feat(deployment): Serverless multi account Prowler with SecurityHub Integration (#1113)

2026-02-10 23:05:05 +00:00 · 2022-05-03 08:41:56 -03:00
parent de77a33341
commit 13c96a80db
7 changed files with 532 additions and 0 deletions
--- a/util/multi-account-securityhub/templates/CF-Prowler-CrossAccountRole.yml
+++ b/util/multi-account-securityhub/templates/CF-Prowler-CrossAccountRole.yml
@@ -0,0 +1,97 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create the Cross-Account IAM Prowler Role
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: ECS Settings
+        Parameters:
+          - ProwlerEcsAccount
+          - ProwlerTaskRoleName
+      - Label:
+          default: CrossAccount Role
+        Parameters:
+          - ProwlerCrossAccountRole
+Parameters:
+  ProwlerEcsAccount:
+    Type: String
+    Description: Enter AWS Account Number where Prowler ECS Task will reside.
+    AllowedPattern: ^\d{12}$
+    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
+  ProwlerTaskRoleName:
+    Type: String
+    Description: Enter Instance Role that will be given to the Prowler ECS Instance (needed to grant sts:AssumeRole rights).
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerECSTask-Role
+  ProwlerCrossAccountRole:
+    Type: String
+    Description: Enter Name for CrossAccount Role to be created for Prowler to assess all Accounts in the AWS Organization.
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerXA-Role
+Resources:
+  ProwlerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Provides Prowler ECS tasks permissions to assess security of Accounts in AWS Organization
+      RoleName: !Ref ProwlerCrossAccountRole
+      Tags:
+        - Key: App
+          Value: Prowler
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Sub arn:${AWS::Partition}:iam::${ProwlerEcsAccount}:role/${ProwlerTaskRoleName}
+            Action:
+              - sts:AssumeRole
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess
+      Policies:
+        - PolicyName: Prowler-Additions-Policy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowMoreReadForProwler
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - ds:ListAuthorizedApplications
+                  - ec2:GetEbsEncryptionByDefault
+                  - ecr:Describe*
+                  - elasticfilesystem:DescribeBackupPolicy
+                  - glue:GetConnections
+                  - glue:GetSecurityConfiguration
+                  - glue:SearchTables
+                  - lambda:GetFunction
+                  - s3:GetAccountPublicAccessBlock
+                  - shield:DescribeProtection
+                  - shield:GetSubscriptionState
+                  - ssm:GetDocument
+                  - support:Describe*
+                  - tag:GetTagKeys
+        - PolicyName: Prowler-Security-Hub
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowProwlerSecurityHub
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - securityhub:BatchImportFindings
+                  - securityhub:GetFindings
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: "Prowler requires these rights to perform its Security Assessment."
+          - id: W28
+            reason: "Using a defined Role Name."
+Outputs:
+  ProwlerCrossAccountRole:
+    Description: CrossAccount Role to be used by Prowler to assess AWS Accounts in the AWS Organization.
+    Value: !Ref ProwlerCrossAccountRole
--- a/util/multi-account-securityhub/templates/CF-Prowler-ECS.yml
+++ b/util/multi-account-securityhub/templates/CF-Prowler-ECS.yml
@@ -0,0 +1,102 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This Template will create the infrastructure for Prowler with ECS Fargate
+Parameters:
+  ProwlerClusterName:
+    Type: String
+    Description: Name of the ECS Cluster that the Prowler Fargate Task will run in
+    Default: ProwlerCluster
+  ProwlerContainerName: 
+    Type: String
+    Description: Name of the Prowler Container Definition within the ECS Task
+    Default: prowler
+  ProwlerContainerInfo: 
+    Type: String
+    Description: ECR URI of the Prowler container
+  ProwlerECSLogGroupName: 
+    Type: String
+    Description: Name for the log group to be created
+    Default: /aws/ecs/SecurityHub-Prowler
+  SecurityGroupVPCId:
+    Type: String
+    Description: VPC Id for the Security Group to be created
+  ProwlerScheduledSubnet1:
+    Type: String
+    Description: Subnet Id in which Prowler can be scheduled to Run
+  ProwlerScheduledSubnet2:
+    Type: String
+    Description: A secondary Subnet Id in which Prowler can be scheduled to Run
+  ECSExecutionRole:
+    Type: String
+    Description: ECS Execution Task Role ARN.
+  ProwlerTaskRole:
+    Type: String
+    Description: Prowler ECS Task Role ARN.
+  ECSEventRole:
+    Type: String
+    Description: Eventbridge Task Role ARN.
+  CronExpression:
+    Type: String
+    Description: Cron schedule for the event rule.
+    Default: cron(0 23 * * ? *)
+Resources:
+  ProwlerECSCloudWatchLogsGroup:
+    Type: AWS::Logs::LogGroup
+    Properties: 
+      LogGroupName: !Ref ProwlerECSLogGroupName
+      RetentionInDays: 90
+  ProwlerECSCluster:
+    Type: AWS::ECS::Cluster
+    Properties: 
+      ClusterName: !Ref ProwlerClusterName
+  ProwlerECSTaskDefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties: 
+      ContainerDefinitions: 
+        - Image: !Ref ProwlerContainerInfo
+          Name: !Ref ProwlerContainerName
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-group: !Ref ProwlerECSCloudWatchLogsGroup
+              awslogs-region: !Ref 'AWS::Region'
+              awslogs-stream-prefix: ecs
+      Cpu: 1024
+      ExecutionRoleArn: !Ref ECSExecutionRole
+      Memory: 2048
+      NetworkMode: awsvpc
+      TaskRoleArn: !Ref ProwlerTaskRole
+      Family: SecurityHubProwlerTask
+      RequiresCompatibilities:
+        - FARGATE
+  ProwlerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+        GroupDescription: Allow HTTPS Out - Prowler
+        VpcId: !Ref SecurityGroupVPCId
+        SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: 0.0.0.0/0
+  ProwlerTaskScheduler:
+    Type: AWS::Events::Rule
+    Properties:
+      ScheduleExpression: !Ref CronExpression
+      State: ENABLED
+      Targets:
+        - Arn: !GetAtt ProwlerECSCluster.Arn
+          RoleArn: !Ref ECSEventRole
+          Id: prowlerTaskScheduler
+          EcsParameters:
+            TaskDefinitionArn: !Ref ProwlerECSTaskDefinition
+            TaskCount: 1
+            LaunchType: FARGATE
+            PlatformVersion: 'LATEST'
+            NetworkConfiguration:
+              AwsVpcConfiguration:
+                AssignPublicIp: DISABLED
+                SecurityGroups:
+                  - !Ref ProwlerSecurityGroup
+                Subnets:
+                  - !Ref ProwlerScheduledSubnet1
+                  - !Ref ProwlerScheduledSubnet2
--- a/util/multi-account-securityhub/templates/CF-Prowler-IAM.yml
+++ b/util/multi-account-securityhub/templates/CF-Prowler-IAM.yml
@@ -0,0 +1,105 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This Template will create the IAM Roles needed for the Prowler infrastructure
+Parameters:
+  ProwlerCrossAccountRoleName:
+    Type: String
+    Description: Name of the cross account Prowler IAM Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerXA-Role
+  ECSExecutionRoleName:
+    Type: String
+    Description: Name for the ECS Task Execution Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ECSTaskExecution-Role
+  ProwlerTaskRoleName:
+    Type: String
+    Description: Name for the ECS Prowler Task Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerECSTask-Role
+  ECSEventRoleName:
+    Type: String
+    Description: Name for the Eventbridge Task Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerEvents-Role
+Resources:
+  ECSExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ECSExecutionRoleName
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: ECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: ecs-tasks.amazonaws.com
+          Action: sts:AssumeRole
+  ProwlerTaskRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ProwlerTaskRoleName
+      Policies:
+      - PolicyName: ProwlerAssumeRole
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Sid: AllowProwlerAssumeRole
+            Effect: Allow
+            Action: sts:AssumeRole
+            Resource:
+            - !Sub arn:aws:iam::*:role/${ProwlerCrossAccountRoleName}
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: ECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: ecs-tasks.amazonaws.com
+          Action: sts:AssumeRole
+  ECSEventRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ECSEventRoleName
+      Policies:
+      - PolicyName: AllowProwlerEventsECS
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Action:
+            - ecs:RunTask
+            Resource:
+            - "*"
+            Sid: EventRunECS
+          - Effect: Allow
+            Action: iam:PassRole
+            Resource:
+            - "*"
+            Sid: EventPassRole
+            Condition:
+              StringLike:
+                iam:PassedToService: ecs-tasks.amazonaws.com
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: EventsECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: events.amazonaws.com
+          Action: sts:AssumeRole
+Outputs:
+  ECSExecutionRoleARN:
+    Description: ARN of the ECS Task Execution Role
+    Value: !GetAtt ECSExecutionRole.Arn
+  ProwlerTaskRoleARN:
+    Description: ARN of the ECS Prowler Task Role
+    Value: !GetAtt ProwlerTaskRole.Arn
+  ECSEventRoleARN:
+    Description: ARN of the Eventbridge Task Role
+    Value: !GetAtt ECSEventRole.Arn