---
title: "Configuration File"
---
import { VersionBadge } from "/snippets/version-badge.mdx"
Several Prowler checks have user-configurable variables that can be modified in a common **configuration file**. This file can be found at the following [path](https://github.com/prowler-cloud/prowler/blob/master/prowler/config/config.yaml):
```
prowler/config/config.yaml
```
Additionally, you can input a custom configuration file using the `--config-file` argument.
<Note>
Numeric thresholds enforce hard limits. A value outside the accepted range is dropped with a warning and the check falls back to its built-in default. See [Configuration Value Limits](/developer-guide/configurable-checks#configuration-value-limits) for the exact range of every bounded option (max-days caps, percentages, counts, etc.).
</Note>
## AWS
### Configurable Checks
The following list includes all the AWS checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `acm_certificates_expiration_check` | `days_to_expire_threshold` | Integer |
| `acmpca_certificate_authority_pqc_key_algorithm` | `acmpca_pqc_key_algorithms` | List of Strings |
| `appstream_fleet_maximum_session_duration` | `max_session_duration_seconds` | Integer |
| `appstream_fleet_session_disconnect_timeout` | `max_disconnect_timeout_in_seconds` | Integer |
| `appstream_fleet_session_idle_disconnect_timeout` | `max_idle_disconnect_timeout_in_seconds` | Integer |
| `autoscaling_find_secrets_ec2_launch_configuration` | `secrets_ignore_patterns` | List of Strings |
| `awslambda_function_no_secrets_in_code` | `secrets_ignore_patterns` | List of Strings |
| `awslambda_function_no_secrets_in_variables` | `secrets_ignore_patterns` | List of Strings |
| `awslambda_function_using_supported_runtimes`                 | `obsolete_lambda_runtimes`                       | List of Strings |
| `awslambda_function_vpc_is_in_multi_azs` | `lambda_min_azs` | Integer |
| `cloudformation_stack_outputs_find_secrets` | `secrets_ignore_patterns` | List of Strings |
| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_actions` | List of Strings |
| `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_threshold`         | Float           |
| `cloudtrail_threat_detection_enumeration` | `threat_detection_enumeration_minutes` | Integer |
| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_actions` | List of Strings |
| `cloudtrail_threat_detection_privilege_escalation`            | `threat_detection_privilege_escalation_threshold`| Float           |
| `cloudtrail_threat_detection_privilege_escalation` | `threat_detection_privilege_escalation_minutes` | Integer |
| `cloudwatch_log_group_no_secrets_in_logs` | `secrets_ignore_patterns` | List of Strings |
| `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days` | Integer |
| `codebuild_github_allowed_organizations` | `github_allowed_organizations` | List of Strings |
| `codebuild_project_no_secrets_in_variables` | `excluded_sensitive_environment_variables` | List of Strings |
| `codebuild_project_no_secrets_in_variables` | `secrets_ignore_patterns` | List of Strings |
| `config_recorder_all_regions_enabled` | `mute_non_default_regions` | Boolean |
| `drs_job_exist` | `mute_non_default_regions` | Boolean |
| `ec2_elastic_ip_shodan` | `shodan_api_key` | String |
| `ec2_instance_older_than_specific_days` | `max_ec2_instance_age_in_days` | Integer |
| `ec2_instance_secrets_user_data` | `secrets_ignore_patterns` | List of Strings |
| `ec2_launch_template_no_secrets` | `secrets_ignore_patterns` | List of Strings |
| `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_instance_owners` | List of Strings |
| `ec2_securitygroup_allow_ingress_from_internet_to_any_port` | `ec2_allowed_interface_types` | List of Strings |
| `ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports` | `ec2_high_risk_ports`                            | List of Integers |
| `ec2_securitygroup_with_many_ingress_egress_rules` | `max_security_group_rules` | Integer |
| `ecs_task_definitions_no_environment_secrets` | `secrets_ignore_patterns` | List of Strings |
| `ecr_repositories_scan_vulnerabilities_in_latest_image` | `ecr_repository_vulnerability_minimum_severity` | String |
| `eks_cluster_uses_a_supported_version` | `eks_cluster_oldest_version_supported` | String |
| `eks_control_plane_logging_all_types_enabled` | `eks_required_log_types` | List of Strings |
| `elasticache_redis_cluster_backup_enabled` | `minimum_snapshot_retention_period` | Integer |
| `elb_is_in_multiple_az` | `elb_min_azs` | Integer |
| `elbv2_is_in_multiple_az` | `elbv2_min_azs` | Integer |
| `rolesanywhere_trust_anchor_pqc_pki` | `rolesanywhere_pqc_pca_key_algorithms` | List of Strings |
| `cloudfront_distributions_pqc_tls_enabled` | `cloudfront_pqc_min_protocol_versions` | List of Strings |
| `apigateway_domain_name_pqc_tls_enabled` | `apigateway_pqc_tls_allowed_policies` | List of Strings |
| `guardduty_is_enabled` | `mute_non_default_regions` | Boolean |
| `iam_user_access_not_stale_to_sagemaker` | `max_unused_sagemaker_access_days` | Integer |
| `iam_user_accesskey_unused` | `max_unused_access_keys_days` | Integer |
| `iam_user_console_access_unused` | `max_console_access_days` | Integer |
| `organizations_delegated_administrators` | `organizations_trusted_delegated_administrators` | List of Strings |
| `organizations_scp_check_deny_regions` | `organizations_enabled_regions` | List of Strings |
| `rds_instance_backup_enabled` | `check_rds_instance_replicas` | Boolean |
| `securityhub_enabled` | `mute_non_default_regions` | Boolean |
| `secretsmanager_secret_unused` | `max_days_secret_unused` | Integer |
| `secretsmanager_secret_rotated_periodically` | `max_days_secret_unrotated` | Integer |
| `ssm_document_secrets` | `secrets_ignore_patterns` | List of Strings |
| `trustedadvisor_premium_support_plan_subscribed` | `verify_premium_support_plans` | Boolean |
| `transfer_server_pqc_ssh_kex_enabled` | `transfer_pqc_ssh_allowed_policies` | List of Strings |
| `dynamodb_table_cross_account_access` | `trusted_account_ids` | List of Strings |
| `eventbridge_bus_cross_account_access` | `trusted_account_ids` | List of Strings |
| `eventbridge_schema_registry_cross_account_access` | `trusted_account_ids` | List of Strings |
| `s3_bucket_cross_account_access` | `trusted_account_ids` | List of Strings |
| `ssm_documents_set_as_public` | `trusted_account_ids` | List of Strings |
| `vpc_endpoint_connections_trust_boundaries` | `trusted_account_ids` | List of Strings |
| `vpc_endpoint_services_allowed_principals_trust_boundaries` | `trusted_account_ids` | List of Strings |
| `opensearch_service_domains_not_publicly_accessible` | `trusted_ips` | List of Strings |
### Validating Discovered Secrets
<VersionBadge version="5.32.0" />
By default, the secret-scanning checks run fully offline: secrets are detected but never sent anywhere. Setting `secrets_validate` to `True` additionally confirms whether each discovered secret is live by authenticating with it against the corresponding provider API. The discovered secret itself serves as the credential, so Prowler requires no additional permissions to validate it.
`secrets_validate` applies to every AWS secret-scanning check listed above (those that accept `secrets_ignore_patterns`). The `--scan-secrets-validate` CLI flag is provider-wide: it also enables validation for the secret-scanning checks of other providers, such as the OpenStack metadata checks.
To enable validation through the configuration file, set the value under the `aws` section:
```yaml
# Secret validation is opt-in; enable it under the provider key it applies to.
aws:
  secrets_validate: True
```
To enable validation for a single scan (any provider), use Prowler CLI:
```
prowler aws --scan-secrets-validate
```
<Warning>
Secret validation makes outbound network calls that authenticate with each discovered secret. The credential is exercised against the provider, so the call appears in the audited account's logs and can trigger its monitoring (for example, AWS CloudTrail records the validation request). Validation stays disabled by default so that scans remain fully offline.
</Warning>
## Azure
### Configurable Checks
The following list includes all the Azure checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `network_public_ip_shodan` | `shodan_api_key` | String |
| `app_ensure_php_version_is_latest` | `php_latest_version` | String |
| `app_ensure_python_version_is_latest` | `python_latest_version` | String |
| `app_ensure_java_version_is_latest` | `java_latest_version` | String |
| `sqlserver_recommended_minimal_tls_version` | `recommended_minimal_tls_versions` | List of Strings |
| `vm_sufficient_daily_backup_retention_period` | `vm_backup_min_daily_retention_days` | Integer |
| `vm_desired_sku_size` | `desired_vm_sku_sizes` | List of Strings |
| `storage_smb_channel_encryption_with_secure_algorithm` | `recommended_smb_channel_encryption_algorithms` | List of Strings |
| `defender_attack_path_notifications_properly_configured` | `defender_attack_path_minimal_risk_level` | String |
| `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_threshold` | Float |
| `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_minutes` | Integer |
| `apim_threat_detection_llm_jacking` | `apim_threat_detection_llm_jacking_actions` | List of Strings |
## GCP
### Configurable Checks
The following list includes all the GCP checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `compute_configuration_changes` | `compute_audit_log_lookback_days` | Integer |
| `compute_instance_group_multiple_zones` | `mig_min_zones` | Integer |
## Kubernetes
### Configurable Checks
The following list includes all the Kubernetes checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `audit_log_maxbackup` | `audit_log_maxbackup` | String |
| `audit_log_maxsize` | `audit_log_maxsize` | String |
| `audit_log_maxage` | `audit_log_maxage` | String |
| `apiserver_strong_ciphers` | `apiserver_strong_ciphers` | String |
| `kubelet_strong_ciphers_only` | `kubelet_strong_ciphers` | String |
## M365
### Configurable Checks
The following list includes all the Microsoft 365 checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `entra_admin_users_sign_in_frequency_enabled` | `sign_in_frequency` | Integer |
| `teams_external_file_sharing_restricted` | `allowed_cloud_storage_services` | List of Strings |
| `exchange_organization_mailtips_enabled` | `recommended_mailtips_large_audience_threshold` | Integer |
## GitHub
### Configurable Checks
The following list includes all the GitHub checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|--------------------------------------------|---------------------------------------------|---------|
| `repository_inactive_not_archived` | `inactive_not_archived_days_threshold` | Integer |
## Vercel
### Configurable Checks
The following list includes all the Vercel checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|-----------------------------------------------------|------------------------------------|-----------------|
| `authentication_no_stale_tokens` | `stale_token_threshold_days` | Integer |
| `authentication_token_not_expired` | `days_to_expire_threshold` | Integer |
| `deployment_production_uses_stable_target` | `stable_branches` | List of Strings |
| `domain_ssl_certificate_valid` | `days_to_expire_threshold` | Integer |
| `project_environment_no_secrets_in_plain_type` | `secret_suffixes` | List of Strings |
| `team_member_role_least_privilege` | `max_owner_percentage` | Integer |
| `team_member_role_least_privilege` | `max_owners` | Integer |
| `team_no_stale_invitations` | `stale_invitation_threshold_days` | Integer |
## Okta
### Configurable Checks
The following list includes all the Okta checks with configurable variables that can be changed in the configuration YAML file:
| Check Name | Value | Type |
|---------------------------------------------------------------|------------------------------------|---------|
| `application_admin_console_session_idle_timeout_15min` | `okta_admin_console_idle_timeout_max_minutes` | Integer |
| `signon_global_session_idle_timeout_15min` | `okta_max_session_idle_minutes` | Integer |
## Config YAML File Structure
<Note>
This is the new Prowler configuration file format. The old format without provider keys is still supported, but only for the AWS provider.
</Note>
```yaml title="config.yaml"
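# Prowler configuration file (config.yaml).
#
# Every provider has its own top-level key (aws, azure, gcp, kubernetes, m365,
# github, vercel). The check that reads each value is named in the comment
# above it. Booleans are written as true/false and version strings are quoted
# so the YAML parser keeps them as strings instead of turning them into
# numbers. Out-of-range numeric values are rejected with a warning and the
# check falls back to its built-in default.

# AWS Configuration
aws:
  # AWS Global Configuration
  # aws.mute_non_default_regions --> Set to true to mute failed findings in
  # non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config
  mute_non_default_regions: false
  # To mute failed findings only in specific regions, create a mutelist file
  # with the following syntax and run it with `prowler aws -w mutelist.yaml`:
  # Mutelist:
  #   Accounts:
  #     "*":
  #       Checks:
  #         "*":
  #           Regions:
  #             - "ap-southeast-1"
  #             - "ap-southeast-2"
  #           Resources:
  #             - "*"
  # aws.secrets_validate --> Set to true to confirm each discovered secret is
  # live by authenticating with it against the provider API. This makes
  # outbound calls with the credential and shows up in the audited account's
  # logs, so it stays off by default (scans remain fully offline).
  secrets_validate: false

  # AWS IAM Configuration
  # aws.iam_user_accesskey_unused --> CIS recommends 45 days
  max_unused_access_keys_days: 45
  # aws.iam_user_console_access_unused --> CIS recommends 45 days
  max_console_access_days: 45
  # aws.iam_user_access_not_stale_to_sagemaker --> default 90 days
  max_unused_sagemaker_access_days: 90

  # AWS EC2 Configuration
  # aws.ec2_elastic_ip_shodan
  # TODO: create common config
  # The Shodan key is a credential: keep it out of a committed config file and
  # put it in a private copy passed with --config-file instead.
  shodan_api_key: null
  # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default 50 rules
  max_security_group_rules: 50
  # aws.ec2_instance_older_than_specific_days --> by default 6 months (180 days)
  max_ec2_instance_age_in_days: 180
  # aws.ec2_securitygroup_allow_ingress_from_internet_to_any_port
  # Allowed network interface types for security groups open to the Internet
  ec2_allowed_interface_types:
    - "api_gateway_managed"
    - "vpc_endpoint"
  # Allowed network interface owners for security groups open to the Internet
  ec2_allowed_instance_owners:
    - "amazon-elb"
  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
  # TCP ports that must never be reachable from 0.0.0.0/0
  ec2_high_risk_ports:
    - 25
    - 110
    - 135
    - 143
    - 445
    - 3000
    - 4333
    - 5000
    - 5500
    - 8080
    - 8088

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
  # AWS SSM Configuration (ssm_documents_set_as_public)
  # AWS S3 Configuration (s3_bucket_cross_account_access)
  # AWS EventBridge Configuration (eventbridge_schema_registry_cross_account_access, eventbridge_bus_cross_account_access)
  # AWS DynamoDB Configuration (dynamodb_table_cross_account_access)
  # Single account environment: No action required. The AWS account number is added automatically by the checks.
  # Multi account environment: add every additional trusted account number to the list as a quoted string, e.g.
  # trusted_account_ids: ["123456789012", "098765432109", "678901234567"]
  # (quoted, so an all-digit account id is not read as an integer)
  trusted_account_ids: []

  # AWS Cloudwatch Configuration
  # aws.cloudwatch_log_group_retention_policy_specific_days_enabled --> by default 365 days
  log_group_retention_days: 365

  # AWS AppStream Session Configuration
  # aws.appstream_fleet_session_idle_disconnect_timeout
  max_idle_disconnect_timeout_in_seconds: 600  # 10 minutes
  # aws.appstream_fleet_session_disconnect_timeout
  max_disconnect_timeout_in_seconds: 300  # 5 minutes
  # aws.appstream_fleet_maximum_session_duration
  max_session_duration_seconds: 36000  # 10 hours

  # AWS Lambda Configuration
  # aws.awslambda_function_using_supported_runtimes
  # Runtime identifiers that are treated as obsolete
  obsolete_lambda_runtimes:
    - "java8"
    - "go1.x"
    - "provided"
    - "python3.6"
    - "python2.7"
    - "python3.7"
    - "nodejs4.3"
    - "nodejs4.3-edge"
    - "nodejs6.10"
    - "nodejs"
    - "nodejs8.10"
    - "nodejs10.x"
    - "nodejs12.x"
    - "nodejs14.x"
    - "dotnet5.0"
    - "dotnetcore1.0"
    - "dotnetcore2.0"
    - "dotnetcore2.1"
    - "dotnetcore3.1"
    - "ruby2.5"
    - "ruby2.7"

  # AWS Organizations
  # aws.organizations_scp_check_deny_regions
  # Regions that SCPs are expected to allow, e.g.
  # organizations_enabled_regions:
  #   - "eu-central-1"
  #   - "eu-west-1"
  #   - "us-east-1"
  organizations_enabled_regions: []
  # aws.organizations_delegated_administrators
  organizations_trusted_delegated_administrators: []

  # AWS ECR
  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
  # Lowest finding severity that fails the check; one of CRITICAL, HIGH, MEDIUM
  ecr_repository_vulnerability_minimum_severity: "MEDIUM"

  # AWS Trusted Advisor
  # aws.trustedadvisor_premium_support_plan_subscribed
  verify_premium_support_plans: true

  # AWS CloudTrail Configuration
  # aws.cloudtrail_threat_detection_privilege_escalation
  # Percentage of the actions below found in the lookback window to flag a privilege escalation event, by default 0.2 (20%)
  threat_detection_privilege_escalation_threshold: 0.2
  # Past minutes to search from now for privilege escalation activity, by default 1440 minutes (24 hours)
  threat_detection_privilege_escalation_minutes: 1440
  threat_detection_privilege_escalation_actions:
    - "AddPermission"
    - "AddRoleToInstanceProfile"
    - "AddUserToGroup"
    - "AssociateAccessPolicy"
    - "AssumeRole"
    - "AttachGroupPolicy"
    - "AttachRolePolicy"
    - "AttachUserPolicy"
    - "ChangePassword"
    - "CreateAccessEntry"
    - "CreateAccessKey"
    - "CreateDevEndpoint"
    - "CreateEventSourceMapping"
    - "CreateFunction"
    - "CreateGroup"
    - "CreateJob"
    - "CreateKeyPair"
    - "CreateLoginProfile"
    - "CreatePipeline"
    - "CreatePolicyVersion"
    - "CreateRole"
    - "CreateStack"
    - "DeleteRolePermissionsBoundary"
    - "DeleteRolePolicy"
    - "DeleteUserPermissionsBoundary"
    - "DeleteUserPolicy"
    - "DetachRolePolicy"
    - "DetachUserPolicy"
    - "GetCredentialsForIdentity"
    - "GetId"
    - "GetPolicyVersion"
    - "GetUserPolicy"
    - "Invoke"
    - "ModifyInstanceAttribute"
    - "PassRole"
    - "PutGroupPolicy"
    - "PutPipelineDefinition"
    - "PutRolePermissionsBoundary"
    - "PutRolePolicy"
    - "PutUserPermissionsBoundary"
    - "PutUserPolicy"
    - "ReplaceIamInstanceProfileAssociation"
    - "RunInstances"
    - "SetDefaultPolicyVersion"
    - "UpdateAccessKey"
    - "UpdateAssumeRolePolicy"
    - "UpdateDevEndpoint"
    - "UpdateEventSourceMapping"
    - "UpdateFunctionCode"
    - "UpdateJob"
    - "UpdateLoginProfile"
  # aws.cloudtrail_threat_detection_enumeration
  # Percentage of the actions below found in the lookback window to flag an enumeration event, by default 0.3 (30%)
  threat_detection_enumeration_threshold: 0.3
  # Past minutes to search from now for enumeration activity, by default 1440 minutes (24 hours)
  threat_detection_enumeration_minutes: 1440
  # Each action appears once; duplicated entries would only inflate the
  # denominator of the percentage above.
  threat_detection_enumeration_actions:
    - "DescribeAccessEntry"
    - "DescribeAccountAttributes"
    - "DescribeAvailabilityZones"
    - "DescribeBundleTasks"
    - "DescribeCarrierGateways"
    - "DescribeClientVpnRoutes"
    - "DescribeCluster"
    - "DescribeDhcpOptions"
    - "DescribeFlowLogs"
    - "DescribeImages"
    - "DescribeInstanceAttribute"
    - "DescribeInstanceInformation"
    - "DescribeInstanceTypes"
    - "DescribeInstances"
    - "DescribeKeyPairs"
    - "DescribeLogGroups"
    - "DescribeLogStreams"
    - "DescribeOrganization"
    - "DescribeRegions"
    - "DescribeSecurityGroups"
    - "DescribeSnapshotAttribute"
    - "DescribeSnapshotTierStatus"
    - "DescribeSubscriptionFilters"
    - "DescribeTransitGatewayMulticastDomains"
    - "DescribeVolumes"
    - "DescribeVolumesModifications"
    - "DescribeVpcEndpointConnectionNotifications"
    - "DescribeVpcs"
    - "GetAccount"
    - "GetAccountAuthorizationDetails"
    - "GetAccountSendingEnabled"
    - "GetBucketAcl"
    - "GetBucketLogging"
    - "GetBucketPolicy"
    - "GetBucketReplication"
    - "GetBucketVersioning"
    - "GetCallerIdentity"
    - "GetCertificate"
    - "GetConsoleScreenshot"
    - "GetCostAndUsage"
    - "GetDetector"
    - "GetEbsDefaultKmsKeyId"
    - "GetEbsEncryptionByDefault"
    - "GetFindings"
    - "GetFlowLogsIntegrationTemplate"
    - "GetIdentityVerificationAttributes"
    - "GetInstances"
    - "GetIntrospectionSchema"
    - "GetLaunchTemplateData"
    - "GetLogRecord"
    - "GetParameters"
    - "GetPolicyVersion"
    - "GetPublicAccessBlock"
    - "GetQueryResults"
    - "GetRegions"
    - "GetSMSAttributes"
    - "GetSMSSandboxAccountStatus"
    - "GetSendQuota"
    - "GetTransitGatewayRouteTableAssociations"
    - "GetUserPolicy"
    - "HeadObject"
    - "ListAccessKeys"
    - "ListAccounts"
    - "ListAllMyBuckets"
    - "ListAssociatedAccessPolicies"
    - "ListAttachedUserPolicies"
    - "ListClusters"
    - "ListDetectors"
    - "ListDomains"
    - "ListFindings"
    - "ListHostedZones"
    - "ListIPSets"
    - "ListIdentities"
    - "ListInstanceProfiles"
    - "ListObjects"
    - "ListOrganizationalUnitsForParent"
    - "ListOriginationNumbers"
    - "ListPolicyVersions"
    - "ListRoles"
    - "ListRules"
    - "ListServiceQuotas"
    - "ListSubscriptions"
    - "ListTargetsByRule"
    - "ListTopics"
    - "ListUsers"
    - "LookupEvents"
    - "Search"
  # aws.cloudtrail_threat_detection_llm_jacking
  # Percentage of the actions below found in the lookback window to flag an LLM Jacking event, by default 0.4 (40%)
  threat_detection_llm_jacking_threshold: 0.4
  # Past minutes to search from now for LLM Jacking activity, by default 1440 minutes (24 hours)
  threat_detection_llm_jacking_minutes: 1440
  threat_detection_llm_jacking_actions:
    - "PutUseCaseForModelAccess"  # Submits a use case for model access, providing justification (Write).
    - "PutFoundationModelEntitlement"  # Grants entitlement for accessing a foundation model (Write).
    - "PutModelInvocationLoggingConfiguration"  # Configures logging for model invocations (Write).
    - "CreateFoundationModelAgreement"  # Creates a new agreement to use a foundation model (Write).
    - "InvokeModel"  # Invokes a specified Bedrock model for inference using provided prompt and parameters (Read).
    - "InvokeModelWithResponseStream"  # Invokes a Bedrock model for inference with real-time token streaming (Read).
    - "GetUseCaseForModelAccess"  # Retrieves an existing use case for model access (Read).
    - "GetModelInvocationLoggingConfiguration"  # Fetches the logging configuration for model invocations (Read).
    - "GetFoundationModelAvailability"  # Checks the availability of a foundation model for use (Read).
    - "ListFoundationModelAgreementOffers"  # Lists available agreement offers for accessing foundation models (List).
    - "ListFoundationModels"  # Lists the available foundation models in Bedrock (List).
    - "ListProvisionedModelThroughputs"  # Lists the provisioned throughput for previously created models (List).

  # AWS RDS Configuration
  # aws.rds_instance_backup_enabled
  # Whether read replicas are included in the backup check
  check_rds_instance_replicas: false

  # AWS ACM Configuration
  # aws.acm_certificates_expiration_check
  # Certificates expiring within this many days are reported
  days_to_expire_threshold: 7

  # AWS EKS Configuration
  # aws.eks_control_plane_logging_all_types_enabled
  # EKS control plane logging types that must be enabled
  eks_required_log_types:
    - "api"
    - "audit"
    - "authenticator"
    - "controllerManager"
    - "scheduler"

  # aws.eks_cluster_uses_a_supported_version
  # EKS clusters must be version 1.28 or higher (quoted so it stays a string)
  eks_cluster_oldest_version_supported: "1.28"

  # AWS CodeBuild Configuration
  # aws.codebuild_project_no_secrets_in_variables
  # CodeBuild sensitive variables that are excluded from the check
  excluded_sensitive_environment_variables: []

# Azure Configuration
azure:
  # Azure Network Configuration
  # azure.network_public_ip_shodan
  # TODO: create common config
  # Credential: keep it out of a committed config file (see the aws section).
  shodan_api_key: null

  # Azure App Service
  # Version strings are quoted so that, e.g., "3.10" is not read as the float 3.1
  # azure.app_ensure_php_version_is_latest
  php_latest_version: "8.2"
  # azure.app_ensure_python_version_is_latest
  python_latest_version: "3.12"
  # azure.app_ensure_java_version_is_latest
  java_latest_version: "17"

  # Azure SQL Server
  # azure.sqlserver_minimal_tls_version
  # TLS versions accepted as a minimum; anything older fails the check
  recommended_minimal_tls_versions:
    - "1.2"
    - "1.3"

  # Azure Storage
  # azure.storage_smb_channel_encryption_with_secure_algorithm
  # List of SMB channel encryption algorithms allowed on file shares. A storage
  # account passes only if every enabled algorithm is in this list. Defaults to
  # the value required by CIS (AES-256-GCM only, excluding weaker AES-128 ciphers).
  recommended_smb_channel_encryption_algorithms:
    - "AES-256-GCM"
    # - "AES-128-CCM"
    # - "AES-128-GCM"

  # Azure Virtual Machines
  # azure.vm_desired_sku_size
  # List of desired VM SKU sizes that are allowed in the organization
  desired_vm_sku_sizes:
    - "Standard_A8_v2"
    - "Standard_DS3_v2"
    - "Standard_D4s_v3"
  # Azure VM Backup Configuration
  # azure.vm_sufficient_daily_backup_retention_period
  vm_backup_min_daily_retention_days: 7

  # Azure API Management Threat Detection Configuration
  # azure.apim_threat_detection_llm_jacking
  # Percentage of the operations below found in the lookback window to flag an event
  apim_threat_detection_llm_jacking_threshold: 0.1
  # Past minutes to search from now, by default 1440 minutes (24 hours)
  apim_threat_detection_llm_jacking_minutes: 1440
  apim_threat_detection_llm_jacking_actions:
    # OpenAI API endpoints
    - "ImageGenerations_Create"
    - "ChatCompletions_Create"
    - "Completions_Create"
    - "Embeddings_Create"
    - "FineTuning_Jobs_Create"
    - "Models_List"
    # Azure OpenAI endpoints
    - "Deployments_List"
    - "Deployments_Get"
    - "Deployments_Create"
    - "Deployments_Delete"
    # Anthropic endpoints
    - "Messages_Create"
    - "Claude_Create"
    # Google AI endpoints
    - "GenerateContent"
    - "GenerateText"
    - "GenerateImage"
    # Meta AI endpoints
    - "Llama_Create"
    - "CodeLlama_Create"
    # Other LLM endpoints
    - "Gemini_Generate"
    - "Claude_Generate"
    - "Llama_Generate"

# GCP Configuration
gcp:
  # GCP Compute Configuration
  # gcp.compute_public_address_shodan
  # Credential: keep it out of a committed config file (see the aws section).
  shodan_api_key: null
  # gcp.compute_configuration_changes
  # Number of days to look back for Compute Engine configuration changes in audit logs
  compute_audit_log_lookback_days: 1
  # gcp.compute_instance_group_multiple_zones
  # Minimum number of zones a MIG should span for high availability
  mig_min_zones: 2

# Kubernetes Configuration
kubernetes:
  # Kubernetes API Server
  # kubernetes.apiserver_audit_log_maxbackup_set
  audit_log_maxbackup: 10
  # kubernetes.apiserver_audit_log_maxsize_set
  audit_log_maxsize: 100
  # kubernetes.apiserver_audit_log_maxage_set
  audit_log_maxage: 30
  # kubernetes.apiserver_strong_ciphers_only
  # TLS 1.3 suites expected in the API server's --tls-cipher-suites
  apiserver_strong_ciphers:
    - "TLS_AES_128_GCM_SHA256"
    - "TLS_AES_256_GCM_SHA384"
    - "TLS_CHACHA20_POLY1305_SHA256"
  # Kubelet
  # kubernetes.kubelet_strong_ciphers_only
  # NOTE(review): the two TLS_RSA_* suites use static RSA key exchange and so
  # provide no forward secrecy; keep them only if a client still requires them.
  kubelet_strong_ciphers:
    - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
    - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    - "TLS_RSA_WITH_AES_256_GCM_SHA384"
    - "TLS_RSA_WITH_AES_128_GCM_SHA256"

# M365 Configuration
m365:
  # Entra Conditional Access Policy
  # m365.entra_admin_users_sign_in_frequency_enabled
  sign_in_frequency: 4  # 4 hours
  # Teams Settings
  # m365.teams_external_file_sharing_restricted
  # Third-party storage services allowed for external file sharing; empty allows none
  allowed_cloud_storage_services: []
    # - "allow_box"
    # - "allow_drop_box"
    # - "allow_egnyte"
    # - "allow_google_drive"
    # - "allow_share_file"
  # Exchange Organization Settings
  # m365.exchange_organization_mailtips_enabled
  recommended_mailtips_large_audience_threshold: 25  # maximum number of recipients

# GitHub Configuration
github:
  # github.repository_inactive_not_archived
  # Repositories with no activity for this many days should be archived
  inactive_not_archived_days_threshold: 180

# Vercel Configuration
vercel:
  # vercel.deployment_production_uses_stable_target
  stable_branches:
    - "main"
    - "master"
  # vercel.authentication_token_not_expired & vercel.domain_ssl_certificate_valid
  days_to_expire_threshold: 7
  # vercel.authentication_no_stale_tokens
  stale_token_threshold_days: 90
  # vercel.team_no_stale_invitations
  stale_invitation_threshold_days: 30
  # vercel.team_member_role_least_privilege
  max_owner_percentage: 20
  max_owners: 3
  # vercel.project_environment_no_secrets_in_plain_type
  # Environment variable name suffixes that must be stored as secret-type values
  secret_suffixes:
    - "_KEY"
    - "_SECRET"
    - "_TOKEN"
    - "_PASSWORD"
    - "_API_KEY"
    - "_PRIVATE_KEY"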
```