diff --git a/prowler/config/aws_allowlist.yaml b/prowler/config/aws_allowlist.yaml index 79329989..65af6111 100644 --- a/prowler/config/aws_allowlist.yaml +++ b/prowler/config/aws_allowlist.yaml 
@@ -1,84 +1,65 @@ -### Account, Check and/or Region can be * to apply for all the cases. -### Resources and tags are lists that can have either Regex or Keywords. -### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. -### Use an alternation Regex to match one of multiple tags with "ORed" logic. -### For each check you can except Accounts, Regions, Resources and/or Tags. -########################### ALLOWLIST EXAMPLE ########################### +# When using Control Tower, guardrails prevent access to certain protected resources. +# The allowlist below ensures that warnings instead of errors are reported for the affected resources. +# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html +########################### CONTROL TOWER ALLOWLIST ########################### +### The following file includes all resources created by AWS Control Tower ### Allowlist: Accounts: - "123456789012": - Checks: - "iam_user_hardware_mfa_enabled": - Regions: - - "us-east-1" - Resources: - - "user-1" # Will ignore user-1 in check iam_user_hardware_mfa_enabled - - "user-2" # Will ignore user-2 in check iam_user_hardware_mfa_enabled - "ec2_*": - Regions: - - "*" - Resources: - - "*" # Will ignore every EC2 check in every account and region - "*": - Regions: - - "*" - Resources: - - "test" - Tags: - - "test=test" # Will ignore every resource containing the string "test" and the tags 'test=test' and - - "project=test|project=stage" # either of ('project=test' OR project=stage) in account 123456789012 and every region - "*": Checks: - "s3_bucket_object_versioning": + "cloudwatch_log_group_*": Regions: - - "eu-west-1" - - "us-east-1" + - "*" Resources: - - "ci-logs" # Will ignore bucket "ci-logs" AND ALSO bucket "ci-logs-replica" in specified check and regions - - "logs" # Will ignore EVERY BUCKET containing the string "logs" in specified check and regions - - ".+-logs" # Will ignore all buckets containing the terms 
ci-logs, qa-logs, etc. in specified check and regions - "*": + - "/aws/lambda/aws-controltower-NotificationForwarder" + - "StackSet-AWSControlTowerBP-*" + "awslambda_function_*": + Regions: + - "*" + Resources: + - "aws-controltower-NotificationForwarder" + "cloudformation_stacks_*": + Regions: + - "*" + Resources: + - "StackSet-AWSControlTowerGuardrailAWS-*" + - "StackSet-AWSControlTowerBP-*" + "cloudtrail_*": + Regions: + - "*" + Resources: + - "aws-controltower-BaselineCloudTrail" + "iam_role_*": + Regions: + - "*" + Resources: + - "aws-controltower-AdministratorExecutionRole" + - "aws-controltower-CloudWatchLogsRole" + - "aws-controltower-ConfigRecorderRole" + - "aws-controltower-ForwardSnsNotificationRole" + - "aws-controltower-ReadOnlyExecutionRole" + - "AWSControlTower_VPCFlowLogsRole" + - "AWSControlTowerExecution" + "iam_policy_*": + Regions: + - "*" + Resources: + - "AWSControlTowerServiceRolePolicy" + "s3_bucket_*": + Regions: + - "*" + Resources: + - "aws-controltower-logs-*" + - "aws-controltower-s3-access-logs-*" + "sns_*": + Regions: + - "*" + Resources: + - "aws-controltower-SecurityNotifications" + "vpc_*": Regions: - "*" Resources: - "*" Tags: - - "environment=dev" # Will ignore every resource containing the tag 'environment=dev' in every account and region - - "*": - Checks: - "ecs_task_definitions_no_environment_secrets": - Regions: - - "*" - Resources: - - "*" - Exceptions: - Accounts: - - "0123456789012" - Regions: - - "eu-west-1" - - "eu-south-2" # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1 - - "123456789012": - Checks: - "*": - Regions: - - "*" - Resources: - - "*" - Exceptions: - Resources: - - "test" - Tags: - - "environment=prod" # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod - - - -# EXAMPLE: CONTROL TOWER (to migrate) -# When using Control 
Tower, guardrails prevent access to certain protected resources. The allowlist -# below ensures that warnings instead of errors are reported for the affected resources. -#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+ -#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+ -#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+ -#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+ + - "Name=aws-controltower-VPC" diff --git a/prowler/config/aws_allowlist_example.yaml b/prowler/config/aws_allowlist_example.yaml new file mode 100644 index 00000000..7f5028c0 --- /dev/null +++ b/prowler/config/aws_allowlist_example.yaml 
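Review bot: The trailing `-*` in the new Resources entries (`"aws-controltower-logs-*"`, `"aws-controltower-s3-access-logs-*"`, `"StackSet-AWSControlTowerBP-*"`, `"StackSet-AWSControlTowerGuardrailAWS-*"`) reads as a shell glob, but the file's own header (now moved to aws_allowlist_example.yaml) says resources are matched as regex or keywords, and under either reading the pattern is an unanchored "name contains aws-controltower-logs" rather than an exact Control Tower resource name. If the matcher is regex-based, anchoring the entries, e.g. `"^aws-controltower-logs-[0-9]+-[a-z-]+$"`, in the spirit of the commented-out extra734 patterns this hunk deletes, keeps the exemption limited to the resources Control Tower actually creates; if it is keyword-based, the `-*` suffix is dead weight and should be dropped so the intent is not misread. The same caveat applies to the `"vpc_*"` entry, whose `Resources: "*"` is narrowed only by the unanchored tag pattern `"Name=aws-controltower-VPC"`, and presumably to the check keys such as `"iam_role_*"` if they pass through the same matcher. Since every entry sits under `Accounts: "*"` and `Regions: "*"`, the header comment should also say that these exemptions apply to every scanned account and region, not only the Control Tower management account, so that operators who load this file in a non-Control-Tower estate know findings on similarly named resources will be downgraded.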
@@ -0,0 +1,74 @@ +### Account, Check and/or Region can be * to apply for all the cases. +### Resources and tags are lists that can have either Regex or Keywords. +### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together. +### Use an alternation Regex to match one of multiple tags with "ORed" logic. +### For each check you can except Accounts, Regions, Resources and/or Tags. +########################### ALLOWLIST EXAMPLE ########################### +Allowlist: + Accounts: + "123456789012": + Checks: + "iam_user_hardware_mfa_enabled": + Regions: + - "us-east-1" + Resources: + - "user-1" # Will ignore user-1 in check iam_user_hardware_mfa_enabled + - "user-2" # Will ignore user-2 in check iam_user_hardware_mfa_enabled + "ec2_*": + Regions: + - "*" + Resources: + - "*" # Will ignore every EC2 check in every account and region + "*": + Regions: + - "*" + Resources: + - "test" + Tags: + - "test=test" # Will ignore every resource containing the string "test" and the tags 'test=test' and + - "project=test|project=stage" # either of ('project=test' OR project=stage) in account 123456789012 and every region + + "*": + Checks: + "s3_bucket_object_versioning": + Regions: + - "eu-west-1" + - "us-east-1" + Resources: + - "ci-logs" # Will ignore bucket "ci-logs" AND ALSO bucket "ci-logs-replica" in specified check and regions + - "logs" # Will ignore EVERY BUCKET containing the string "logs" in specified check and regions + - ".+-logs" # Will ignore all buckets containing the terms ci-logs, qa-logs, etc. 
in specified check and regions + "*": + Regions: + - "*" + Resources: + - "*" + Tags: + - "environment=dev" # Will ignore every resource containing the tag 'environment=dev' in every account and region + + "*": + Checks: + "ecs_task_definitions_no_environment_secrets": + Regions: + - "*" + Resources: + - "*" + Exceptions: + Accounts: + - "0123456789012" + Regions: + - "eu-west-1" + - "eu-south-2" # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1 + + "123456789012": + Checks: + "*": + Regions: + - "*" + Resources: + - "*" + Exceptions: + Resources: + - "test" + Tags: + - "environment=prod" # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod diff --git a/prowler/config/aws_controltower_allowlist.yaml b/prowler/config/aws_controltower_allowlist.yaml deleted file mode 100644 index 65af6111..00000000 --- a/prowler/config/aws_controltower_allowlist.yaml +++ /dev/null 
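Review bot: The `Accounts:` mapping in the new example declares the keys `"123456789012"` and `"*"` twice each (the second `"*"` and second `"123456789012"` blocks carry the Exceptions examples), and duplicate mapping keys are invalid YAML that most loaders resolve silently as last-wins, so anyone copying this file as a starting point loses the first `"123456789012"` and first `"*"` blocks without any error. Where the check keys differ (the `ecs_task_definitions_no_environment_secrets` example can join the first `"*"` account block), merge the pairs under one account key; the second `"123456789012"` block repeats the `"*"` check key already present in the first, so keep one of them or move that example into a clearly commented-out section. Separately, the `Exceptions: Accounts:` entry `"0123456789012"` has 13 digits while AWS account IDs have 12, so the exception as written can never match a real account; a 12-digit placeholder such as `"012345678901"` would do. Indentation is flattened in this view, so the duplicate-key reading relies on each `"*":` and `"123456789012":` being followed directly by `Checks:`.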
@@ -1,65 +0,0 @@ -# When using Control Tower, guardrails prevent access to certain protected resources. -# The allowlist below ensures that warnings instead of errors are reported for the affected resources. -# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html -########################### CONTROL TOWER ALLOWLIST ########################### -### The following file includes all resources created by AWS Control Tower ### -Allowlist: - Accounts: - "*": - Checks: - "cloudwatch_log_group_*": - Regions: - - "*" - Resources: - - "/aws/lambda/aws-controltower-NotificationForwarder" - - "StackSet-AWSControlTowerBP-*" - "awslambda_function_*": - Regions: - - "*" - Resources: - - "aws-controltower-NotificationForwarder" - "cloudformation_stacks_*": - Regions: - - "*" - Resources: - - "StackSet-AWSControlTowerGuardrailAWS-*" - - "StackSet-AWSControlTowerBP-*" - "cloudtrail_*": - Regions: - - "*" - Resources: - - "aws-controltower-BaselineCloudTrail" - "iam_role_*": - Regions: - - "*" - Resources: - - "aws-controltower-AdministratorExecutionRole" - - "aws-controltower-CloudWatchLogsRole" - - "aws-controltower-ConfigRecorderRole" - - "aws-controltower-ForwardSnsNotificationRole" - - "aws-controltower-ReadOnlyExecutionRole" - - "AWSControlTower_VPCFlowLogsRole" - - "AWSControlTowerExecution" - "iam_policy_*": - Regions: - - "*" - Resources: - - "AWSControlTowerServiceRolePolicy" - "s3_bucket_*": - Regions: - - "*" - Resources: - - "aws-controltower-logs-*" - - "aws-controltower-s3-access-logs-*" - "sns_*": - Regions: - - "*" - Resources: - - "aws-controltower-SecurityNotifications" - "vpc_*": - Regions: - - "*" - Resources: - - "*" - Tags: - - "Name=aws-controltower-VPC"