feat(allowlist): AWS Lambda function support (#1793)

docs/tutorials/allowlist.md

@@ -74,3 +74,35 @@ prowler aws -w arn:aws:dynamodb:<region_name>:<account_id>:table/<table_name>
 <img src="../img/allowlist-row.png"/>
 
 > Make sure that the used AWS credentials have `dynamodb:PartiQLSelect` permissions in the table.
+
+### AWS Lambda ARN
+
+You will need to pass the AWS Lambda Function ARN:
+
+```
+prowler aws -w arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
+```
+
+Make sure that the credentials that Prowler uses can invoke the Lambda Function:
+
+```
+- PolicyName: GetAllowList
+  PolicyDocument:
+    Version: '2012-10-17'
+    Statement:
+      - Action: 'lambda:InvokeFunction'
+        Effect: Allow
+        Resource: arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
+```
+
+The Lambda Function can then generate an Allowlist dynamically. Here is the code an example Python Lambda Function that
+generates an Allowlist:
+
+```
+def handler(event, context):
+  checks = {}
+  checks["vpc_flow_logs_enabled"] = { "Regions": [ "*" ], "Resources": [ "" ] }
+
+  al = { "Allowlist": { "Accounts": { "*": { "Checks": checks } } } }
+  return al
+```

prowler/lib/cli/parser.py

@@ -341,7 +341,7 @@ Detailed documentation at https://docs.prowler.cloud
             "--allowlist-file",
             nargs="?",
             default=None,
-            help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table ARN or S3 URI, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
+            help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
         )
 
     def __init_azure_parser__(self):

prowler/providers/aws/lib/allowlist/allowlist.py

@@ -22,6 +22,17 @@ def parse_allowlist_file(audit_info, allowlist_file):
             allowlist = yaml.safe_load(
                 s3_client.get_object(Bucket=bucket, Key=key)["Body"]
             )["Allowlist"]
+        # Check if file is a Lambda Function ARN
+        elif re.search("^arn:(\w+):lambda:", allowlist_file):
+            lambda_region = allowlist_file.split(":")[3]
+            lambda_client = audit_info.audit_session.client(
+                "lambda", region_name=lambda_region
+            )
+            lambda_response = lambda_client.invoke(
+                FunctionName=allowlist_file, InvocationType="RequestResponse"
+            )
+            lambda_payload = lambda_response["Payload"].read()
+            allowlist = yaml.safe_load(lambda_payload)["Allowlist"]
         # Check if file is a DynamoDB ARN
         elif re.search(
             r"^arn:aws(-cn|-us-gov)?:dynamodb:[a-z]{2}-[a-z-]+-[1-9]{1}:[0-9]{12}:table\/[a-zA-Z0-9._-]+$",