ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(prowler-role): Add templates to deploy it in AWS (#6499)

Browse Source
This commit is contained in:
Pepe Fagoaga
2025-01-14 22:49:20 +05:45
committed by GitHub
parent f1f61249e0
commit badf0ace76
6 changed files with 228 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -45,6 +45,7 @@ junit-reports/
# Terraform
.terraform*
*.tfstate
*.tfstate.*
# .env
ui/.env*

9
permissions/prowler-additions-policy.json
View File

@@ -52,7 +52,7 @@
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowMoreReadForProwler"
"Sid": "AllowMoreReadOnly"
},
{
"Effect": "Allow",
@@ -60,9 +60,10 @@
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:*::/restapis/*",
"arn:aws:apigateway:*::/apis/*"
]
"arn:*:apigateway:*::/restapis/*",
"arn:*:apigateway:*::/apis/*"
],
"Sid": "AllowAPIGatewayReadOnly"
}
]
}

13
permissions/prowler-security-hub.json
View File

@@ -1,13 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"securityhub:BatchImportFindings",
"securityhub:GetFindings"
],
"Effect": "Allow",
"Resource": "*"
}
]
}

117
permissions/templates/cloudformation/prowler-scan-role.yml Normal file
View File

@@ -0,0 +1,117 @@
AWSTemplateFormatVersion: "2010-09-09"
# You can invoke CloudFormation and pass the principal ARN from a command line like this:
# aws cloudformation create-stack \
# --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
# --template-body "file://prowler-pro-saas-scan-role.yaml" \
# --stack-name "ProwlerProSaaSScanRole" \
# --parameters "ParameterKey=ExternalId,ParameterValue=ProvidedExternalID"
Description: |
This template creates the ProwlerScan IAM Role in this account with
all read-only permissions to scan your account for security issues.
Contains two AWS managed policies (SecurityAudit and ViewOnlyAccess) and an inline policy.
It sets the trust policy on that IAM Role to permit Prowler to assume that role.
Parameters:
ExternalId:
Description: |
DO NOT CHANGE THIS.
This is the External ID that Prowler will use to assume the role ProwlerScan IAM Role.
Type: String
AccountId:
Description: |
AWS Account ID that will assume the role created, if you are deploying this template to be used in Prowler Cloud
please use the default AWS Account ID.
Type: String
Default: "232136659152"
Resources:
ProwlerScan:
Type: AWS::IAM::Role
Properties:
RoleName: ProwlerScan
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !Sub "arn:${AWS::Partition}:iam::${AccountId}:root"
Action: "sts:AssumeRole"
Condition:
StringEquals:
"sts:ExternalId": !Sub ${ExternalId}
StringLike:
"aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${AccountId}:role/prowler*"
MaxSessionDuration: 3600
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/SecurityAudit"
- "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
Policies:
- PolicyName: ProwlerScan
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowMoreReadOnly
Effect: Allow
Action:
- "account:Get*"
- "appstream:Describe*"
- "appstream:List*"
- "backup:List*"
- "bedrock:List*"
- "bedrock:Get*"
- "cloudtrail:GetInsightSelectors"
- "codeartifact:List*"
- "codebuild:BatchGet*"
- "codebuild:ListReportGroups"
- "cognito-idp:GetUserPoolMfaConfig"
- "dlm:Get*"
- "drs:Describe*"
- "ds:Get*"
- "ds:Describe*"
- "ds:List*"
- "dynamodb:GetResourcePolicy"
- "ec2:GetEbsEncryptionByDefault"
- "ec2:GetSnapshotBlockPublicAccessState"
- "ec2:GetInstanceMetadataDefaults"
- "ecr:Describe*"
- "ecr:GetRegistryScanningConfiguration"
- "elasticfilesystem:DescribeBackupPolicy"
- "glue:GetConnections"
- "glue:GetSecurityConfiguration*"
- "glue:SearchTables"
- "lambda:GetFunction*"
- "logs:FilterLogEvents"
- "lightsail:GetRelationalDatabases"
- "macie2:GetMacieSession"
- "macie2:GetAutomatedDiscoveryConfiguration"
- "s3:GetAccountPublicAccessBlock"
- "shield:DescribeProtection"
- "shield:GetSubscriptionState"
- "securityhub:BatchImportFindings"
- "securityhub:GetFindings"
- "servicecatalog:Describe*"
- "servicecatalog:List*"
- "ssm:GetDocument"
- "ssm-incidents:List*"
- "states:ListTagsForResource"
- "support:Describe*"
- "tag:GetTagKeys"
- "wellarchitected:List*"
Resource: "*"
- Sid: AllowAPIGatewayReadOnly
Effect: Allow
Action:
- "apigateway:GET"
Resource:
- "arn:*:apigateway:*::/restapis/*"
- "arn:*:apigateway:*::/apis/*"
Tags:
- Key: "Service"
Value: "https://prowler.com"
- Key: "Support"
Value: "support@prowler.com"
- Key: "CloudFormation"
Value: "true"
- Key: "Name"
Value: "ProwlerScan"

10
permissions/templates/terraform/README.md Normal file
View File

@@ -0,0 +1,10 @@
## Deployment using Terraform
To deploy the Prowler Scan Role in order to allow to scan you AWS account from Prowler, please run the following commands in your terminal:
1. `terraform init`
2. `terraform plan`
3. `terraform apply`
During the `terraform plan` and `terraform apply` steps you will be asked for an External ID to be configured in the `ProwlerScan` IAM role.
> Note that Terraform will use the AWS credentials of your default profile.

95
permissions/templates/terraform/main.tf Normal file
View File

@@ -0,0 +1,95 @@
# Variables
###################################
variable "external_id" {
type = string
description = "IAM Role External ID - Please input your External ID here below"
}
variable "account_id" {
type = string
description = "AWS Account ID that will assume the role created, if you are deploying this template to be used in Prowler Cloud please use the default AWS Account ID"
default = "232136659152"
}
##### PLEASE, DO NOT EDIT BELOW THIS LINE #####
# Terraform Provider Configuration
###################################
terraform {
required_version = ">= 1.5"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.83"
}
}
}
provider "aws" {
region = "us-east-1"
default_tags {
tags = {
"Name" = "ProwlerScan",
"Terraform" = "true",
"Service" = "https://prowler.com",
"Support" = "support@prowler.com"
}
}
}
data "aws_partition" "current" {}
# IAM Role
###################################
data "aws_iam_policy_document" "prowler_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.account_id}:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
var.external_id,
]
}
condition {
test = "StringLike"
variable = "aws:PrincipalArn"
values = [
"arn:${data.aws_partition.current.partition}:iam::${var.account_id}:role/prowler*",
]
}
}
}
resource "aws_iam_role" "prowler_scan" {
name = "ProwlerScan"
assume_role_policy = data.aws_iam_policy_document.prowler_assume_role_policy.json
}
resource "aws_iam_policy" "prowler_scan_policy" {
name = "ProwlerScan"
description = "Prowler Scan Policy"
policy = file("../../prowler-additions-policy.json")
}
resource "aws_iam_role_policy_attachment" "prowler_scan_policy_attachment" {
role = aws_iam_role.prowler_scan.name
policy_arn = aws_iam_policy.prowler_scan_policy.arn
}
resource "aws_iam_role_policy_attachment" "prowler_scan_securityaudit_policy_attachment" {
role = aws_iam_role.prowler_scan.name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/SecurityAudit"
}
resource "aws_iam_role_policy_attachment" "prowler_scan_viewonly_policy_attachment" {
role = aws_iam_role.prowler_scan.name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/job-function/ViewOnlyAccess"
}