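---
AWSTemplateFormatVersion: "2010-09-09"

# You can invoke CloudFormation from the command line like this (only ExternalId is
# passed here; AccountId and IAMPrincipal fall back to the defaults declared below).
# CAPABILITY_NAMED_IAM is required because the role is created with a fixed RoleName;
# several capabilities are given to a single --capabilities flag, space-separated:
#
# aws cloudformation create-stack \
#   --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
#   --template-body "file://prowler-scan-role.yaml" \
#   --stack-name "ProwlerScanRole" \
#   --parameters "ParameterKey=ExternalId,ParameterValue=ProvidedExternalID"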
# Human-readable summary shown in the CloudFormation console; the "|" block keeps
# the line breaks as part of the string.
# NOTE(review): "all read-only permissions" describes the default deployment. The
# inline policy also grants securityhub:BatchImportFindings, and the optional policies
# behind EnableOrganizations / EnableS3Integration add further write actions — see the
# Resources section.
Description: |
  This template creates the ProwlerScan IAM Role in this account with
  all read-only permissions to scan your account for security issues.
  Contains two AWS managed policies (SecurityAudit and ViewOnlyAccess) and an inline policy.
  It sets the trust policy on that IAM Role to permit Prowler to assume that role.
  This template is designed to be used in Prowler Cloud, but can also be used in other Prowler deployments.
  If you are deploying this template to be used in Prowler Cloud please do not edit the AccountId, IAMPrincipal and ExternalId parameters.
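Parameters:
  # Shared secret the assuming principal must present as sts:ExternalId — the
  # confused-deputy mitigation for cross-account AssumeRole. No default on purpose.
  ExternalId:
    Description: |
      This is the External ID that Prowler will use to assume the role ProwlerScan IAM Role.
    Type: String
    MinLength: 1
    AllowedPattern: ".+"
    ConstraintDescription: "ExternalId must not be empty."

  # Account whose principals may assume the role. The trust policy trusts this
  # account's root and then narrows it with aws:PrincipalArn (see IAMPrincipal).
  # The default is the Prowler Cloud account.
  AccountId:
    Description: |
      AWS Account ID that will assume the role created, if you are deploying this template to be used in Prowler Cloud please do not edit this.
    Type: String
    Default: "232136659152"
    MinLength: 12
    MaxLength: 12
    AllowedPattern: "[0-9]{12}"
    ConstraintDescription: "AccountId must be a valid AWS Account ID."

  # "<type>/<name>" suffix of the principal ARN; matched with StringLike, so "*"
  # acts as a wildcard. Quoted because "*" is a YAML indicator character.
  IAMPrincipal:
    Description: |
      The IAM principal type and name that will be allowed to assume the role created, leave an * for all the IAM principals in your AWS account. If you are deploying this template to be used in Prowler Cloud please do not edit this.
    Type: String
    Default: "role/prowler*"

  # Feature toggles are String parameters. The values are quoted so generic YAML
  # tooling does not read them as booleans; CloudFormation compares them as strings
  # either way.
  EnableOrganizations:
    Description: |
      Enable AWS Organizations discovery permissions. Set to true only when deploying this role in the management account.
      This adds read-only Organizations permissions (e.g. ListAccounts, DescribeOrganization) and StackSet management permissions.
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"

  EnableS3Integration:
    Description: |
      Enable S3 integration for storing Prowler scan reports.
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"

  # Only used when EnableS3Integration is "true"; empty otherwise.
  S3IntegrationBucketName:
    Description: |
      The S3 bucket name where Prowler will store scan reports for your cloud providers.
    Type: String
    Default: ""

  # Owner account of the bucket, enforced through the s3:ResourceAccount condition.
  # Empty is allowed so the stack deploys with the integration disabled; any other
  # value must be exactly 12 digits, otherwise the S3 policy would silently never match.
  S3IntegrationBucketAccountId:
    Description: |
      The AWS Account ID owner of the S3 Bucket.
    Type: String
    Default: ""
    AllowedPattern: "^$|^[0-9]{12}$"
    ConstraintDescription: "S3IntegrationBucketAccountId must be empty or a valid 12-digit AWS Account ID."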
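Conditions:
  # Both toggles are String parameters, so compare against the string "true".
  # A bare YAML true is a boolean to generic parsers; CloudFormation stringifies
  # it, but the quoted form is unambiguous and lint-clean.
  OrganizationsEnabled: !Equals [!Ref EnableOrganizations, "true"]
  S3IntegrationEnabled: !Equals [!Ref EnableS3Integration, "true"]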
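Resources:
  ProwlerScan:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name: the stack needs CAPABILITY_NAMED_IAM and at most one such role
      # can exist per account.
      RoleName: ProwlerScan

      # Trust policy. The AccountId account root is trusted, then narrowed to the
      # principals whose ARN matches IAMPrincipal, and the external ID must match.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AccountId}:root"
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": !Ref ExternalId
              StringLike:
                "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${AccountId}:${IAMPrincipal}"

      # One hour; the shortest value IAM allows for a role session.
      MaxSessionDuration: 3600

      # Use the stack's partition, as the trust policy above already does, so the
      # managed-policy ARNs also resolve outside the commercial "aws" partition.
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess"

      Policies:
        # Extra read permissions not covered by the two managed policies.
        - PolicyName: ProwlerScan
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: AllowMoreReadOnly
                Effect: Allow
                Action:
                  - "account:Get*"
                  - "appstream:Describe*"
                  - "appstream:List*"
                  - "backup:List*"
                  - "bedrock:List*"
                  - "bedrock:Get*"
                  - "cloudtrail:GetInsightSelectors"
                  - "codeartifact:List*"
                  - "codebuild:BatchGet*"
                  - "codebuild:ListReportGroups"
                  - "cognito-idp:GetUserPoolMfaConfig"
                  - "dlm:Get*"
                  - "drs:Describe*"
                  - "ds:Get*"
                  - "ds:Describe*"
                  - "ds:List*"
                  - "dynamodb:GetResourcePolicy"
                  - "ec2:GetEbsEncryptionByDefault"
                  - "ec2:GetSnapshotBlockPublicAccessState"
                  - "ec2:GetInstanceMetadataDefaults"
                  - "ecr:Describe*"
                  - "ecr:GetRegistryScanningConfiguration"
                  - "elasticfilesystem:DescribeBackupPolicy"
                  - "glue:GetConnections"
                  - "glue:GetSecurityConfiguration*"
                  - "glue:SearchTables"
                  - "lambda:GetFunction*"
                  # Reads log event contents, not only log-group metadata.
                  - "logs:FilterLogEvents"
                  - "lightsail:GetRelationalDatabases"
                  - "macie2:GetMacieSession"
                  - "macie2:GetAutomatedDiscoveryConfiguration"
                  - "s3:GetAccountPublicAccessBlock"
                  - "shield:DescribeProtection"
                  - "shield:GetSubscriptionState"
                  # Write action (pushes findings into Security Hub); the only
                  # non-read entry in this Sid.
                  - "securityhub:BatchImportFindings"
                  - "securityhub:GetFindings"
                  - "servicecatalog:Describe*"
                  - "servicecatalog:List*"
                  - "ssm:GetDocument"
                  - "ssm-incidents:List*"
                  - "states:ListTagsForResource"
                  - "support:Describe*"
                  - "tag:GetTagKeys"
                  - "wellarchitected:List*"
                Resource: "*"
              # API Gateway exposes read access as the GET verb on REST/HTTP API paths.
              - Sid: AllowAPIGatewayReadOnly
                Effect: Allow
                Action:
                  - "apigateway:GET"
                Resource:
                  - "arn:*:apigateway:*::/restapis/*"
                  - "arn:*:apigateway:*::/apis/*"

        # Attached only when EnableOrganizations is "true" (management account).
        - !If
          - OrganizationsEnabled
          - PolicyName: ProwlerOrganizations
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Sid: AllowOrganizationsReadOnly
                  Effect: Allow
                  Action:
                    - "organizations:DescribeAccount"
                    - "organizations:DescribeOrganization"
                    - "organizations:ListAccounts"
                    - "organizations:ListAccountsForParent"
                    - "organizations:ListOrganizationalUnitsForParent"
                    - "organizations:ListRoots"
                    - "organizations:ListTagsForResource"
                  Resource: "*"
                # Both actions below are write actions on "*".
                # NOTE(review): consider scoping them with the iam:AWSServiceName
                # (CreateServiceLinkedRole) and organizations:ServicePrincipal
                # (RegisterDelegatedAdministrator) condition keys to the StackSets
                # service principal; left unscoped here because the exact principal
                # this deployment relies on is not visible in the template.
                - Sid: AllowStackSetManagement
                  Effect: Allow
                  Action:
                    - "organizations:RegisterDelegatedAdministrator"
                    - "iam:CreateServiceLinkedRole"
                  Resource: "*"
          - !Ref AWS::NoValue

        # Attached only when EnableS3Integration is "true". Every statement requires
        # the bucket to be owned by S3IntegrationBucketAccountId (s3:ResourceAccount),
        # so a bucket of the same name in another account never matches.
        - !If
          - S3IntegrationEnabled
          - PolicyName: S3Integration
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "s3:PutObject"
                  Resource:
                    - !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*"
                  Condition:
                    StringEquals:
                      "s3:ResourceAccount": !Ref S3IntegrationBucketAccountId
                - Effect: Allow
                  Action:
                    - "s3:ListBucket"
                  Resource:
                    - !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}"
                  Condition:
                    StringEquals:
                      "s3:ResourceAccount": !Ref S3IntegrationBucketAccountId
                # Suffix match: any key ending in test-prowler-connection.txt,
                # anywhere in the bucket, may be deleted — presumably the object
                # written by the connection test; confirm the expected key prefix.
                - Effect: Allow
                  Action:
                    - "s3:DeleteObject"
                  Resource:
                    - !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*test-prowler-connection.txt"
                  Condition:
                    StringEquals:
                      "s3:ResourceAccount": !Ref S3IntegrationBucketAccountId
          - !Ref AWS::NoValue

      Tags:
        - Key: "Service"
          Value: "https://prowler.com"
        - Key: "Support"
          Value: "support@prowler.com"
        - Key: "CloudFormation"
          Value: "true"
        - Key: "Name"
          Value: "ProwlerScan"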
Metadata:
  # Free-form entry: not one of the Metadata keys CloudFormation interprets
  # (such as AWS::CloudFormation::Interface below), so it is carried as plain data.
  AWS::CloudFormation::StackName: "Prowler"

  # Grouping and ordering of parameters in the console "Create stack" form.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Required"
        Parameters:
          - ExternalId
          - AccountId
          - IAMPrincipal
          - EnableOrganizations
          - EnableS3Integration
      - Label:
          default: "Optional"
        Parameters:
          - S3IntegrationBucketName
          - S3IntegrationBucketAccountId
Outputs:
  # ARN of the created role, also exported for cross-stack references. Export names
  # must be unique within an account and region, hence the stack-name prefix.
  ProwlerScanRoleArn:
    Description: "ARN of the ProwlerScan IAM Role"
    Value:
      Fn::GetAtt: [ProwlerScan, Arn]
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-ProwlerScanRoleArn"