From ce7e07d66d7fc9d8a1b7b8d4ad80f138ff97c2d9 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Fri, 22 Nov 2019 11:29:16 +0100 Subject: [PATCH] consolidated ProwlerReadOnlyPolicy and available json --- README.md | 143 +---------------- iam/prowler-policy.json | 329 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 332 insertions(+), 140 deletions(-) create mode 100644 iam/prowler-policy.json diff --git a/README.md b/README.md index e3371c51..fb112c82 100644 --- a/README.md +++ b/README.md 
@@ -271,148 +271,11 @@ There are some helpfull tools to save time in this process like [aws-mfa-script]
 ### Custom IAM Policy
-Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list, not change!) here you go a good example for a "ProwlerPolicyReadOnly":
+Some new and specific checks require Prowler to inherit more permissions than SecurityAudit to work properly. Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list and additional services mostly). Here you go a good example for a "ProwlerReadOnlyPolicy":
-```json
-{
- "Version": "2012-10-17",
- "Statement": [{
- "Action": [
- "acm:describecertificate",
- "acm:listcertificates",
- "apigateway:get",
- "autoscaling:describe*",
- "cloudformation:describestack*",
- "cloudformation:getstackpolicy",
- "cloudformation:gettemplate",
- "cloudformation:liststack*",
- "cloudfront:get*",
- "cloudfront:list*",
- "cloudtrail:describetrails",
- "cloudtrail:geteventselectors",
- "cloudtrail:gettrailstatus",
- "cloudtrail:listtags",
- "cloudwatch:describe*",
- "codecommit:batchgetrepositories",
- "codecommit:getbranch",
- "codecommit:getobjectidentifier",
- "codecommit:getrepository",
- "codecommit:list*",
- "codedeploy:batch*",
- "codedeploy:get*",
- "codedeploy:list*",
- "config:deliver*",
- "config:describe*",
- "config:get*",
- "datapipeline:describeobjects",
- "datapipeline:describepipelines",
- "datapipeline:evaluateexpression",
- "datapipeline:getpipelinedefinition",
- "datapipeline:listpipelines",
- "datapipeline:queryobjects",
- "datapipeline:validatepipelinedefinition",
- "directconnect:describe*",
- "dynamodb:listtables",
- "ec2:describe*",
- "ec2:GetEbsEncryptionByDefault",
- "ecr:describe*",
- "ecs:describe*",
- "ecs:list*",
- "elasticache:describe*",
- "elasticbeanstalk:describe*",
- "elasticloadbalancing:describe*",
- "elasticmapreduce:describejobflows",
- "elasticmapreduce:listclusters",
- "es:describeelasticsearchdomainconfig",
- "es:listdomainnames",
- "firehose:describe*",
- "firehose:list*",
- "glacier:listvaults",
- "guardduty:GetDetector",
- "guardduty:listdetectors",
- "iam:generatecredentialreport",
- "iam:get*",
- "iam:list*",
- "kms:describe*",
- "kms:get*",
- "kms:list*",
- "lambda:getpolicy",
- "lambda:listfunctions",
- "logs:DescribeLogGroups",
- "logs:DescribeMetricFilters",
- "rds:describe*",
- "rds:downloaddblogfileportion",
- "rds:listtagsforresource",
- "redshift:describe*",
- "route53domains:getdomaindetail",
- "route53domains:getoperationdetail",
- "route53domains:listdomains",
- "route53domains:listoperations",
- "route53domains:listtagsfordomain",
- "route53:getchange",
- "route53:getcheckeripranges",
- "route53:getgeolocation",
- "route53:gethealthcheck",
- "route53:gethealthcheckcount",
- "route53:gethealthchecklastfailurereason",
- "route53:gethostedzone",
- "route53:gethostedzonecount",
- "route53:getreusabledelegationset",
- "route53:listgeolocations",
- "route53:listhealthchecks",
- "route53:listhostedzones",
- "route53:listhostedzonesbyname",
- "route53:listqueryloggingconfigs",
- "route53:listresourcerecordsets",
- "route53:listreusabledelegationsets",
- "route53:listtagsforresource",
- "route53:listtagsforresources",
- "s3:getbucket*",
- "s3:GetEncryptionConfiguration",
- "s3:getlifecycleconfiguration",
- "s3:getobjectacl",
- "s3:getobjectversionacl",
- "s3:listallmybuckets",
- "sdb:domainmetadata",
- "sdb:listdomains",
- "ses:getidentitydkimattributes",
- "ses:getidentityverificationattributes",
- "ses:listidentities",
- "ses:listverifiedemailaddresses",
- "ses:sendemail",
- "sns:gettopicattributes",
- "sns:listsubscriptionsbytopic",
- "sns:listtopics",
- "sqs:getqueueattributes",
- "sqs:listqueues",
- "support:describetrustedadvisorchecks",
- "tag:getresources",
- "tag:gettagkeys"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }]
-}
-```
+[iam/prowler-policy.json](iam/prowler-policy.json)
-### Incremental IAM Policy
-
-Alternatively, here is a policy which defines the permissions which are NOT present in the AWS Managed SecurityAudit policy. Attach both this policy and the [AWS Managed SecurityAudit policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/SecurityAudit$jsonEditor) to the group and you're good to go.
-
-```sh
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "support:DescribeTrustedAdvisorChecks"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }
- ]
-}
-```
+> Note: `ec2:get*` is included in ProwlerReadOnlyPolicy policy above, that includes `get-password-data`, type `aws ec2 get-password-data help` to better understand its implications.
 ### Bootstrap Script
diff --git a/iam/prowler-policy.json b/iam/prowler-policy.json
new file mode 100644
index 00000000..2f7a4f83
--- /dev/null
+++ b/iam/prowler-policy.json
@@ -0,0 +1,329 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "acm:describe*",
+ "acm:list*",
+ "apigateway:get*",
+ "apigatewayv2:get*",
+ "application-autoscaling:describe*",
+ "appmesh:describe*",
+ "appmesh:list*",
+ "appsync:list*",
+ "athena:list*",
+ "autoscaling:describe*",
+ "aws-marketplace:viewsubscriptions",
+ "batch:describecomputeenvironments",
+ "batch:describejobdefinitions",
+ "batch:listjobs",
+ "chime:list*",
+ "cloud9:describe*",
+ "cloud9:listenvironments",
+ "clouddirectory:listappliedschemaarns",
+ "clouddirectory:listdevelopmentschemaarns",
+ "clouddirectory:listdirectories",
+ "clouddirectory:listpublishedschemaarns",
+ "cloudformation:describestack*",
+ "cloudformation:getstackpolicy",
+ "cloudformation:gettemplate",
+ "cloudformation:list*",
+ "cloudfront:get*",
+ "cloudfront:list*",
+ "cloudhsm:listavailablezones",
+ "cloudhsm:listhapgs",
+ "cloudhsm:listhsms",
+ "cloudhsm:listlunaclients",
+ "cloudsearch:describedomains",
+ "cloudsearch:describeserviceaccesspolicies",
+ "cloudsearch:list*",
+ "cloudtrail:describetrails",
+ "cloudtrail:geteventselectors",
+ "cloudtrail:gettrailstatus",
+ "cloudtrail:listtags",
+ "cloudtrail:lookupevents",
+ "cloudwatch:describe*",
+ "cloudwatch:get*",
+ "cloudwatch:list*",
+ "codebuild:listbuilds*",
+ "codebuild:listprojects",
+ "codecommit:batchgetrepositories",
+ "codecommit:getbranch",
+ "codecommit:getobjectidentifier",
+ "codecommit:getrepository",
+ "codecommit:list*",
+ "codedeploy:batch*",
+ "codedeploy:get*",
+ "codedeploy:list*",
+ "codepipeline:listpipelines",
+ "codestar:describe*",
+ "codestar:list*",
+ "codestar:verify*",
+ "cognito-identity:listidentities",
+ "cognito-identity:listidentitypools",
+ "cognito-idp:list*",
+ "cognito-idp:listuserpools",
+ "cognito-sync:describe*",
+ "cognito-sync:list*",
+ "cognito-sync:listdatasets",
+ "comprehend:describe*",
+ "comprehend:list*",
+ "config:batchgetaggregateresourceconfig",
+ "config:batchgetresourceconfig",
+ "config:deliver*",
+ "config:describe*",
+ "config:get*",
+ "config:list*",
+ "connect:list*",
+ "datapipeline:describeobjects",
+ "datapipeline:describepipelines",
+ "datapipeline:evaluateexpression",
+ "datapipeline:getaccountlimits",
+ "datapipeline:getpipelinedefinition",
+ "datapipeline:listpipelines",
+ "datapipeline:queryobjects",
+ "datapipeline:validatepipelinedefinition",
+ "datasync:describe*",
+ "datasync:list*",
+ "dax:describe*",
+ "dax:describeclusters",
+ "dax:describedefaultparameters",
+ "dax:describeevents",
+ "dax:describeparametergroups",
+ "dax:describeparameters",
+ "dax:describesubnetgroups",
+ "dax:describetable",
+ "dax:listtables",
+ "dax:listtags",
