prowler-cloud · MrCloudSec · Dec 18, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024
@@ -314,10 +314,12 @@ aws:
   # AWS ACM Configuration
   # aws.acm_certificates_expiration_check
   days_to_expire_threshold: 7
-  # aws.acm_certificates_rsa_key_length
+  # aws.acm_certificates_with_secure_key_algorithms
   insecure_key_algorithms:
     [
       "RSA-1024",
+      "P-192",
+      "SHA-1",
     ]
 
   # AWS EKS Configuration

@@ -17,7 +17,7 @@ def execute(self):
                 report.status = "PASS"
                 report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} uses a secure key algorithm ({certificate.key_algorithm})."
                 if certificate.key_algorithm in acm_client.audit_config.get(
-                    "insecure_algorithms", ["RSA-1024"]
+                    "insecure_key_algorithms", ["RSA-1024", "P-192", "SHA-1"]
                 ):
                     report.status = "FAIL"
                     report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} does not use a secure key algorithm ({certificate.key_algorithm})."

@@ -1,6 +1,32 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client
 
+default_obsolete_lambda_runtimes = [
+    "java8",
+    "go1.x",
+    "provided",
+    "python3.6",
+    "python2.7",
+    "python3.7",
+    "nodejs4.3",
+    "nodejs4.3-edge",
+    "nodejs6.10",
+    "nodejs",
+    "nodejs8.10",
+    "nodejs10.x",
+    "nodejs12.x",
+    "nodejs14.x",
+    "nodejs16.x",
+    "dotnet5.0",
+    "dotnet7",
+    "dotnetcore1.0",
+    "dotnetcore2.0",
+    "dotnetcore2.1",
+    "dotnetcore3.1",
+    "ruby2.5",
+    "ruby2.7",
+]
+
 
 class awslambda_function_using_supported_runtimes(Check):
     def execute(self):
@@ -14,7 +40,7 @@ def execute(self):
                 report.resource_tags = function.tags
 
                 if function.runtime in awslambda_client.audit_config.get(
-                    "obsolete_lambda_runtimes", []
+                    "obsolete_lambda_runtimes", default_obsolete_lambda_runtimes
                 ):
                     report.status = "FAIL"
                     report.status_extended = f"Lambda function {function.name} is using {function.runtime} which is obsolete."

@@ -5,6 +5,99 @@
     cloudtrail_client,
 )
 
+default_threat_detection_enumeration_actions = [
+    "DescribeAccessEntry",
+    "DescribeAccountAttributes",
+    "DescribeAvailabilityZones",
+    "DescribeBundleTasks",
+    "DescribeCarrierGateways",
+    "DescribeClientVpnRoutes",
+    "DescribeCluster",
+    "DescribeDhcpOptions",
+    "DescribeFlowLogs",
+    "DescribeImages",
+    "DescribeInstanceAttribute",
+    "DescribeInstanceInformation",
+    "DescribeInstanceTypes",
+    "DescribeInstances",
+    "DescribeInstances",
+    "DescribeKeyPairs",
+    "DescribeLogGroups",
+    "DescribeLogStreams",
+    "DescribeOrganization",
+    "DescribeRegions",
+    "DescribeSecurityGroups",
+    "DescribeSnapshotAttribute",
+    "DescribeSnapshotTierStatus",
+    "DescribeSubscriptionFilters",
+    "DescribeTransitGatewayMulticastDomains",
+    "DescribeVolumes",
+    "DescribeVolumesModifications",
+    "DescribeVpcEndpointConnectionNotifications",
+    "DescribeVpcs",
+    "GetAccount",
+    "GetAccountAuthorizationDetails",
+    "GetAccountSendingEnabled",
+    "GetBucketAcl",
+    "GetBucketLogging",
+    "GetBucketPolicy",
+    "GetBucketReplication",
+    "GetBucketVersioning",
+    "GetCallerIdentity",
+    "GetCertificate",
+    "GetConsoleScreenshot",
+    "GetCostAndUsage",
+    "GetDetector",
+    "GetEbsDefaultKmsKeyId",
+    "GetEbsEncryptionByDefault",
+    "GetFindings",
+    "GetFlowLogsIntegrationTemplate",
+    "GetIdentityVerificationAttributes",
+    "GetInstances",
+    "GetIntrospectionSchema",
+    "GetLaunchTemplateData",
+    "GetLaunchTemplateData",
+    "GetLogRecord",
+    "GetParameters",
+    "GetPolicyVersion",
+    "GetPublicAccessBlock",
+    "GetQueryResults",
+    "GetRegions",
+    "GetSMSAttributes",
+    "GetSMSSandboxAccountStatus",
+    "GetSendQuota",
+    "GetTransitGatewayRouteTableAssociations",
+    "GetUserPolicy",
+    "HeadObject",
+    "ListAccessKeys",
+    "ListAccounts",
+    "ListAllMyBuckets",
+    "ListAssociatedAccessPolicies",
+    "ListAttachedUserPolicies",
+    "ListClusters",
+    "ListDetectors",
+    "ListDomains",
+    "ListFindings",
+    "ListHostedZones",
+    "ListIPSets",
+    "ListIdentities",
+    "ListInstanceProfiles",
+    "ListObjects",
+    "ListOrganizationalUnitsForParent",
+    "ListOriginationNumbers",
+    "ListPolicyVersions",
+    "ListRoles",
+    "ListRoles",
+    "ListRules",
+    "ListServiceQuotas",
+    "ListSubscriptions",
+    "ListTargetsByRule",
+    "ListTopics",
+    "ListUsers",
+    "LookupEvents",
+    "Search",
+]
+
 
