--- AWSTemplateFormatVersion: 2010-09-09 Description: Creates a CodeBuild project to audit the AWS account with Prowler and stores the html report in a S3 bucket / Original author https://github.com/stevecjones Parameters: ServiceName: Description: 'Specifies the service name used within component naming' Type: String Default: 'prowler' LogsRetentionInDays: Description: 'Specifies the number of days you want to retain CodeBuild run log events in the specified log group. Junit reports are kept for 30 days' Type: Number Default: 3 AllowedValues: [1, 3, 5, 7, 14, 30, 60] ProwlerOptions: Description: 'Options to pass to Prowler command, make sure at least -M junit-xml is used. -r for the region to send API queries, -f to filter only that region, -M output formats, -c for comma separated checks, for all checks do not use -c, for more options see -h' Type: String Default: -r eu-west-1 -f eu-west-1 -M text,junit-xml,html -c check11,check12,check13,check14 Resources: ArtifactBucket: Type: AWS::S3::Bucket Properties: Tags: - Key: Name Value: !Join ['-', ['AP2', 'INF', !Ref 'ServiceName', !Ref 'AWS::AccountId', 'S3', 'Prowler']] BucketName: !Sub '${ServiceName}-${AWS::Region}-prowler-${AWS::AccountId}' AccessControl: LogDeliveryWrite VersioningConfiguration: Status: Enabled # LoggingConfiguration: # DestinationBucketName: !ImportValue 'ProviderLogBucket' # LogFilePrefix: !Sub '${ServiceName}-${AWS::Region}-prowler-${AWS::AccountId}/' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true ArtifactBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref 'ArtifactBucket' PolicyDocument: Id: Content Version: '2012-10-17' Statement: - Action: '*' Condition: Bool: aws:SecureTransport: 'false' Effect: Deny Principal: '*' Resource: - !Join ['', ['arn:aws:s3:::', !Ref 'ArtifactBucket', '/*']] Sid: S3ForceSSL - Action: 's3:PutObject' Condition: 'Null': s3:x-amz-server-side-encryption: 'true' Effect: Deny Principal: '*' Resource: - !Join ['', ['arn:aws:s3:::', !Ref 'ArtifactBucket', '/*']] Sid: DenyUnEncryptedObjectUploads # Codebuild Project CodeBuildServiceRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "Explicit name is required for this resource to avoid circular dependencies." Properties: RoleName: prowler-codebuild-role Path: '/service-role/' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/job-function/SupportUser' - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess' - 'arn:aws:iam::aws:policy/SecurityAudit' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Action: 'sts:AssumeRole' Effect: Allow Principal: Service: - codebuild.amazonaws.com Policies: - PolicyName: LogGroup PolicyDocument: Version: '2012-10-17' Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*' - PolicyName: S3 PolicyDocument: Version: '2012-10-17' Statement: - Action: - s3:PutObject - s3:GetObject - s3:GetObjectVersion - s3:GetBucketAcl - s3:GetBucketLocation Effect: Allow Resource: !Sub 'arn:aws:s3:::${ArtifactBucket}/*' - PolicyName: CodeBuild PolicyDocument: Version: '2012-10-17' Statement: - Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases - codebuild:BatchPutCodeCoverages Effect: Allow Resource: !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*' - PolicyName: AssumeRole PolicyDocument: Version: '2012-10-17' Statement: - Action: - sts:AssumeRole Effect: Allow Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/prowler-codebuild-role' ProwlerCodeBuild: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: NO_ARTIFACTS Source: Type: NO_SOURCE # Prowler command below runs a set of checks, configure it base on your needs, no options will run all regions all checks. # option -M junit-xml is requirede in order to get the report in CodeBuild. BuildSpec: | version: 0.2 phases: install: runtime-versions: python: 3.8 commands: - echo "Installing Prowler and dependencies..." - pip3 install detect-secrets - yum -y install jq - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - unzip awscliv2.zip - ./aws/install - git clone https://github.com/toniblyx/prowler build: commands: - echo "Running Prowler..." - cd prowler - ./prowler $PROWLER_OPTIONS post_build: commands: - echo "Uploading reports to S3..." - aws s3 cp --sse AES256 output/*.html s3://$BUCKET_REPORT/ - echo "Done!" reports: prowler: files: - '**/*' base-directory: 'prowler/junit-reports' file-format: JunitXml Environment: # UILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. ComputeType: "BUILD_GENERAL1_SMALL" Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" Type: "LINUX_CONTAINER" EnvironmentVariables: - Name: BUCKET_REPORT Value: !Ref 'ArtifactBucket' Type: PLAINTEXT - Name: PROWLER_OPTIONS Value: !Ref 'ProwlerOptions' Type: PLAINTEXT Description: Run Prowler assessment ServiceRole: !GetAtt CodeBuildServiceRole.Arn TimeoutInMinutes: 300 ProwlerCodeBuildReportGroup: Type: AWS::CodeBuild::ReportGroup Properties: Name: prowler Type: TEST ExportConfig: ExportConfigType: NO_EXPORT ProwlerLogGroup: Type: 'AWS::Logs::LogGroup' Properties: LogGroupName: !Sub '/aws/codebuild/${ProwlerCodeBuild}' RetentionInDays: !Ref LogsRetentionInDays Outputs: ArtifactBucketName: Description: Artifact Bucket Name Value: !Ref 'ArtifactBucket' Export: Name: !Sub 'ArtifactBucketName-${ServiceName}'