ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(docs): add STS Endpoint and Allowlist updates (#2964)

Browse Source
This commit is contained in:
Sergio Garcia
2023-10-25 13:58:59 +02:00
committed by GitHub
parent f7312db0c7
commit 41085049e2
3 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/tutorials/allowlist.md
View File

@@ -82,11 +82,11 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
Tags:
- "environment=prod" # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
## AWS Control Tower Allowlist
When using Control Tower, guardrails prevent access to certain protected resources. Prowler has an allowlist that ensures that warnings instead of errors are reported for all resources created by AWS Control Tower when setting up a landing zone.
You can execute Prowler with the AWS Control Tower allowlist using the following command:
## Default AWS Allowlist
Prowler provides you a Default AWS Allowlist with the AWS Resources that should be allowlisted such as all resources created by AWS Control Tower when setting up a landing zone.
You can execute Prowler with this allowlist using the following command:
```sh
prowler aws --allowlist prowler/config/aws_controltower_allowlist.yaml
prowler aws --allowlist prowler/config/aws_allowlist.yaml
```
## Supported Allowlist Locations

4
docs/tutorials/aws/role-assumption.md
View File

@@ -27,6 +27,10 @@ prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R ar
If you are using Prowler in AWS regions that are not enabled by default you need to use the argument `--sts-endpoint-region` to point the AWS STS API calls `assume-role` and `get-caller-identity` to the non-default region, e.g.: `prowler aws --sts-endpoint-region eu-south-2`.
> Since v3.11.0, Prowler uses a regional token in STS sessions so it can scan all AWS regions without needing the `--sts-endpoint-region` argument.
> Make sure that you have enabled the AWS Region you want to scan in BOTH AWS Accounts (assumed role account and account from which you assume the role).
## Role MFA
If your IAM Role has MFA configured you can use `--mfa` along with `-R`/`--role <role_arn>` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided: