mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
New folder structure phase 1
This commit is contained in:
Toni de la Fuente
@@ -0,0 +1,214 @@
|
||||
---
|
||||
AWSTemplateFormatVersion: 2010-09-09
|
||||
Description: Creates a CodeBuild project to audit an AWS account with Prowler and stores the html report in a S3 bucket.
|
||||
Parameters:
|
||||
AwsOrgId:
|
||||
Type: String
|
||||
Description: Enter AWS Organizations ID
|
||||
AllowedPattern: ^o-[a-z0-9]{10,32}$
|
||||
ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
|
||||
Default: o-itdezkbz6h
|
||||
CodeBuildRole:
|
||||
Description: Enter Name for CodeBuild Role to create
|
||||
Type: String
|
||||
AllowedPattern: ^[\w+=,.@-]{1,64}$
|
||||
ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
|
||||
Default: ProwlerCodeBuild-Role
|
||||
CodeBuildSourceS3:
|
||||
Type: String
|
||||
Description: Enter like <bucket-name>/<path>/<object-name>.zip
|
||||
ConstraintDescription: Max 63 characters. Can't start or end with dash. Can use numbers and lowercase letters.
|
||||
Default: prowler-util-411267690458-ap-northeast-2/run-prowler-reports.sh.zip
|
||||
ProwlerReportS3:
|
||||
Type: String
|
||||
Description: Enter S3 Bucket for Prowler Reports. prefix-awsaccount-awsregion
|
||||
AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
|
||||
ConstraintDescription: Max 63 characters. Can't start or end with dash. Can use numbers and lowercase letters.
|
||||
Default: prowler-954896828174-ap-northeast-2
|
||||
ProwlerReportS3Account:
|
||||
Type: String
|
||||
Description: Enter AWS Account Number where Prowler S3 Bucket resides.
|
||||
AllowedPattern: ^\d{12}$
|
||||
ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
|
||||
Default: 954896828174
|
||||
CrossAccountRole:
|
||||
Type: String
|
||||
Description: Enter CrossAccount Role Prowler will be using to assess AWS Accounts in the AWS Organization. (ProwlerCrossAccountRole)
|
||||
AllowedPattern: ^[\w+=,.@-]{1,64}$
|
||||
ConstraintDescription: Max 64 alphanumeric characters. Also special characters [+, =, ., @, -]
|
||||
Default: ProwlerXA-CBRole
|
||||
ProwlerReportFormat:
|
||||
Type: String
|
||||
Description: Enter Prowler Option like html, csv, json
|
||||
Default: html
|
||||
|
||||
Resources:
|
||||
ProwlerCodeBuildRole:
|
||||
Type: AWS::IAM::Role
|
||||
Properties:
|
||||
Description: Prowler CodeBuild Role
|
||||
RoleName: !Ref CodeBuildRole
|
||||
Tags:
|
||||
- Key: App
|
||||
Value: Prowler
|
||||
AssumeRolePolicyDocument:
|
||||
Version: 2012-10-17
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Principal:
|
||||
Service:
|
||||
- codebuild.amazonaws.com
|
||||
Action:
|
||||
- sts:AssumeRole
|
||||
Policies:
|
||||
- PolicyName: Prowler-S3
|
||||
PolicyDocument:
|
||||
Version: 2012-10-17
|
||||
Statement:
|
||||
- Sid: AllowGetPutListObject
|
||||
Effect: Allow
|
||||
Resource:
|
||||
- !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}
|
||||
- !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}/*
|
||||
Action:
|
||||
- s3:GetObject
|
||||
- s3:PutObject
|
||||
- s3:ListBucket
|
||||
- s3:PutObjectAcl
|
||||
- Sid: AllowReadOnlyS3Access
|
||||
Effect: Allow
|
||||
Resource: "*"
|
||||
Action:
|
||||
- "s3:Get*"
|
||||
- "s3:List*"
|
||||
- PolicyName: Prowler-CrossAccount-AssumeRole
|
||||
PolicyDocument:
|
||||
Version: 2012-10-17
|
||||
Statement:
|
||||
- Sid: AllowStsAssumeRole
|
||||
Effect: Allow
|
||||
Resource: !Sub arn:${AWS::Partition}:iam::*:role/${CrossAccountRole}
|
||||
Action: sts:AssumeRole
|
||||
Condition:
|
||||
StringEquals:
|
||||
aws:PrincipalOrgId: !Ref AwsOrgId
|
||||
- PolicyName: Prowler-CloudWatch
|
||||
PolicyDocument:
|
||||
Version: 2012-10-17
|
||||
Statement:
|
||||
- Sid: AllowCreateLogs
|
||||
Effect: Allow
|
||||
Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*
|
||||
Action:
|
||||
- logs:CreateLogGroup
|
||||
- logs:CreateLogStream
|
||||
- Sid: AllowPutevent
|
||||
Effect: Allow
|
||||
Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*:log-stream:*
|
||||
Action:
|
||||
- logs:PutLogEvents
|
||||
|
||||
ProwlerCodeBuild:
|
||||
Type: AWS::CodeBuild::Project
|
||||
Properties:
|
||||
Artifacts:
|
||||
Type: NO_ARTIFACTS
|
||||
Source:
|
||||
Type: S3
|
||||
Location: !Ref CodeBuildSourceS3
|
||||
BuildSpec: |
|
||||
version: 0.2
|
||||
phases:
|
||||
install:
|
||||
runtime-versions:
|
||||
python: 3.8
|
||||
commands:
|
||||
- echo "Updating yum ..."
