ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(controltower): add AWS Control Tower resources to default Allowlist configuration file (#2953)

Browse Source 
Co-authored-by: Toni de la Fuente <toni@blyx.com>
This commit is contained in:
Sergio Garcia
2023-10-24 16:45:21 +02:00
committed by GitHub
parent 8533714cb2
commit 008534d839
4 changed files with 72 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/tutorials/allowlist.md
View File

@@ -82,7 +82,12 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
Tags:
- "environment=prod" # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
## AWS Control Tower Allowlist
When using Control Tower, guardrails prevent access to certain protected resources. Prowler has an allowlist that ensures that warnings instead of errors are reported for all resources created by AWS Control Tower when setting up a landing zone.
You can execute Prowler with the AWS Control Tower allowlist using the following command:
```sh
prowler aws --allowlist prowler/config/aws_controltower_allowlist.yaml
```
## Supported Allowlist Locations
The allowlisting flag supports the following locations:

0
prowler/config/allowlist.yaml → prowler/config/aws_allowlist.yaml
View File

65
prowler/config/aws_controltower_allowlist.yaml Normal file
View File

@@ -0,0 +1,65 @@
# When using Control Tower, guardrails prevent access to certain protected resources.
# The allowlist below ensures that warnings instead of errors are reported for the affected resources.
# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
########################### CONTROL TOWER ALLOWLIST ###########################
### The following file includes all resources created by AWS Control Tower ###
Allowlist:
Accounts:
"*":
Checks:
"cloudwatch_log_group_*":
Regions:
- "*"
Resources:
- "/aws/lambda/aws-controltower-NotificationForwarder"
- "StackSet-AWSControlTowerBP-*"
"awslambda_function_*":
Regions:
- "*"
Resources:
- "aws-controltower-NotificationForwarder"
"cloudformation_stacks_*":
Regions:
- "*"
Resources:
- "StackSet-AWSControlTowerGuardrailAWS-*"
- "StackSet-AWSControlTowerBP-*"
"cloudtrail_*":
Regions:
- "*"
Resources:
- "aws-controltower-BaselineCloudTrail"
"iam_role_*":
Regions:
- "*"
Resources:
- "aws-controltower-AdministratorExecutionRole"
- "aws-controltower-CloudWatchLogsRole"
- "aws-controltower-ConfigRecorderRole"
- "aws-controltower-ForwardSnsNotificationRole"
- "aws-controltower-ReadOnlyExecutionRole"
- "AWSControlTower_VPCFlowLogsRole"
- "AWSControlTowerExecution"
"iam_policy_*":
Regions:
- "*"
Resources:
- "AWSControlTowerServiceRolePolicy"
"s3_bucket_*":
Regions:
- "*"
Resources:
- "aws-controltower-logs-*"
- "aws-controltower-s3-access-logs-*"
"sns_*":
Regions:
- "*"
Resources:
- "aws-controltower-SecurityNotifications"
"vpc_*":
Regions:
- "*"
Resources:
- "*"
Tags:
- "Name=aws-controltower-VPC"

2
prowler/providers/aws/lib/arguments/arguments.py
View File

@@ -124,7 +124,7 @@ def init_parser(self):
"--allowlist-file",
nargs="?",
default=None,
help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
help="Path for allowlist yaml file. See example prowler/config/aws_allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
)
# Based Scans
aws_based_scans_subparser = aws_parser.add_argument_group("AWS Based Scans")