ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

consolidated ProwlerReadOnlyPolicy and available json

Browse Source
This commit is contained in:
Toni de la Fuente
2019-11-22 11:29:16 +01:00
parent ab5ed2c527
commit ce7e07d66d
2 changed files with 332 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

143
README.md
View File

@@ -271,148 +271,11 @@ There are some helpfull tools to save time in this process like [aws-mfa-script]
### Custom IAM Policy
Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list, not change!) here you go a good example for a "ProwlerPolicyReadOnly":
Some new and specific checks require Prowler to inherit more permissions than SecurityAudit to work properly. Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list and additional services mostly). Here you go a good example for a "ProwlerReadOnlyPolicy":
```json
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"acm:describecertificate",
"acm:listcertificates",
"apigateway:get",
"autoscaling:describe*",
"cloudformation:describestack*",
"cloudformation:getstackpolicy",
"cloudformation:gettemplate",
"cloudformation:liststack*",
"cloudfront:get*",
"cloudfront:list*",
"cloudtrail:describetrails",
"cloudtrail:geteventselectors",
"cloudtrail:gettrailstatus",
"cloudtrail:listtags",
"cloudwatch:describe*",
"codecommit:batchgetrepositories",
"codecommit:getbranch",
"codecommit:getobjectidentifier",
"codecommit:getrepository",
"codecommit:list*",
"codedeploy:batch*",
"codedeploy:get*",
"codedeploy:list*",
"config:deliver*",
"config:describe*",
"config:get*",
"datapipeline:describeobjects",
"datapipeline:describepipelines",
"datapipeline:evaluateexpression",
"datapipeline:getpipelinedefinition",
"datapipeline:listpipelines",
"datapipeline:queryobjects",
"datapipeline:validatepipelinedefinition",
"directconnect:describe*",
"dynamodb:listtables",
"ec2:describe*",
"ec2:GetEbsEncryptionByDefault",
"ecr:describe*",
"ecs:describe*",
"ecs:list*",
"elasticache:describe*",
"elasticbeanstalk:describe*",
"elasticloadbalancing:describe*",
"elasticmapreduce:describejobflows",
"elasticmapreduce:listclusters",
"es:describeelasticsearchdomainconfig",
"es:listdomainnames",
"firehose:describe*",
"firehose:list*",
"glacier:listvaults",
"guardduty:GetDetector",
"guardduty:listdetectors",
"iam:generatecredentialreport",
"iam:get*",
"iam:list*",
"kms:describe*",
"kms:get*",
"kms:list*",
"lambda:getpolicy",
"lambda:listfunctions",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"rds:describe*",
"rds:downloaddblogfileportion",
"rds:listtagsforresource",
"redshift:describe*",
"route53domains:getdomaindetail",
"route53domains:getoperationdetail",
"route53domains:listdomains",
"route53domains:listoperations",
"route53domains:listtagsfordomain",
"route53:getchange",
"route53:getcheckeripranges",
"route53:getgeolocation",
"route53:gethealthcheck",
"route53:gethealthcheckcount",
"route53:gethealthchecklastfailurereason",
"route53:gethostedzone",
"route53:gethostedzonecount",
"route53:getreusabledelegationset",
"route53:listgeolocations",
"route53:listhealthchecks",
"route53:listhostedzones",
"route53:listhostedzonesbyname",
"route53:listqueryloggingconfigs",
"route53:listresourcerecordsets",
"route53:listreusabledelegationsets",
"route53:listtagsforresource",
"route53:listtagsforresources",
"s3:getbucket*",
"s3:GetEncryptionConfiguration",
"s3:getlifecycleconfiguration",
"s3:getobjectacl",
"s3:getobjectversionacl",
"s3:listallmybuckets",
"sdb:domainmetadata",
"sdb:listdomains",
"ses:getidentitydkimattributes",
"ses:getidentityverificationattributes",
"ses:listidentities",
"ses:listverifiedemailaddresses",
"ses:sendemail",
"sns:gettopicattributes",
"sns:listsubscriptionsbytopic",
"sns:listtopics",
"sqs:getqueueattributes",
"sqs:listqueues",
"support:describetrustedadvisorchecks",
"tag:getresources",
"tag:gettagkeys"
],
"Effect": "Allow",
"Resource": "*"
}]
}
```
[iam/prowler-policy.json](iam/prowler-policy.json)
### Incremental IAM Policy
Alternatively, here is a policy which defines the permissions which are NOT present in the AWS Managed SecurityAudit policy. Attach both this policy and the [AWS Managed SecurityAudit policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/SecurityAudit$jsonEditor) to the group and you're good to go.
```sh
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"support:DescribeTrustedAdvisorChecks"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
> Note: `ec2:get*` is included in ProwlerReadOnlyPolicy policy above, that includes `get-password-data`, type `aws ec2 get-password-data help` to better understand its implications.
