mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-01-25 02:08:11 +00:00
29 lines
1.3 KiB
Plaintext
29 lines
1.3 KiB
Plaintext
# Each line is a (checkid:item) tuple
|
|
|
|
# Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning)
|
|
check26:myignoredbucket
|
|
|
|
# Note that by default, this searches for the string appearing *anywhere* in the resource name.
|
|
# For example:
|
|
# extra718:ci-logs # Will block bucket "ci-logs" AND ALSO bucket "ci-logs-replica"
|
|
# extra718:logs # Will block EVERY BUCKET containing the string "logs"
|
|
|
|
# line starting with # are ignored as comments
|
|
# add a line per resource as here:
|
|
#<checkid1>:<resource to ignore 1>
|
|
#<checkid1>:<resource to ignore 2>
|
|
# checkid2
|
|
#<checkid2>:<resource to ignore 1>
|
|
|
|
# REGEXES
|
|
# This allowlist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
|
|
# therefore:
|
|
# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
|
|
|
|
# EXAMPLE: CONTROL TOWER
|
|
# When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
|
|
# below ensures that warnings instead of errors are reported for the affected resources.
|
|
#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
|
|
#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
|
|
#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
|
|
#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+ |