prowler/util/org-multi-account/README.md
Julio Delgado Jr 94b978a934 renamed
2020-04-28 12:36:10 -04:00


Organizational Prowler Deployment

Created by: Julio Delgado Jr. delgjul@amazon.com

Deploys Prowler to assess all Accounts in an AWS Organization.

Prowler is an independent third-party command line tool for AWS Security Best Practices Assessment, Auditing, Hardening, and Forensic Readiness. It evaluates the guidelines of the CIS Amazon Web Services Foundations Benchmark and dozens of additional checks, including for GDPR and HIPAA.


Solution Goals

  • Use minimal technologies, so the solution can be more easily adopted and further enhanced as needed.
  • Stay cohesive with Prowler: for scripting, only leverage:
    • Bash Shell
    • AWS CLI
  • Adhere to the principle of least privilege.
  • Support an AWS Multi-Account approach
    • Runs Prowler against All accounts in the AWS Organization

Components

  1. ProwlerS3.yaml
    • Creates Private S3 Bucket for Prowler script and reports.
    • Public Access Block permissions enabled.
    • SSE-S3 used for encryption
    • Versioning Enabled
    • Bucket Policy only grants GetObject, PutObject, and ListObject to Principals from the same AWS Organization.
  2. ProwlerRole.yaml
    • Creates Cross-Account Role for Prowler to assess accounts in AWS Organization
    • Allows Role to be assumed by the Prowler EC2 instance role in the AWS account where Prowler EC2 resides (preferably the Audit/Security account).
    • Role has permissions needed for Prowler to assess accounts.
    • Role has GetObject, PutObject, and ListObject rights to Prowler S3 from Component #1.
  3. ProwlerEC2.yaml
    • Creates Prowler EC2 instance
      • Uses the Latest Amazon Linux 2 AMI
      • Uses "t2.micro" Instance Type
    • Uses cfn-init for prepping the Prowler EC2
      • Installs necessary packages for Prowler
      • Downloads run-prowler-reports.sh script from Prowler S3 from Component #1.
      • Creates /home/ec2-user/.awsvariables, to store CloudFormation data as variables to be used in script.
      • Creates cron job for Prowler to run on a schedule.
    • Creates Prowler Security Group
      • Denies inbound access. If using SSH to manage Prowler, then update the Security Group with the pertinent rule.
      • Allows outbound 80/443 for updates and Amazon S3 communications
    • Creates Instance Role that is used for Prowler EC2
      • Role has permissions for Systems Manager Agent communications, and Session Manager
      • Role has GetObject, PutObject, and ListObject rights to Prowler S3 from Component #1.
      • Role has rights to Assume Cross-Account Role from Component #2.
  4. run-prowler-reports.sh
    • The script is documented inline.
    • In summary:
      • Download latest version of Prowler
      • Find AWS Master Account
      • Lookup All Accounts in AWS Organization
      • Run Prowler against All Accounts in AWS Organization
      • Save Reports to reports prefix in S3 from Component #1
      • Report Names: date+time-accountid-report.html
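The Component #4 workflow (find the master account, list the Organization's accounts, assume the Component #2 role in each, run Prowler, upload the report) as an added sh example; this is not the project's run-prowler-reports.sh, and the role name, bucket name and Prowler invocation are placeholders to replace with your stack's values.

```shell
#!/bin/sh
# Added example, not the project's run-prowler-reports.sh: the Component #4 loop
# using only sh and the AWS CLI. PROWLER_ROLE, PROWLER_BUCKET and PROWLER_CMD
# are placeholders (assumed names), not values from the CloudFormation templates.
set -eu

PROWLER_ROLE="${PROWLER_ROLE:-ProwlerCrossAccountRole}"    # placeholder role name
PROWLER_BUCKET="${PROWLER_BUCKET:-example-prowler-bucket}" # placeholder bucket name
PROWLER_CMD="${PROWLER_CMD:-./prowler}"  # placeholder; add the options your Prowler version needs
REPORT_PREFIX="reports"
WORK_DIR="${WORK_DIR:-${TMPDIR:-/tmp}}"

# "Find AWS Master Account": the management account id of the Organization.
find_master_account() {
  aws organizations describe-organization --query 'Organization.MasterAccountId' --output text
}

# "Lookup All Accounts": one ACTIVE account id per line (suspended accounts are skipped).
list_org_accounts() {
  aws organizations list-accounts \
    --query 'Accounts[?Status==`ACTIVE`].Id' --output text | tr '\t' '\n'
}

# README naming convention: date+time-accountid-report.html (stamp may be passed explicitly).
report_name() {
  printf '%s-%s-report.html\n' "${2:-$(date -u +%Y%m%d-%H%M%S)}" "$1"
}

# Assume the cross-account role and export short-lived credentials for one account.
assume_prowler_role() {
  creds=$(aws sts assume-role \
    --role-arn "arn:aws:iam::$1:role/${PROWLER_ROLE}" \
    --role-session-name "prowler-$1" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- $creds   # split the tab-separated triple into $1 $2 $3
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Run Prowler in one account inside a subshell, so the temporary credentials
# never leak into the next iteration, then copy the report to the reports prefix.
run_account() {
  report=$(report_name "$1")
  ( assume_prowler_role "$1"
    $PROWLER_CMD > "${WORK_DIR}/${report}"
    aws s3 cp "${WORK_DIR}/${report}" "s3://${PROWLER_BUCKET}/${REPORT_PREFIX}/${report}" )
}

main() {
  master=$(find_master_account)
  for account in $(list_org_accounts); do
    echo "Assessing ${account} (organization master: ${master})"
    run_account "$account"
  done
}

if [ "${RUN_ORG_PROWLER:-0}" = "1" ]; then main "$@"; fi
```

Set RUN_ORG_PROWLER=1 to execute the loop; without it the script only defines the functions, which is handy for sourcing and testing.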

Instructions

  1. Deploy ProwlerS3.yaml in the Logging Account.
    • Could be deployed to any account in the AWS Organization, if desired.
  2. Upload run-prowler-reports.sh to the root of the S3 Bucket created in Step #1.
  3. Deploy ProwlerRole.yaml in the Master Account
    • Use a CloudFormation Stack to deploy to the Master Account, since organizational StackSets don't apply to the Master Account.
    • Use a CloudFormation StackSet to deploy to all Member Accounts.
  4. Deploy ProwlerEC2.yaml in the Audit/Security Account
    • Could be deployed to any account in the AWS Organization, if desired.
  5. Scheduled: Prowler runs against all Accounts in the AWS Organization on the schedule you provided for the cron job.
  6. Adhoc: Run Prowler against all Accounts in AWS Organization
    • Connect to Prowler EC2 Instance
      • If using Session Manager, then after login, switch to "ec2-user", via: sudo -i -u ec2-user
      • If using SSH, then login as "ec2-user"
    • Run Script: /home/ec2-user/run-prowler-reports.sh