diff --git a/docs/tutorials/allowlist.md b/docs/tutorials/allowlist.md index db0d3062..0c0e44af 100644 --- a/docs/tutorials/allowlist.md +++ b/docs/tutorials/allowlist.md @@ -22,6 +22,11 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b Resources: - "user-1" # Will ignore user-1 in check iam_user_hardware_mfa_enabled - "user-2" # Will ignore user-2 in check iam_user_hardware_mfa_enabled + "ec2_*": + Regions: + - "*" + Resources: + - "*" # Will ignore every EC2 check in every account and region "*": Regions: - "*" diff --git a/prowler/config/allowlist.yaml b/prowler/config/allowlist.yaml index d936759d..ff9bdec6 100644 --- a/prowler/config/allowlist.yaml +++ b/prowler/config/allowlist.yaml @@ -13,6 +13,11 @@ Allowlist: Resources: - "user-1" # Will ignore user-1 in check iam_user_hardware_mfa_enabled - "user-2" # Will ignore user-2 in check iam_user_hardware_mfa_enabled + "ec2_*": + Regions: + - "*" + Resources: + - "*" # Will ignore every EC2 check in every account and region "*": Regions: - "*" diff --git a/prowler/providers/aws/lib/allowlist/allowlist.py b/prowler/providers/aws/lib/allowlist/allowlist.py index c8eefe8a..376e1666 100644 --- a/prowler/providers/aws/lib/allowlist/allowlist.py +++ b/prowler/providers/aws/lib/allowlist/allowlist.py @@ -130,19 +130,33 @@ def is_allowlisted(allowlist, audited_account, check, region, resource, tags): def is_allowlisted_in_check(allowlist, audited_account, check, region, resource, tags): try: - # If there is a *, it affects to all checks - if "*" in allowlist["Accounts"][audited_account]["Checks"]: - check = "*" - if is_allowlisted_in_region( - allowlist, audited_account, check, region, resource, tags - ): - return True - # Check if there is the specific check - if check in allowlist["Accounts"][audited_account]["Checks"]: - if is_allowlisted_in_region( - allowlist, audited_account, check, region, resource, tags - ): - return True + for allowlisted_check in allowlist["Accounts"][audited_account][ + "Checks" + ].keys(): + # If there is a *, it affects to all checks + if "*" == allowlisted_check: + check = "*" + if is_allowlisted_in_region( + allowlist, audited_account, check, region, resource, tags + ): + return True + # Check if there is the specific check + elif check == allowlisted_check: + if is_allowlisted_in_region( + allowlist, audited_account, check, region, resource, tags + ): + return True + # Check if check is a regex + elif re.search(allowlisted_check, check): + if is_allowlisted_in_region( + allowlist, + audited_account, + allowlisted_check, + region, + resource, + tags, + ): + return True return False except Exception as error: logger.critical( diff --git a/tests/providers/aws/lib/allowlist/allowlist_test.py b/tests/providers/aws/lib/allowlist/allowlist_test.py index b9f0e230..72be950c 100644 --- a/tests/providers/aws/lib/allowlist/allowlist_test.py +++ b/tests/providers/aws/lib/allowlist/allowlist_test.py @@ -323,6 +323,59 @@ class Test_Allowlist: ) ) + def test_is_allowlisted_in_check_regex(self): + # Allowlist example + allowlist = { + "Accounts": { + AWS_ACCOUNT_NUMBER: { + "Checks": { + "s3_*": { + "Regions": ["us-east-1", "eu-west-1"], + "Resources": ["*"], + } + } + } + } + } + + assert is_allowlisted_in_check( + allowlist, + AWS_ACCOUNT_NUMBER, + "s3_bucket_public_access", + AWS_REGION, + "prowler", + [], + ) + + assert is_allowlisted_in_check( + allowlist, + AWS_ACCOUNT_NUMBER, + "s3_bucket_public_access", + AWS_REGION, + "prowler-test", + [], + ) + + assert is_allowlisted_in_check( + allowlist, + AWS_ACCOUNT_NUMBER, + "s3_bucket_public_access", + AWS_REGION, + "test-prowler", + [], + ) + + assert not ( + is_allowlisted_in_check( + allowlist, + AWS_ACCOUNT_NUMBER, + "iam_user_hardware_mfa_enabled", + AWS_REGION, + "test", + [], + ) + ) + def test_is_allowlisted_tags(self): # Allowlist example allowlist = {