From 41085049e28b9376aaa1f2a4f6521ff71d499b1b Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Wed, 25 Oct 2023 13:58:59 +0200
Subject: [PATCH] chore(docs): add STS Endpoint and Allowlist updates (#2964)

---
 docs/tutorials/allowlist.md           | 8 ++++----
 docs/tutorials/aws/role-assumption.md | 4 ++++
 prowler/config/aws_allowlist.yaml     | 8 +++-----
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/docs/tutorials/allowlist.md b/docs/tutorials/allowlist.md
index 0158e0f1..900da86f 100644
--- a/docs/tutorials/allowlist.md
+++ b/docs/tutorials/allowlist.md
@@ -82,11 +82,11 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
             Tags:
               - "environment=prod" # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
 
-## AWS Control Tower Allowlist
-When using Control Tower, guardrails prevent access to certain protected resources. Prowler has an allowlist that ensures that warnings instead of errors are reported for all resources created by AWS Control Tower when setting up a landing zone.
-You can execute Prowler with the AWS Control Tower allowlist using the following command:
+## Default AWS Allowlist
+Prowler provides you a Default AWS Allowlist with the AWS Resources that should be allowlisted such as all resources created by AWS Control Tower when setting up a landing zone.
+You can execute Prowler with this allowlist using the following command:
 ```sh
-prowler aws --allowlist prowler/config/aws_controltower_allowlist.yaml
+prowler aws --allowlist prowler/config/aws_allowlist.yaml
 ```
 
 ## Supported Allowlist Locations
diff --git a/docs/tutorials/aws/role-assumption.md b/docs/tutorials/aws/role-assumption.md
index 834b2ee3..977868c1 100644
--- a/docs/tutorials/aws/role-assumption.md
+++ b/docs/tutorials/aws/role-assumption.md
@@ -27,6 +27,10 @@ prowler aws -T/--session-duration -I/--external-id -R ar
 
 If you are using Prowler in AWS regions that are not enabled by default you need to use the argument `--sts-endpoint-region` to point the AWS STS API calls `assume-role` and `get-caller-identity` to the non-default region, e.g.: `prowler aws --sts-endpoint-region eu-south-2`.
 
+> Since v3.11.0, Prowler uses a regional token in STS sessions so it can scan all AWS regions without needing the `--sts-endpoint-region` argument.
+
+> Make sure that you have enabled the AWS Region you want to scan in BOTH AWS Accounts (assumed role account and account from which you assume the role).
+
 ## Role MFA
 If your IAM Role has MFA configured you can use `--mfa` along with `-R`/`--role ` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided:
 
diff --git a/prowler/config/aws_allowlist.yaml b/prowler/config/aws_allowlist.yaml
index 65af6111..6ba4dc9f 100644
--- a/prowler/config/aws_allowlist.yaml
+++ b/prowler/config/aws_allowlist.yaml
@@ -1,11 +1,9 @@
-# When using Control Tower, guardrails prevent access to certain protected resources.
-# The allowlist below ensures that warnings instead of errors are reported for the affected resources.
-# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
-########################### CONTROL TOWER ALLOWLIST ###########################
-### The following file includes all resources created by AWS Control Tower ###
 Allowlist:
   Accounts:
     "*":
+      ########################### AWS CONTROL TOWER ###########################
+      ### The following entries includes all resources created by AWS Control Tower when setting up a landing zone ###
+      # https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
       # Checks:
         "cloudwatch_log_group_*":
           Regions:
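Review bot: The three added comment lines drop the one sentence from the removed header that told the reader what these entries do — that findings for the matching resources are reported as warnings instead of errors — so the file now documents where the resources come from but not the effect of allowlisting them; I would keep it, e.g. `# Findings on the resources below are reported as warnings instead of errors when this allowlist is used.` directly above the URL line. The second added line also has a grammar slip, `entries includes`; it should read `### The following entries include all resources created by AWS Control Tower when setting up a landing zone ###`. Since these entries sit under the account wildcard `"*"` and the allowlist.md hunk in this same commit now presents the file as the default allowlist, the comment block could also state that they apply to every scanned account, so anyone reviewing the suppressions sees their scope at a glance. The entries under `"*"` continue past the end of the hunk.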