ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2b2814723ffc84495f7af928a5f381bed978dd6d
prowler/util/org-multi-account/serverless_codebuild/templates/ProwlerCodeBuildStack.yaml
Toni de la Fuente 2b2814723f Prowler 2.7.0 - Brave (#998) 
* Extra7161 EFS encryption at rest check

* Added check_extra7162 which checks if Log groups have 365 days retention

* fixed code to handle all regions and formatted output

* changed check title, resource type and service name as well as making the code more dynamic

* Extra7161 EFS encryption at rest check

* New check_extra7163 Secrets Manager key rotation enabled

* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster

* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml

* Fix link to quicksight dashboard

* Install detect-secrets (e.g. for check_extra742)

* Updating check_extra7163 with requested changes

* fix(assumed-role): Check if -T and -A options are set

* docs(Readme): `-T` option is not mandatory

* fix(assume-role): Handle AWS STS CLI errors

* fix(assume-role): Handle AWS STS CLI errors

* Update group25_FTR

When trying to run the group 25 (Amazon FTR related security checks) nothing happens, after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.

* Update README.md

broken link for capital letters in group file (group25_FTR)

* #938 issue assume_role multiple times should be fixed

* Label 2.7.0-1December2021 for tests

* Fixed error that appeared if the number of findings was very high.

* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.

* Added line to delete the temp folder after everything is done.

* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS@maisenhe

* updated CHECK_RISK

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added issue templates

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* Fix #963 check 792 to force json in ELB queries

* Fix #957 check 763 had us-east-1 region hardcoded

* Fix #962 check 7147 ALTERNATE NAME

* Fix #940 handling error when can not list functions

* Added new checks 7164 and 7165 to group extras

* Added invalid check or group id to the error message #962

* Fix Broken Link

* Add docker volume example to README.md

* Updated Dockerfile to use amazonlinux container

* Updated Dockerfile with AWS cli v2

* Added upgrade to the RUN

* Added cache purge to Dockerfile

* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3

* exporting the ENV variables

* fixed bracket

* Improved documentation for install process

* fix checks with comma issues

* Added -D option to copy to S3 with the initial AWS credentials

* Cosmetic variable name change

* Added $PROFILE_OPT to CopyToS3 commands

* remove commas

* removed file as it is not needed

* Improved help usage options -h

* Fixed CIS LEVEL on 7163 through 7165

* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set

* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced

* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced

* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced

* New check 7169 Global accelerators are protected by AWS Shield Advanced

* New check 7170 Application load balancers are protected by AWS Shield Advanced

* New check 7171 Classic load balancers are protected by AWS Shield Advanced

* Include example for global resources

* Add AWS Advance Shield protection checks corrections

* Added Shield actions GetSubscriptionState and DescribeProtection

* Added Shield actions GetSubscriptionState and DescribeProtection

* docs(templates): Improve bug template with more info (#982)

* Removed echoes after role chaining fix

* Changed Route53 checks7152 and 7153 to INFO when no domains found

* Changed Route53 checks 7152 and 7153 title to clarify

* Added passed security groups in output to check 778

* Added passed security groups and updated title to check 777

* Added FAIL as error handling when SCP prevents queries to regions

* Label version 2.7.0-6January2022

* Updated .dockerignore with .github/

* Fix: issue #758 and #984

* Fix: issue #741 CloudFront and real-time logs

* Fix issues #971 set all as INFO instead of FAIL when no access to resource

* Fix: issue #986

* Add additional action permissions for Glue and Shield Advanced checks @lazize

* Add extra shield action permission

Allows the shield:GetSubscriptionState action

* Add permission actions

Make sure all files where permission actions are necessary will have the same actions

* Fix: Credential chaining from environment variables @lazize #996f

If profile is not defined, restore original credentials from environment variables,
if they exists, before assume-role

* Lable version 2.7.0-24January2022

Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>
2022-01-24 13:49:47 +01:00

