ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rename util/Audit_Pipeline.yaml to util/multi-account/Audit_Pipeline.yaml

Browse Source
This commit is contained in:
Toni de la Fuente
2019-10-14 18:10:57 +02:00
committed by GitHub
parent 27305365ef
commit ffcfef02a6
1 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

414
util/multi-account/Audit_Pipeline.yaml Normal file
View File

@@ -0,0 +1,414 @@
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Prowler Auditing Tools Stack
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: "Organizations and Accounts"
Parameters:
- pOrgMasterAccounts
- pOrgExcludedAccounts
- pStandAloneAccounts
- Label:
default: "Check Group and Execution"
Parameters:
- pProwlerCheckGroup
- pAuditEveryXHours
- Label:
default: "Advanced"
Parameters:
- pTimeoutMinutes
- pAuditRolePathName
- pCustomProwlerRepo
- pCustomProwlerCloneArgs
ParameterLabels:
pOrgMasterAccounts:
default: "Organization Master Accounts"
pOrgExcludedAccounts:
default: "Excluded Organiztion Members"
pStandAloneAccounts:
default: "Stand-alone Accounts"
pProwlerCheckGroup:
default: "Prowler Check Group"
pAuditEveryXHours:
default: "Perform Audit every X hours"
pTimeoutMinutes:
default: "Permit Audit to run for X minutes"
pAuditRolePathName:
default: "Custom audit role path"
pCustomProwlerRepo:
default: "Custom git repo location for prowler"
pCustomProwlerCloneArgs:
default: "Custom arguments to git clone --depth 1"
Parameters:
pAuditEveryXHours:
Default: 24
Type: Number
Description: Number of hours between prowler audit runs.
MinValue: 2
MaxValue: 168
pTimeoutMinutes:
Default: 30
Type: Number
Description: Timeout for running prowler across the fleet
MinValue: 5
MaxValue: 480
pAuditRolePathName:
Default: '/audit/prowler/XA_AuditRole_Prowler'
Type: String
Description: Role path and name which prowler will assume in the target accounts (Audit_Exec_Role.yaml)
# TODO: Validation: begins with "/" and does NOT end with "/"
pOrgMasterAccounts:
Description: Comma Separated list of Organization Master Accounts, or 'none'
Default: 'none'
Type: String
MinLength: 4
AllowedPattern: ^(none|([0-9]{12}(,[0-9]{12})*))$
ConstraintDescription: comma separated list 12-digit account numbers, or 'none'
pOrgExcludedAccounts: # Comma Separated list of Org Member Accounts to EXCLUDE
Description: Comma Separated list of Skipped Organization Member Accounts, or 'none'
Default: 'none'
Type: String
MinLength: 4
AllowedPattern: ^(none|([0-9]{12}(,[0-9]{12})*))$
ConstraintDescription: comma separated list 12-digit account numbers, or 'none'
pStandAloneAccounts: # Comma Separated list of Stand-Alone Accounts
Description: Comma Separated list of Stand-alone Accounts, or 'none'
Default: 'none'
Type: String
MinLength: 4
AllowedPattern: ^(none|([0-9]{12}(,[0-9]{12})*))$
ConstraintDescription: comma separated list 12-digit account numbers, or 'none'
pProwlerCheckGroup:
Default: 'cislevel1'
Type: String
Description: Which group of checks should prowler run
AllowedValues:
- 'group1'
- 'group2'
- 'group3'
- 'group4'
- 'cislevel1'
- 'cislevel2'
- 'extras'
- 'forensics-ready'
- 'gdpr'
- 'hipaa'
- 'secrets'
- 'apigateway'
- 'rds'
pCustomProwlerRepo:
Type: String
Default: 'https://github.com/toniblyx/prowler.git'
MinLength: 10
pCustomProwlerCloneArgs:
Type: String
Default: '--branch master'
MinLength: 0
##### TODO
# pResultsBucket: # if specified, use an existing bucket for the data
# pEnableAthena:
# Default: false
# Type: Boolean
# Description: Set to true to enable creation of Athena/QuickSight resources
#### TODO
# Conditions:
# cUseAthena: False
Resources:
# S3 Bucket for Results, Config
ProwlerResults:
Type: "AWS::S3::Bucket"
Properties:
# BucketName: !Sub "audit-results-${AWS::AccountId}"
Tags:
- Key: "data-type"
Value: "it-audit:sensitive"
- Key: "data-public"
Value: "NO"
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: True
BlockPublicPolicy: True
IgnorePublicAcls: True
RestrictPublicBuckets: True