|
||||
- yum -y update --skip-broken
|
||||
- echo "Updating pip ..."
|
||||
- python -m pip install --upgrade pip
|
||||
- echo "Installing requirements ..."
|
||||
- pip install "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
|
||||
build:
|
||||
commands:
|
||||
- echo "Running Prowler with script"
|
||||
- chmod +x run-prowler-reports.sh
|
||||
- ./run-prowler-reports.sh
|
||||
post_build:
|
||||
commands:
|
||||
- echo "Done!"
|
||||
Environment:
|
||||
# AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
|
||||
# BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
|
||||
# BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
|
||||
# BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
|
||||
# BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
|
||||
ComputeType: "BUILD_GENERAL1_SMALL"
|
||||
Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
|
||||
Type: "LINUX_CONTAINER"
|
||||
EnvironmentVariables:
|
||||
- Name: "S3"
|
||||
Value: !Sub s3://${ProwlerReportS3}
|
||||
Type: PLAINTEXT
|
||||
- Name: "S3ACCOUNT"
|
||||
Value: !Ref ProwlerReportS3Account
|
||||
Type: PLAINTEXT
|
||||
- Name: "ROLE"
|
||||
Value: !Ref CrossAccountRole
|
||||
Type: PLAINTEXT
|
||||
- Name: "FORMAT"
|
||||
Value: !Ref ProwlerReportFormat
|
||||
Type: PLAINTEXT
|
||||
Description: Run Prowler assessment
|
||||
ServiceRole: !GetAtt ProwlerCodeBuildRole.Arn
|
||||
TimeoutInMinutes: 300
|
||||
|
||||
ProwlerCWRuleRole:
|
||||
Type: AWS::IAM::Role
|
||||
Properties:
|
||||
AssumeRolePolicyDocument:
|
||||
Version: 2012-10-17
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Principal:
|
||||
Service:
|
||||
- events.amazonaws.com
|
||||
Action:
|
||||
- sts:AssumeRole
|
||||
Description: ProwlerCWRuleRole
|
||||
RoleName: ProwlerCWRule-Role
|
||||
Policies:
|
||||
- PolicyName: Rule-Events
|
||||
PolicyDocument:
|
||||
Version: 2012-10-17
|
||||
Statement:
|
||||
- Sid: AWSEventInvokeCodeBuild
|
||||
Effect: Allow
|
||||
Resource: "*"
|
||||
Action:
|
||||
- codebuild:StartBuild
|
||||
|
||||
ProwlerRule:
|
||||
Type: AWS::Events::Rule
|
||||
Properties:
|
||||
Description: This rule will trigger CodeBuild to audit AWS Accounts in my Organization with Prowler
|
||||
ScheduleExpression: cron(0 21 * * ? *)
|
||||
RoleArn: !GetAtt ProwlerCWRuleRole.Arn
|
||||
Name: ProwlerExecuteRule
|
||||
State: ENABLED
|
||||
Targets:
|
||||
- Arn: !Sub ${ProwlerCodeBuild.Arn}
|
||||
Id: Prowler-CodeBuild-Target
|
||||
RoleArn: !GetAtt ProwlerCWRuleRole.Arn
|
||||
|
||||
|
||||
Outputs:
|
||||
ProwlerEc2Account:
|
||||
Description: AWS Account Number where Prowler EC2 Instance resides.
|
||||
Value: !Ref AWS::AccountId
|
||||
ProwlerCodeBuildRole:
|
||||
Description: Instance Role given to the Prowler EC2 Instance (needed to grant sts:AssumeRole rights).
|
||||
Value: !Ref ProwlerCodeBuildRole
|
||||
ProwlerReportS3:
|
||||
Description: S3 Bucket for Prowler Reports
|
||||
Value: !Ref ProwlerReportS3
|
||||
Reference in New Issue
Block a user