215 lines
7.8 KiB
YAML
Raw Blame History

---
AWSTemplateFormatVersion: 2010-09-09
Description: Creates a CodeBuild project to audit an AWS account with Prowler and stores the html report in a S3 bucket.
Parameters:
AwsOrgId:
Type: String
Description: Enter AWS Organizations ID
AllowedPattern: ^o-[a-z0-9]{10,32}$
ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
Default: o-itdezkbz6h
CodeBuildRole:
Description: Enter Name for CodeBuild Role to create
Type: String
AllowedPattern: ^[\w+=,.@-]{1,64}$
ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
Default: ProwlerCodeBuild-Role
CodeBuildSourceS3:
Type: String
Description: Enter like <bucket-name>/<path>/<object-name>.zip
ConstraintDescription: Max 63 characters. Can't start or end with dash. Can use numbers and lowercase letters.
Default: prowler-util-411267690458-ap-northeast-2/run-prowler-reports.sh.zip
ProwlerReportS3:
Type: String
Description: Enter S3 Bucket for Prowler Reports. prefix-awsaccount-awsregion
AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
ConstraintDescription: Max 63 characters. Can't start or end with dash. Can use numbers and lowercase letters.
Default: prowler-954896828174-ap-northeast-2
ProwlerReportS3Account:
Type: String
Description: Enter AWS Account Number where Prowler S3 Bucket resides.
AllowedPattern: ^\d{12}$
ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
Default: 954896828174
CrossAccountRole:
Type: String
Description: Enter CrossAccount Role Prowler will be using to assess AWS Accounts in the AWS Organization. (ProwlerCrossAccountRole)
AllowedPattern: ^[\w+=,.@-]{1,64}$
ConstraintDescription: Max 64 alphanumeric characters. Also special characters [+, =, ., @, -]
Default: ProwlerXA-CBRole
ProwlerReportFormat:
Type: String
Description: Enter Prowler Option like html, csv, json
Default: html
Resources:
ProwlerCodeBuildRole:
Type: AWS::IAM::Role
Properties:
Description: Prowler CodeBuild Role
RoleName: !Ref CodeBuildRole
Tags:
- Key: App
Value: Prowler
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: Prowler-S3
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowGetPutListObject
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}
- !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}/*
Action:
- s3:GetObject
- s3:PutObject
- s3:ListBucket
- s3:PutObjectAcl
- Sid: AllowReadOnlyS3Access
Effect: Allow
Resource: "*"
Action:
- "s3:Get*"
- "s3:List*"
- PolicyName: Prowler-CrossAccount-AssumeRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowStsAssumeRole
Effect: Allow
Resource: !Sub arn:${AWS::Partition}:iam::*:role/${CrossAccountRole}
Action: sts:AssumeRole
Condition:
StringEquals:
aws:PrincipalOrgId: !Ref AwsOrgId
- PolicyName: Prowler-CloudWatch
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowCreateLogs
Effect: Allow
Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- Sid: AllowPutevent
Effect: Allow
Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*:log-stream:*
Action:
- logs:PutLogEvents
ProwlerCodeBuild:
Type: AWS::CodeBuild::Project
Properties:
Artifacts:
Type: NO_ARTIFACTS
Source:
Type: S3
Location: !Ref CodeBuildSourceS3
BuildSpec: |
version: 0.2
phases:
install:
runtime-versions:
python: 3.8
commands:
- echo "Updating yum ..."
- yum -y update
- echo "Updating pip ..."
- python -m pip install --upgrade pip
- echo "Installing requirements ..."
- pip install "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
build:
commands:
- echo "Running Prowler with script"
- chmod +x run-prowler-reports.sh
- ./run-prowler-reports.sh
post_build:
commands:
- echo "Done!"
Environment:
# AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
# BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
# BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
# BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
# BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
ComputeType: "BUILD_GENERAL1_SMALL"
Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
Type: "LINUX_CONTAINER"
EnvironmentVariables:
- Name: "S3"
Value: !Sub s3://${ProwlerReportS3}
Type: PLAINTEXT
- Name: "S3ACCOUNT"
Value: !Ref ProwlerReportS3Account
Type: PLAINTEXT
- Name: "ROLE"
Value: !Ref CrossAccountRole
Type: PLAINTEXT
- Name: "FORMAT"
Value: !Ref ProwlerReportFormat
Type: PLAINTEXT
Description: Run Prowler assessment
ServiceRole: !GetAtt ProwlerCodeBuildRole.Arn
TimeoutInMinutes: 300
ProwlerCWRuleRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- events.amazonaws.com
Action:
- sts:AssumeRole
Description: ProwlerCWRuleRole
RoleName: ProwlerCWRule-Role
Policies:
- PolicyName: Rule-Events
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AWSEventInvokeCodeBuild
Effect: Allow
Resource: "*"
Action:
- codebuild:StartBuild
ProwlerRule:
Type: AWS::Events::Rule
Properties:
Description: This rule will trigger CodeBuild to audit AWS Accounts in my Organization with Prowler
ScheduleExpression: cron(0 21 * * ? *)
RoleArn: !GetAtt ProwlerCWRuleRole.Arn
Name: ProwlerExecuteRule
State: ENABLED
Targets:
- Arn: !Sub ${ProwlerCodeBuild.Arn}
Id: Prowler-CodeBuild-Target
RoleArn: !GetAtt ProwlerCWRuleRole.Arn
Outputs:
ProwlerEc2Account:
Description: AWS Account Number where Prowler EC2 Instance resides.
Value: !Ref AWS::AccountId
ProwlerCodeBuildRole:
Description: Instance Role given to the Prowler EC2 Instance (needed to grant sts:AssumeRole rights).
Value: !Ref ProwlerCodeBuildRole
ProwlerReportS3:
Description: S3 Bucket for Prowler Reports
Value: !Ref ProwlerReportS3
Reference in New Issue View Git Blame Copy Permalink