can be key tools in securing an AWS Environment.
Please note that this post is tagged Level 300; this means that I will not spoon-feed the answers, nor will I provide direct links to them; one must actually expend the effort to type in the search phrases and read the results. These are advanced topics, and some understanding is required.
My reluctance in issuing fiats is based on several things:
- I am NOT a compliance attorney, and recommendations may be considered legal advice.
- Security is to enable the business, not disable it.
- The memory of a Junior Admin screaming, “Hackers, Hacker, Hackers…”
In keeping with my proclamation of innocence in issuing recommendations, I will simply list the separate extra checks, grouped by severity. One MAY input a check's description into a good search engine to find the corresponding guidance.
I will note that many of these checks may be based on various audit standards: HIPAA, SOC, SOC 2, HITRUST, GDPR, etc.
Prowler Extra Checks, with Critical Designations:
7.100 [extra7100] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) – iam [Critical]
7.141 [extra7141] Find secrets in SSM Documents – ssm [Critical]
7.143 [extra7143] Check if EFS have policies which allow access to everyone – efs [Critical]
7.145 [extra7145] Check if Lambda functions have policies which allow access to any AWS account – lambda [Critical]
7.147 [extra7147] Check if S3 Glacier vaults have policies which allow access to everyone – glacier [Critical]
7.16 [extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or if it has open policy access – es [Critical]
7.195 [extra7195] Ensure CodeArtifact internal packages do not allow external public source publishing. – codeartifact [Critical]
7.2 [extra72] Ensure there are no EBS Snapshots set as Public – ec2 [Critical]
7.23 [extra723] Check if RDS Snapshots and Cluster Snapshots are public – rds [Critical]
7.27 [extra727] Check if SQS queues have policy set as Public – sqs [Critical]
7.3 [extra73] Ensure there are no S3 buckets open to Everyone or Any AWS user – s3 [Critical]
7.31 [extra731] Check if SNS topics have policy set as Public – sns [Critical]
7.36 [extra736] Check exposed KMS keys – kms [Critical]
7.41 [extra741] Find secrets in EC2 User Data – ec2 [Critical]
7.42 [extra742] Find secrets in CloudFormation outputs – cloudformation [Critical]
7.59 [extra759] Find secrets in Lambda functions variables – lambda [Critical]
7.6 [extra76] Ensure there are no EC2 AMIs set as Public – ec2 [Critical]
7.60 [extra760] Find secrets in Lambda functions code – lambda [Critical]
7.68 [extra768] Find secrets in ECS task definitions environment variables – ecs [Critical]
7.7 [extra77] Ensure there are no ECR repositories set as Public – ecr [Critical]
7.71 [extra771] Check if S3 buckets have policies which allow WRITE access – s3 [Critical]
7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration – autoscaling [Critical]
7.8 [extra78] Ensure there are no Public Accessible RDS instances – rds [Critical]
7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports – es [Critical]
7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains – es [Critical]
7.98 [extra798] Check if Lambda functions have resource-based policy set as Public – lambda [Critical]
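What most of the Critical checks above are actually testing is a policy document: a resource-based policy whose Principal is "*" (7.3, 7.27, 7.31, 7.98, 7.143, 7.145, 7.147) or a customer-managed IAM policy that allows sts:AssumeRole on Resource "*" (7.100). The script below is an added example of that evaluation, not Prowler's own code. The policy documents are constructed for illustration, and two simplifications are my own: any Condition block is treated as mitigating a public principal (a Condition on aws:SourceArn narrows who can use the grant; one on aws:SecureTransport does not, so a real review still reads the Condition), and NotAction/NotPrincipal statements are not evaluated.

```python
"""Evaluate an IAM or resource-based policy document for the two
patterns behind the Critical checks above: a public (wildcard)
principal and a permissive sts:AssumeRole grant.

Added example, not Prowler's own code. Policy documents below are
constructed for illustration."""
import fnmatch
import json


def _as_list(value):
    """IAM accepts either a scalar or a list for Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def allows_action(actions, wanted):
    """Case-insensitive glob match: "*", "sts:*" and "sts:AssumeRole"
    all cover sts:AssumeRole."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in actions)


def analyze_policy(document):
    """Return one finding per offending Allow statement.

    Assumptions (not Prowler's logic): a Condition block is treated as
    mitigating a public principal, and NotAction/NotPrincipal statements
    are not evaluated; both deserve a manual read."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "statement[%d]" % idx)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Resource policy open to everyone (the 7.3 / 7.145 / 7.147 pattern).
        if principal_is_public(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append({"sid": sid, "issue": "public-principal",
                             "actions": actions})
        # Identity policy that can assume any role (the 7.100 pattern).
        if allows_action(actions, "sts:AssumeRole") and "*" in resources:
            findings.append({"sid": sid, "issue": "permissive-assume-role",
                             "actions": actions})
    return findings


# Constructed samples.
PUBLIC_BUCKET_POLICY = {          # the shape 7.3 / 7.71 flag
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
ASSUME_ANY_ROLE_POLICY = {        # the shape 7.100 flags
    "Version": "2012-10-17",
    "Statement": [{"Sid": "HopAnywhere", "Effect": "Allow",
                   "Action": ["sts:*"], "Resource": "*"}],
}
SCOPED_POLICY = {                 # wildcard account principal narrowed by SourceArn
    "Version": "2012-10-17",
    "Statement": [{"Sid": "SnsToLambda", "Effect": "Allow",
                   "Principal": {"AWS": "*"},
                   "Action": "lambda:InvokeFunction",
                   "Resource": "arn:aws:lambda:us-east-1:123456789012:function:fn",
                   "Condition": {"ArnLike": {"aws:SourceArn":
                                 "arn:aws:sns:us-east-1:123456789012:topic"}}}],
}

if __name__ == "__main__":
    for name, doc in [("bucket", PUBLIC_BUCKET_POLICY),
                      ("iam", ASSUME_ANY_ROLE_POLICY), ("lambda", SCOPED_POLICY)]:
        print(name, analyze_policy(doc))
```

Feed it the output of `aws s3api get-bucket-policy`, `aws lambda get-policy` or `aws iam get-policy-version` and it will point at the statement Prowler would report; the point of the exercise is seeing that "open to everyone" is a two-line condition on Principal and Condition, not a property of the bucket itself.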
Prowler Extra Checks, with High Designations:
7.1 [extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled – iam [High]
7.102 [extra7102] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY) – ec2 [High]
7.11 [extra711] Check for Publicly Accessible Redshift Clusters – redshift [High]
7.127 [extra7127] Check if EC2 instances managed by Systems Manager are compliant with patching requirements – ssm [High]
7.13 [extra713] Check if GuardDuty is enabled – guardduty [High]
7.134 [extra7134] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 – ec2 [High]
7.135 [extra7135] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 – ec2 [High]
7.136 [extra7136] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 – ec2 [High]
7.137 [extra7137] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 – ec2 [High]
7.138 [extra7138] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port – ec2 [High]
7.139 [extra7139] There are High severity GuardDuty findings – guardduty [High]
7.140 [extra7140] Check if there are SSM Documents set as public – ssm [High]
7.174 [extra7174] CodeBuild Project last invoked greater than 90 days – codebuild [High]
7.175 [extra7175] CodeBuild Project with a user-controlled buildspec – codebuild [High]
7.177 [extra7177] Publicly accessible EMR Cluster – emr [High]
7.178 [extra7178] EMR Account Public Access Block enabled – emr [High]
7.179 [extra7179] Check Public Lambda Function URL – lambda [High]
7.185 [extra7185] Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation – iam [High]
7.186 [extra7186] Check S3 Account Level Public Access Block – s3 [High]
7.187 [extra7187] Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements – workspaces [High]
7.30 [extra730] Check if ACM Certificates are about to expire in 7 days or less – acm [High]
7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used – ec2 [High]
7.48 [extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port – ec2 [High]
7.49 [extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 – ec2 [High]
7.50 [extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 – ec2 [High]
7.51 [extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 – ec2 [High]
7.52 [extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 – ec2 [High]
7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 – ec2 [High]
7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 – ec2 [High]
7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 – ec2 [High]
7.69 [extra769] Check if IAM Access Analyzer is enabled and its findings – accessanalyzer [High]
7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports – ec2 [High]
7.80 [extra780] Check if Amazon OpenSearch Service domains (formerly known as Elasticsearch or ES) have either Amazon Cognito authentication or SAML authentication for Kibana enabled – es [High]
7.95 [extra795] Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled – eks [High]
7.96 [extra796] Restrict Access to the EKS Control Plane Endpoint – eks [High]
7.99 [extra799] Check if Security Hub is enabled and its standard subscriptions – securityhub [High]
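The security-group checks in the High list (7.48 through 7.55, 7.79, 7.134 through 7.137) all ask the same question of the IpPermissions that `ec2.describe_security_groups` returns: does any rule reach a sensitive port from 0.0.0.0/0 or ::/0? The script below is an added example of that evaluation, not Prowler's code. The security groups are constructed inline; the Elasticsearch/Kibana port set (5601, 9200, 9300) is my assumption about what 7.79 covers; and the rule with IpProtocol "-1" is included because it opens every port even though no FromPort/ToPort appears in it, which is the case a naive port comparison misses.

```python
"""Evaluate an EC2 security group, in the shape returned by
ec2.describe_security_groups, for sensitive ports reachable from
0.0.0.0/0 or ::/0.

Added example, not Prowler's own code. Security groups below are
constructed for illustration."""
from ipaddress import ip_network

# Port sets named by the High checks above. The Elasticsearch/Kibana
# set is an assumption about what 7.79 covers.
FLAGGED_PORTS = {
    "FTP": {20, 21},
    "Telnet": {23},
    "MSSQL": {1433, 1434},
    "Oracle": {1521, 2483},
    "MySQL": {3306},
    "PostgreSQL": {5432},
    "Redis": {6379},
    "Cassandra": {7199, 8888, 9160},
    "Kafka": {9092},
    "Memcached": {11211},
    "MongoDB": {27017, 27018},
    "Elasticsearch/Kibana": {5601, 9200, 9300},
}


def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length zero)."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _open_to_world(rule):
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(_is_world(c) for c in cidrs if c)


def _port_range(rule):
    """(low, high) the rule covers, or None for protocols without ports.
    IpProtocol "-1" means all traffic and carries no FromPort/ToPort."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":
        return 0, 65535
    if proto not in ("tcp", "6", "udp", "17"):
        return None
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if low is None or high is None:
        return 0, 65535
    return low, high


def is_open_to_any_port(group):
    """The question 7.48 asks: any ingress at all from the world?"""
    return any(_open_to_world(r) for r in group.get("IpPermissions", []))


def exposed_services(group):
    """Map service name -> sorted flagged ports reachable from the world."""
    exposed = {}
    for rule in group.get("IpPermissions", []):
        if not _open_to_world(rule):
            continue
        rng = _port_range(rule)
        if rng is None:
            continue
        low, high = rng
        for name, ports in FLAGGED_PORTS.items():
            hit = {p for p in ports if low <= p <= high}
            if hit:
                exposed.setdefault(name, set()).update(hit)
    return {name: sorted(ports) for name, ports in exposed.items()}


# Constructed samples in the describe-security-groups shape.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},              # internal only
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},               # 7.50
        {"IpProtocol": "tcp", "FromPort": 27000, "ToPort": 27020,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                # 7.53, via a range
        {"IpProtocol": "udp", "FromPort": 11211, "ToPort": 11211,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},               # 7.55
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
    ],
}
ALL_OPEN_SG = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    for sg in (SAMPLE_SG, ALL_OPEN_SG):
        print(sg["GroupId"], is_open_to_any_port(sg), exposed_services(sg))
```

Two details matter in practice: port ranges (27000-27020 above) hide the MongoDB ports from anyone grepping for "27017", and an all-traffic rule has no port fields at all, so both have to be normalised to a (low, high) span before comparing.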
Prowler Extra Checks, with Medium Designations:
7.10 [extra710] Check for internet facing EC2 Instances – ec2 [Medium]
7.103 [extra7103] Check if Amazon SageMaker Notebook instances have root access disabled – sagemaker [Medium]
7.104 [extra7104] Check if Amazon SageMaker Notebook instances have VPC settings configured – sagemaker [Medium]
7.105 [extra7105] Check if Amazon SageMaker Models have network isolation enabled – sagemaker [Medium]
7.106 [extra7106] Check if Amazon SageMaker Models have VPC settings configured – sagemaker [Medium]
7.107 [extra7107] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled – sagemaker [Medium]
7.108 [extra7108] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled – sagemaker [Medium]
7.109 [extra7109] Check if Amazon SageMaker Training jobs have network isolation enabled – sagemaker [Medium]
7.110 [extra7110] Check if Amazon SageMaker Training jobs have VPC settings configured. – sagemaker [Medium]
7.111 [extra7111] Check if Amazon SageMaker Notebook instances have direct internet access – sagemaker [Medium]
7.112 [extra7112] Check if Amazon SageMaker Notebook instances have data encryption enabled – sagemaker [Medium]
7.113 [extra7113] Check if RDS instances have deletion protection enabled – rds [Medium]
7.114 [extra7114] Check if Glue development endpoints have S3 encryption enabled. – glue [Medium]
7.115 [extra7115] Check if Glue database connection has SSL connection enabled. – glue [Medium]
7.116 [extra7116] Check if Glue data catalog settings have metadata encryption enabled. – glue [Medium]
7.117 [extra7117] Check if Glue data catalog settings have encrypt connection password enabled. – glue [Medium]
7.118 [extra7118] Check if Glue ETL Jobs have S3 encryption enabled. – glue [Medium]
7.119 [extra7119] Check if Glue development endpoints have CloudWatch logs encryption enabled. – glue [Medium]
7.120 [extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled. – glue [Medium]
7.121 [extra7121] Check if Glue development endpoints have Job bookmark encryption enabled. – glue [Medium]
7.122 [extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled. – glue [Medium]
7.123 [extra7123] Check if IAM users have two active access keys – iam [Medium]
7.124 [extra7124] Check if EC2 instances are managed by Systems Manager. – ssm [Medium]
7.125 [extra7125] Check if IAM users have Hardware MFA enabled. – iam [Medium]
7.126 [extra7126] Check if there are CMK KMS keys not used – kms [Medium]
7.128 [extra7128] Check if DynamoDB table has encryption at rest enabled using CMK KMS – dynamodb [Medium]
7.129 [extra7129] Check if Application Load Balancer has a WAF ACL attached – elb [Medium]
7.130 [extra7130] Ensure there are no SNS Topics unencrypted – sns [Medium]
7.133 [extra7133] Check if RDS instances have multi-AZ enabled – rds [Medium]
7.14 [extra714] Check if CloudFront distributions have logging enabled – cloudfront [Medium]
7.142 [extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based HTTP request smuggling – elb [Medium]
7.144 [extra7144] Check if CloudWatch has allowed cross-account sharing – cloudwatch [Medium]
7.148 [extra7148] Check if EFS File systems have backup enabled – efs [Medium]
7.149 [extra7149] Check if Redshift Clusters have automated snapshots enabled – redshift [Medium]
7.15 [extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled – es [Medium]
7.150 [extra7150] Check if Elastic Load Balancers have deletion protection enabled – elb [Medium]
7.151 [extra7151] Check if DynamoDB tables point-in-time recovery (PITR) is enabled – dynamodb [Medium]
7.152 [extra7152] Enable Privacy Protection for a Route53 Domain (us-east-1 only) – route53 [Medium]
7.153 [extra7153] Enable Transfer Lock for a Route53 Domain (us-east-1 only) – route53 [Medium]
7.154 [extra7154] Enable termination protection for Cloudformation Stacks – cloudformation [Medium]
7.155 [extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode – elb [Medium]
7.156 [extra7156] Checks if API Gateway V2 has Access Logging enabled – apigateway [Medium]
7.157 [extra7157] Check if API Gateway V2 has configured authorizers – apigateway [Medium]
7.158 [extra7158] Check if ELBV2 has listeners underneath – elb [Medium]
7.159 [extra7159] Check if ELB has listeners underneath – elb [Medium]
7.160 [extra7160] Check if Redshift has automatic upgrades enabled – redshift [Medium]
7.161 [extra7161] Check if EFS protects sensitive data with encryption at rest – efs [Medium]
7.162 [extra7162] Check if CloudWatch Log Groups have a retention policy of at least 365 days – cloudwatch [Medium]
7.163 [extra7163] Check if Secrets Manager key rotation is enabled – secretsmanager [Medium]
7.164 [extra7164] Check if CloudWatch log groups are protected by AWS KMS – logs [Medium]
7.165 [extra7165] Check if DynamoDB: DAX Clusters are encrypted at rest – dynamodb [Medium]
7.166 [extra7166] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced – shield [Medium]
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced – shield [Medium]
7.168 [extra7168] Check if Route53 hosted zones are protected by AWS Shield Advanced – shield [Medium]
7.169 [extra7169] Check if global accelerators are protected by AWS Shield Advanced – shield [Medium]
7.17 [extra717] Check if Elastic Load Balancers have logging enabled – elb [Medium]
7.170 [extra7170] Check if internet-facing application load balancers are protected by AWS Shield Advanced – shield [Medium]
7.171 [extra7171] Check if classic load balancers are protected by AWS Shield Advanced – shield [Medium]
7.172 [extra7172] Check if S3 buckets have ACLs enabled – s3 [Medium]
7.173 [extra7173] Security Groups created by EC2 Launch Wizard – ec2 [Medium]
7.176 [extra7176] EMR Cluster without Public IP – emr [Medium]
7.18 [extra718] Check if S3 buckets have server access logging enabled – s3 [Medium]
7.180 [extra7180] Check Lambda Function URL CORS configuration – lambda [Medium]
7.181 [extra7181] Directory Service monitoring with CloudWatch logs – ds [Medium]
7.182 [extra7182] Directory Service SNS Notifications – ds [Medium]
7.183 [extra7183] Directory Service LDAP Certificates expiration – ds [Medium]
7.188 [extra7188] Ensure Radius server in DS is using the recommended security protocol – ds [Medium]
7.189 [extra7189] Ensure Multi-Factor Authentication (MFA) using Radius Server is enabled in DS – ds [Medium]
7.19 [extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs – route53 [Medium]
7.190 [extra7190] Ensure user maximum session duration is no longer than 10 hours. – appstream [Medium]
7.191 [extra7191] Ensure session disconnect timeout is set to 5 minutes or less. – appstream [Medium]
7.192 [extra7192] Ensure session idle disconnect timeout is set to 10 minutes or less. – appstream [Medium]
7.193 [extra7193] Ensure default Internet Access from your Amazon AppStream fleet streaming instances remains unchecked. – appstream [Medium]
7.21 [extra721] Check if Redshift cluster has audit logging enabled – redshift [Medium]
7.22 [extra722] Check if API Gateway has logging enabled – apigateway [Medium]
7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled – acm [Medium]
7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail – s3 [Medium]
7.26 [extra726] Check Trusted Advisor for errors and warnings – trustedadvisor [Medium]
7.28 [extra728] Check if SQS queues have Server Side Encryption enabled – sqs [Medium]
7.29 [extra729] Ensure there are no EBS Volumes unencrypted – ec2 [Medium]
7.34 [extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it – s3 [Medium]
7.35 [extra735] Check if RDS instances storage is encrypted – rds [Medium]
7.38 [extra738] Check if CloudFront distributions are set to HTTPS – cloudfront [Medium]
7.39 [extra739] Check if RDS instances have backup enabled – rds [Medium]
7.40 [extra740] Check if EBS snapshots are encrypted – ec2 [Medium]
7.43 [extra743] Check if API Gateway has client certificate enabled to access your backend endpoint – apigateway [Medium]
7.44 [extra744] Check if API Gateway has a WAF ACL attached – apigateway [Medium]
7.45 [extra745] Check if API Gateway endpoint is public or private – apigateway [Medium]
7.46 [extra746] Check if API Gateway has configured authorizers – apigateway [Medium]
7.47 [extra747] Check if RDS instances are integrated with CloudWatch Logs – rds [Medium]
7.57 [extra757] Check EC2 Instances older than 6 months – ec2 [Medium]
7.58 [extra758] Check EC2 Instances older than 12 months – ec2 [Medium]
7.61 [extra761] Check if EBS Default Encryption is activated – ec2 [Medium]
7.62 [extra762] Find obsolete Lambda runtimes – lambda [Medium]
7.63 [extra763] Check if S3 buckets have object versioning enabled – s3 [Medium]
7.64 [extra764] Check if S3 buckets have secure transport policy – s3 [Medium]
7.65 [extra765] Check if ECR image scan on push is enabled – ecr [Medium]
7.70 [extra770] Check for internet facing EC2 instances with Instance Profiles attached – ec2 [Medium]
7.73 [extra773] Check if CloudFront distributions are using WAF – cloudfront [Medium]
7.74 [extra774] Ensure credentials unused for 30 days or greater are disabled – iam [Medium]
7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version – ecr [Medium]
7.77 [extra777] Find VPC security groups with more than 50 ingress or egress rules – ec2 [Medium]
7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) – ec2 [Medium]
7.81 [extra781] Check if Amazon Elasticsearch Service (ES) domains have encryption at-rest enabled – es [Medium]
7.82 [extra782] Check if Amazon Elasticsearch Service (ES) domains have node-to-node encryption enabled – es [Medium]
7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains have enforce HTTPS enabled – es [Medium]
7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains have the internal user database enabled – es [Medium]
7.86 [extra786] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required – ec2 [Medium]
7.89 [extra789] Find trust boundaries in VPC endpoint services connections – vpc [Medium]
7.9 [extra79] Check for internet facing Elastic Load Balancers – elb [Medium]
7.90 [extra790] Find trust boundaries in VPC endpoint services allowlisted principals – vpc [Medium]
7.91 [extra791] Check if CloudFront distributions are using deprecated SSL protocols – cloudfront [Medium]
7.92 [extra792] Check if Elastic Load Balancers have insecure SSL ciphers – elb [Medium]
7.93 [extra793] Check if Elastic Load Balancers have SSL listeners – elb [Medium]
7.94 [extra794] Ensure EKS Control Plane Audit Logging is enabled for all log types – eks [Medium]
7.97 [extra797] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) – eks [Medium]
Prowler Extra Checks, with Low Designations:
7.101 [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled – es [Low]
7.12 [extra712] Check if Amazon Macie is enabled – macie [Low]
7.131 [extra7131] Ensure RDS instances have minor version upgrade enabled – rds [Low]
7.132 [extra7132] Check if RDS instances have enhanced monitoring enabled – rds [Low]
7.146 [extra7146] Check if there is any unassigned Elastic IP – ec2 [Low]
7.184 [extra7184] Directory Service Manual Snapshot Limit – ds [Low]
7.194 [extra7194] Check if ECR repositories have lifecycle policies enabled – ecr [Low]
7.20 [extra720] Check if Lambda function Invoke API operations are being recorded by CloudTrail – lambda [Low]
7.32 [extra732] Check if Geo restrictions are enabled in CloudFront distributions – cloudfront [Low]
7.33 [extra733] Check if there are SAML Providers then STS can be used – iam [Low]
7.67 [extra767] Check if CloudFront distributions have Field Level Encryption enabled – cloudfront [Low]
7.72 [extra772] Check if elastic IPs are unused – ec2 [Low]
7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available – es [Low]
Closing the series:
In my experience, there will be some pushback on the recommendations, hence my direct quotation of the benchmarks (i.e., don't take my word for it; read the benchmark yourself). I will specifically acknowledge The Center for Internet Security and urge the reader to visit their site and support them as they can. Their works and benchmarks have become the foundation for many of the governmental and commercial standards in place today.