From f364315e48e71cf718ddef75bbb4f8bfc12fed86 Mon Sep 17 00:00:00 2001 From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Tue, 7 Mar 2023 14:14:31 +0100 Subject: [PATCH] chore(iam): update Prowler permissions (#2050) --- docs/tutorials/aws/securityhub.md | 6 ++-- permissions/create_role_to_assume_cfn.yaml | 38 ++++++++++++++++------ permissions/prowler-additions-policy.json | 2 ++ 3 files changed, 33 insertions(+), 13 deletions(-) diff --git a/docs/tutorials/aws/securityhub.md b/docs/tutorials/aws/securityhub.md index 9d225d6c..d0e1be60 100644 --- a/docs/tutorials/aws/securityhub.md +++ b/docs/tutorials/aws/securityhub.md @@ -18,13 +18,13 @@ Before sending findings to Prowler, you will need to perform next steps: Once it is enabled, it is as simple as running the command below (for all regions): ```sh -./prowler aws -S +prowler aws -S ``` or for only one filtered region like eu-west-1: ```sh -./prowler -S -f eu-west-1 +prowler -S -f eu-west-1 ``` > **Note 1**: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command. @@ -43,5 +43,5 @@ By default, Prowler archives all its findings in Security Hub that have not appe You can skip this logic by using the option `--skip-sh-update` so Prowler will not archive older findings: ```sh -./prowler -S --skip-sh-update +prowler -S --skip-sh-update ``` diff --git a/permissions/create_role_to_assume_cfn.yaml b/permissions/create_role_to_assume_cfn.yaml index c5f3ef96..89a3ddcf 100644 --- a/permissions/create_role_to_assume_cfn.yaml +++ b/permissions/create_role_to_assume_cfn.yaml 
@@ -4,7 +4,7 @@ AWSTemplateFormatVersion: '2010-09-09' # aws cloudformation create-stack \ # --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \ # --template-body "file://create_role_to_assume_cfn.yaml" \ -# --stack-name "ProwlerExecRole" \ +# --stack-name "ProwlerScanRole" \ # --parameters "ParameterKey=AuthorisedARN,ParameterValue=arn:aws:iam::123456789012:root" # Description: | @@ -13,7 +13,7 @@ Description: | account to assume that role. The role name and the ARN of the trusted user can all be passed to the CloudFormation stack as parameters. Then you can run Prowler to perform a security assessment with a command like: - ./prowler -A -R ProwlerExecRole + prowler --role ProwlerScanRole.ARN Parameters: AuthorisedARN: Description: | @@ -22,12 +22,12 @@ Parameters: Type: String ProwlerRoleName: Description: | - Name of the IAM role that will have these policies attached. Default: ProwlerExecRole + Name of the IAM role that will have these policies attached. Default: ProwlerScanRole Type: String - Default: 'ProwlerExecRole' + Default: 'ProwlerScanRole' Resources: - ProwlerExecRole: + ProwlerScanRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: 
@@ -42,31 +42,49 @@ Resources:
 # Bool:
 # 'aws:MultiFactorAuthPresent': true
 # This is 12h that is maximum allowed, Minimum is 3600 = 1h
- # to take advantage of this use -T like in './prowler -A -R ProwlerExecRole -T 43200 -M text,html'
+ # to take advantage of this use -T like in './prowler --role ProwlerScanRole.ARN -T 43200'
 MaxSessionDuration: 43200
 ManagedPolicyArns:
 - 'arn:aws:iam::aws:policy/SecurityAudit'
 - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
 RoleName: !Sub ${ProwlerRoleName}
 Policies:
- - PolicyName: ProwlerExecRoleAdditionalViewPrivileges
+ - PolicyName: ProwlerScanRoleAdditionalViewPrivileges
 PolicyDocument:
 Version : '2012-10-17'
 Statement:
 - Effect: Allow
 Action:
- - 'ds:ListAuthorizedApplications'
+ - 'account:Get*'
+ - 'appstream:Describe*'
+ - 'appstream:List*'
+ - 'codeartifact:List*'
+ - 'codebuild:BatchGet*'
+ - 'ds:Get*'
+ - 'ds:Describe*'
+ - 'ds:List*'
 - 'ec2:GetEbsEncryptionByDefault'
 - 'ecr:Describe*'
 - 'elasticfilesystem:DescribeBackupPolicy'
 - 'glue:GetConnections'
- - 'glue:GetSecurityConfiguration'
+ - 'glue:GetSecurityConfiguration*'
 - 'glue:SearchTables'
- - 'lambda:GetFunction'
+ - 'lambda:GetFunction*'
+ - 'macie2:GetMacieSession'
 - 's3:GetAccountPublicAccessBlock'
 - 'shield:DescribeProtection'
 - 'shield:GetSubscriptionState'
+ - 'securityhub:BatchImportFindings'
+ - 'securityhub:GetFindings'
 - 'ssm:GetDocument'
 - 'support:Describe*'
 - 'tag:GetTagKeys'
 Resource: '*'
+ - PolicyName: ProwlerScanRoleAdditionalViewPrivilegesApiGateway
+ PolicyDocument:
+ Version : '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'apigateway:GET'
+ Resource: 'arn:aws:apigateway:*::/restapis/*'
diff --git a/permissions/prowler-additions-policy.json b/permissions/prowler-additions-policy.json
index edd38f9d..df425e4e 100644
--- a/permissions/prowler-additions-policy.json
+++ b/permissions/prowler-additions-policy.json
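Review bot: `securityhub:BatchImportFindings` is a write action, but the hunk adds it (together with `securityhub:GetFindings`) to `ProwlerScanRoleAdditionalViewPrivileges` on `Resource: '*'`, so every deployment of a role documented as view-only can now create and update Security Hub findings whether or not it is ever run with `-S`. Since the hunk already isolates the API Gateway grant in its own policy, do the same for the two `securityhub:` actions, with a comment stating they are only required for the Security Hub integration so operators who do not use it can delete that policy; also check the IAM action reference for whether `BatchImportFindings` can be narrowed with the `securityhub:TargetAccount` condition key rather than left at `*`. Separately, the `apigateway:GET` resource `arn:aws:apigateway:*::/restapis/*` does not match the collection ARN `arn:aws:apigateway:*::/restapis` that listing the REST APIs uses, so unless SecurityAudit or ViewOnlyAccess already grants it, that ARN should be added as a second `Resource` entry. The enclosing `ProwlerScanRole` resource and its trust policy start before this hunk.

```yaml
      # … unchanged: ProwlerScanRoleAdditionalViewPrivileges (minus the two securityhub: actions)
      #     and ProwlerScanRoleAdditionalViewPrivilegesApiGateway …
      - PolicyName: ProwlerScanRoleSecurityHubIntegration
        PolicyDocument:
          Version : '2012-10-17'
          Statement:
            - Effect: Allow
              # Write access to Security Hub is only needed when Prowler is run with -S
              # (send findings to Security Hub); remove this policy if you do not use it.
              Action:
                - 'securityhub:BatchImportFindings'
                - 'securityhub:GetFindings'
              Resource: '*'
```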
@@ -3,7 +3,9 @@
 "Statement": [
 {
 "Action": [
+ "account:Get*",
 "appstream:Describe*",
+ "appstream:List*",
 "codeartifact:List*",
 "codebuild:BatchGet*",
 "ds:Describe*",
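Review bot: The action list here may be out of step with the CloudFormation inline policy changed in the same commit: that template also gains `ds:Get*`, `ds:List*`, `glue:GetSecurityConfiguration*`, `lambda:GetFunction*`, `macie2:GetMacieSession`, `securityhub:BatchImportFindings`, `securityhub:GetFindings` and `apigateway:GET`, but only `account:Get*` and `appstream:List*` are added here, and whether the rest already exist further down `prowler-additions-policy.json` is not visible from this hunk. Because the two permission sources are maintained by hand (this commit is itself a re-sync), they will drift again; JSON cannot carry a comment, so the right place for the safeguard is a small test that parses this file and the template's inline policies and asserts the action sets are equal. The surrounding `Statement` array continues beyond the hunk.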