Updated Patterns,Defaults,Tags,BucketPolicy

2026-02-10 14:55:00 +00:00 · 2020-05-03 11:43:50 -04:00
parent ac5212990a
commit 29378a1339
1 changed files with 33 additions and 3 deletions
--- a/util/org-multi-account/ProwlerS3.yaml
+++ b/util/org-multi-account/ProwlerS3.yaml
@@ -9,13 +9,16 @@ Parameters:
      This is used to restrict permissions to least privilege.
    AllowedPattern: ^o-[a-z0-9]{10,32}$
    ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
-    Default: o-nbfb46ay7u
-    # Default: o-abcde12345
+    Default: o-abcde12345
  S3Prefix:
    Type: String
    Description: >
      Enter S3 Bucket Name Prefix (in lowercase).
-      Bucket will be named: prefix-accountid-region
+      Bucket will be named: prefix-awsaccount-awsregion (i.e., prowler-123456789012-us-east-1)
+    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,33}[a-z0-9]$
+    ConstraintDescription: >
+      Max 35 characters, as "-awsaccount-awsregion" will be added, and max name is 63 characters.
+      Can't start or end with dash.  Can use numbers and lowercase letters.
    Default: prowler

 Resources:
@@ -35,6 +38,9 @@ Resources:
        RestrictPublicBuckets: True
      VersioningConfiguration:
        Status: Enabled
+      Tags:
+        - Key: App
+          Value: Prowler
    Metadata:
      cfn_nag:
        rules_to_suppress:
@@ -60,12 +66,36 @@ Resources:
            Condition:
              StringEquals:
                aws:PrincipalOrgId: !Ref AwsOrgId
+          - Sid: DenyNonSSLRequests
+            Effect: Deny
+            Action: s3:*
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            Principal: "*"
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+          - Sid: DenyIncorrectEncryptionHeader
+            Effect: Deny
+            Principal: "*"
+            Action: s3:PutObject
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            # Allow uploads with No Encryption, as S3 Default Encryption still applies.
+            # If Encryption is set, only allow uploads with AES256.
+            Condition:
+              "Null":
+                s3:x-amz-server-side-encryption: false
+              StringNotEquals:
+                s3:x-amz-server-side-encryption: AES256
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F16
            reason: "This S3 Bucket Policy has a condition that only allows access to the AWS Organization."

+
 Outputs:
  ProwlerS3:
    Description: S3 Bucket for Prowler Reports