consolidated ProwlerReadOnlyPolicy and available json

This commit is contained in:
Toni de la Fuente
2019-11-22 12:42:57 +01:00
parent 8f91bfee24
commit e18cea213b
2 changed files with 3 additions and 334 deletions


@@ -271,9 +271,9 @@ There are some helpfull tools to save time in this process like [aws-mfa-script]
### Custom IAM Policy
Some new and specific checks require Prowler to inherit more permissions than SecurityAudit to work properly. Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list and additional services mostly). Here you go a good example for a "ProwlerReadOnlyPolicy":
Some new and specific checks require Prowler to inherit more permissions than SecurityAudit to work properly. In addition to the AWS managed policy "SecurityAudit" for the role you use for checks you may need to create a custom policy with a few more permissions (get and list and additional services mostly). Here you go a good example for a "ProwlerReadOnlyPolicy" (see below bootstrap script for set it up):
[iam/prowler-policy.json](iam/prowler-policy.json)
[iam/prowler-additions-policy.json](iam/prowler-additions-policy.json)
> Note: Action `ec2:get*` is included in "ProwlerReadOnlyPolicy" policy above, that includes `get-password-data`, type `aws ec2 get-password-data help` to better understand its implications.
@@ -285,7 +285,7 @@ Quick bash script to set up a "prowler" IAM user with "SecurityAudit" group with
export AWS_DEFAULT_PROFILE=default
export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
aws iam create-group --group-name SecurityAudit
aws iam create-policy --policy-name ProwlerReadOnlyPolicy --policy-document file://$(pwd)/iam/prowler-policy.json
aws iam create-policy --policy-name ProwlerReadOnlyPolicy --policy-document file://$(pwd)/iam/prowler-additions-policy.json
aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerReadOnlyPolicy
aws iam create-user --user-name prowler
@@ -294,8 +294,6 @@ aws iam create-access-key --user-name prowler
unset ACCOUNT_ID AWS_DEFAULT_PROFILE
```
> Note: most of the actions included in the managed policy "SecurityAudit" are already in "ProwlerReadOnlyPolicy", but adding both for compatibility with future services or additions to "SecurityAudit".
The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you lose it, you will need to generate a replacement.
## Extras
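Review bot: The context note right after the link (`> Note: Action ec2:get* is included in "ProwlerReadOnlyPolicy" policy above ...`) still points at "the policy above", but this commit swaps that link to iam/prowler-additions-policy.json and deletes iam/prowler-policy.json, which is the file that visibly listed `ec2:get*`; whether the additions policy still grants `ec2:get*` (and therefore `get-password-data`) cannot be seen here, so either confirm it and keep the note, or remove the note so readers do not assume a permission the consolidated policy may no longer carry. The same hunk's new sentence reads awkwardly; suggest `(see the bootstrap script below to set it up)` in place of `(see below bootstrap script for set it up)`. In the second hunk the bootstrap script now creates "ProwlerReadOnlyPolicy" from the additions file while the surrounding text still calls the combined result "ProwlerReadOnlyPolicy"; a one-line comment above the `create-policy` call such as `# SecurityAudit (managed) + ProwlerReadOnlyPolicy (additions) together form the permission set` would make the two-policy model explicit where the deleted note in the third hunk used to explain it.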


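--- a/iam/prowler-policy.json
+++ /dev/null
@@ -1,329 +0,0 @@
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Action": [
-"acm:describe*",
-"acm:list*",
-"apigateway:get*",
-"apigatewayv2:get*",
-"application-autoscaling:describe*",
-"appmesh:describe*",
-"appmesh:list*",
-"appsync:list*",
-"athena:list*",
-"autoscaling:describe*",
-"aws-marketplace:viewsubscriptions",
-"batch:describecomputeenvironments",
-"batch:describejobdefinitions",
-"batch:listjobs",
-"chime:list*",
-"cloud9:describe*",
-"cloud9:listenvironments",
-"clouddirectory:listappliedschemaarns",
-"clouddirectory:listdevelopmentschemaarns",
-"clouddirectory:listdirectories",
-"clouddirectory:listpublishedschemaarns",
-"cloudformation:describestack*",
-"cloudformation:getstackpolicy",
-"cloudformation:gettemplate",
-"cloudformation:list*",
-"cloudfront:get*",
-"cloudfront:list*",
-"cloudhsm:listavailablezones",
-"cloudhsm:listhapgs",
-"cloudhsm:listhsms",
-"cloudhsm:listlunaclients",
-"cloudsearch:describedomains",
-"cloudsearch:describeserviceaccesspolicies",
-"cloudsearch:list*",
-"cloudtrail:describetrails",
-"cloudtrail:geteventselectors",
-"cloudtrail:gettrailstatus",
-"cloudtrail:listtags",
-"cloudtrail:lookupevents",
-"cloudwatch:describe*",
-"cloudwatch:get*",
-"cloudwatch:list*",
-"codebuild:listbuilds*",
-"codebuild:listprojects",
-"codecommit:batchgetrepositories",
-"codecommit:getbranch",
-"codecommit:getobjectidentifier",
-"codecommit:getrepository",
-"codecommit:list*",
-"codedeploy:batch*",
-"codedeploy:get*",
-"codedeploy:list*",
-"codepipeline:listpipelines",
-"codestar:describe*",
-"codestar:list*",
-"codestar:verify*",
-"cognito-identity:listidentities",
-"cognito-identity:listidentitypools",
-"cognito-idp:list*",
-"cognito-idp:listuserpools",
-"cognito-sync:describe*",
-"cognito-sync:list*",
-"cognito-sync:listdatasets",
-"comprehend:describe*",
-"comprehend:list*",
-"config:batchgetaggregateresourceconfig",
-"config:batchgetresourceconfig",
-"config:deliver*",
-"config:describe*",
-"config:get*",
-"config:list*",
-"connect:list*",
-"datapipeline:describeobjects",
-"datapipeline:describepipelines",
-"datapipeline:evaluateexpression",
-"datapipeline:getaccountlimits",
-"datapipeline:getpipelinedefinition",
-"datapipeline:listpipelines",
-"datapipeline:queryobjects",
-"datapipeline:validatepipelinedefinition",
-"datasync:describe*",
-"datasync:list*",
-"dax:describe*",
-"dax:describeclusters",
-"dax:describedefaultparameters",
-"dax:describeevents",
-"dax:describeparametergroups",
-"dax:describeparameters",
-"dax:describesubnetgroups",
-"dax:describetable",
-"dax:listtables",
-"dax:listtags",
-"devicefarm:list*",
-"directconnect:describe*",
-"discovery:list*",
-"dms:describe*",
-"dms:list*",
-"dms:listtagsforresource",
-"ds:describedirectories",
-"dynamodb:describebackup",
-"dynamodb:describecontinuousbackups",
-"dynamodb:describeglobaltable",
-"dynamodb:describeglobaltablesettings",
-"dynamodb:describelimits",
-"dynamodb:describereservedcapacity",
-"dynamodb:describereservedcapacityofferings",
-"dynamodb:describestream",
-"dynamodb:describetable",
-"dynamodb:describetimetolive",
-"dynamodb:listbackups",
-"dynamodb:listglobaltables",
-"dynamodb:liststreams",
-"dynamodb:listtables",
-"dynamodb:listtagsofresource",
-"ec2:describe*",
-"ec2:get*",
-"ecr:describe*",
-"ecr:getrepositorypolicy",
-"ecr:listimages",
-"ecs:describe*",
-"ecs:list*",
-"eks:describecluster",
-"eks:listclusters",
-"elasticache:describe*",
-"elasticbeanstalk:describe*",
-"elasticbeanstalk:listavailablesolutionstacks",
-"elasticfilesystem:describefilesystems",
-"elasticfilesystem:describemounttargets",
-"elasticfilesystem:describemounttargetsecuritygroups",
-"elasticloadbalancing:describe*",
-"elasticmapreduce:describe*",
-"elasticmapreduce:list*",
-"elastictranscoder:list*",
-"es:describe*",
-"es:listdomainnames",
-"events:describe*",
-"events:list*",
-"firehose:describe*",
-"firehose:list*",
-"fms:listcompliancestatus",
-"fms:listpolicies",
-"fsx:describe*",
-"fsx:list*",
-"gamelift:list*",
-"glacier:describevault",
-"glacier:getvaultaccesspolicy",
-"glacier:list*",
-"globalaccelerator:describe*",
-"globalaccelerator:list*",
-"greengrass:list*",
-"guardduty:get*",
-"guardduty:list*",
-"iam:generatecredentialreport",
-"iam:generateservicelastaccesseddetails",
-"iam:get*",
-"iam:list*",
-"iam:simulatecustompolicy",
-"iam:simulateprincipalpolicy",
-"importexport:listjobs",
-"inspector:describe*",
-"inspector:get*",
-"inspector:list*",
-"inspector:preview*",
-"iot:describe*",
-"iot:getpolicy",
-"iot:getpolicyversion",
-"iot:list*",
-"kinesis:describestream",
-"kinesis:liststreams",
-"kinesis:listtagsforstream",
-"kinesisanalytics:listapplications",
-"kms:describe*",
-"kms:get*",
-"kms:list*",
-"lambda:getaccountsettings",
-"lambda:getfunctionconfiguration",
-"lambda:getlayerversionpolicy",
-"lambda:getpolicy",
-"lambda:list*",
-"lex:getbotaliases",
-"lex:getbotchannelassociations",
-"lex:getbots",
-"lex:getbotversions",
-"lex:getintents",
-"lex:getintentversions",
-"lex:getslottypes",
-"lex:getslottypeversions",
-"lex:getutterancesview",
-"license-manager:list*",
-"lightsail:getblueprints",
-"lightsail:getbundles",
-"lightsail:getinstances",
-"lightsail:getinstancesnapshots",
-"lightsail:getkeypair",
-"lightsail:getloadbalancers",
-"lightsail:getregions",
-"lightsail:getstaticips",
-"lightsail:isvpcpeered",
-"logs:describe*",
-"logs:listtagsloggroup",
-"machinelearning:describe*",
-"mediaconnect:describe*",
-"mediaconnect:list*",
-"mediastore:getcontainerpolicy",
-"mediastore:listcontainers",
-"mobilehub:listavailablefeatures",
-"mobilehub:listavailableregions",
-"mobilehub:listprojects",
-"mobiletargeting:getapplicationsettings",
-"mobiletargeting:getcampaigns",
-"mobiletargeting:getimportjobs",
-"mobiletargeting:getsegments",
-"opsworks-cm:describe*",
-"opsworks-cm:describeservers",
-"opsworks:describe*",
-"opsworks:describestacks",
-"organizations:describe*",
-"organizations:list*",
-"polly:describe*",
-"polly:list*",
-"quicksight:describe*",
-"quicksight:list*",
-"ram:list*",
-"rds:describe*",
-"rds:downloaddblogfileportion",
-"rds:listtagsforresource",
-"redshift:describe*",
-"redshift:viewqueriesinconsole",
-"rekognition:describe*",
-"rekognition:list*",
-"robomaker:describe*",
-"robomaker:list*",
-"route53:get*",
-"route53:list*",
-"route53domains:getdomaindetail",
-"route53domains:getoperationdetail",
-"route53domains:list*",
-"route53resolver:get*",
-"route53resolver:list*",
-"s3:getaccelerateconfiguration",
-"s3:getaccountpublicaccessblock",
-"s3:getanalyticsconfiguration",
-"s3:getbucket*",
-"s3:getencryptionconfiguration",
-"s3:getinventoryconfiguration",
-"s3:getlifecycleconfiguration",
-"s3:getmetricsconfiguration",
-"s3:getobjectacl",
-"s3:getobjectversionacl",
-"s3:getreplicationconfiguration",
-"s3:listallmybuckets",
-"s3:listbucket",
-"sagemaker:describe*",
-"sagemaker:list*",
-"sdb:domainmetadata",
-"sdb:list*",
-"secretsmanager:getresourcepolicy",
-"secretsmanager:listsecrets",
-"secretsmanager:listsecretversionids",
-"securityhub:describe*",
-"securityhub:get*",
-"securityhub:list*",
-"serverlessrepo:getapplicationpolicy",
-"serverlessrepo:list*",
-"servicecatalog:list*",
-"ses:getidentitydkimattributes",
-"ses:getidentitypolicies",
-"ses:getidentityverificationattributes",
-"ses:list*",
-"ses:sendemail",
-"shield:describe*",
-"shield:list*",
-"snowball:listclusters",
-"snowball:listjobs",
-"sns:gettopicattributes",
-"sns:list*",
-"sqs:getqueueattributes",
-"sqs:listdeadlettersourcequeues",
-"sqs:listqueues",
-"sqs:listqueuetags",
-"ssm:describe*",
-"ssm:getautomationexecution",
-"ssm:listassociations",
-"ssm:listdocuments",
-"sso:describepermissionspolicies",
-"sso:list*",
-"states:listactivities",
-"states:liststatemachines",
-"storagegateway:describebandwidthratelimit",
-"storagegateway:describecache",
-"storagegateway:describecachediscsivolumes",
-"storagegateway:describegatewayinformation",
-"storagegateway:describemaintenancestarttime",
-"storagegateway:describenfsfileshares",
-"storagegateway:describesnapshotschedule",
-"storagegateway:describestorediscsivolumes",
-"storagegateway:describetapearchives",
-"storagegateway:describetaperecoverypoints",
-"storagegateway:describetapes",
-"storagegateway:describeuploadbuffer",
-"storagegateway:describevtldevices",
-"storagegateway:describeworkingstorage",
-"storagegateway:list*",
-"support:describe*",
-"swf:list*",
-"tag:getresources",
-"tag:gettagkeys",
-"transfer:describe*",
-"transfer:list*",
-"translate:list*",
-"trustedadvisor:describe*",
-"waf-regional:list*",
-"waf-regional:listwebacls",
-"waf:list*",
-"workdocs:describeavailabledirectories",
-"workdocs:describeinstances",
-"workmail:describe*",
-"workspaces:describe*"
-],
-"Effect": "Allow",
-"Resource": "*"
-}
-]
-}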