### Bootstrap Script

329
iam/prowler-policy.json Normal file
View File

@@ -0,0 +1,329 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"acm:describe*",
"acm:list*",
"apigateway:get*",
"apigatewayv2:get*",
"application-autoscaling:describe*",
"appmesh:describe*",
"appmesh:list*",
"appsync:list*",
"athena:list*",
"autoscaling:describe*",
"aws-marketplace:viewsubscriptions",
"batch:describecomputeenvironments",
"batch:describejobdefinitions",
"batch:listjobs",
"chime:list*",
"cloud9:describe*",
"cloud9:listenvironments",
"clouddirectory:listappliedschemaarns",
"clouddirectory:listdevelopmentschemaarns",
"clouddirectory:listdirectories",
"clouddirectory:listpublishedschemaarns",
"cloudformation:describestack*",
"cloudformation:getstackpolicy",
"cloudformation:gettemplate",
"cloudformation:list*",
"cloudfront:get*",
"cloudfront:list*",
"cloudhsm:listavailablezones",
"cloudhsm:listhapgs",
"cloudhsm:listhsms",
"cloudhsm:listlunaclients",
"cloudsearch:describedomains",
"cloudsearch:describeserviceaccesspolicies",
"cloudsearch:list*",
"cloudtrail:describetrails",
"cloudtrail:geteventselectors",
"cloudtrail:gettrailstatus",
"cloudtrail:listtags",
"cloudtrail:lookupevents",
"cloudwatch:describe*",
"cloudwatch:get*",
"cloudwatch:list*",
"codebuild:listbuilds*",
"codebuild:listprojects",
"codecommit:batchgetrepositories",
"codecommit:getbranch",
"codecommit:getobjectidentifier",
"codecommit:getrepository",
"codecommit:list*",
"codedeploy:batch*",
"codedeploy:get*",
"codedeploy:list*",
"codepipeline:listpipelines",
"codestar:describe*",
"codestar:list*",
"codestar:verify*",
"cognito-identity:listidentities",
"cognito-identity:listidentitypools",
"cognito-idp:list*",
"cognito-idp:listuserpools",
"cognito-sync:describe*",
"cognito-sync:list*",
"cognito-sync:listdatasets",
"comprehend:describe*",
"comprehend:list*",
"config:batchgetaggregateresourceconfig",
"config:batchgetresourceconfig",
"config:deliver*",
"config:describe*",
"config:get*",
"config:list*",
"connect:list*",
"datapipeline:describeobjects",
"datapipeline:describepipelines",
"datapipeline:evaluateexpression",
"datapipeline:getaccountlimits",
"datapipeline:getpipelinedefinition",
"datapipeline:listpipelines",
"datapipeline:queryobjects",
"datapipeline:validatepipelinedefinition",
"datasync:describe*",
"datasync:list*",
"dax:describe*",
"dax:describeclusters",
"dax:describedefaultparameters",
"dax:describeevents",
"dax:describeparametergroups",
"dax:describeparameters",
"dax:describesubnetgroups",
"dax:describetable",
"dax:listtables",
"dax:listtags",
"devicefarm:list*",
"directconnect:describe*",
"discovery:list*",
"dms:describe*",
"dms:list*",
"dms:listtagsforresource",
"ds:describedirectories",
"dynamodb:describebackup",
"dynamodb:describecontinuousbackups",
"dynamodb:describeglobaltable",
"dynamodb:describeglobaltablesettings",
"dynamodb:describelimits",
"dynamodb:describereservedcapacity",
"dynamodb:describereservedcapacityofferings",
"dynamodb:describestream",
"dynamodb:describetable",
"dynamodb:describetimetolive",
"dynamodb:listbackups",
"dynamodb:listglobaltables",
"dynamodb:liststreams",
"dynamodb:listtables",
"dynamodb:listtagsofresource",
"ec2:describe*",
"ec2:get*",
"ecr:describe*",
"ecr:getrepositorypolicy",
"ecr:listimages",
"ecs:describe*",
"ecs:list*",
"eks:describecluster",
"eks:listclusters",
"elasticache:describe*",
"elasticbeanstalk:describe*",
"elasticbeanstalk:listavailablesolutionstacks",
"elasticfilesystem:describefilesystems",
"elasticfilesystem:describemounttargets",
"elasticfilesystem:describemounttargetsecuritygroups",
"elasticloadbalancing:describe*",
"elasticmapreduce:describe*",
"elasticmapreduce:list*",
"elastictranscoder:list*",
"es:describe*",
"es:listdomainnames",
"events:describe*",
"events:list*",
"firehose:describe*",
"firehose:list*",
"fms:listcompliancestatus",
"fms:listpolicies",
"fsx:describe*",
"fsx:list*",
"gamelift:list*",
"glacier:describevault",
"glacier:getvaultaccesspolicy",
"glacier:list*",
"globalaccelerator:describe*",
"globalaccelerator:list*",
"greengrass:list*",
"guardduty:get*",
"guardduty:list*",
"iam:generatecredentialreport",
"iam:generateservicelastaccesseddetails",
"iam:get*",
"iam:list*",
"iam:simulatecustompolicy",
"iam:simulateprincipalpolicy",
