fix(templates): only one cloudformation template (#8451)
@@ -1,182 +0,0 @@
|
||||
AWSTemplateFormatVersion: "2010-09-09"
|
||||
|
||||
# You can invoke CloudFormation and pass the parameters from a command line like this:
|
||||
# aws cloudformation create-stack \
|
||||
# --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
|
||||
# --template-body "file://prowler-scan-role-with-s3-integration.yml" \
|
||||
# --stack-name "ProwlerScanRoleWithS3Integration" \
|
||||
# --parameters "ParameterKey=ExternalId,ParameterValue=your-external-id-here" \
|
||||
# "ParameterKey=S3IntegrationBucketName,ParameterValue=your-bucket-name" \
|
||||
# "ParameterKey=S3IntegrationBucketAccount,ParameterValue=123456789012"
|
||||
|
||||
Description: |
|
||||
This template creates the ProwlerScan IAM Role in this account with
|
||||
all read-only permissions to scan your account for security issues.
|
||||
Contains two AWS managed policies (SecurityAudit and ViewOnlyAccess) and inline policies.
|
||||
It sets the trust policy on that IAM Role to permit Prowler to assume that role.
|
||||
Additionally, this template includes S3 integration permissions that allow Prowler
|
||||
to store scan reports in your specified S3 bucket with appropriate security controls.
|
||||
This template can also be used to update an existing ProwlerScan role deployment
|
||||
since it only adds S3 permissions.
|
||||
This template is designed to be used in Prowler Cloud, but can also be used in other Prowler deployments.
|
||||
If you are deploying this template to be used in Prowler Cloud please do not edit the AccountId, IAMPrincipal and ExternalId parameters.
|
||||
Parameters:
|
||||
ExternalId:
|
||||
Description: |
|
||||
This is the External ID that Prowler will use to assume the role ProwlerScan IAM Role.
|
||||
Type: String
|
||||
MinLength: 1
|
||||
AllowedPattern: ".+"
|
||||
ConstraintDescription: "ExternalId must not be empty."
|
||||
AccountId:
|
||||
Description: |
|
||||
AWS Account ID that will assume the role created, if you are deploying this template to be used in Prowler Cloud please do not edit this.
|
||||
Type: String
|
||||
Default: "232136659152"
|
||||
MinLength: 12
|
||||
MaxLength: 12
|
||||
AllowedPattern: "[0-9]{12}"
|
||||
ConstraintDescription: "AccountId must be a valid AWS Account ID."
|
||||
IAMPrincipal:
|
||||
Description: |
|
||||
The IAM principal type and name that will be allowed to assume the role created, leave an * for all the IAM principals in your AWS account. If you are deploying this template to be used in Prowler Cloud please do not edit this.
|
||||
Type: String
|
||||
Default: role/prowler*
|
||||
S3IntegrationBucketName:
|
||||
Description: |
|
||||
The S3 bucket name where Prowler will store scan reports for your cloud providers.
|
||||
Type: String
|
||||
S3IntegrationBucketAccount:
|
||||
Description: |
|
||||
The AWS Account ID owner of the S3 Bucket.
|
||||
Type: String
|
||||
MinLength: 12
|
||||
MaxLength: 12
|
||||
AllowedPattern: "[0-9]{12}"
|
||||
ConstraintDescription: "S3IntegrationBucketAccount must be a valid 12-digit AWS Account ID."
|
||||
|
||||
Resources:
|
||||
ProwlerScan:
|
||||
Type: AWS::IAM::Role
|
||||
Properties:
|
||||
RoleName: ProwlerScan
|
||||
AssumeRolePolicyDocument:
|
||||
Version: "2012-10-17"
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Principal:
|
||||
AWS: !Sub "arn:${AWS::Partition}:iam::${AccountId}:root"
|
||||
Action: "sts:AssumeRole"
|
||||
Condition:
|
||||
StringEquals:
|
||||
"sts:ExternalId": !Sub ${ExternalId}
|
||||
StringLike:
|
||||
"aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${AccountId}:${IAMPrincipal}"
|
||||
MaxSessionDuration: 3600
|
||||
ManagedPolicyArns:
|
||||
- "arn:aws:iam::aws:policy/SecurityAudit"
|
||||
- "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
|
||||
Policies:
|
||||
- PolicyName: ProwlerScan
|
||||
PolicyDocument:
|
||||
Version: "2012-10-17"
|
||||
Statement:
|
||||
- Sid: AllowMoreReadOnly
|
||||
Effect: Allow
|
||||
Action:
|
||||
- "account:Get*"
|
||||
- "appstream:Describe*"
|
||||
- "appstream:List*"
|
||||
- "backup:List*"
|
||||
- "bedrock:List*"
|
||||
- "bedrock:Get*"
|
||||
- "cloudtrail:GetInsightSelectors"
|
||||
- "codeartifact:List*"
|
||||
- "codebuild:BatchGet*"
|
||||
- "codebuild:ListReportGroups"
|
||||
- "cognito-idp:GetUserPoolMfaConfig"
|
||||
- "dlm:Get*"
|
||||
- "drs:Describe*"
|
||||
- "ds:Get*"
|
||||
- "ds:Describe*"
|
||||
- "ds:List*"
|
||||
- "dynamodb:GetResourcePolicy"
|
||||
- "ec2:GetEbsEncryptionByDefault"
|
||||
- "ec2:GetSnapshotBlockPublicAccessState"
|
||||
- "ec2:GetInstanceMetadataDefaults"
|
||||
- "ecr:Describe*"
|
||||
- "ecr:GetRegistryScanningConfiguration"
|
||||
- "elasticfilesystem:DescribeBackupPolicy"
|
||||
- "glue:GetConnections"
|
||||
- "glue:GetSecurityConfiguration*"
|
||||
- "glue:SearchTables"
|
||||
- "lambda:GetFunction*"
|
||||
- "logs:FilterLogEvents"
|
||||
- "lightsail:GetRelationalDatabases"
|
||||
- "macie2:GetMacieSession"
|
||||
- "macie2:GetAutomatedDiscoveryConfiguration"
|
||||
- "s3:GetAccountPublicAccessBlock"
|
||||
- "shield:DescribeProtection"
|
||||
- "shield:GetSubscriptionState"
|
||||
- "securityhub:BatchImportFindings"
|
||||
- "securityhub:GetFindings"
|
||||
- "servicecatalog:Describe*"
|
||||
- "servicecatalog:List*"
|
||||
- "ssm:GetDocument"
|
||||
- "ssm-incidents:List*"
|
||||
- "states:ListTagsForResource"
|
||||
- "support:Describe*"
|
||||
- "tag:GetTagKeys"
|
||||
- "wellarchitected:List*"
|
||||
Resource: "*"
|
||||
- Sid: AllowAPIGatewayReadOnly
|
||||
Effect: Allow
|
||||
Action:
|
||||
- "apigateway:GET"
|
||||
Resource:
|
||||
- "arn:*:apigateway:*::/restapis/*"
|
||||
- "arn:*:apigateway:*::/apis/*"
|
||||
- PolicyName: ProwlerS3Integration
|
||||
PolicyDocument:
|
||||
Version: "2012-10-17"
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- "s3:PutObject"
|
||||
Resource:
|
||||
- !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*"
|
||||
Condition:
|
||||
StringEquals:
|
||||
"s3:ResourceAccount": !Sub ${S3IntegrationBucketAccount}
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- "s3:GetBucketLocation"
|
||||
Resource:
|
||||
- !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}"
|
||||
Condition:
|
||||
StringEquals:
|
||||
"s3:ResourceAccount": !Sub ${S3IntegrationBucketAccount}
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- "s3:DeleteObject"
|
||||
Resource:
|
||||
- !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*test-prowler-connection.txt"
|
||||
Condition:
|
||||
StringEquals:
|
||||
"s3:ResourceAccount": !Sub ${S3IntegrationBucketAccount}
|
||||
Tags:
|
||||
- Key: "Service"
|
||||
Value: "https://prowler.com"
|
||||
- Key: "Support"
|
||||
Value: "support@prowler.com"
|
||||
- Key: "CloudFormation"
|
||||
Value: "true"
|
||||
- Key: "Name"
|
||||
Value: "ProwlerScan"
|
||||
|
||||
Outputs:
|
||||
ProwlerScanRoleArn:
|
||||
Description: "ARN of the ProwlerScan IAM Role"
|
||||
Value: !GetAtt ProwlerScan.Arn
|
||||
Export:
|
||||
Name: !Sub "${AWS::StackName}-ProwlerScanRoleArn"
|
||||
@@ -36,6 +36,28 @@ Parameters:
|
||||
The IAM principal type and name that will be allowed to assume the role created, leave an * for all the IAM principals in your AWS account. If you are deploying this template to be used in Prowler Cloud please do not edit this.
|
||||
Type: String
|
||||
Default: role/prowler*
|
||||
EnableS3Integration:
|
||||
Description: |
|
||||
Enable S3 integration for storing Prowler scan reports.
|
||||
Type: String
|
||||
Default: false
|
||||
AllowedValues:
|
||||
- true
|
||||
- false
|
||||
S3IntegrationBucketName:
|
||||
Description: |
|
||||
The S3 bucket name where Prowler will store scan reports for your cloud providers.
|
||||
Type: String
|
||||
Default: ""
|
||||
S3IntegrationBucketAccountId:
|
||||
Description: |
|
||||
The AWS Account ID owner of the S3 Bucket.
|
||||
Type: String
|
||||
Default: ""
|
||||
|
||||
Conditions:
|
||||
S3IntegrationEnabled: !Equals [!Ref EnableS3Integration, true]
|
||||
|
||||
|
||||
Resources:
|
||||
ProwlerScan:
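Review bot: `S3IntegrationBucketAccountId` (`Type: String`, `Default: ""`) carries none of the 12-digit validation that the deleted template's `S3IntegrationBucketAccount` had (MinLength/MaxLength 12, `AllowedPattern: "[0-9]{12}"`), so a mistyped or empty account ID is accepted at stack creation and, as far as I can tell, only surfaces later when the `s3:ResourceAccount` StringEquals condition in the S3Integration policy never matches and the role silently cannot write reports. Since the default has to stay empty for the `EnableS3Integration=false` case, a pattern that admits either empty or exactly twelve digits keeps the guard without breaking that path: `AllowedPattern: "^([0-9]{12})?$"` and `ConstraintDescription: "S3IntegrationBucketAccountId must be empty or a 12-digit AWS Account ID."`. Separately, the unquoted `true`/`false` in `Default`, `AllowedValues` and the `!Equals` condition are YAML booleans while parameter values are strings; CloudFormation coerces them in practice, but quoting them as `"true"`/`"false"` makes the string comparison explicit and avoids YAML 1.1 truthy ambiguity. The `Parameters:` mapping this hunk extends starts outside the hunk.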
|
||||
@@ -118,6 +140,37 @@ Resources:
|
||||
Resource:
|
||||
- "arn:*:apigateway:*::/restapis/*"
|
||||
- "arn:*:apigateway:*::/apis/*"
|
||||
- !If
|
||||
- S3IntegrationEnabled
|
||||
- PolicyName: S3Integration
|
||||
PolicyDocument:
|
||||
Version: "2012-10-17"
|
||||
Statement:
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- "s3:PutObject"
|
||||
Resource:
|
||||
- !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*"
|
||||
Condition:
|
||||
StringEquals:
|
||||
"s3:ResourceAccount": !Sub ${S3IntegrationBucketAccountId}
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- "s3:GetBucketLocation"
|
||||
Resource:
|
||||
- !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}"
|
||||
Condition:
|
||||
StringEquals:
|
||||
"s3:ResourceAccount": !Sub ${S3IntegrationBucketAccountId}
|
||||
- Effect: Allow
|
||||
Action:
|
||||
- "s3:DeleteObject"
|
||||
Resource:
|
||||
- !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*test-prowler-connection.txt"
|
||||
Condition:
|
||||
StringEquals:
|
||||
"s3:ResourceAccount": !Sub ${S3IntegrationBucketAccountId}
|
||||
- !Ref AWS::NoValue
|
||||
Tags:
|
||||
- Key: "Service"
|
||||
Value: "https://prowler.com"
|
||||
@@ -128,6 +181,23 @@ Resources:
|
||||
- Key: "Name"
|
||||
Value: "ProwlerScan"
|
||||
|
||||
Metadata:
|
||||
AWS::CloudFormation::StackName: "Prowler"
|
||||
AWS::CloudFormation::Interface:
|
||||
ParameterGroups:
|
||||
- Label:
|
||||
default: Required
|
||||
Parameters:
|
||||
- ExternalId
|
||||
- AccountId
|
||||
- IAMPrincipal
|
||||
- EnableS3Integration
|
||||
- Label:
|
||||
default: Optional
|
||||
Parameters:
|
||||
- S3IntegrationBucketName
|
||||
- S3IntegrationBucketAccountId
|
||||
|
||||
Outputs:
|
||||
ProwlerScanRoleArn:
|
||||
Description: "ARN of the ProwlerScan IAM Role"
|
||||
|
||||