Quickly find unencrypted S3 buckets and remediate them
# Requires the ESP_ACCESS_KEY_ID and ESP_SECRET_ACCESS_KEY environment variables (ESP SDK),
# plus an AWS CLI that is already authenticated for the account being checked.
require 'esp_sdk'
require 'open3'
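# Reports whether a bucket has a default (bucket-level) encryption
# configuration, by asking the AWS CLI for `get-bucket-encryption`.
#
# The bucket name is passed as its own argv element rather than interpolated
# into a command string, so a name coming from the ESP API is never
# interpreted by a shell.
#
# @param bucket [String] S3 bucket name (taken from an ESP alert resource)
# @return [Boolean] true when the CLI call exited successfully
#
# NOTE(review): every non-zero exit is treated as "not encrypted", including
# access-denied, nonexistent-bucket and network failures. If those false
# positives matter, inspect `stderr` for
# ServerSideEncryptionConfigurationNotFoundError before answering false.
def bucket_encrypted?(bucket)
  _stdout, _stderr, status = Open3.capture3(
    'aws', 's3api', 'get-bucket-encryption', '--bucket', bucket.to_s
  )
  # Process::Status#success? is the intended check; comparing the raw status
  # object against 0 relied on Process::Status#== coercion.
  status.success?
end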
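# Collects the `resource` (bucket name) of every alert for one Evident
# signature in the given report, walking all result pages.
#
# `next_page!` advances the ESP collection in place, so each loop iteration
# maps whatever page is currently loaded — the same pattern the two inline
# loops used before they were merged here.
#
# @param report_id [Object] id of the ESP::Report to query
# @param signature [String] signature identifier substring, e.g. "AWS:SSS-014"
# @return [Array] one resource name per alert, in page order
def signature_resources(report_id, signature)
  alerts = ESP::Alert.where(report_id: report_id, signature_identifier_cont: signature)
  resources = alerts.map(&:resource)
  while alerts.next_page?
    alerts.next_page!
    resources.concat(alerts.map(&:resource))
  end
  resources
end

reports = ESP::Report.all
report = reports[0]
# Without a report there is nothing to query; fail with a message instead of
# a NoMethodError on nil.
abort 'No ESP reports available' unless report
report_id = report.id

# --- AWS:SSS-014: bucket not encrypted at rest --------------------------------
resources = signature_resources(report_id, 'AWS:SSS-014')
puts 'Not encrypted at Rest'
puts "Evident Count: #{resources.count}"

# Re-check each flagged bucket against the live account; one CLI call per
# bucket, so this is the slow part for large result sets.
without_default_encryption = resources.reject { |r| bucket_encrypted?(r) }
puts "Without Default Encryption Count: #{without_default_encryption.count}"
without_default_encryption.each { |r| puts r }

puts 'Remediation:'
# Printed for an operator to run; nothing below is executed by this script.
without_default_encryption.each do |r|
  puts <<~EOF
    aws s3api put-bucket-encryption --bucket #{r} --server-side-encryption-configuration '{
    "Rules": [
    {
    "ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "AES256"
    }
    }
    ]}'
  EOF
end

# --- AWS:SSS-015: Secure Data Transport Violation -----------------------------
resources = signature_resources(report_id, 'AWS:SSS-015')
puts "Count: #{resources.count}"

# Suggested bucket policy, printed per bucket. As written it denies only
# s3:GetObject on object ARNs over plaintext transport; other actions and the
# bucket ARN itself are not covered — consider broadening it before applying.
resources.each do |r|
  puts r
  puts 'Remediation:'
  puts <<~EOF
    {
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
    {
    "Sid": "DenyAccessIfNotOverSecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::#{r}/*",
    "Condition": {
    "Bool": {
    "aws:SecureTransport": "false"
    }
    }
    }
    ]
    }
  EOF
end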