# LoggingConfiguration:
# TODO: Enable BucketLogging - requires more parameters
DeletionPolicy: "Retain"
Metadata:
cfn_nag:
rules_to_suppress:
- id: W35
reason: "Bucket logging requires additional configuration not yet supported by this template"
# Policy to allow assuming the XA_AuditRole_Prowler in target accounts
ProwlerAuditManagerRole:
Type: AWS::IAM::Role
Properties:
RoleName: AuditManagerRole_Prowler
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: AssumeRole-XA_AuditRole_Prowler
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- sts:AssumeRole
Resource:
- !Sub "arn:aws:iam::*:role${pAuditRolePathName}"
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Resource:
- !Sub "${ProwlerResults.Arn}/*"
- Effect: Allow
Action:
- s3:ListBucket
- s3:HeadBucket
- s3:GetBucketLocation
- s3:GetBucketAcl
Resource:
- !Sub "${ProwlerResults.Arn}"
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
- !Sub "${ProwlerResults.Arn}"
- Effect: Allow
Action:
- ssm:GetParameters
Resource:
- !Sub "arn:aws:ssm:us-east-1:${AWS::AccountId}:parameter/audit/prowler/config/*"
Metadata:
cfn_nag:
rules_to_suppress:
- id: W28
reason: "the role name is intentionally static"
- id: W11
reason: "not sure where the violation of w11 is"
## Code Build Job
ProwlerBuildProject:
Type: "AWS::CodeBuild::Project"
Properties:
Name: PerformProwlerAudit
Description: "Run Prowler audit on accounts in targeted organizations"
QueuedTimeoutInMinutes: 480
TimeoutInMinutes: !Ref pTimeoutMinutes
ServiceRole: !Ref ProwlerAuditManagerRole
EncryptionKey: !Sub "arn:aws:kms:us-east-1:${AWS::AccountId}:alias/aws/s3"
Environment:
Type: "LINUX_CONTAINER"
ComputeType: "BUILD_GENERAL1_MEDIUM"
PrivilegedMode: False
Image: "aws/codebuild/standard:2.0-1.12.0"
ImagePullCredentialsType: "CODEBUILD"
Artifacts: # s3://stack-prowlerresults-randomness/prowler/results/...
Name: "results"
Type: "S3"
Location: !Ref ProwlerResults
Path: "prowler"
NamespaceType: NONE
Packaging: NONE
OverrideArtifactName: False
EncryptionDisabled: False
LogsConfig: # S3/logs/pipeline/
CloudWatchLogs:
Status: ENABLED
GroupName: "audit/prowler"
StreamName: "codebuild_runs"
S3Logs:
Status: DISABLED
# Location: !Sub "${ProwlerResults.Arn}/codebuild_run_logs"
EncryptionDisabled: False
BadgeEnabled: False
Tags:
- Key: "data-type"
Value: "it-audit:sensitive"
- Key: "data-public"
Value: "NO"
Cache:
Type: "NO_CACHE"
Source:
Type: NO_SOURCE
BuildSpec: |
version: 0.2
env:
parameter-store:
PROWL_CHECK_GROUP: /audit/prowler/config/check_group
PROWL_MASTER_ACCOUNTS: /audit/prowler/config/orgmaster_accounts
PROWL_STANDALONE_ACCOUNTS: /audit/prowler/config/standalone_accounts
PROWL_SKIP_ACCOUNTS: /audit/prowler/config/skip_accounts
PROWL_AUDIT_ROLE: /audit/prowler/config/audit_role
PROWLER_REPO: /audit/prowler/config/gitrepo
PROWLER_CLONE_ARGS: /audit/prowler/config/gitcloneargs
phases:
install:
runtime-versions:
python: 3.7
commands:
- aws --version
- git clone --depth 1 $PROWLER_REPO $PROWLER_CLONE_ARGS
pre_build:
commands:
- env | grep PROWL_
- export OUTBASE=$(date -u +"out/diagnostics/%Y/%m/%d")
- export STAMP=$(date -u +"%Y%m%dT%H%M%SZ")
- mkdir -p $OUTBASE || true
- prowler/prowler -V
- aws sts get-caller-identity > ${OUTBASE}/${STAMP}-caller-id.json
build:
commands:
#### Run Prowler against this account, but don't fail the build
# - export PROWLER_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
# - /bin/bash prowler/prowler -g cislevel1 -M csv -n -k > ${OUTBASE}/${STAMP}.${PROWLER_ACCOUNT_ID}.prowler.cislevel1.csv || /bin/true
# - /bin/bash prowler/prowler -g forensics-ready -M csv -n -k > ${OUTBASE}/${STAMP}.${PROWLER_ACCOUNT_ID}.prowler.forensics-ready.csv || /bin/true
#### Run Prowler targeting all accounts in the configured organizations
- test -f prowler/util/config
- /bin/bash prowler/util/megaprowler.sh out
finally:
- ps axuwww | grep -E 'parallel|sem|prowler'
post_build:
commands:
- echo "attempting to collect any prowler credential reports ..."
