Fix (extra7148 and add action #1017 (#1021)

Toni de la Fuente
2022-02-04 11:58:22 -05:00
committed by GitHub
parent 679414418e
commit 1d409d04f2
7 changed files with 13 additions and 3 deletions


@@ -33,7 +33,11 @@ extra7148() {
if [[ $LIST_OF_EFS_SYSTEMS ]]; then if [[ $LIST_OF_EFS_SYSTEMS ]]; then
for filesystem in $LIST_OF_EFS_SYSTEMS; do for filesystem in $LIST_OF_EFS_SYSTEMS; do
# if retention is 0 then is disabled # if retention is 0 then is disabled
BACKUP_POLICY=$($AWSCLI efs describe-backup-policy $PROFILE_OPT --region $regx --file-system-id $filesystem --query BackupPolicy --output text) BACKUP_POLICY=$($AWSCLI efs describe-backup-policy $PROFILE_OPT --region $regx --file-system-id $filesystem --query BackupPolicy --output text 2>&1)
if [[ $(echo "$BACKUP_POLICY" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
textInfo "$regx: Access Denied trying to describe backup policy" "$regx"
continue
fi
if [[ $BACKUP_POLICY == "DISABLED" ]]; then if [[ $BACKUP_POLICY == "DISABLED" ]]; then
textFail "$regx: File system $filesystem does not have backup enabled!" "$regx" "$filesystem" textFail "$regx: File system $filesystem does not have backup enabled!" "$regx" "$filesystem"
else else
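Review bot: Any CLI error other than the three access-denied strings still reaches the `DISABLED` comparison, because `2>&1` now puts the error text into `BACKUP_POLICY`; a throttling or endpoint error, or what looks like a policy-not-found response, would not equal `DISABLED` and would take the `else` branch, whose body is outside this hunk and presumably reports a pass. For a backup check that is a fail-open result. I would add a second guard after the access-denied one, `if grep -q 'An error occurred' <<< "$BACKUP_POLICY"; then textInfo "$regx: Error describing backup policy for $filesystem" "$regx"; continue; fi`, or only pass when the value is exactly `ENABLED`. The access-denied message would also be easier to act on if it named `$filesystem`.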


@@ -67,4 +67,5 @@ Resources:
- 's3:GetAccountPublicAccessBlock' - 's3:GetAccountPublicAccessBlock'
- 'shield:GetSubscriptionState' - 'shield:GetSubscriptionState'
- 'shield:DescribeProtection' - 'shield:DescribeProtection'
- 'elasticfilesystem:DescribeBackupPolicy'
Resource: '*' Resource: '*'


@@ -14,7 +14,8 @@
"glue:SearchTables", "glue:SearchTables",
"s3:GetAccountPublicAccessBlock", "s3:GetAccountPublicAccessBlock",
"shield:GetSubscriptionState", "shield:GetSubscriptionState",
"shield:DescribeProtection" "shield:DescribeProtection",
"elasticfilesystem:DescribeBackupPolicy"
], ],
"Resource": "*", "Resource": "*",
"Effect": "Allow", "Effect": "Allow",


@@ -196,6 +196,7 @@ Resources:
- s3:GetAccountPublicAccessBlock - s3:GetAccountPublicAccessBlock
- shield:GetSubscriptionState - shield:GetSubscriptionState
- shield:DescribeProtection - shield:DescribeProtection
- elasticfilesystem:DescribeBackupPolicy
Effect: Allow Effect: Allow
Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog' Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- PolicyName: CodeBuild - PolicyName: CodeBuild
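Review bot: The new `elasticfilesystem:DescribeBackupPolicy` entry appears to sit in a statement whose `Resource` is the Glue catalog ARN (the `Resource: !Sub` line directly after the action list), so it would not match any EFS file system and the call would still be denied under this role. The statement begins outside the hunk, so the scoping needs confirming; if it is as shown, the action belongs in a statement with `Resource: '*'`, as in the two policy files earlier in this commit. The Terraform hunk for `prowler_kickstarter_iam_policy` has the same shape, with a Glue catalog `Resource =` line following the list. With the new handling in extra7148 the symptom would be an "Access Denied trying to describe backup policy" info line instead of a pass or fail result.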


@@ -98,6 +98,7 @@ Resources:
- tag:GetTagKeys - tag:GetTagKeys
- shield:GetSubscriptionState - shield:GetSubscriptionState
- shield:DescribeProtection - shield:DescribeProtection
- elasticfilesystem:DescribeBackupPolicy
- PolicyName: Prowler-S3-Reports - PolicyName: Prowler-S3-Reports
PolicyDocument: PolicyDocument:
Version: 2012-10-17 Version: 2012-10-17


@@ -99,6 +99,7 @@ Resources:
- tag:GetTagKeys - tag:GetTagKeys
- shield:GetSubscriptionState - shield:GetSubscriptionState
- shield:DescribeProtection - shield:DescribeProtection
- elasticfilesystem:DescribeBackupPolicy
- PolicyName: Prowler-S3-Reports - PolicyName: Prowler-S3-Reports
PolicyDocument: PolicyDocument:
Version: 2012-10-17 Version: 2012-10-17


@@ -322,7 +322,8 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
"glue:SearchTables", "glue:SearchTables",
"s3:GetAccountPublicAccessBlock", "s3:GetAccountPublicAccessBlock",
"shield:GetSubscriptionState", "shield:GetSubscriptionState",
"shield:DescribeProtection" "shield:DescribeProtection",
"elasticfilesystem:DescribeBackupPolicy"
] ]
Effect = "Allow" Effect = "Allow"
Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog" Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"