"importexport:listjobs",
"inspector:describe*",
"inspector:get*",
"inspector:list*",
"inspector:preview*",
"iot:describe*",
"iot:getpolicy",
"iot:getpolicyversion",
"iot:list*",
"kinesis:describestream",
"kinesis:liststreams",
"kinesis:listtagsforstream",
"kinesisanalytics:listapplications",
"kms:describe*",
"kms:get*",
"kms:list*",
"lambda:getaccountsettings",
"lambda:getfunctionconfiguration",
"lambda:getlayerversionpolicy",
"lambda:getpolicy",
"lambda:list*",
"lex:getbotaliases",
"lex:getbotchannelassociations",
"lex:getbots",
"lex:getbotversions",
"lex:getintents",
"lex:getintentversions",
"lex:getslottypes",
"lex:getslottypeversions",
"lex:getutterancesview",
"license-manager:list*",
"lightsail:getblueprints",
"lightsail:getbundles",
"lightsail:getinstances",
"lightsail:getinstancesnapshots",
"lightsail:getkeypair",
"lightsail:getloadbalancers",
"lightsail:getregions",
"lightsail:getstaticips",
"lightsail:isvpcpeered",
"logs:describe*",
"logs:listtagsloggroup",
"machinelearning:describe*",
"mediaconnect:describe*",
"mediaconnect:list*",
"mediastore:getcontainerpolicy",
"mediastore:listcontainers",
"mobilehub:listavailablefeatures",
"mobilehub:listavailableregions",
"mobilehub:listprojects",
"mobiletargeting:getapplicationsettings",
"mobiletargeting:getcampaigns",
"mobiletargeting:getimportjobs",
"mobiletargeting:getsegments",
"opsworks-cm:describe*",
"opsworks-cm:describeservers",
"opsworks:describe*",
"opsworks:describestacks",
"organizations:describe*",
"organizations:list*",
"polly:describe*",
"polly:list*",
"quicksight:describe*",
"quicksight:list*",
"ram:list*",
"rds:describe*",
"rds:downloaddblogfileportion",
"rds:listtagsforresource",
"redshift:describe*",
"redshift:viewqueriesinconsole",
"rekognition:describe*",
"rekognition:list*",
"robomaker:describe*",
"robomaker:list*",
"route53:get*",
"route53:list*",
"route53domains:getdomaindetail",
"route53domains:getoperationdetail",
"route53domains:list*",
"route53resolver:get*",
"route53resolver:list*",
"s3:getaccelerateconfiguration",
"s3:getaccountpublicaccessblock",
"s3:getanalyticsconfiguration",
"s3:getbucket*",
"s3:getencryptionconfiguration",
"s3:getinventoryconfiguration",
"s3:getlifecycleconfiguration",
"s3:getmetricsconfiguration",
"s3:getobjectacl",
"s3:getobjectversionacl",
"s3:getreplicationconfiguration",
"s3:listallmybuckets",
"s3:listbucket",
"sagemaker:describe*",
"sagemaker:list*",
"sdb:domainmetadata",
"sdb:list*",
"secretsmanager:getresourcepolicy",
"secretsmanager:listsecrets",
"secretsmanager:listsecretversionids",
"securityhub:describe*",
"securityhub:get*",
"securityhub:list*",
"serverlessrepo:getapplicationpolicy",
"serverlessrepo:list*",
"servicecatalog:list*",
"ses:getidentitydkimattributes",
"ses:getidentitypolicies",
"ses:getidentityverificationattributes",
"ses:list*",
"ses:sendemail",
"shield:describe*",
"shield:list*",
"snowball:listclusters",
"snowball:listjobs",
"sns:gettopicattributes",
"sns:list*",
"sqs:getqueueattributes",
"sqs:listdeadlettersourcequeues",
"sqs:listqueues",
"sqs:listqueuetags",
"ssm:describe*",
"ssm:getautomationexecution",
"ssm:listassociations",
"ssm:listdocuments",
"sso:describepermissionspolicies",
"sso:list*",
"states:listactivities",
"states:liststatemachines",
"storagegateway:describebandwidthratelimit",
"storagegateway:describecache",
"storagegateway:describecachediscsivolumes",
"storagegateway:describegatewayinformation",
"storagegateway:describemaintenancestarttime",
"storagegateway:describenfsfileshares",
"storagegateway:describesnapshotschedule",
"storagegateway:describestorediscsivolumes",
"storagegateway:describetapearchives",
"storagegateway:describetaperecoverypoints",
"storagegateway:describetapes",
"storagegateway:describeuploadbuffer",
"storagegateway:describevtldevices",
"storagegateway:describeworkingstorage",
"storagegateway:list*",
"support:describe*",
"swf:list*",
"tag:getresources",
"tag:gettagkeys",
"transfer:describe*",
"transfer:list*",
"translate:list*",
"trustedadvisor:describe*",
"waf-regional:list*",
"waf-regional:listwebacls",
"waf:list*",
"workdocs:describeavailabledirectories",
"workdocs:describeinstances",
"workmail:describe*",
"workspaces:describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}