From 5603af3bb6470686b13e79139da307b38c9f57af Mon Sep 17 00:00:00 2001
From: Sergio
Date: Thu, 7 Nov 2024 08:54:27 -0500
Subject: [PATCH 1/3] fix(aws): update EKS check in compliance frameworks
---
 .../aws/aws_well_architected_framework_security_pillar_aws.json | 2 +-
 prowler/compliance/aws/kisa_isms_p_2023_aws.json | 2 +-
 prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
index 9dd4d1ccbdc..6e1fdbc5d46 100644
--- a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
+++ b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
@@ -664,7 +664,7 @@
 "awslambda_function_not_publicly_accessible",
 "apigateway_restapi_waf_acl_attached",
 "cloudfront_distributions_using_waf",
- "eks_control_plane_endpoint_access_restricted",
+ "eks_cluster_not_publicly_accessible",
 "sagemaker_models_network_isolation_enabled",
 "sagemaker_models_vpc_settings_configured",
 "sagemaker_notebook_instance_vpc_settings_configured",
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
index 2411836fc83..dd6a260fe40 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
@@ -1509,7 +1509,7 @@
 "iam_user_mfa_enabled_console_access",
 "networkfirewall_in_all_vpc",
 "eks_cluster_network_policy_enabled",
- "eks_control_plane_endpoint_access_restricted",
+ "eks_cluster_not_publicly_accessible",
 "eks_cluster_private_nodes_enabled",
 "eks_endpoints_not_publicly_accessible",
 "kafka_cluster_is_public",
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
index 767a450a626..390a6aa4a04 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
@@ -1509,7 +1509,7 @@
 "iam_user_mfa_enabled_console_access",
 "networkfirewall_in_all_vpc",
 "eks_cluster_network_policy_enabled",
- "eks_control_plane_endpoint_access_restricted",
+ "eks_cluster_not_publicly_accessible",
 "eks_cluster_private_nodes_enabled",
 "eks_endpoints_not_publicly_accessible",
 "kafka_cluster_is_public",
From f3b6a568612a893c2cc2e44c9f94c2ed82f21e20 Mon Sep 17 00:00:00 2001
From: Sergio
Date: Thu, 7 Nov 2024 09:00:07 -0500
Subject: [PATCH 2/3] fix more frameworks
---
 .../aws_well_architected_framework_security_pillar_aws.json | 2 +-
 prowler/compliance/aws/kisa_isms_p_2023_aws.json | 2 +-
 prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json | 2 +-
 prowler/compliance/aws/nist_800_171_revision_2_aws.json | 6 +++---
 prowler/compliance/aws/nist_csf_1.1_aws.json | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
index 6e1fdbc5d46..b27a5b67127 100644
--- a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
+++ b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
@@ -485,7 +485,7 @@
 "codeartifact_packages_external_public_publishing_disabled",
 "ecr_repositories_not_publicly_accessible",
 "efs_not_publicly_accessible",
- "eks_endpoints_not_publicly_accessible",
+ "eks_cluster_not_publicly_accessible",
 "elb_internet_facing",
 "elbv2_internet_facing",
 "s3_account_level_public_access_blocks",
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
index dd6a260fe40..f4f9736e541 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
@@ -1511,7 +1511,7 @@
 "eks_cluster_network_policy_enabled",
 "eks_cluster_not_publicly_accessible",
 "eks_cluster_private_nodes_enabled",
- "eks_endpoints_not_publicly_accessible",
+ "eks_cluster_not_publicly_accessible",
 "kafka_cluster_is_public",
 "kafka_cluster_unrestricted_access_disabled",
 "vpc_peering_routing_tables_with_least_privilege",
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
index 390a6aa4a04..e8999d02d60 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
@@ -1511,7 +1511,7 @@
 "eks_cluster_network_policy_enabled",
 "eks_cluster_not_publicly_accessible",
 "eks_cluster_private_nodes_enabled",
- "eks_endpoints_not_publicly_accessible",
+ "eks_cluster_not_publicly_accessible",
 "kafka_cluster_is_public",
 "kafka_cluster_unrestricted_access_disabled",
 "vpc_peering_routing_tables_with_least_privilege",
diff --git a/prowler/compliance/aws/nist_800_171_revision_2_aws.json b/prowler/compliance/aws/nist_800_171_revision_2_aws.json
index 84925aba8b9..6b1f98eec1e 100644
--- a/prowler/compliance/aws/nist_800_171_revision_2_aws.json
+++ b/prowler/compliance/aws/nist_800_171_revision_2_aws.json
@@ -19,7 +19,7 @@
 "ec2_ebs_public_snapshot",
 "ec2_instance_profile_attached",
 "ec2_instance_public_ip",
- "eks_endpoints_not_publicly_accessible",
+ "eks_cluster_not_publicly_accessible",
 "emr_cluster_master_nodes_no_public_ip",
 "iam_aws_attached_policy_no_administrative_privileges",
 "iam_customer_attached_policy_no_administrative_privileges",
@@ -61,7 +61,7 @@
 "ec2_ebs_public_snapshot",
 "ec2_instance_profile_attached",
 "ec2_instance_public_ip",
- "eks_endpoints_not_publicly_accessible",
+ "eks_cluster_not_publicly_accessible",
 "emr_cluster_master_nodes_no_public_ip",
 "iam_aws_attached_policy_no_administrative_privileges",
 "iam_customer_attached_policy_no_administrative_privileges",
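Review bot: After this hunk the same `Checks` array in kisa_isms_p_2023_aws.json lists `eks_cluster_not_publicly_accessible` twice — once as the unchanged context line two above the change (put there by PATCH 1/3, which substituted it for `eks_control_plane_endpoint_access_restricted`) and once as the added line that replaces `eks_endpoints_not_publicly_accessible`. The kisa_isms_p_2023_korean_aws.json hunk at @@ -1511 in this patch has the identical duplication. If `eks_endpoints_not_publicly_accessible` really is superseded by the check already in the list, the entry should be deleted rather than replaced: keep `-    "eks_endpoints_not_publicly_accessible",` with no `+` counterpart (no comma fix is needed since `kafka_cluster_is_public` still follows). Whether a duplicate id is merely redundant or makes the framework report count one finding twice depends on how the compliance loader treats repeated ids, which I cannot see from here; either way it is worth removing before merge.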
@@ -102,7 +102,7 @@
 "Checks": [
 "ec2_ebs_public_snapshot",
 "ec2_instance_public_ip",
- "eks_endpoints_not_publicly_accessible",
+ "eks_cluster_not_publicly_accessible",
 "emr_cluster_master_nodes_no_public_ip",
 "awslambda_function_not_publicly_accessible",
 "awslambda_function_url_public",
diff --git a/prowler/compliance/aws/nist_csf_1.1_aws.json b/prowler/compliance/aws/nist_csf_1.1_aws.json
index 7d913a0e1d5..9756d843dc5 100644
--- a/prowler/compliance/aws/nist_csf_1.1_aws.json
+++ b/prowler/compliance/aws/nist_csf_1.1_aws.json
@@ -971,7 +971,7 @@
 "Checks": [
 "ec2_ebs_public_snapshot",
 "ec2_instance_public_ip",
- "eks_endpoints_not_publicly_accessible",
+ "eks_cluster_not_publicly_accessible",
 "emr_cluster_master_nodes_no_public_ip",
 "awslambda_function_url_public",
 "rds_instance_no_public_access",
From 5636e5ccfd2f69790078093d5a818fadd8b6e9af Mon Sep 17 00:00:00 2001
From: Sergio
Date: Thu, 7 Nov 2024 09:09:00 -0500
Subject: [PATCH 3/3] fix(azure): remove blank lists in CIS
---
 prowler/compliance/azure/cis_2.1_azure.json | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/prowler/compliance/azure/cis_2.1_azure.json b/prowler/compliance/azure/cis_2.1_azure.json
index 312e44d8cc3..0ed4d697191 100644
--- a/prowler/compliance/azure/cis_2.1_azure.json
+++ b/prowler/compliance/azure/cis_2.1_azure.json
@@ -3043,9 +3043,7 @@
 {
 "Id": "9.4",
 "Description": "Ensure that Register with Entra ID is enabled on App Service",
- "Checks": [
- ""
- ],
+ "Checks": [],
 "Attributes": [
 {
 "Section": "9. AppService",
@@ -3175,9 +3173,7 @@
 {
 "Id": "9.10",
 "Description": "Ensure Azure Key Vaults are Used to Store Secrets",
- "Checks": [
- ""
- ],
+ "Checks": [],
 "Attributes": [
 {
 "Section": "9. AppService",
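Review bot: With `"Checks": []` CIS requirements 9.4 and 9.10 (this hunk and the one at @@ -3175) are left with no automated check, and nothing on the new side records why, so a later reader cannot tell an intentional manual-only requirement from one whose check was never wired up. It is also worth confirming that the framework loader reports a requirement with an empty list as manual/not-assessed rather than as passing; the previous `[""]` form would have referenced a non-existent check id, and the replacement should not silently turn that into a clean result. Since JSON carries no comments, the rationale belongs in the PR description or in a sibling attribute if the `Attributes` schema has one for it (only `Section` is visible in this hunk).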