From 30c3a8aa76e6f1469bc5e26185bba310064e6b8b Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Tue, 11 Jul 2017 10:48:37 -0500
Subject: [PATCH 1/6] correct typo in permission name

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 55caac6d..87dea0e6 100644
--- a/README.md
+++ b/README.md
@@ -465,7 +465,7 @@ Instead of using default policy SecurityAudit for the account you use for checks
 "redshift:describe*",
 "route53:getchange",
 "route53:getcheckeripranges",
- "route53:getgeolocations",
+ "route53:getgeolocation",
 "route53:gethealthcheck",
 "route53:gethealthcheckcount",
 "route53:gethealthchecklastfailurereason",

From 1cbedb1eb62f8e00c152196dcff74394806091c0 Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Tue, 11 Jul 2017 10:49:11 -0500
Subject: [PATCH 2/6] add incremental policy file; update readme to show use case

---
 README.md | 38 +++++++++++++++++++++++++++++++++++
 prowler-policy-additions.json | 18 +++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 prowler-policy-additions.json

diff --git a/README.md b/README.md
index 87dea0e6..670b3766 100644
--- a/README.md
+++ b/README.md
@@ -510,3 +510,41 @@ Instead of using default policy SecurityAudit for the account you use for checks
 }]
 }
 ```
+
+Alternatively, here is a policy which defines the permissions which are NOT present in the AWS Managed SecurityAudit policy. Attach both this policy and the AWS Managed SecurityAudit policy to the group and you're good to go.
+
+```
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "acm:DescribeCertificate",
+ "acm:ListCertificates",
+ "cloudwatchlogs:describeLogGroups",
+ "cloudwatchlogs:DescribeMetricFilters",
+ "es:DescribeElasticsearchDomainConfig",
+ "ses:GetIdentityVerificationAttributes",
+ "sns:ListSubscriptionsByTopic",
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+Quick bash script to set up a "prowler" IAM user and "SecurityAudit" group with the required permissions. To run the script below, you need user with administrative permissions; set the AWS_DEFAULT_PROFILE to use that account.
+
+```
+export AWS_DEFAULT_PROFILE=default
+export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
+aws iam create-group --group-name SecurityAudit
+aws iam create-policy --policy-name ProwlerAuditAdditions --policy-document file://$(pwd)/prowler-policy-additions.json
+aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
+aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerAuditAdditions
+aws iam create-user --user-name prowler
+aws iam add-user-to-group --user-name prowler --group-name SecurityAudit
+aws iam create-access-key --user-name prowler
+unset ACCOUNT_ID AWS_DEFAULT_PROFILE
+```
diff --git a/prowler-policy-additions.json b/prowler-policy-additions.json
new file mode 100644
index 00000000..643cda1a
--- /dev/null
+++ b/prowler-policy-additions.json
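Review bot: The bootstrap script in this hunk has no error handling, so a failing step does not stop it: `aws iam create-policy` is fed prowler-policy-additions.json, which as added in this same commit carries a trailing comma after `"sns:listsubscriptionsbytopic",` and is rejected as a malformed policy document (a later commit in the series fixes the comma), yet the script goes on to create the `prowler` user and mint an access key for it, leaving a credentialed user that silently lacks the advertised permissions. If the snippet is meant to be saved and run as a script, open it with `set -euo pipefail`; if it is meant to be pasted into an interactive shell, chain the commands with `&&` instead so the first failure halts the sequence. The `export ACCOUNT_ID=$(…)` form also masks the exit status of `sts get-caller-identity`; assign first with `ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)` and `export ACCOUNT_ID` on the next line, which removes the `tr -d '"'` workaround as well. `export AWS_DEFAULT_PROFILE=default` is best presented as a placeholder the reader must replace, since as written it silently runs these IAM changes against whatever account the `default` profile resolves to.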
@@ -0,0 +1,18 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "acm:describecertificate",
+ "acm:listcertificates",
+ "cloudwatchlogs:describeloggroups",
+ "cloudwatchlogs:describemetricfilters",
+ "es:describeelasticsearchdomainconfig",
+ "ses:getidentityverificationattributes",
+ "sns:listsubscriptionsbytopic",
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}

From ca012ebf764f9c6552dcec6bd6585e8601580d87 Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Tue, 11 Jul 2017 10:55:26 -0500
Subject: [PATCH 3/6] fix policy document syntax error

---
 prowler-policy-additions.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/prowler-policy-additions.json b/prowler-policy-additions.json
index 643cda1a..9104c6da 100644
--- a/prowler-policy-additions.json
+++ b/prowler-policy-additions.json
@@ -9,7 +9,7 @@
 "cloudwatchlogs:describemetricfilters",
 "es:describeelasticsearchdomainconfig",
 "ses:getidentityverificationattributes",
- "sns:listsubscriptionsbytopic",
+ "sns:listsubscriptionsbytopic"
 ],
 "Effect": "Allow",
 "Resource": "*"

From c8a2e16a1c745a5b3c171c27ed189eded21b75fd Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Tue, 11 Jul 2017 11:01:07 -0500
Subject: [PATCH 4/6] add note about saving the key material

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 670b3766..529dd007 100644
--- a/README.md
+++ b/README.md
@@ -548,3 +548,5 @@ aws iam add-user-to-group --user-name prowler --group-name SecurityAudit
 aws iam create-access-key --user-name prowler
 unset ACCOUNT_ID AWS_DEFAULT_PROFILE
 ```
+
+The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you loose it, you will need to generate a replacement.

From 02a4ab665f60769d8f9c8d5ec1a2dd8133662b58 Mon Sep 17 00:00:00 2001
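Review bot: The service prefix on `"cloudwatchlogs:describeloggroups"` and `"cloudwatchlogs:describemetricfilters"` is not the IAM prefix for CloudWatch Logs, which is `logs`; IAM stores unrecognised action strings without complaint, so these two entries will be accepted by `create-policy` and then match nothing, and whatever gap the README says this file closes for log groups and metric filters stays open with no error at attach time or at run time other than an AccessDenied from the audited API. Change them to `"logs:DescribeLogGroups",` and `"logs:DescribeMetricFilters",` (action names are case-insensitive, so the lowercase style used for the rest of the file is fine); the README's copy of this policy in the same series carries the same prefix and needs the same fix. `"Resource": "*"` is reasonable here since every entry is a read-only List/Describe call, but adding `"Sid": "ProwlerAuditAdditions"` to the statement would make the grant easier to identify when it is reviewed next to the managed SecurityAudit policy.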
From: Ben Allen
Date: Tue, 11 Jul 2017 11:02:01 -0500
Subject: [PATCH 5/6] fix policy document syntax error in README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 529dd007..c65b510e 100644
--- a/README.md
+++ b/README.md
@@ -525,7 +525,7 @@ Alternatively, here is a policy which defines the permissions which are NOT pres
 "cloudwatchlogs:DescribeMetricFilters",
 "es:DescribeElasticsearchDomainConfig",
 "ses:GetIdentityVerificationAttributes",
- "sns:ListSubscriptionsByTopic",
+ "sns:ListSubscriptionsByTopic"
 ],
 "Effect": "Allow",
 "Resource": "*"

From 118da69eb56c82b78a8943c8eee95d85f01ed6df Mon Sep 17 00:00:00 2001
From: Ben Allen
Date: Tue, 11 Jul 2017 11:08:30 -0500
Subject: [PATCH 6/6] add headings for incremental policy and bootstrap script

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index c65b510e..6a91e85b 100644
--- a/README.md
+++ b/README.md
@@ -511,6 +511,8 @@ Instead of using default policy SecurityAudit for the account you use for checks
 }
 ```
 
+### Incremental IAM Policy
+
 Alternatively, here is a policy which defines the permissions which are NOT present in the AWS Managed SecurityAudit policy. Attach both this policy and the AWS Managed SecurityAudit policy to the group and you're good to go.
 
 ```
@@ -534,6 +536,8 @@ Alternatively, here is a policy which defines the permissions which are NOT pres
 }
 ```
 
+### Bootstrap Script
+
 Quick bash script to set up a "prowler" IAM user and "SecurityAudit" group with the required permissions. To run the script below, you need user with administrative permissions; set the AWS_DEFAULT_PROFILE to use that account.
 
 ```