Updated Patterns, Defaults, Tags, BucketPolicy

This commit is contained in:
Julio Delgado Jr
2020-05-03 11:43:50 -04:00
parent ac5212990a
commit 29378a1339


@@ -9,13 +9,16 @@ Parameters:
This is used to restrict permissions to least privilege. This is used to restrict permissions to least privilege.
AllowedPattern: ^o-[a-z0-9]{10,32}$ AllowedPattern: ^o-[a-z0-9]{10,32}$
ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters. ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
Default: o-nbfb46ay7u Default: o-abcde12345
# Default: o-abcde12345
S3Prefix: S3Prefix:
Type: String Type: String
Description: > Description: >
Enter S3 Bucket Name Prefix (in lowercase). Enter S3 Bucket Name Prefix (in lowercase).
Bucket will be named: prefix-accountid-region Bucket will be named: prefix-awsaccount-awsregion (i.e., prowler-123456789012-us-east-1)
AllowedPattern: ^[a-z0-9][a-z0-9-]{1,33}[a-z0-9]$
ConstraintDescription: >
Max 35 characters, as "-awsaccount-awsregion" will be added, and max name is 63 characters.
Can't start or end with dash. Can use numbers and lowercase letters.
Default: prowler Default: prowler
Resources: Resources:
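Review bot: The ConstraintDescription for AwsOrgId no longer matches its AllowedPattern: the pattern `^o-[a-z0-9]{10,32}$` accepts 10 to 32 characters after `o-`, while the description still says "12 character string ... followed by 10 lower case alphanumeric characters"; align one with the other so a rejected input gets an accurate message. The new `Default: o-abcde12345` is also a placeholder rather than a real organization id, so a stack deployed without overriding it gets a bucket policy whose `aws:PrincipalOrgId` condition matches nothing; consider dropping the default so the parameter is required, or stating in the Description that it must be replaced.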
@@ -35,6 +38,9 @@ Resources:
RestrictPublicBuckets: True RestrictPublicBuckets: True
VersioningConfiguration: VersioningConfiguration:
Status: Enabled Status: Enabled
Tags:
- Key: App
Value: Prowler
Metadata: Metadata:
cfn_nag: cfn_nag:
rules_to_suppress: rules_to_suppress:
@@ -60,12 +66,36 @@ Resources:
Condition: Condition:
StringEquals: StringEquals:
aws:PrincipalOrgId: !Ref AwsOrgId aws:PrincipalOrgId: !Ref AwsOrgId
- Sid: DenyNonSSLRequests
Effect: Deny
Action: s3:*
Resource:
- !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
- !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
- Sid: DenyIncorrectEncryptionHeader
Effect: Deny
Principal: "*"
Action: s3:PutObject
Resource:
- !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
# Allow uploads with No Encryption, as S3 Default Encryption still applies.
# If Encryption is set, only allow uploads with AES256.
Condition:
"Null":
s3:x-amz-server-side-encryption: false
StringNotEquals:
s3:x-amz-server-side-encryption: AES256
Metadata: Metadata:
cfn_nag: cfn_nag:
rules_to_suppress: rules_to_suppress:
- id: F16 - id: F16
reason: "This S3 Bucket Policy has a condition that only allows access to the AWS Organization." reason: "This S3 Bucket Policy has a condition that only allows access to the AWS Organization."
Outputs: Outputs:
ProwlerS3: ProwlerS3:
Description: S3 Bucket for Prowler Reports Description: S3 Bucket for Prowler Reports
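Review bot: The cfn_nag F16 suppression reason under Metadata still says the policy "only allows access to the AWS Organization", but this hunk adds two Deny statements with `Principal: "*"` (DenyNonSSLRequests and DenyIncorrectEncryptionHeader) that the same rule will flag; update the reason to say the wildcard principal is intentional on the Deny statements. Two smaller points: `"Null"` is quoted to keep YAML from reading it as a null key, yet the condition values `aws:SecureTransport: false` and `s3:x-amz-server-side-encryption: false` are left as unquoted YAML booleans, so quoting them as `"false"` would match the string form shown in the IAM documentation for Bool and Null operators; and the DenyIncorrectEncryptionHeader statement rejects SSE-KMS uploads (only `AES256` passes the StringNotEquals check), which is worth stating in the comment above it so users who expect KMS-encrypted reports are not surprised.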