diff --git a/docs/tutorials/allowlist.md b/docs/tutorials/allowlist.md
index 2d488338..0158e0f1 100644
--- a/docs/tutorials/allowlist.md
+++ b/docs/tutorials/allowlist.md
@@ -82,7 +82,12 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
 Tags:
 - "environment=prod" # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
-
+## AWS Control Tower Allowlist
+When using Control Tower, guardrails prevent access to certain protected resources. Prowler has an allowlist that ensures that warnings instead of errors are reported for all resources created by AWS Control Tower when setting up a landing zone.
+You can execute Prowler with the AWS Control Tower allowlist using the following command:
+```sh
+prowler aws --allowlist prowler/config/aws_controltower_allowlist.yaml
+```
 ## Supported Allowlist Locations
 The allowlisting flag supports the following locations:
diff --git a/prowler/config/allowlist.yaml b/prowler/config/aws_allowlist.yaml
similarity index 100%
rename from prowler/config/allowlist.yaml
rename to prowler/config/aws_allowlist.yaml
diff --git a/prowler/config/aws_controltower_allowlist.yaml b/prowler/config/aws_controltower_allowlist.yaml
new file mode 100644
index 00000000..65af6111
--- /dev/null
+++ b/prowler/config/aws_controltower_allowlist.yaml
@@ -0,0 +1,65 @@
+# When using Control Tower, guardrails prevent access to certain protected resources.
+# The allowlist below ensures that warnings instead of errors are reported for the affected resources.
+# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
+########################### CONTROL TOWER ALLOWLIST ###########################
+### The following file includes all resources created by AWS Control Tower ###
+Allowlist:
+ Accounts:
+ "*":
+ Checks:
+ "cloudwatch_log_group_*":
+ Regions:
+ - "*"
+ Resources:
+ - "/aws/lambda/aws-controltower-NotificationForwarder"
+ - "StackSet-AWSControlTowerBP-*"
+ "awslambda_function_*":
+ Regions:
+ - "*"
+ Resources:
+ - "aws-controltower-NotificationForwarder"
+ "cloudformation_stacks_*":
+ Regions:
+ - "*"
+ Resources:
+ - "StackSet-AWSControlTowerGuardrailAWS-*"
+ - "StackSet-AWSControlTowerBP-*"
+ "cloudtrail_*":
+ Regions:
+ - "*"
+ Resources:
+ - "aws-controltower-BaselineCloudTrail"
+ "iam_role_*":
+ Regions:
+ - "*"
+ Resources:
+ - "aws-controltower-AdministratorExecutionRole"
+ - "aws-controltower-CloudWatchLogsRole"
+ - "aws-controltower-ConfigRecorderRole"
+ - "aws-controltower-ForwardSnsNotificationRole"
+ - "aws-controltower-ReadOnlyExecutionRole"
+ - "AWSControlTower_VPCFlowLogsRole"
+ - "AWSControlTowerExecution"
+ "iam_policy_*":
+ Regions:
+ - "*"
+ Resources:
+ - "AWSControlTowerServiceRolePolicy"
+ "s3_bucket_*":
+ Regions:
+ - "*"
+ Resources:
+ - "aws-controltower-logs-*"
+ - "aws-controltower-s3-access-logs-*"
+ "sns_*":
+ Regions:
+ - "*"
+ Resources:
+ - "aws-controltower-SecurityNotifications"
+ "vpc_*":
+ Regions:
+ - "*"
+ Resources:
+ - "*"
+ Tags:
+ - "Name=aws-controltower-VPC"
diff --git a/prowler/providers/aws/lib/arguments/arguments.py b/prowler/providers/aws/lib/arguments/arguments.py
index b9ba388c..9ffe46a2 100644
--- a/prowler/providers/aws/lib/arguments/arguments.py
+++ b/prowler/providers/aws/lib/arguments/arguments.py
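Review bot: The `vpc_*` entry at the end of the hunk exempts every VPC resource (`Resources: "*"`) in every region on the strength of a single tag, `Name=aws-controltower-VPC`, whereas every other entry is keyed to a fixed resource name or name prefix; because tags are freely editable, any VPC carrying that tag is silenced for all `vpc_*` checks, not only the one Control Tower created. The file header should say so, e.g. `# NOTE: the vpc_* entry matches on the Name tag only; every VPC tagged Name=aws-controltower-VPC is exempted, not just the Control Tower one.` The prefix patterns (`aws-controltower-logs-*`, `aws-controltower-s3-access-logs-*`, `StackSet-AWSControlTowerBP-*`) likewise exempt anything sharing the prefix and deserve a one-line comment for the same reason. The YAML indentation is not preserved in this rendering, so the nesting of the entries under `Checks` could not be verified here.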
@@ -124,7 +124,7 @@ def init_parser(self):
 "--allowlist-file",
 nargs="?",
 default=None,
- help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
+ help="Path for allowlist yaml file. See example prowler/config/aws_allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
 )
 # Based Scans
 aws_based_scans_subparser = aws_parser.add_argument_group("AWS Based Scans")
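Review bot: The updated help string for `--allowlist-file` points only at `prowler/config/aws_allowlist.yaml` and says nothing about the `prowler/config/aws_controltower_allowlist.yaml` this same commit adds, so the CLI gives no hint that a ready-made Control Tower allowlist ships with the tool; consider extending the text with `See prowler/config/aws_controltower_allowlist.yaml for AWS Control Tower landing zones.` Relatedly, the tutorial hunk in `docs/tutorials/allowlist.md` documents `prowler aws --allowlist ...` while the option defined here is `--allowlist-file`; that appears to work only through argparse's prefix abbreviation, so the documented command should spell out the full flag (or `-w`). The enclosing `init_parser` method begins and continues outside this hunk.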