ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(aws-orgs): Update syntax (#2703)

Browse Source
This commit is contained in:
Pepe Fagoaga
2023-08-10 12:40:17 +02:00
committed by GitHub
parent ade511df28
commit 3aba71ad2f
1 changed files with 22 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
docs/tutorials/aws/organizations.md
View File

@@ -5,14 +5,15 @@ Prowler allows you to get additional information of the scanned account in CSV a
If you have AWS Organizations Prowler can get your account details like Account Name, Email, ARN, Organization ID and Tags and you will have them next to every finding in the CSV and JSON outputs. If you have AWS Organizations Prowler can get your account details like Account Name, Email, ARN, Organization ID and Tags and you will have them next to every finding in the CSV and JSON outputs.
- In order to do that you can use the option `-O`/`--organizations-role <organizations_role_arn>`. See the following sample command: In order to do that you can use the option `-O`/`--organizations-role <organizations_role_arn>`. See the following sample command:
``` ```shell
prowler aws -O arn:aws:iam::<management_organizations_account_id>:role/<role_name> prowler aws \
-O arn:aws:iam::<management_organizations_account_id>:role/<role_name>
``` ```
> Make sure the role in your AWS Organizations management account has the permissions `organizations:ListAccounts*` and `organizations:ListTagsForResource`. > Make sure the role in your AWS Organizations management account has the permissions `organizations:ListAccounts*` and `organizations:ListTagsForResource`.
- In that command Prowler will scan the account and getting the account details from the AWS Organizations management account assuming a role and creating two reports with those details in JSON and CSV. In that command Prowler will scan the account and getting the account details from the AWS Organizations management account assuming a role and creating two reports with those details in JSON and CSV.
In the JSON output below (redacted) you can see tags coded in base64 to prevent breaking CSV or JSON due to its format: In the JSON output below (redacted) you can see tags coded in base64 to prevent breaking CSV or JSON due to its format:
@@ -34,16 +35,24 @@ ACCOUNT_DETAILS_EMAIL,ACCOUNT_DETAILS_NAME,ACCOUNT_DETAILS_ARN,ACCOUNT_DETAILS_O
If you want to run Prowler across all accounts of AWS Organizations you can do this: If you want to run Prowler across all accounts of AWS Organizations you can do this:
- First get a list of accounts that are not suspended: 1. First get a list of accounts that are not suspended:
``` ```shell
ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text) ACCOUNTS_IN_ORGS=$(aws organizations list-accounts \
``` --query "Accounts[?Status=='ACTIVE'].Id" \
--output text \
)
```
- Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check: 2. Then run Prowler to assume a role (same in all members) per each account:
``` ```shell
for accountId in $ACCOUNTS_IN_ORGS; do prowler aws -O arn:aws:iam::<management_organizations_account_id>:role/<role_name> -R arn:aws:iam::$accountId:role/<role_name>; done for accountId in $ACCOUNTS_IN_ORGS;
``` do
prowler aws \
-O arn:aws:iam::<management_organizations_account_id>:role/<role_name> \
-R arn:aws:iam::"${accountId}":role/<role_name>;
done
```
- Using the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'` > Using the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'`