mirror of
https://github.com/prowler-cloud/prowler.git
synced 2025-12-19 05:17:47 +00:00
73 lines
3.0 KiB
YAML
73 lines
3.0 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
#
|
|
# You can invoke CloudFormation and pass the principal ARN from a command line like this:
|
|
# aws cloudformation create-stack \
|
|
# --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
|
|
# --template-body "file://create_role_to_assume_cfn.yaml" \
|
|
# --stack-name "ProwlerExecRole" \
|
|
# --parameters "ParameterKey=AuthorisedARN,ParameterValue=arn:aws:iam::123456789012:root"
|
|
#
|
|
Description: |
|
|
This template creates an AWS IAM Role with an inline policy and two AWS managed policies
|
|
attached. It sets the trust policy on that IAM Role to permit a named ARN in another AWS
|
|
account to assume that role. The role name and the ARN of the trusted user can all be passed
|
|
to the CloudFormation stack as parameters. Then you can run Prowler to perform a security
|
|
assessment with a command like:
|
|
./prowler -A <THIS_ACCOUNT_ID> -R ProwlerExecRole
|
|
Parameters:
|
|
AuthorisedARN:
|
|
Description: |
|
|
ARN of user who is authorised to assume the role that is created by this template.
|
|
E.g., arn:aws:iam::123456789012:root
|
|
Type: String
|
|
ProwlerRoleName:
|
|
Description: |
|
|
Name of the IAM role that will have these policies attached. Default: ProwlerExecRole
|
|
Type: String
|
|
Default: 'ProwlerExecRole'
|
|
|
|
Resources:
|
|
ProwlerExecRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
AWS: !Sub ${AuthorisedARN}
|
|
Action: 'sts:AssumeRole'
|
|
## In case MFA is required uncomment lines below and read https://github.com/prowler-cloud/prowler#run-prowler-with-mfa-protected-credentials
|
|
# Condition:
|
|
# Bool:
|
|
# 'aws:MultiFactorAuthPresent': true
|
|
# This is 12h that is maximum allowed, Minimum is 3600 = 1h
|
|
# to take advantage of this use -T like in './prowler -A <ACCOUNT_ID_TO_ASSUME> -R ProwlerExecRole -T 43200 -M text,html'
|
|
MaxSessionDuration: 43200
|
|
ManagedPolicyArns:
|
|
- 'arn:aws:iam::aws:policy/SecurityAudit'
|
|
- 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
|
|
RoleName: !Sub ${ProwlerRoleName}
|
|
Policies:
|
|
- PolicyName: ProwlerExecRoleAdditionalViewPrivileges
|
|
PolicyDocument:
|
|
Version : '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- 'ds:ListAuthorizedApplications'
|
|
- 'ec2:GetEbsEncryptionByDefault'
|
|
- 'ecr:Describe*'
|
|
- 'elasticfilesystem:DescribeBackupPolicy'
|
|
- 'glue:GetConnections'
|
|
- 'glue:GetSecurityConfiguration'
|
|
- 'glue:SearchTables'
|
|
- 'lambda:GetFunction'
|
|
- 's3:GetAccountPublicAccessBlock'
|
|
- 'shield:DescribeProtection'
|
|
- 'shield:GetSubscriptionState'
|
|
- 'ssm:GetDocument'
|
|
- 'support:Describe*'
|
|
- 'tag:GetTagKeys'
|
|
Resource: '*'
|