- find /tmp/ -name prowler\* | xargs -I % cp % ${OUTDIAG} || true
artifacts:
files:
- '**/*'
discard-paths: no
base-directory: out
ProwlerAuditTriggerRole:
Type: AWS::IAM::Role
Properties:
# RoleName: Let cloudformation create this
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: events.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: AssumeRole-XA_AuditRole_Prowler
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- codebuild:StartBuild
Resource:
- !GetAtt ProwlerBuildProject.Arn
ProwlerAuditTrigger:
Type: AWS::Events::Rule
Properties:
Description: !Sub "Execute Prowler audit every ${pAuditEveryXHours} hours"
Name: "ScheduledProwler"
RoleArn: !GetAtt ProwlerAuditTriggerRole.Arn
## Other ways to define scheduling
# ScheduleExpression: "cron(MM HH ? * * *)"
# ScheduleExpression: "cron(45 15 ? * * *)"
# ScheduleExpression: !Sub "rate( ${pAuditEveryXHours} hours)"
ScheduleExpression: !Sub "rate(${pAuditEveryXHours} hours)"
State: ENABLED
Targets:
- Arn: !GetAtt ProwlerBuildProject.Arn
Id: 'ScheduledProwler'
RoleArn: !GetAtt ProwlerAuditTriggerRole.Arn
ProwlerConfigCheckGroup:
Type: AWS::SSM::Parameter
Properties:
Description: "Name of the prowler check group to use"
Name: "/audit/prowler/config/check_group"
Type: "String"
Value: !Ref pProwlerCheckGroup
ProwlerConfigMasterAccounts:
Type: AWS::SSM::Parameter
Properties:
Description: "List of organization master accounts"
Name: "/audit/prowler/config/orgmaster_accounts"
Type: "String"
Value: !Ref pOrgMasterAccounts
ProwlerConfigStandAloneAccounts:
Type: AWS::SSM::Parameter
Properties:
Description: "List of stand-alone accounts"
Name: "/audit/prowler/config/standalone_accounts"
Type: "String"
Value: !Ref pStandAloneAccounts
ProwlerConfigSkipAccounts:
Type: AWS::SSM::Parameter
Properties:
Description: "List of skipped organization member accounts"
Name: "/audit/prowler/config/skip_accounts"
Type: "String"
Value: !Ref pOrgExcludedAccounts
ProwlerConfigAuditRole:
Type: AWS::SSM::Parameter
Properties:
Description: "Role used to audit target accounts"
Name: "/audit/prowler/config/audit_role"
Type: "String"
Value: !Ref pAuditRolePathName
ProwlerConfigGitRepo:
Type: AWS::SSM::Parameter
Properties:
Description: "Git repository where prowler is gathered"
Name: "/audit/prowler/config/gitrepo"
Type: "String"
Value: !Ref pCustomProwlerRepo
ProwlerConfigGitCloneArgs:
Type: AWS::SSM::Parameter
Properties:
Description: "Git clone arguments"
Name: "/audit/prowler/config/gitcloneargs"
Type: "String"
Value: !Ref pCustomProwlerCloneArgs
# -- Conditional "cUseAthena"
# Athena
# QuickSight
# ???
Outputs:
ResultsBucket:
Description: S3 Bucket with Prowler Results, Logs, Configs
Value: !Ref ProwlerResults