GDPR Checks #385

Closed
ShadySQL opened this issue Sep 17, 2019 · 4 comments
@ShadySQL

Just ran a gdpr scan with the tool and curious to know what the field: TITLE_ID maps to.

For example for TITLE_ID 7.18 does that map to Article 7 of the GDPR articles?

How about for TITLE_ID 7.XXX ... does that mean those map to Article 7 of the GDPR articles?

You can find the articles here: http://www.privacy-regulation.eu/en/

@toniblyx
Member

Hi @ShadySQL and thanks for your question. What I did for GDPR can be found here: #189. Basically I mapped GDPR requirements to current Prowler checks (some are CIS and some are custom ones). Btw, Prowler is not a compliance or certification tool; it just tries to help you understand what to improve in your AWS account security. Let me know if that clarifies your question.

@ShadySQL
Author

ShadySQL commented Sep 17, 2019

Thanks for this! I would like to further contribute but want to understand how you got there.
If you look at the image you'll see:

[image]

TITLE_ID - What Prowler check mapped to GDPR? Do you have the existing table?
RESULT - This is clear
SCORED - This is clear
LEVEL - EXTRA, Level 1, Level 2 (What is Level 1 and what is Level 2????)

Issue 189 is great btw thanks for your contribution there. I was hoping to map the items you grouped by checks to GDPR articles. It appears that based on this:

https://aws.amazon.com/blogs/security/introducing-the-new-gdpr-center-and-navigating-gdpr-compliance-on-aws-whitepaper/

We can deduce that these fall under two articles:

Article 25 and Article 32

So I can work on that on my end and provide a table of where the Prowler checks map to those articles. This would make things a little bit more understandable.

@toniblyx
Member

Where is that table coming from? It looks like the csv output for check_extra718 in a spreadsheet.

TITLE_ID is the unique identifier of every check in Prowler. All CIS benchmark related titles are in groups 1, 2, 3 and 4 (based on their number in the CIS benchmark documentation). I used group 7 for all custom checks beyond CIS. Groups 5 and 6 are not used; they are free just in case CIS adds more groups to the benchmark in the future. I added other groups of checks as you can see in the groups folders. Basically a group is a way to customize your set of checks; for example GDPR is a group with checks from other groups.

SCORED is also part of CIS: some check results may be scored to use in a scoring report. I have a scoring report implemented in Prowler as a proof of concept (use -s to see it), but it doesn't take scored or not scored from the results; it is my own testing implementation.

LEVEL is CIS as well. All CIS benchmarks come with two levels: level1 is a practical and prudent type of security level, and level2 is for more comprehensive or defense-in-depth security. I have them implemented also as groups in Prowler (./prowler -g level2); basically level2 contains all CIS checks and level1 a smaller number of CIS checks. Neither level1 nor level2 contains checks from the extras group.

Is that now more clear?

The list of checks was taken from https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf as stated in #189, and I didn't know about that blog post to be honest. I agree that the output could be more GDPR related than just the checks' original titles, but you can create your own reports based on the csv output. In any case, let me know what type of improvements you would make to Prowler to better fit your needs and we can add them to the enhancements list.
Thanks!
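The TITLE_ID numbering and the "build your own report from the csv output" suggestion above, as an added example that is not Prowler's own code: a small Python script that reads Prowler-style CSV output with the TITLE_ID, RESULT, SCORED and LEVEL columns mentioned in this thread, derives each check's group from the integer part of TITLE_ID (1-4 CIS sections, 7 extras, 5 and 6 reserved), and tallies results per group and per LEVEL. The column names, row values and group labels are constructed assumptions for the example, not real Prowler output.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a Prowler CSV export with the four
# columns discussed in the thread. Column names and row values are
# assumptions for this example, not captured Prowler output.
SAMPLE_CSV = """TITLE_ID,RESULT,SCORED,LEVEL
1.1,PASS,Scored,Level 1
1.4,FAIL,Scored,Level 1
2.3,FAIL,Scored,Level 2
3.1,PASS,Not Scored,Level 2
7.18,FAIL,Not Scored,EXTRA
7.23,PASS,Not Scored,EXTRA
5.2,FAIL,Scored,Level 1
"""

# Group numbering as described in the thread: 1-4 are the CIS benchmark
# sections, 7 holds the custom (extras) checks, 5 and 6 are reserved.
GROUP_NAMES = {1: "CIS section 1", 2: "CIS section 2", 3: "CIS section 3",
               4: "CIS section 4", 7: "extras (custom checks)"}


def group_of(title_id):
    """Return (group number, label) from the integer part of a TITLE_ID."""
    major = int(title_id.split(".", 1)[0])
    return major, GROUP_NAMES.get(major, "unknown/reserved group")


def summarize(csv_text):
    """Count RESULT values per group and per LEVEL; collect TITLE_IDs
    that fall outside the documented groups so they can be reviewed."""
    per_group = defaultdict(Counter)
    per_level = defaultdict(Counter)
    unknown = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        major, label = group_of(row["TITLE_ID"])
        if major not in GROUP_NAMES:
            unknown.append(row["TITLE_ID"])
        per_group[label][row["RESULT"]] += 1
        per_level[row["LEVEL"]][row["RESULT"]] += 1
    return per_group, per_level, unknown


if __name__ == "__main__":
    groups, levels, odd = summarize(SAMPLE_CSV)
    for name, counts in list(groups.items()) + list(levels.items()):
        print(f"{name}: {dict(counts)}")
    if odd:
        print("TITLE_IDs outside the documented groups:", odd)
```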

@ShadySQL
Author

This was great info! Thanks all!
