From e18cea213bdab656dd7d1531c9547e2cee68cb66 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Fri, 22 Nov 2019 12:42:57 +0100
Subject: [PATCH] consolidated ProwlerReadOnlyPolicy and available json

---
 README.md | 8 +-
 iam/prowler-policy.json | 329 ----------------------------------------
 2 files changed, 3 insertions(+), 334 deletions(-)
 delete mode 100644 iam/prowler-policy.json

diff --git a/README.md b/README.md
index 533cab0d..c1bbfdbc 100644
--- a/README.md
+++ b/README.md
@@ -271,9 +271,9 @@ There are some helpfull tools to save time in this process like [aws-mfa-script]
 ### Custom IAM Policy
-Some new and specific checks require Prowler to inherit more permissions than SecurityAudit to work properly. Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list and additional services mostly). Here you go a good example for a "ProwlerReadOnlyPolicy":
+Some new and specific checks require Prowler to inherit more permissions than SecurityAudit to work properly. In addition to the AWS managed policy "SecurityAudit" for the role you use for checks you may need to create a custom policy with a few more permissions (get and list and additional services mostly). Here you go a good example for a "ProwlerReadOnlyPolicy" (see below bootstrap script for set it up):
-[iam/prowler-policy.json](iam/prowler-policy.json)
+[iam/prowler-additions-policy.json](iam/prowler-additions-policy.json)
 > Note: Action `ec2:get*` is included in "ProwlerReadOnlyPolicy" policy above, that includes `get-password-data`, type `aws ec2 get-password-data help` to better understand its implications.
@@ -285,7 +285,7 @@ Quick bash script to set up a "prowler" IAM user with "SecurityAudit" group with
 export AWS_DEFAULT_PROFILE=default
 export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
 aws iam create-group --group-name SecurityAudit
-aws iam create-policy --policy-name ProwlerReadOnlyPolicy --policy-document file://$(pwd)/iam/prowler-policy.json
+aws iam create-policy --policy-name ProwlerReadOnlyPolicy --policy-document file://$(pwd)/iam/prowler-additions-policy.json
 aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
 aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerReadOnlyPolicy
 aws iam create-user --user-name prowler
@@ -294,8 +294,6 @@ aws iam create-access-key --user-name prowler
 unset ACCOUNT_ID AWS_DEFAULT_PROFILE
 ```
-> Note: most of the actions included in the managed policy "SecurityAudit" are already in "ProwlerReadOnlyPolicy", but adding both for compatibility with future services or additions to "SecurityAudit".
-
 The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you lose it, you will need to generate a replacement.
 ## Extras
diff --git a/iam/prowler-policy.json b/iam/prowler-policy.json
deleted file mode 100644
index 2f7a4f83..00000000
--- a/iam/prowler-policy.json
+++ /dev/null
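Review bot: The `aws iam create-policy --policy-name ProwlerReadOnlyPolicy --policy-document file://$(pwd)/iam/prowler-additions-policy.json` line, like the link in the first hunk, now references `iam/prowler-additions-policy.json`, but the diffstat lists only README.md as changed and `iam/prowler-policy.json` as deleted, so this commit does not add that file; unless it already exists in the tree, the bootstrap script fails at `create-policy` and the later `attach-group-policy` for `ProwlerReadOnlyPolicy` fails too, leaving the group with only the managed `SecurityAudit` policy. If the new file lands in a separate commit the reference is fine, otherwise the two should be committed together. The rewritten paragraph in the first hunk now says "the role you use for checks" while this script still creates an IAM user with a long-lived access key, so the wording could read `for the user or role you use for checks` to match it. The note dropped in the last hunk was the only place that explained why both `attach-group-policy` lines are present; a one-line comment above them such as `# SecurityAudit plus the additions policy: the managed policy may gain actions later` would keep that rationale without the removed paragraph.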
@@ -1,329 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "acm:describe*",
- "acm:list*",
- "apigateway:get*",
- "apigatewayv2:get*",
- "application-autoscaling:describe*",
- "appmesh:describe*",
- "appmesh:list*",
- "appsync:list*",
- "athena:list*",
- "autoscaling:describe*",
- "aws-marketplace:viewsubscriptions",
- "batch:describecomputeenvironments",
- "batch:describejobdefinitions",
- "batch:listjobs",
- "chime:list*",
- "cloud9:describe*",
- "cloud9:listenvironments",
- "clouddirectory:listappliedschemaarns",
- "clouddirectory:listdevelopmentschemaarns",
- "clouddirectory:listdirectories",
- "clouddirectory:listpublishedschemaarns",
- "cloudformation:describestack*",
- "cloudformation:getstackpolicy",
- "cloudformation:gettemplate",
- "cloudformation:list*",
- "cloudfront:get*",
- "cloudfront:list*",
- "cloudhsm:listavailablezones",
- "cloudhsm:listhapgs",
- "cloudhsm:listhsms",
- "cloudhsm:listlunaclients",
- "cloudsearch:describedomains",
- "cloudsearch:describeserviceaccesspolicies",
- "cloudsearch:list*",
- "cloudtrail:describetrails",
- "cloudtrail:geteventselectors",
- "cloudtrail:gettrailstatus",
- "cloudtrail:listtags",
- "cloudtrail:lookupevents",
- "cloudwatch:describe*",
- "cloudwatch:get*",
- "cloudwatch:list*",
- "codebuild:listbuilds*",
- "codebuild:listprojects",
- "codecommit:batchgetrepositories",
- "codecommit:getbranch",
- "codecommit:getobjectidentifier",
- "codecommit:getrepository",
- "codecommit:list*",
- "codedeploy:batch*",
- "codedeploy:get*",
- "codedeploy:list*",
- "codepipeline:listpipelines",
- "codestar:describe*",
- "codestar:list*",
- "codestar:verify*",
- "cognito-identity:listidentities",
- "cognito-identity:listidentitypools",
- "cognito-idp:list*",
- "cognito-idp:listuserpools",
- "cognito-sync:describe*",
- "cognito-sync:list*",
- "cognito-sync:listdatasets",
- "comprehend:describe*",
- "comprehend:list*",
- "config:batchgetaggregateresourceconfig",
- "config:batchgetresourceconfig",
- "config:deliver*",
- "config:describe*",
- "config:get*",
- "config:list*",
- "connect:list*",
- "datapipeline:describeobjects",
- "datapipeline:describepipelines",
- "datapipeline:evaluateexpression",
- "datapipeline:getaccountlimits",
- "datapipeline:getpipelinedefinition",
- "datapipeline:listpipelines",
- "datapipeline:queryobjects",
- "datapipeline:validatepipelinedefinition",
- "datasync:describe*",
- "datasync:list*",
- "dax:describe*",
- "dax:describeclusters",
- "dax:describedefaultparameters",
- "dax:describeevents",
- "dax:describeparametergroups",
- "dax:describeparameters",
- "dax:describesubnetgroups",
- "dax:describetable",
- "dax:listtables",
- "dax:listtags",
- "devicefarm:list*",
- "directconnect:describe*",
- "discovery:list*",
- "dms:describe*",
- "dms:list*",
- "dms:listtagsforresource",
- "ds:describedirectories",
- "dynamodb:describebackup",
- "dynamodb:describecontinuousbackups",
- "dynamodb:describeglobaltable",
- "dynamodb:describeglobaltablesettings",
- "dynamodb:describelimits",
- "dynamodb:describereservedcapacity",
- "dynamodb:describereservedcapacityofferings",
- "dynamodb:describestream",
- "dynamodb:describetable",
- "dynamodb:describetimetolive",
- "dynamodb:listbackups",
- "dynamodb:listglobaltables",
- "dynamodb:liststreams",
- "dynamodb:listtables",
- "dynamodb:listtagsofresource",
- "ec2:describe*",
- "ec2:get*",
- "ecr:describe*",
- "ecr:getrepositorypolicy",
- "ecr:listimages",
- "ecs:describe*",
- "ecs:list*",
- "eks:describecluster",
- "eks:listclusters",
- "elasticache:describe*",
- "elasticbeanstalk:describe*",
- "elasticbeanstalk:listavailablesolutionstacks",
- "elasticfilesystem:describefilesystems",
- "elasticfilesystem:describemounttargets",
- "elasticfilesystem:describemounttargetsecuritygroups",
- "elasticloadbalancing:describe*",
- "elasticmapreduce:describe*",
- "elasticmapreduce:list*",
- "elastictranscoder:list*",
- "es:describe*",
- "es:listdomainnames",
- "events:describe*",
- "events:list*",
- "firehose:describe*",
- "firehose:list*",
- "fms:listcompliancestatus",
- "fms:listpolicies",
- "fsx:describe*",
- "fsx:list*",
- "gamelift:list*",
- "glacier:describevault",
- "glacier:getvaultaccesspolicy",
- "glacier:list*",
- "globalaccelerator:describe*",
- "globalaccelerator:list*",
- "greengrass:list*",
- "guardduty:get*",
- "guardduty:list*",
- "iam:generatecredentialreport",
- "iam:generateservicelastaccesseddetails",
- "iam:get*",
- "iam:list*",
- "iam:simulatecustompolicy",
- "iam:simulateprincipalpolicy",
- "importexport:listjobs",
- "inspector:describe*",
- "inspector:get*",
- "inspector:list*",
- "inspector:preview*",
- "iot:describe*",
- "iot:getpolicy",
- "iot:getpolicyversion",
- "iot:list*",
- "kinesis:describestream",
- "kinesis:liststreams",
- "kinesis:listtagsforstream",
- "kinesisanalytics:listapplications",
- "kms:describe*",
- "kms:get*",
- "kms:list*",
- "lambda:getaccountsettings",
- "lambda:getfunctionconfiguration",
- "lambda:getlayerversionpolicy",
- "lambda:getpolicy",
- "lambda:list*",
- "lex:getbotaliases",
- "lex:getbotchannelassociations",
- "lex:getbots",
- "lex:getbotversions",
- "lex:getintents",
- "lex:getintentversions",
- "lex:getslottypes",
- "lex:getslottypeversions",
- "lex:getutterancesview",
- "license-manager:list*",
- "lightsail:getblueprints",
- "lightsail:getbundles",
- "lightsail:getinstances",
- "lightsail:getinstancesnapshots",
- "lightsail:getkeypair",
- "lightsail:getloadbalancers",
- "lightsail:getregions",
- "lightsail:getstaticips",
- "lightsail:isvpcpeered",
- "logs:describe*",
- "logs:listtagsloggroup",
- "machinelearning:describe*",
- "mediaconnect:describe*",
- "mediaconnect:list*",
- "mediastore:getcontainerpolicy",
- "mediastore:listcontainers",
- "mobilehub:listavailablefeatures",
- "mobilehub:listavailableregions",
- "mobilehub:listprojects",
- "mobiletargeting:getapplicationsettings",
- "mobiletargeting:getcampaigns",
- "mobiletargeting:getimportjobs",
- "mobiletargeting:getsegments",
- "opsworks-cm:describe*",
- "opsworks-cm:describeservers",
- "opsworks:describe*",
- "opsworks:describestacks",
- "organizations:describe*",
- "organizations:list*",
- "polly:describe*",
- "polly:list*",
- "quicksight:describe*",
- "quicksight:list*",
- "ram:list*",
- "rds:describe*",
- "rds:downloaddblogfileportion",
- "rds:listtagsforresource",
- "redshift:describe*",
- "redshift:viewqueriesinconsole",
- "rekognition:describe*",
- "rekognition:list*",
- "robomaker:describe*",
- "robomaker:list*",
- "route53:get*",
- "route53:list*",
- "route53domains:getdomaindetail",
- "route53domains:getoperationdetail",
- "route53domains:list*",
- "route53resolver:get*",
- "route53resolver:list*",
- "s3:getaccelerateconfiguration",
- "s3:getaccountpublicaccessblock",
- "s3:getanalyticsconfiguration",
- "s3:getbucket*",
- "s3:getencryptionconfiguration",
- "s3:getinventoryconfiguration",
- "s3:getlifecycleconfiguration",
- "s3:getmetricsconfiguration",
- "s3:getobjectacl",
- "s3:getobjectversionacl",
- "s3:getreplicationconfiguration",
- "s3:listallmybuckets",
- "s3:listbucket",
- "sagemaker:describe*",
- "sagemaker:list*",
- "sdb:domainmetadata",
- "sdb:list*",
- "secretsmanager:getresourcepolicy",
- "secretsmanager:listsecrets",
- "secretsmanager:listsecretversionids",
- "securityhub:describe*",
- "securityhub:get*",
- "securityhub:list*",
- "serverlessrepo:getapplicationpolicy",
- "serverlessrepo:list*",
- "servicecatalog:list*",
- "ses:getidentitydkimattributes",
- "ses:getidentitypolicies",
- "ses:getidentityverificationattributes",
- "ses:list*",
- "ses:sendemail",
- "shield:describe*",
- "shield:list*",
- "snowball:listclusters",
- "snowball:listjobs",
- "sns:gettopicattributes",
- "sns:list*",
- "sqs:getqueueattributes",
- "sqs:listdeadlettersourcequeues",
- "sqs:listqueues",
- "sqs:listqueuetags",
- "ssm:describe*",
- "ssm:getautomationexecution",
- "ssm:listassociations",
- "ssm:listdocuments",
- "sso:describepermissionspolicies",
- "sso:list*",
- "states:listactivities",
- "states:liststatemachines",
- "storagegateway:describebandwidthratelimit",
- "storagegateway:describecache",
- "storagegateway:describecachediscsivolumes",
- "storagegateway:describegatewayinformation",
- "storagegateway:describemaintenancestarttime",
- "storagegateway:describenfsfileshares",
- "storagegateway:describesnapshotschedule",
- "storagegateway:describestorediscsivolumes",
- "storagegateway:describetapearchives",
- "storagegateway:describetaperecoverypoints",
- "storagegateway:describetapes",
- "storagegateway:describeuploadbuffer",
- "storagegateway:describevtldevices",
- "storagegateway:describeworkingstorage",
- "storagegateway:list*",
- "support:describe*",
- "swf:list*",
- "tag:getresources",
- "tag:gettagkeys",
- "transfer:describe*",
- "transfer:list*",
- "translate:list*",
- "trustedadvisor:describe*",
- "waf-regional:list*",
- "waf-regional:listwebacls",
- "waf:list*",
- "workdocs:describeavailabledirectories",
- "workdocs:describeinstances",
- "workmail:describe*",
- "workspaces:describe*"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }
- ]
-}