 class cloudtrail_threat_detection_enumeration(Check):
     def execute(self):
@@ -16,7 +109,8 @@ def execute(self):
             "threat_detection_enumeration_minutes", 1440
         )
         enumeration_actions = cloudtrail_client.audit_config.get(
-            "threat_detection_enumeration_actions", []
+            "threat_detection_enumeration_actions",
+            default_threat_detection_enumeration_actions,
         )
         potential_enumeration = {}
         found_potential_enumeration = False

@@ -5,6 +5,21 @@
     cloudtrail_client,
 )
 
+default_threat_detection_llm_jacking_actions = [
+    "PutUseCaseForModelAccess",
+    "PutFoundationModelEntitlement",
+    "PutModelInvocationLoggingConfiguration",
+    "CreateFoundationModelAgreement",
+    "InvokeModel",
+    "InvokeModelWithResponseStream",
+    "GetUseCaseForModelAccess",
+    "GetModelInvocationLoggingConfiguration",
+    "GetFoundationModelAvailability",
+    "ListFoundationModelAgreementOffers",
+    "ListFoundationModels",
+    "ListProvisionedModelThroughputs",
+]
+
 
 class cloudtrail_threat_detection_llm_jacking(Check):
     def execute(self):
@@ -16,7 +31,8 @@ def execute(self):
             "threat_detection_llm_jacking_minutes", 1440
         )
         llm_jacking_actions = cloudtrail_client.audit_config.get(
-            "threat_detection_llm_jacking_actions", []
+            "threat_detection_llm_jacking_actions",
+            default_threat_detection_llm_jacking_actions,
         )
         potential_llm_jacking = {}
         found_potential_llm_jacking = False

@@ -5,6 +5,60 @@
     cloudtrail_client,
 )
 
+default_threat_detection_privilege_escalation_actions = [
+    "AddPermission",
+    "AddRoleToInstanceProfile",
+    "AddUserToGroup",
+    "AssociateAccessPolicy",
+    "AssumeRole",
+    "AttachGroupPolicy",
+    "AttachRolePolicy",
+    "AttachUserPolicy",
+    "ChangePassword",
+    "CreateAccessEntry",
+    "CreateAccessKey",
+    "CreateDevEndpoint",
+    "CreateEventSourceMapping",
+    "CreateFunction",
+    "CreateGroup",
+    "CreateJob",
+    "CreateKeyPair",
+    "CreateLoginProfile",
+    "CreatePipeline",
+    "CreatePolicyVersion",
+    "CreateRole",
+    "CreateStack",
+    "DeleteRolePermissionsBoundary",
+    "DeleteRolePolicy",
+    "DeleteUserPermissionsBoundary",
+    "DeleteUserPolicy",
+    "DetachRolePolicy",
+    "DetachUserPolicy",
+    "GetCredentialsForIdentity",
+    "GetId",
+    "GetPolicyVersion",
+    "GetUserPolicy",
+    "Invoke",
+    "ModifyInstanceAttribute",
+    "PassRole",
+    "PutGroupPolicy",
+    "PutPipelineDefinition",
+    "PutRolePermissionsBoundary",
+    "PutRolePolicy",
+    "PutUserPermissionsBoundary",
+    "PutUserPolicy",
+    "ReplaceIamInstanceProfileAssociation",
+    "RunInstances",
+    "SetDefaultPolicyVersion",
+    "UpdateAccessKey",
+    "UpdateAssumeRolePolicy",
+    "UpdateDevEndpoint",
+    "UpdateEventSourceMapping",
+    "UpdateFunctionCode",
+    "UpdateJob",
+    "UpdateLoginProfile",
+]
+
 
