feat(allowlist): AWS Lambda function support (#1793)

2026-02-10 14:55:00 +00:00 · 2023-01-30 11:30:29 +01:00
parent 35d6b8bbc6
commit cb7439a831
3 changed files with 44 additions and 1 deletions
--- a/docs/tutorials/allowlist.md
+++ b/docs/tutorials/allowlist.md
@@ -74,3 +74,35 @@ prowler aws -w arn:aws:dynamodb:<region_name>:<account_id>:table/<table_name>
 <img src="../img/allowlist-row.png"/>

 > Make sure that the used AWS credentials have `dynamodb:PartiQLSelect` permissions in the table.
+
+### AWS Lambda ARN
+
+You will need to pass the AWS Lambda Function ARN:
+
+```
+prowler aws -w arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
+```
+
+Make sure that the credentials that Prowler uses can invoke the Lambda Function:
+
+```
+- PolicyName: GetAllowList
+  PolicyDocument:
+    Version: '2012-10-17'
+    Statement:
+      - Action: 'lambda:InvokeFunction'
+        Effect: Allow
+        Resource: arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
+```
+
+The Lambda Function can then generate an Allowlist dynamically. Here is the code an example Python Lambda Function that
+generates an Allowlist:
+
+```
+def handler(event, context):
+  checks = {}
+  checks["vpc_flow_logs_enabled"] = { "Regions": [ "*" ], "Resources": [ "" ] }
+
+  al = { "Allowlist": { "Accounts": { "*": { "Checks": checks } } } }
+  return al
+```