ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(azure): Review actual roles necessary to execute Prowler (#4501)

Browse Source
This commit is contained in:
Rubén De la Torre Vico
2024-07-23 15:15:23 +02:00
committed by GitHub
parent bd56ca2979
commit 489830f01a
5 changed files with 13 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/getting-started/requirements.md
View File

@@ -71,12 +71,18 @@ To use each one you need to pass the proper flag to the execution. Prowler for A
- `Policy.Read.All`
- `UserAuthenticationMethod.Read.All`
- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool. It is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
- `Security Reader`
- `Reader`
- `ProwlerRole` (custom role defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json))
To assign the permissions, follow the instructions in the [Microsoft Entra ID permissions](../tutorials/azure/create-prowler-service-principal.md#assigning-the-proper-permissions) section and the [Azure subscriptions permissions](../tutorials/azure/subscriptions.md#assigning-proper-permissions) section, respectively.
#### Checks that require ProwlerRole
The following checks require the `ProwlerRole` custom role to be executed, if you want to run them, make sure you have assigned the role to the identity that is going to be assumed by Prowler:
- `app_function_access_keys_configured`
- `app_function_ftps_deployment_disabled`
## Google Cloud
### Authentication

BIN
docs/img/add-reader-role.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 MiB

BIN
docs/img/page-IAM.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 348 KiB

12
docs/tutorials/azure/subscriptions.md
View File

@@ -11,25 +11,21 @@ Where you can pass from 1 up to N subscriptions to be scanned.
## Assigning proper permissions
Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
- `Security Reader`
- `Reader`
Regarding the subscription scope, Prowler by default scans all subscriptions that it is able to list, so it is necessary to add the `Reader` RBAC built-in roles per subscription or management group (recommended for multiple subscriptions, see it in the [next section](#recommendation-for-multiple-subscriptions)) to the entity that will be adopted by the tool:
To assign this roles, follow the instructions:
1. Access your subscription, then select your subscription.
2. Select "Access control (IAM)".
3. In the overview, select "Roles".
![IAM Page](../../img/page-IAM.png)
4. Click on "+ Add" and select "Add role assignment".
5. In the search bar, type `Security Reader`, select it and click on "Next".
5. In the search bar, type `Reader`, select it and click on "Next".
6. In the Members tab, click on "+ Select members" and add the members you want to assign this role.
7. Click on "Review + assign" to apply the new role.
*Repeat these steps for `Reader` role*
![Add reader role to subscription](../../img/add-reader-role.gif)
Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Please be sure to change the `assignableScopes` field for your subscriptions or management group. Once the cusotm role is created, repeat the steps mentioned above to assign the new `ProwlerRole` to an identity.
Moreover, some additional read-only permissions are needed for some checks, for this kind of checks that are not covered by built-in roles we use a custom role. This role is defined in [prowler-azure-custom-role](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json). Once the cusotm role is created, repeat the steps mentioned above to assign the new `ProwlerRole` to an identity.
## Recommendation for multiple subscriptions

4
permissions/prowler-azure-custom-role.json
View File

@@ -1,9 +1,9 @@
{
"properties": {
"roleName": "ProwlerRole",
"description": "",
"description": "Role used for checks that require read-only access to Azure resources and are not covered by the Reader role.",
"assignableScopes": [
"/providers/Microsoft.Management/managementGroups/<name_management_group> or /subscriptions/<subscription_id>"
"/"
],
"permissions": [
{