 class cloudtrail_threat_detection_privilege_escalation(Check):
     def execute(self):
@@ -16,7 +70,8 @@ def execute(self):
             "threat_detection_privilege_escalation_minutes", 1440
         )
         privilege_escalation_actions = cloudtrail_client.audit_config.get(
-            "threat_detection_privilege_escalation_actions", []
+            "threat_detection_privilege_escalation_actions",
+            default_threat_detection_privilege_escalation_actions,
         )
 
         potential_privilege_escalation = {}

@@ -58,24 +58,24 @@ def check_enis(
         report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but it is not attached to any network interface."
         for eni in enis:
             if eni.type in ec2_client.audit_config.get(
-                "ec2_allowed_interface_types", []
+                "ec2_allowed_interface_types", ["api_gateway_managed", "vpc_endpoint"]
             ):
                 report.status = "PASS"
                 report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet and it is attached to an allowed network interface type ({eni.type})."
                 continue
             if eni.attachment.instance_owner_id in ec2_client.audit_config.get(
-                "ec2_allowed_instance_owners", []
+                "ec2_allowed_instance_owners", ["amazon-elb"]
             ):
                 report.status = "PASS"
                 report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet and it is attached to an allowed network interface instance owner ({eni.attachment.instance_owner_id})."
                 continue
             if eni.type not in ec2_client.audit_config.get(
-                "ec2_allowed_interface_types", []
+                "ec2_allowed_interface_types", ["api_gateway_managed", "vpc_endpoint"]
             ):
                 report.status = "FAIL"
                 report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but its network interface type ({eni.type}) is not allowed."
             elif eni.attachment.instance_owner_id not in ec2_client.audit_config.get(
-                "ec2_allowed_instance_owners", []
+                "ec2_allowed_instance_owners", ["amazon-elb"]
             ):
                 report.status = "FAIL"
                 report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but its network interface instance owner ({eni.attachment.instance_owner_id}) is not allowed."

@@ -1,11 +1,21 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.eks.eks_client import eks_client
 
+default_eks_required_log_types = [
+    "api",
+    "audit",
+    "authenticator",
+    "controllerManager",
+    "scheduler",
+]
+
 
 class eks_control_plane_logging_all_types_enabled(Check):
     def execute(self):
         findings = []
-        required_log_types = eks_client.audit_config.get("eks_required_log_types", [])
+        required_log_types = eks_client.audit_config.get(
+            "eks_required_log_types", default_eks_required_log_types
+        )
         required_log_types_str = ", ".join(required_log_types)
 
         for cluster in eks_client.clusters:

@@ -3,6 +3,12 @@
     apiserver_client,
 )
 
+default_apiserver_strong_ciphers = [
+    "TLS_AES_128_GCM_SHA256",
+    "TLS_AES_256_GCM_SHA384",
+    "TLS_CHACHA20_POLY1305_SHA256",
+]
+
 
 class apiserver_strong_ciphers_only(Check):
     def execute(self) -> Check_Report_Kubernetes:
@@ -25,7 +31,8 @@ def execute(self) -> Check_Report_Kubernetes:
                             .split(",")
                             .issubset(
                                 apiserver_client.audit_config.get(
-                                    "apiserver_strong_ciphers", []
+                                    "apiserver_strong_ciphers",
+                                    default_apiserver_strong_ciphers,
                                 )
                             )
                         ):

@@ -1,6 +1,17 @@
 from prowler.lib.check.models import Check, Check_Report_Kubernetes
 from prowler.providers.kubernetes.services.kubelet.kubelet_client import kubelet_client
 
+default_kubelet_strong_ciphers = [
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_RSA_WITH_AES_128_GCM_SHA256",
+]
+
 
 class kubelet_strong_ciphers_only(Check):
     def execute(self) -> Check_Report_Kubernetes:
@@ -15,7 +26,9 @@ def execute(self) -> Check_Report_Kubernetes:
                 report.status_extended = f"Kubelet does not have the argument `tlsCipherSuites` in config file {cm.name}, verify it in the node's arguments."
             else:
                 if cm.kubelet_args["tlsCipherSuites"].issubset(
-                    kubelet_client.audit_config.get("kubelet_strong_ciphers", [])
+                    kubelet_client.audit_config.get(
+                        "kubelet_strong_ciphers", default_kubelet_strong_ciphers
+                    )
                 ):
                     report.status = "PASS"
                     report.status_extended = f"Kubelet is configured with strong cryptographic ciphers in config file {cm.name}."

@@ -296,6 +296,8 @@ def mock_prowler_get_latest_release(_, **kwargs):
     "days_to_expire_threshold": 7,
     "insecure_key_algorithms": [
         "RSA-1024",
+        "P-192",
+        "SHA-1",
     ],
     "eks_required_log_types": [
         "api",