mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
feat(S3_in_w_x_flags): Support S3 URIs for custom checks paths and whitelist files. (#1090)
* feat(S3_in_w_x_flags): Support S3 URIs for custom checks paths and whitelist files.
* feat(S3_in_w_x_flags): README document was updated.
* Update README.md
* Update README.md
* Update README.md
* Update README.md

Co-authored-by: Toni de la Fuente <toni@blyx.com>
Co-authored-by: Sergio Garcia Garcia
13
README.md
@@ -292,11 +292,12 @@ Prowler has two parameters related to regions: `-r` that is used query AWS servi
>Note about output formats to use with `-M`: "text" is the default one with colors, "mono" is like default one but monochrome, "csv" is comma separated values, "json" plain basic json (without comma between lines) and "json-asff" is also json with Amazon Security Finding Format that you can ship to Security Hub using `-S`.
or save your report in an S3 bucket (this only works for text or mono. For csv, json or json-asff it has to be copied afterwards):
To save your report in an S3 bucket, use `-B` to define a custom output bucket along with `-M` to define the output format that is going to be uploaded to S3:
```sh
./prowler -M mono | aws s3 cp - s3://bucket-name/prowler-report.txt
./prowler -M csv -B my-bucket/folder/
```
>In the case you do not want to use the assumed role credentials but the initial credentials to put the reports into the S3 bucket, use `-D` instead of `-B`. Make sure that the used credentials have s3:PutObject permissions in the S3 path where the reports are going to be uploaded.
When generating multiple formats and running using Docker, to retrieve the reports, bind a local directory to the container, e.g.:
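Review bot: the rewritten sentence "To save your report in an S3 bucket, use `-B` ..." silently drops the caveat from the removed line that only text or mono could be uploaded directly and that csv, json or json-asff had to be copied afterwards; if `-B` now uploads whatever `-M` selects, say so explicitly (for example "`-B` works with any output format chosen with `-M`"), otherwise keep the caveat. In addition, the new example `./prowler -M csv -B my-bucket/folder/` passes a bare bucket/prefix, while the other S3 inputs added in this change are written as `s3://bucket/prefix` URIs; state which form `-B` expects so readers do not mix the two.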
@@ -399,7 +400,10 @@ Prowler runs in GovCloud regions as well. To make sure it points to the right AP
### Custom folder for custom checks
Flag `-x /my/own/checks` will include any check in that particular directory. To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
Flag `-x /my/own/checks` will include any check in that particular directory (files must start by check). To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
S3 URIs are also supported as custom folders for custom checks, e.g. `s3://bucket/prefix/checks`. Prowler will download the folder locally and run the checks as they are called with default execution,`-c` or `-g`.
>Make sure that the used credentials have s3:GetObject permissions in the S3 path where the custom checks are located.
### Show or log only FAILs
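Review bot: "(files must start by check)" in the rewritten `-x` sentence is ungrammatical and ambiguous; suggest "(file names must start with `check`)". In the new S3 paragraph, add the missing space in "default execution,`-c` or `-g`", and document where Prowler downloads the folder to and whether it is cleaned up afterwards. Since everything under the given prefix is fetched and then executed as a check, the paragraph should also advise restricting write access to that bucket path, complementing the existing s3:GetObject note, which only covers the read side.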
@@ -488,6 +492,9 @@ Sometimes you may find resources that are intentionally configured in a certain
./prowler -w whitelist_sample.txt
```
S3 URIs are also supported as allowlist file, e.g. `s3://bucket/prefix/allowlist_sample.txt`
>Make sure that the used credentials have s3:GetObject permissions in the S3 path where the whitelist file is located.
Whitelist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
## How to fix every FAIL
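Review bot: the new sentence calls the input an "allowlist file" and uses `allowlist_sample.txt`, while the flag is `-w`, the example just above it is `whitelist_sample.txt`, the permission note below says "whitelist file" and the following paragraph says "Whitelist option"; use one term consistently (the rest of this section uses whitelist) or rename all of them together. The sentence is also missing its terminating period.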