chore(allowlist): prettify allowlist names (#2963)

prowler/config/aws_allowlist.yaml

@@ -1,84 +1,65 @@
-### Account, Check and/or Region can be * to apply for all the cases.
-### Resources and tags are lists that can have either Regex or Keywords.
-### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together.
-### Use an alternation Regex to match one of multiple tags with "ORed" logic.
-### For each check you can except Accounts, Regions, Resources and/or Tags.
-###########################  ALLOWLIST EXAMPLE  ###########################
+# When using Control Tower, guardrails prevent access to certain protected resources.
+# The allowlist below ensures that warnings instead of errors are reported for the affected resources.
+# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
+###########################  CONTROL TOWER ALLOWLIST  ###########################
+### The following file includes all resources created by AWS Control Tower ###
 Allowlist:
   Accounts:
-    "123456789012":
-      Checks:
-        "iam_user_hardware_mfa_enabled":
-          Regions:
-            - "us-east-1"
-          Resources:
-            - "user-1"           # Will ignore user-1 in check iam_user_hardware_mfa_enabled
-            - "user-2"           # Will ignore user-2 in check iam_user_hardware_mfa_enabled
-        "ec2_*":
-          Regions:
-            - "*"
-          Resources:
-            - "*"                 # Will ignore every EC2 check in every account and region
-        "*":
-          Regions:
-            - "*"
-          Resources:
-            - "test"
-          Tags:
-            - "test=test"         # Will ignore every resource containing the string "test" and the tags 'test=test' and
-            - "project=test|project=stage" # either of ('project=test' OR project=stage) in account 123456789012 and every region
-
     "*":
       Checks:
-        "s3_bucket_object_versioning":
+        "cloudwatch_log_group_*":
           Regions:
-            - "eu-west-1"
-            - "us-east-1"
+            - "*"
           Resources:
-            - "ci-logs"           # Will ignore bucket "ci-logs" AND ALSO bucket "ci-logs-replica" in specified check and regions
-            - "logs"              # Will ignore EVERY BUCKET containing the string "logs" in specified check and regions
-            - ".+-logs"           # Will ignore all buckets containing the terms ci-logs, qa-logs, etc. in specified check and regions
-        "*":
+            - "/aws/lambda/aws-controltower-NotificationForwarder"
+            - "StackSet-AWSControlTowerBP-*"
+        "awslambda_function_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-NotificationForwarder"
+        "cloudformation_stacks_*":
+          Regions:
+            - "*"
+          Resources:
+            - "StackSet-AWSControlTowerGuardrailAWS-*"
+            - "StackSet-AWSControlTowerBP-*"
+        "cloudtrail_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-BaselineCloudTrail"
+        "iam_role_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-AdministratorExecutionRole"
+            - "aws-controltower-CloudWatchLogsRole"
+            - "aws-controltower-ConfigRecorderRole"
+            - "aws-controltower-ForwardSnsNotificationRole"
+            - "aws-controltower-ReadOnlyExecutionRole"
+            - "AWSControlTower_VPCFlowLogsRole"
+            - "AWSControlTowerExecution"
+        "iam_policy_*":
+          Regions:
+            - "*"
+          Resources:
+            - "AWSControlTowerServiceRolePolicy"
+        "s3_bucket_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-logs-*"
+            - "aws-controltower-s3-access-logs-*"
+        "sns_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-SecurityNotifications"
+        "vpc_*":
           Regions:
             - "*"
           Resources:
             - "*"
           Tags:
-            - "environment=dev"    # Will ignore every resource containing the tag 'environment=dev' in every account and region
-
-    "*":
-      Checks:
-        "ecs_task_definitions_no_environment_secrets":
-          Regions:
-            - "*"
-          Resources:
-            - "*"
-          Exceptions:
-            Accounts:
-              - "0123456789012"
-            Regions:
-              - "eu-west-1"
-              - "eu-south-2"        # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1
-
-    "123456789012":
-      Checks:
-        "*":
-          Regions:
-            - "*"
-          Resources:
-            - "*"
-          Exceptions:
-            Resources:
-              - "test"
-            Tags:
-              - "environment=prod"   # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
-
-
-
-# EXAMPLE: CONTROL TOWER (to migrate)
-# When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
-# below ensures that warnings instead of errors are reported for the affected resources.
-#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
-#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
-#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
-#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
+            - "Name=aws-controltower-VPC"

