chore(mutelist): improve default AWS mutelist with ControlTower (#3904)

2026-01-25 02:08:11 +00:00 · 2024-05-03 08:40:54 +02:00
parent c873f95743
commit 8b0bae1c57
2 changed files with 40 additions and 14 deletions
--- a/docs/tutorials/mutelist.md
+++ b/docs/tutorials/mutelist.md
@@ -115,7 +115,7 @@ If you want to mute failed findings only in specific regions, create a file with
              - "*"

 ### Default Mutelist
-For the AWS Provider, Prowler is executed with a Default AWS Mutelist with the AWS Resources that should be muted such as all resources created by AWS Control Tower when setting up a landing zone.
+For the AWS Provider, Prowler is executed with a default AWS Mutelist with the AWS Resources that should be muted such as all resources created by AWS Control Tower when setting up a landing zone that can be found in [AWS Documentation](https://docs.aws.amazon.com/controltower/latest/userguide/shared-account-resources.html).
 You can see this Mutelist file in [`prowler/config/aws_mutelist.yaml`](https://github.com/prowler-cloud/prowler/blob/master/prowler/config/aws_allowlist.yaml).

 ### Supported Mutelist Locations
--- a/prowler/config/aws_mutelist.yaml
+++ b/prowler/config/aws_mutelist.yaml
@@ -3,49 +3,73 @@ Mutelist:
    "*":
      ########################### AWS CONTROL TOWER ###########################
      ### The following entries includes all resources created by AWS Control Tower when setting up a landing zone ###
-      # https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html #
+      # https://docs.aws.amazon.com/controltower/latest/userguide/shared-account-resources.html #
      Checks:
-        "cloudwatch_log_group_*":
-          Regions:
-            - "*"
-          Resources:
-            - "/aws/lambda/aws-controltower-NotificationForwarder"
-            - "StackSet-AWSControlTowerBP-*"
        "awslambda_function_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-NotificationForwarder"
-        "cloudformation_stacks_*":
+        "cloudformation_stack*":
          Regions:
            - "*"
          Resources:
            - "StackSet-AWSControlTowerGuardrailAWS-*"
            - "StackSet-AWSControlTowerBP-*"
+            - "StackSet-AWSControlTowerSecurityResources-*"
+            - "StackSet-AWSControlTowerLoggingResources-*"
+            - "StackSet-AWSControlTowerExecutionRole-*"
+            - "AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER"
+            - "AWSControlTowerBP-BASELINE-CONFIG-MASTER"
        "cloudtrail_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-BaselineCloudTrail"
+        "cloudwatch_log_group_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower/CloudTrailLogs"
+            - "/aws/lambda/aws-controltower-NotificationForwarder"
+            - "StackSet-AWSControlTowerBP-*"
+        "iam_inline_policy_no_administrative_privileges":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-ForwardSnsNotificationRole/sns"
+            - "aws-controltower-AuditAdministratorRole/AssumeRole-aws-controltower-AuditAdministratorRole"
+            - "aws-controltower-AuditReadOnlyRole/AssumeRole-aws-controltower-AuditReadOnlyRole"
+        "iam.*policy_*":
+          Regions:
+            - "*"
+          Resources:
+            - "AWSControlTowerAccountServiceRolePolicy"
+            - "AWSControlTowerServiceRolePolicy"
+            - "AWSControlTowerStackSetRolePolicy"
+            - "AWSControlTowerAdminPolicy"
+            - "AWSLoadBalancerControllerIAMPolicy"
+            - "AWSControlTowerCloudTrailRolePolicy"
        "iam_role_*":
          Regions:
            - "*"
          Resources:
            - "aws-controltower-AdministratorExecutionRole"
+            - "aws-controltower-AuditAdministratorRole"
+            - "aws-controltower-AuditReadOnlyRole"
            - "aws-controltower-CloudWatchLogsRole"
            - "aws-controltower-ConfigRecorderRole"
            - "aws-controltower-ForwardSnsNotificationRole"
            - "aws-controltower-ReadOnlyExecutionRole"
            - "AWSControlTower_VPCFlowLogsRole"
            - "AWSControlTowerExecution"
+            - "AWSControlTowerCloudTrailRole"
+            - "AWSControlTowerConfigAggregatorRoleForOrganizations"
+            - "AWSControlTowerStackSetRole"
+            - "AWSControlTowerAdmin"
            - "AWSAFTAdmin"
            - "AWSAFTExecution"
            - "AWSAFTService"
-        "iam_policy_*":
-          Regions:
-            - "*"
-          Resources:
-            - "AWSControlTowerServiceRolePolicy"
        "s3_bucket_*":
          Regions:
            - "*"
@@ -56,6 +80,8 @@ Mutelist:
          Regions:
            - "*"
          Resources:
+            - "aws-controltower-AggregateSecurityNotifications"
+            - "aws-controltower-AllConfigNotifications"
            - "aws-controltower-SecurityNotifications"
        "vpc_*":
          Regions: