ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(allowlist): allowlist a specific service (#2331)

Browse Source
This commit is contained in:
Sergio Garcia
2023-05-09 15:43:04 +02:00
committed by GitHub
parent 6273dd3d83
commit d344318dd4
4 changed files with 90 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/tutorials/allowlist.md
View File

@@ -22,6 +22,11 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
Resources:
- "user-1" # Will ignore user-1 in check iam_user_hardware_mfa_enabled
- "user-2" # Will ignore user-2 in check iam_user_hardware_mfa_enabled
"ec2_*":
Regions:
- "*"
Resources:
- "*" # Will ignore every EC2 check in every account and region
"*":
Regions:
- "*"

5
prowler/config/allowlist.yaml
View File

@@ -13,6 +13,11 @@ Allowlist:
Resources:
- "user-1" # Will ignore user-1 in check iam_user_hardware_mfa_enabled
- "user-2" # Will ignore user-2 in check iam_user_hardware_mfa_enabled
"ec2_*":
Regions:
- "*"
Resources:
- "*" # Will ignore every EC2 check in every account and region
"*":
Regions:
- "*"

40
prowler/providers/aws/lib/allowlist/allowlist.py
View File

@@ -130,19 +130,33 @@ def is_allowlisted(allowlist, audited_account, check, region, resource, tags):
def is_allowlisted_in_check(allowlist, audited_account, check, region, resource, tags):
try:
# If there is a *, it affects to all checks
if "*" in allowlist["Accounts"][audited_account]["Checks"]:
check = "*"
if is_allowlisted_in_region(
allowlist, audited_account, check, region, resource, tags
):
return True
# Check if there is the specific check
if check in allowlist["Accounts"][audited_account]["Checks"]:
if is_allowlisted_in_region(
allowlist, audited_account, check, region, resource, tags
):
return True
for allowlisted_check in allowlist["Accounts"][audited_account][
"Checks"
].keys():
# If there is a *, it affects to all checks
if "*" == allowlisted_check:
check = "*"
if is_allowlisted_in_region(
allowlist, audited_account, check, region, resource, tags
):
return True
# Check if there is the specific check
elif check == allowlisted_check:
if is_allowlisted_in_region(
allowlist, audited_account, check, region, resource, tags
):
return True
# Check if check is a regex
elif re.search(allowlisted_check, check):
if is_allowlisted_in_region(
allowlist,
audited_account,
allowlisted_check,
region,
resource,
tags,
):
return True
return False
except Exception as error:
logger.critical(

53
tests/providers/aws/lib/allowlist/allowlist_test.py
View File

@@ -323,6 +323,59 @@ class Test_Allowlist:
)
)
def test_is_allowlisted_in_check_regex(self):
# Allowlist example
allowlist = {
"Accounts": {
AWS_ACCOUNT_NUMBER: {
"Checks": {
"s3_*": {
"Regions": ["us-east-1", "eu-west-1"],
"Resources": ["*"],
}
}
}
}
}
assert is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
"s3_bucket_public_access",
AWS_REGION,
"prowler",
[],
)
assert is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
"s3_bucket_public_access",
AWS_REGION,
"prowler-test",
[],
)
assert is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
"s3_bucket_public_access",
AWS_REGION,
"test-prowler",
[],
)
assert not (
is_allowlisted_in_check(
allowlist,
AWS_ACCOUNT_NUMBER,
"iam_user_hardware_mfa_enabled",
AWS_REGION,
"test",
[],
)
)
def test_is_allowlisted_tags(self):
# Allowlist example
allowlist = {