From a191a4eae619fa90a9dc146ac097dbcb4e7279af Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Fri, 22 Nov 2019 11:41:13 +0100
Subject: [PATCH] consolidated ProwlerReadOnlyPolicy and available json
---
 README.md | 10 ++++++----
 iam/prowler-policy-additions.json | 26 --------------------------
 2 files changed, 6 insertions(+), 30 deletions(-)
 delete mode 100644 iam/prowler-policy-additions.json
diff --git a/README.md b/README.md
index fb112c82..c313291d 100644
--- a/README.md
+++ b/README.md
@@ -275,25 +275,27 @@ Some new and specific checks require Prowler to inherit more permissions than Se
 
 [iam/prowler-policy.json](iam/prowler-policy.json)
 
-> Note: `ec2:get*` is included in ProwlerReadOnlyPolicy policy above, that includes `get-password-data`, type `aws ec2 get-password-data help` to better understand its implications.
+> Note: Action `ec2:get*` is included in "ProwlerReadOnlyPolicy" policy above, that includes `get-password-data`, type `aws ec2 get-password-data help` to better understand its implications.
 
 ### Bootstrap Script
 
-Quick bash script to set up a "prowler" IAM user and "SecurityAudit" group with the required permissions. To run the script below, you need user with administrative permissions; set the `AWS_DEFAULT_PROFILE` to use that account.
+Quick bash script to set up a "prowler" IAM user with "SecurityAudit" group with the required permissions (including "ProwlerReadOnlyPolicy"). To run the script below, you need user with administrative permissions; set the `AWS_DEFAULT_PROFILE` to use that account:
 
 ```sh
 export AWS_DEFAULT_PROFILE=default
 export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
 aws iam create-group --group-name SecurityAudit
-aws iam create-policy --policy-name ProwlerAuditAdditions --policy-document file://$(pwd)/iam/prowler-policy-additions.json
+aws iam create-policy --policy-name ProwlerReadOnlyPolicy --policy-document file://$(pwd)/iam/prowler-policy.json
 aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
-aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerAuditAdditions
+aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerReadOnlyPolicy
 aws iam create-user --user-name prowler
 aws iam add-user-to-group --user-name prowler --group-name SecurityAudit
 aws iam create-access-key --user-name prowler
 unset ACCOUNT_ID AWS_DEFAULT_PROFILE
 ```
 
+> Note: most of the actions included in the managed policy "SecurityAudit" are already in "ProwlerReadOnlyPolicy", but adding both for compatibility with future services or additions to "SecurityAudit".
+
 The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you lose it, you will need to generate a replacement.
 
 ## Extras
diff --git a/iam/prowler-policy-additions.json b/iam/prowler-policy-additions.json
deleted file mode 100644
index 49c7287c..00000000
--- a/iam/prowler-policy-additions.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "acm:describecertificate",
- "acm:listcertificates",
- "apigateway:GET",
- "cloudtrail:GetEventSelectors",
- "ec2:GetEbsEncryptionByDefault",
- "es:describeelasticsearchdomainconfig",
- "guardduty:GetDetector",
- "guardduty:ListDetectors",
- "logs:DescribeLogGroups",
- "logs:DescribeMetricFilters",
- "s3:GetEncryptionConfiguration",
- "ses:getidentityverificationattributes",
- "sns:listsubscriptionsbytopic",
- "support:*",
- "trustedadvisor:Describe*"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }
- ]
-}