diff --git a/README.md b/README.md
index 8743e53e..c58689ba 100644
--- a/README.md
+++ b/README.md
@@ -267,7 +267,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
 -f specify an AWS region to run checks against (i.e.: us-west-1)
 -m specify the maximum number of items to return for long-running requests (default: 100)
- -M output mode: text (default), mono, json, json-asff, junit-xml, csv. They can be used combined comma separated.
+ -M output mode: text (default), mono, html, json, json-asff, junit-xml, csv. They can be used combined comma separated. (separator is ,; data is on stdout; progress on stderr).
 -k keep the credential report
 -n show check numbers to sort easier
@@ -298,7 +298,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
 ### Assume Role:
-Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account.
+Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account. To create a role to assume in multiple accounts easier eather as CFN Stack or StackSet, look at [this CloudFormation template](iam/create_role_to_assume_cfn.yaml) and adapt it.
 ```sh
 ./prowler -A 123456789012 -R ProwlerRole
diff --git a/groups/group19_eks-cis b/groups/group19_eks-cis
new file mode 100644
index 00000000..6194457a
--- /dev/null
+++ b/groups/group19_eks-cis
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see .
+
+GROUP_ID[19]='eks-cis'
+GROUP_NUMBER[19]='19.0'
+GROUP_TITLE[19]='CIS EKS Benchmark *****************************************'
+GROUP_RUN_BY_DEFAULT[19]='N' # run it when execute_all is called
+GROUP_CHECKS[19]='extra765,extra794,extra795,extra796,extra797'
diff --git a/groups/group7_extras b/groups/group7_extras
index 34b4c0a7..f490879a 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
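Review bot: The inline comment on `GROUP_RUN_BY_DEFAULT[19]='N'` says `# run it when execute_all is called`, which is the opposite of what 'N' means here; it looks copied from the other group files, where the value is 'Y' (group7_extras in this same commit carries the identical comment next to 'Y'). Suggest `GROUP_RUN_BY_DEFAULT[19]='N' # excluded from execute_all; select explicitly with -g eks-cis`. A one-line comment above `GROUP_CHECKS[19]` naming what extra765 and extra794-extra797 cover would also help, since the group title is the only description this file gives. The license line `# work. If not, see .` appears to have lost its link; worth confirming against the other group headers before merge.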
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`
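Review bot: The four ids appended to `GROUP_CHECKS[7]` (extra794-extra797) are the same ones the new group19_eks-cis file lists as the CIS EKS benchmark, but nothing in this file records that relationship, and the trailing comment only documents why 759/760 are excluded. Suggest a comment next to the existing ones: `# Extras 794-797 are the CIS EKS checks; they are also available as -g eks-cis`. Because `GROUP_RUN_BY_DEFAULT[7]='Y'`, the default run now includes these EKS checks while the dedicated group is opt-in, which is presumably intended but worth stating explicitly so the two lists are kept in sync when more EKS checks are added.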
diff --git a/prowler b/prowler
index 7ffe651f..45d52f6a 100755
--- a/prowler
+++ b/prowler
@@ -67,7 +67,7 @@ USAGE:
 -f specify an AWS region to run checks against (i.e.: us-west-1)
 -m specify the maximum number of items to return for long-running requests (default: 100)
- -M output mode: text (default), mono, json, json-asff, junit-xml, csv. They can be used combined comma separated.
+ -M output mode: text (default), mono, html, json, json-asff, junit-xml, csv. They can be used combined comma separated. (separator is ","; data is on stdout; progress on stderr).
 -k keep the credential report
 -n show check numbers to sort easier
@@ -564,4 +564,4 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
 unset AWS_SESSION_TOKEN
 fi
-exit $EXITCODE
\ No newline at end of file
+exit $EXITCODE
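Review bot: The new `-M` help line in the prowler usage text and the one added to README.md in the same commit disagree on the separator phrasing: here it is `(separator is ","; data is on stdout; progress on stderr)` while the README hunk reads `(separator is ,; data is on stdout; progress on stderr)`, where the bare comma reads as a typo. Suggest using the quoted form `","` in both places so the help text and the README stay word-for-word identical. The second hunk only restores the missing trailing newline after `exit $EXITCODE` and needs no change.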