feat(allowlist): AWS Lambda function support (#1793)

2026-02-10 06:45:08 +00:00 · 2023-01-30 11:30:29 +01:00
parent 35d6b8bbc6
commit cb7439a831
3 changed files with 44 additions and 1 deletions
--- a/docs/tutorials/allowlist.md
+++ b/docs/tutorials/allowlist.md
@@ -74,3 +74,35 @@ prowler aws -w arn:aws:dynamodb:<region_name>:<account_id>:table/<table_name>
 <img src="../img/allowlist-row.png"/>

 > Make sure that the used AWS credentials have `dynamodb:PartiQLSelect` permissions in the table.
+
+### AWS Lambda ARN
+
+You will need to pass the AWS Lambda Function ARN:
+
+```
+prowler aws -w arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
+```
+
+Make sure that the credentials that Prowler uses can invoke the Lambda Function:
+
+```
+- PolicyName: GetAllowList
+  PolicyDocument:
+    Version: '2012-10-17'
+    Statement:
+      - Action: 'lambda:InvokeFunction'
+        Effect: Allow
+        Resource: arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
+```
+
+The Lambda Function can then generate an Allowlist dynamically. Here is the code an example Python Lambda Function that
+generates an Allowlist:
+
+```
+def handler(event, context):
+  checks = {}
+  checks["vpc_flow_logs_enabled"] = { "Regions": [ "*" ], "Resources": [ "" ] }
+
+  al = { "Allowlist": { "Accounts": { "*": { "Checks": checks } } } }
+  return al
+```
--- a/prowler/lib/cli/parser.py
+++ b/prowler/lib/cli/parser.py
@@ -341,7 +341,7 @@ Detailed documentation at https://docs.prowler.cloud
            "--allowlist-file",
            nargs="?",
            default=None,
-            help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table ARN or S3 URI, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
+            help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
        )

    def __init_azure_parser__(self):
--- a/prowler/providers/aws/lib/allowlist/allowlist.py
+++ b/prowler/providers/aws/lib/allowlist/allowlist.py
@@ -22,6 +22,17 @@ def parse_allowlist_file(audit_info, allowlist_file):
            allowlist = yaml.safe_load(
                s3_client.get_object(Bucket=bucket, Key=key)["Body"]
            )["Allowlist"]
+        # Check if file is a Lambda Function ARN
+        elif re.search("^arn:(\w+):lambda:", allowlist_file):
+            lambda_region = allowlist_file.split(":")[3]
+            lambda_client = audit_info.audit_session.client(
+                "lambda", region_name=lambda_region
+            )
+            lambda_response = lambda_client.invoke(
+                FunctionName=allowlist_file, InvocationType="RequestResponse"
+            )
+            lambda_payload = lambda_response["Payload"].read()
+            allowlist = yaml.safe_load(lambda_payload)["Allowlist"]
        # Check if file is a DynamoDB ARN
        elif re.search(
            r"^arn:aws(-cn|-us-gov)?:dynamodb:[a-z]{2}-[a-z-]+-[1-9]{1}:[0-9]{12}:table\/[a-zA-Z0-9._-]+$",