prowler/config/aws_allowlist_example.yaml

@@ -0,0 +1,74 @@
+### Account, Check and/or Region can be * to apply for all the cases.
+### Resources and tags are lists that can have either Regex or Keywords.
+### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together.
+### Use an alternation Regex to match one of multiple tags with "ORed" logic.
+### For each check you can except Accounts, Regions, Resources and/or Tags.
+###########################  ALLOWLIST EXAMPLE  ###########################
+Allowlist:
+  Accounts:
+    "123456789012":
+      Checks:
+        "iam_user_hardware_mfa_enabled":
+          Regions:
+            - "us-east-1"
+          Resources:
+            - "user-1"           # Will ignore user-1 in check iam_user_hardware_mfa_enabled
+            - "user-2"           # Will ignore user-2 in check iam_user_hardware_mfa_enabled
+        "ec2_*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"                 # Will ignore every EC2 check in every account and region
+        "*":
+          Regions:
+            - "*"
+          Resources:
+            - "test"
+          Tags:
+            - "test=test"         # Will ignore every resource containing the string "test" and the tags 'test=test' and
+            - "project=test|project=stage" # either of ('project=test' OR project=stage) in account 123456789012 and every region
+
+    "*":
+      Checks:
+        "s3_bucket_object_versioning":
+          Regions:
+            - "eu-west-1"
+            - "us-east-1"
+          Resources:
+            - "ci-logs"           # Will ignore bucket "ci-logs" AND ALSO bucket "ci-logs-replica" in specified check and regions
+            - "logs"              # Will ignore EVERY BUCKET containing the string "logs" in specified check and regions
+            - ".+-logs"           # Will ignore all buckets containing the terms ci-logs, qa-logs, etc. in specified check and regions
+        "*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Tags:
+            - "environment=dev"    # Will ignore every resource containing the tag 'environment=dev' in every account and region
+
+    "*":
+      Checks:
+        "ecs_task_definitions_no_environment_secrets":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Exceptions:
+            Accounts:
+              - "0123456789012"
+            Regions:
+              - "eu-west-1"
+              - "eu-south-2"        # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1
+
+    "123456789012":
+      Checks:
+        "*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Exceptions:
+            Resources:
+              - "test"
+            Tags:
+              - "environment=prod"   # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod

prowler/config/aws_controltower_allowlist.yaml

@@ -1,65 +0,0 @@
-# When using Control Tower, guardrails prevent access to certain protected resources.
-# The allowlist below ensures that warnings instead of errors are reported for the affected resources.
-# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
-###########################  CONTROL TOWER ALLOWLIST  ###########################
-### The following file includes all resources created by AWS Control Tower ###
-Allowlist:
-  Accounts:
-    "*":
-      Checks:
-        "cloudwatch_log_group_*":
-          Regions:
-            - "*"
-          Resources:
-            - "/aws/lambda/aws-controltower-NotificationForwarder"
-            - "StackSet-AWSControlTowerBP-*"
-        "awslambda_function_*":
-          Regions:
-            - "*"
-          Resources:
-            - "aws-controltower-NotificationForwarder"
-        "cloudformation_stacks_*":
-          Regions:
-            - "*"
-          Resources:
-            - "StackSet-AWSControlTowerGuardrailAWS-*"
-            - "StackSet-AWSControlTowerBP-*"
-        "cloudtrail_*":
-          Regions:
-            - "*"
-          Resources:
-            - "aws-controltower-BaselineCloudTrail"
-        "iam_role_*":
-          Regions:
-            - "*"
-          Resources:
-            - "aws-controltower-AdministratorExecutionRole"
-            - "aws-controltower-CloudWatchLogsRole"
-            - "aws-controltower-ConfigRecorderRole"
-            - "aws-controltower-ForwardSnsNotificationRole"
-            - "aws-controltower-ReadOnlyExecutionRole"
-            - "AWSControlTower_VPCFlowLogsRole"
-            - "AWSControlTowerExecution"
-        "iam_policy_*":
-          Regions:
-            - "*"
-          Resources:
-            - "AWSControlTowerServiceRolePolicy"
-        "s3_bucket_*":
-          Regions:
-            - "*"
-          Resources:
-            - "aws-controltower-logs-*"
-            - "aws-controltower-s3-access-logs-*"
-        "sns_*":
-          Regions:
-            - "*"
-          Resources:
-            - "aws-controltower-SecurityNotifications"
-        "vpc_*":
-          Regions:
-            - "*"
-          Resources:
-            - "*"
-          Tags:
-            - "Name=aws-controltower-VPC"