* Extra7161 EFS encryption at rest check
* Added check_extra7162 which checks if Log groups have 365 days retention
* fixed code to handle all regions and formatted output
* changed check title, resource type and service name as well as making the code more dynamic
* Extra7161 EFS encryption at rest check
* New check_extra7163 Secrets Manager key rotation enabled
* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster
* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml
* Fix link to quicksight dashboard
* Install detect-secrets (e.g. for check_extra742)
* Updating check_extra7163 with requested changes
* fix(assumed-role): Check if -T and -A options are set
* docs(Readme): `-T` option is not mandatory
* fix(assume-role): Handle AWS STS CLI errors
* fix(assume-role): Handle AWS STS CLI errors
* Update group25_FTR. When trying to run the group 25 (Amazon FTR related security checks) nothing happens; after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.
* Update README.md broken link for capital letters in group file (group25_FTR)
* #938 issue assume_role multiple times should be fixed
* Label 2.7.0-1December2021 for tests
* Fixed error that appeared if the number of findings was very high.
* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.
* Added line to delete the temp folder after everything is done.
* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS @maisenhe
* updated CHECK_RISK
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras
* Added issue templates
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau
* Fix #963 check 792 to force json in ELB queries
* Fix #957 check 763 had us-east-1 region hardcoded
* Fix #962 check 7147 ALTERNATE NAME
* Fix #940 handling error when can not list functions
* Added new checks 7164 and 7165 to group extras
* Added invalid check or group id to the error message #962
* Fix Broken Link
* Add docker volume example to README.md
* Updated Dockerfile to use amazonlinux container
* Updated Dockerfile with AWS cli v2
* Added upgrade to the RUN
* Added cache purge to Dockerfile
* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3
* exporting the ENV variables
* fixed bracket
* Improved documentation for install process
* fix checks with comma issues
* Added -D option to copy to S3 with the initial AWS credentials
* Cosmetic variable name change
* Added $PROFILE_OPT to CopyToS3 commands
* remove commas
* removed file as it is not needed
* Improved help usage options -h
* Fixed CIS LEVEL on 7163 through 7165
* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set
* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced
* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced
* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced
* New check 7169 Global accelerators are protected by AWS Shield Advanced
* New check 7170 Application load balancers are protected by AWS Shield Advanced
* New check 7171 Classic load balancers are protected by AWS Shield Advanced
* Include example for global resources
* Add AWS Advance Shield protection checks corrections
* Added Shield actions GetSubscriptionState and DescribeProtection
* Added Shield actions GetSubscriptionState and DescribeProtection
* docs(templates): Improve bug template with more info (#982)
* Removed echoes after role chaining fix
* Changed Route53 checks 7152 and 7153 to INFO when no domains found
* Changed Route53 checks 7152 and 7153 title to clarify
* Added passed security groups in output to check 778
* Added passed security groups and updated title to check 777
* Added FAIL as error handling when SCP prevents queries to regions
* Label version 2.7.0-6January2022
* Updated .dockerignore with .github/
* Fix: issue #758 and #984
* Fix: issue #741 CloudFront and real-time logs
* Fix issues #971 set all as INFO instead of FAIL when no access to resource
* Fix: issue #986
* Add additional action permissions for Glue and Shield Advanced checks @lazize
* Add extra shield action permission. Allows the shield:GetSubscriptionState action
* Add permission actions. Make sure all files where permission actions are necessary will have the same actions
* Fix: Credential chaining from environment variables @lazize #996f. If profile is not defined, restore original credentials from environment variables, if they exist, before assume-role
* Label version 2.7.0-24January2022

Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>
Example Solution: Organizational Prowler Deployment
Deploys Prowler to assess all Accounts in an AWS Organization on a schedule, creates assessment reports in HTML, and stores them in an S3 bucket.
Example Solution Goals
- Using minimal technologies, so the solution can be more easily adopted, and further enhanced as needed.
  - Amazon EC2, to run Prowler
  - Amazon S3, to store Prowler script & reports.
  - AWS CloudFormation, to provision the AWS resources.
  - AWS Systems Manager Session Manager, optional but recommended, to manage the Prowler EC2 instance without having to allow inbound ssh.
- Staying cohesive with Prowler, for scripting, only leveraging:
  - Bash Shell
  - AWS CLI
- Adhering to the principle of least privilege.
- Supporting an AWS Multi-Account approach
  - Runs Prowler against All accounts in the AWS Organization
- NOTE: If using this solution, you are responsible for making your own independent assessment of the solution and ensuring it complies with your company security and operational standards.
Components
1. ProwlerS3.yaml
   - Creates Private S3 Bucket for Prowler script and reports.
     - Enables Amazon S3 Block Public Access
     - Enables SSE-S3 with Amazon S3 Default Encryption
     - Versioning Enabled
     - Bucket Policy limits API actions to Principals from the same AWS Organization.
2. ProwlerRole.yaml
   - Creates Cross-Account Role for Prowler to assess accounts in AWS Organization
     - Allows Role to be assumed by the Prowler EC2 instance role in the AWS account where Prowler EC2 resides (preferably the Audit/Security account).
     - Role has permissions needed for Prowler to assess accounts.
     - Role has rights to Prowler S3 from Component #1.
3. ProwlerEC2.yaml
   - Creates Prowler EC2 instance
     - Uses the Latest Amazon Linux 2 AMI
     - Uses `t2.micro` Instance Type
     - Encrypts Root Volume with AWS Managed Key "aws/ebs"
     - Uses cfn-init for prepping the Prowler EC2
       - Installs necessary packages for Prowler
       - Downloads run-prowler-reports.sh script from Prowler S3 from Component #1.
       - Creates `/home/ec2-user/.awsvariables`, to store CloudFormation data as variables to be used in script.
       - Creates cron job for Prowler to run on a schedule.
   - Creates Prowler Security Group
     - Denies inbound access. If using ssh to manage Prowler, then update Security Group with pertinent rule.
     - Allows outbound 80/443 for updates, and Amazon S3 communications
   - Creates Instance Role that is used for Prowler EC2
     - Role has permissions for Systems Manager Agent communications, and Session Manager
     - Role has rights to Prowler S3 from Component #1.
     - Role has rights to Assume Cross-Account Role from Component #2.
4. run-prowler-reports.sh
   - Script is documented accordingly.
   - Script loops through all AWS Accounts in AWS Organization, and by default, Runs Prowler as follows:
     - `-R`: used to specify Cross-Account role for Prowler to assume to run its assessment.
     - `-A`: used to specify AWS Account number for Prowler to run assessment against.
     - `-g cislevel1`: used to specify cislevel1 checks for Prowler to assess

     ```bash
     ./prowler/prowler -R "$ROLE" -A "$accountId" -g cislevel1 -M html
     ```

     - NOTE: Script can be modified to run Prowler as desired.
   - Script runs Prowler against 1 AWS Account at a time.
     - Update `PARALLEL_ACCOUNTS` variable in script, to specify how many Accounts to assess with Prowler in parallel.
     - If running against multiple AWS Accounts in parallel, monitor performance, and upgrade Instance Type as necessary.

     ```bash
     PARALLEL_ACCOUNTS="1"
     ```

   - In summary:
     - Download latest version of Prowler
     - Find AWS Master Account
     - Lookup All Accounts in AWS Organization
     - Run Prowler against All Accounts in AWS Organization
     - Save Reports to reports prefix in S3 from Component #1
     - Report Names: date+time-accountid-report.html
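The core loop of the script summarized above, as an added example that is not the project's own run-prowler-reports.sh: it lists the organization's accounts, runs Prowler against each with the flags shown, batches the runs according to PARALLEL_ACCOUNTS, and names reports date+time-accountid-report.html. It assumes a cross-account role named ProwlerRole and a Prowler binary at ./prowler/prowler; both are assumptions and can be overridden through the environment.

```bash
#!/usr/bin/env bash
# Added example (not the project's run-prowler-reports.sh): list accounts, assess
# each with Prowler, at most PARALLEL_ACCOUNTS at a time, and name the reports.
set -eu

PARALLEL_ACCOUNTS="${PARALLEL_ACCOUNTS:-1}"        # accounts assessed concurrently
ROLE="${ROLE:-ProwlerRole}"                         # cross-account role name (assumed)
PROWLER_CMD="${PROWLER_CMD:-./prowler/prowler}"     # Prowler binary (overridable)
REPORT_DIR="${REPORT_DIR:-.}"                       # where HTML reports are written

# Report file name in the solution's format: date+time-accountid-report.html
# $1 = account id, $2 = optional timestamp (defaults to now, YYYYmmddHHMMSS)
report_name() {
    printf '%s-%s-report.html' "${2:-$(date +%Y%m%d%H%M%S)}" "$1"
}

# Ids of all ACTIVE accounts in the organization, one per line
# (requires organizations:ListAccounts in the account this runs from).
list_org_accounts() {
    aws organizations list-accounts --output text \
        --query 'Accounts[?Status==`ACTIVE`].Id' | tr '\t' '\n'
}

# Assess one account with the flags described above, write the HTML report
# into REPORT_DIR and print its path. A failed run is reported, not fatal.
assess_account() {
    out="$REPORT_DIR/$(report_name "$1")"
    if ! "$PROWLER_CMD" -R "$ROLE" -A "$1" -g cislevel1 -M html > "$out"; then
        echo "WARN: Prowler failed for account $1" >&2
    fi
    echo "$out"
}

# Assess every account id read from stdin, PARALLEL_ACCOUNTS at a time:
# start a batch in the background, wait for it, then start the next batch.
assess_all() {
    running=0
    while read -r acct; do
        [ -n "$acct" ] || continue
        assess_account "$acct" &
        running=$((running + 1))
        if [ "$running" -ge "$PARALLEL_ACCOUNTS" ]; then
            wait            # drain the current batch before starting more
            running=0
        fi
    done
    wait                    # wait for the final, possibly partial, batch
}
# Full run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then list_org_accounts | assess_all; fi
```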
Instructions
1. Deploy ProwlerS3.yaml in the Logging Account.
   - Could be deployed to any account in the AWS Organization, if desired.
   - See How to get AWS Organization ID
   - Take Note of CloudFormation Outputs, that will be needed in deploying the below CloudFormation templates.
2. Upload run-prowler-reports.sh to the root of the S3 Bucket created in Step #1.
3. Deploy ProwlerRole.yaml in the Master Account
   - Use CloudFormation Stacks, to deploy to Master Account, as organizational StackSets don't apply to the Master Account.
   - Use CloudFormation StackSet, to deploy to all Member Accounts. See Create Stack Set with Service-Managed Permissions
   - Take Note of CloudFormation Outputs, that will be needed in deploying the below CloudFormation templates.
4. Deploy ProwlerEC2.yaml in the Audit/Security Account
   - Could be deployed to any account in the AWS Organization, if desired.
   - Prowler will run against all Accounts in AWS Organization, per the schedule you provided, and set in a cron job for `ec2-user`
Post-Setup
Run Prowler on a Schedule against all Accounts in AWS Organization
- Prowler will run on the Schedule you provided.
- Cron job for `ec2-user` is managing the schedule.
- This solution implemented this automatically. Nothing for you to do.
Ad hoc Run Prowler against all Accounts in AWS Organization
1. Connect to Prowler EC2 Instance
   - If using Session Manager, then after login, switch to `ec2-user`, via: `sudo bash` and `su - ec2-user`
   - If using SSH, then login as `ec2-user`
2. Run Prowler Script

   ```bash
   cd /home/ec2-user
   ./run-prowler-reports.sh
   ```
Ad hoc Run Prowler Interactively
1. Connect to Prowler EC2 Instance
   - If using Session Manager, then after login, switch to `ec2-user`, via: `sudo bash` and `su - ec2-user`
   - If using SSH, then login as `ec2-user`
2. See Cross-Account Role and S3 Bucket being used for Prowler

   ```bash
   cd /home/ec2-user
   cat .awsvariables
   ```

3. Run Prowler interactively. See Usage Examples

   ```bash
   cd /home/ec2-user
   ./prowler/prowler
   ```
Upgrading Prowler to Latest Version
1. Connect to Prowler EC2 Instance
   - If using Session Manager, then after login, switch to `ec2-user`, via: `sudo bash` and `su - ec2-user`
   - If using SSH, then login as `ec2-user`
2. Delete the existing version of Prowler, and download the latest version of Prowler

   ```bash
   cd /home/ec2-user
   rm -rf prowler
   git clone https://github.com/toniblyx/prowler.git
   ```