---
# AWS Control Tower guardrails block access to the resources that Control
# Tower itself provisions, so Prowler cannot assess them normally. The entries
# below allowlist those resources so that the affected findings are reported
# as warnings rather than errors.
# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
#
# ----------------------------- CONTROL TOWER ALLOWLIST -----------------------------
# Every resource named here is created by AWS Control Tower.
#
# Layout: Accounts -> Checks (check-name glob) -> Regions / Resources / Tags.
# Review note: the patterns match on names only, so any resource whose name
# happens to fit a prefix such as "aws-controltower-logs-*" is downgraded as
# well, not just the ones Control Tower manages. Keep each pattern as narrow
# as the check allows and re-check this list when Control Tower is upgraded.
Allowlist:
  Accounts:
    # "*" applies the entries to every account Prowler is run against.
    "*":
      Checks:
        # Log groups used by the notification forwarder Lambda and by the
        # StackSet-AWSControlTowerBP-* stacks.
        "cloudwatch_log_group_*":
          Regions:
            - "*"
          Resources:
            - "/aws/lambda/aws-controltower-NotificationForwarder"
            - "StackSet-AWSControlTowerBP-*"

        # The notification forwarder Lambda function itself.
        "awslambda_function_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-NotificationForwarder"

        # CloudFormation stacks deployed through the Control Tower StackSets.
        "cloudformation_stacks_*":
          Regions:
            - "*"
          Resources:
            - "StackSet-AWSControlTowerGuardrailAWS-*"
            - "StackSet-AWSControlTowerBP-*"

        # The organisation baseline trail.
        "cloudtrail_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-BaselineCloudTrail"

        # IAM roles assumed by Control Tower and its baseline services.
        "iam_role_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-AdministratorExecutionRole"
            - "aws-controltower-CloudWatchLogsRole"
            - "aws-controltower-ConfigRecorderRole"
            - "aws-controltower-ForwardSnsNotificationRole"
            - "aws-controltower-ReadOnlyExecutionRole"
            - "AWSControlTower_VPCFlowLogsRole"
            - "AWSControlTowerExecution"

        # Service-linked policy attached to the Control Tower service role.
        "iam_policy_*":
          Regions:
            - "*"
          Resources:
            - "AWSControlTowerServiceRolePolicy"

        # Log-archive buckets and their access-log buckets. Prefix patterns:
        # any bucket whose name starts with either prefix is allowlisted.
        "s3_bucket_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-logs-*"
            - "aws-controltower-s3-access-logs-*"

        # SNS topic used for Control Tower security notifications.
        "sns_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-SecurityNotifications"

        # All VPC checks, scoped by tag instead of by resource name: the
        # Resources wildcard is intended to be narrowed by the Name tag.
        # NOTE(review): presumably Resources and Tags must both match for an
        # entry to apply - confirm against Prowler's allowlist matching rules
        # before widening either list.
        "vpc_*":
          Regions:
            - "*"
          Resources:
            - "*"
          Tags:
            - "Name=aws-controltower-VPC"