+ "devicefarm:list*",
+ "directconnect:describe*",
+ "discovery:list*",
+ "dms:describe*",
+ "dms:list*",
+ "dms:listtagsforresource",
+ "ds:describedirectories",
+ "dynamodb:describebackup",
+ "dynamodb:describecontinuousbackups",
+ "dynamodb:describeglobaltable",
+ "dynamodb:describeglobaltablesettings",
+ "dynamodb:describelimits",
+ "dynamodb:describereservedcapacity",
+ "dynamodb:describereservedcapacityofferings",
+ "dynamodb:describestream",
+ "dynamodb:describetable",
+ "dynamodb:describetimetolive",
+ "dynamodb:listbackups",
+ "dynamodb:listglobaltables",
+ "dynamodb:liststreams",
+ "dynamodb:listtables",
+ "dynamodb:listtagsofresource",
+ "ec2:describe*",
+ "ec2:get*",
+ "ecr:describe*",
+ "ecr:getrepositorypolicy",
+ "ecr:listimages",
+ "ecs:describe*",
+ "ecs:list*",
+ "eks:describecluster",
+ "eks:listclusters",
+ "elasticache:describe*",
+ "elasticbeanstalk:describe*",
+ "elasticbeanstalk:listavailablesolutionstacks",
+ "elasticfilesystem:describefilesystems",
+ "elasticfilesystem:describemounttargets",
+ "elasticfilesystem:describemounttargetsecuritygroups",
+ "elasticloadbalancing:describe*",
+ "elasticmapreduce:describe*",
+ "elasticmapreduce:list*",
+ "elastictranscoder:list*",
+ "es:describe*",
+ "es:listdomainnames",
+ "events:describe*",
+ "events:list*",
+ "firehose:describe*",
+ "firehose:list*",
+ "fms:listcompliancestatus",
+ "fms:listpolicies",
+ "fsx:describe*",
+ "fsx:list*",
+ "gamelift:list*",
+ "glacier:describevault",
+ "glacier:getvaultaccesspolicy",
+ "glacier:list*",
+ "globalaccelerator:describe*",
+ "globalaccelerator:list*",
+ "greengrass:list*",
+ "guardduty:get*",
+ "guardduty:list*",
+ "iam:generatecredentialreport",
+ "iam:generateservicelastaccesseddetails",
+ "iam:get*",
+ "iam:list*",
+ "iam:simulatecustompolicy",
+ "iam:simulateprincipalpolicy",
+ "importexport:listjobs",
+ "inspector:describe*",
+ "inspector:get*",
+ "inspector:list*",
+ "inspector:preview*",
+ "iot:describe*",
+ "iot:getpolicy",
+ "iot:getpolicyversion",
+ "iot:list*",
+ "kinesis:describestream",
+ "kinesis:liststreams",
+ "kinesis:listtagsforstream",
+ "kinesisanalytics:listapplications",
+ "kms:describe*",
+ "kms:get*",
+ "kms:list*",
+ "lambda:getaccountsettings",
+ "lambda:getfunctionconfiguration",
+ "lambda:getlayerversionpolicy",
+ "lambda:getpolicy",
+ "lambda:list*",
+ "lex:getbotaliases",
+ "lex:getbotchannelassociations",
+ "lex:getbots",
+ "lex:getbotversions",
+ "lex:getintents",
+ "lex:getintentversions",
+ "lex:getslottypes",
+ "lex:getslottypeversions",
+ "lex:getutterancesview",
+ "license-manager:list*",
+ "lightsail:getblueprints",
+ "lightsail:getbundles",
+ "lightsail:getinstances",
+ "lightsail:getinstancesnapshots",
+ "lightsail:getkeypair",
+ "lightsail:getloadbalancers",
+ "lightsail:getregions",
+ "lightsail:getstaticips",
+ "lightsail:isvpcpeered",
+ "logs:describe*",
+ "logs:listtagsloggroup",
+ "machinelearning:describe*",
+ "mediaconnect:describe*",
+ "mediaconnect:list*",
+ "mediastore:getcontainerpolicy",
+ "mediastore:listcontainers",
+ "mobilehub:listavailablefeatures",
+ "mobilehub:listavailableregions",
+ "mobilehub:listprojects",
+ "mobiletargeting:getapplicationsettings",
+ "mobiletargeting:getcampaigns",
+ "mobiletargeting:getimportjobs",
+ "mobiletargeting:getsegments",
+ "opsworks-cm:describe*",
+ "opsworks-cm:describeservers",
+ "opsworks:describe*",
+ "opsworks:describestacks",
+ "organizations:describe*",
+ "organizations:list*",
+ "polly:describe*",
+ "polly:list*",
+ "quicksight:describe*",
+ "quicksight:list*",
+ "ram:list*",
+ "rds:describe*",
+ "rds:downloaddblogfileportion",
+ "rds:listtagsforresource",
+ "redshift:describe*",
+ "redshift:viewqueriesinconsole",
+ "rekognition:describe*",
+ "rekognition:list*",
+ "robomaker:describe*",
+ "robomaker:list*",
+ "route53:get*",
+ "route53:list*",
+ "route53domains:getdomaindetail",
+ "route53domains:getoperationdetail",
+ "route53domains:list*",
+ "route53resolver:get*",
+ "route53resolver:list*",
+ "s3:getaccelerateconfiguration",
+ "s3:getaccountpublicaccessblock",
+ "s3:getanalyticsconfiguration",
+ "s3:getbucket*",
+ "s3:getencryptionconfiguration",
+ "s3:getinventoryconfiguration",
+ "s3:getlifecycleconfiguration",
+ "s3:getmetricsconfiguration",
+ "s3:getobjectacl",
+ "s3:getobjectversionacl",
+ "s3:getreplicationconfiguration",
+ "s3:listallmybuckets",
+ "s3:listbucket",
+ "sagemaker:describe*",
+ "sagemaker:list*",
+ "sdb:domainmetadata",
+ "sdb:list*",
+ "secretsmanager:getresourcepolicy",
+ "secretsmanager:listsecrets",
+ "secretsmanager:listsecretversionids",
+ "securityhub:describe*",
+ "securityhub:get*",
+ "securityhub:list*",
+ "serverlessrepo:getapplicationpolicy",
+ "serverlessrepo:list*",
+ "servicecatalog:list*",
+ "ses:getidentitydkimattributes",
+ "ses:getidentitypolicies",
+ "ses:getidentityverificationattributes",
+ "ses:list*",
+ "ses:sendemail",
+ "shield:describe*",
+ "shield:list*",
+ "snowball:listclusters",
+ "snowball:listjobs",
+ "sns:gettopicattributes",
+ "sns:list*",
+ "sqs:getqueueattributes",
+ "sqs:listdeadlettersourcequeues",
+ "sqs:listqueues",
+ "sqs:listqueuetags",
+ "ssm:describe*",
+ "ssm:getautomationexecution",
+ "ssm:listassociations",
+ "ssm:listdocuments",
+ "sso:describepermissionspolicies",
+ "sso:list*",
+ "states:listactivities",
+ "states:liststatemachines",
+ "storagegateway:describebandwidthratelimit",
+ "storagegateway:describecache",
+ "storagegateway:describecachediscsivolumes",
+ "storagegateway:describegatewayinformation",
+ "storagegateway:describemaintenancestarttime",
+ "storagegateway:describenfsfileshares",
+ "storagegateway:describesnapshotschedule",
+ "storagegateway:describestorediscsivolumes",
+ "storagegateway:describetapearchives",
+ "storagegateway:describetaperecoverypoints",
+ "storagegateway:describetapes",
+ "storagegateway:describeuploadbuffer",
+ "storagegateway:describevtldevices",
+ "storagegateway:describeworkingstorage",
+ "storagegateway:list*",
+ "support:describe*",
+ "swf:list*",
+ "tag:getresources",
+ "tag:gettagkeys",
+ "transfer:describe*",
+ "transfer:list*",
+ "translate:list*",
+ "trustedadvisor:describe*",
+ "waf-regional:list*",
+ "waf-regional:listwebacls",
+ "waf:list*",
+ "workdocs:describeavailabledirectories",
+ "workdocs:describeinstances",
+ "workmail:describe*",
+ "workspaces:describe*"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}