This module creates an ECS cluster with EventBridge scheduled cron that starts ECS tasks to run Prowler scans on your AWS environments. You provision this module in a security account and specify what accounts you want to scan.
Steps:
-
Enable Security Hub in every account (without AWS config to save costs) and setup the security account as delegated administrator to centralize the findings
-
Enable the Prowler integration in Security Hub
-
Create IAM roles in the accounts you want to scan with these permissions
- arn:aws:iam::aws:policy/SecurityAudit
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
- The custom policy mentioned here
- Security hub access
-
Use the following trust policy for the IAM roles
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::SECURITYACCOUNTID:role/prowler-scanner-assumerole-SCANACCOUNTID" }, "Action": "sts:AssumeRole" }] }
If you need more help: For an extensive write-up check out my blog (this included troubleshooting tips)
ElasticScale is a Solutions Architecture as a Service focusing on start-ups and scale-ups. For a fixed monthly subscription fee, we handle all your AWS workloads. Some services include:
- Migrating existing workloads to AWS
- Implementing the Zero Trust security model
- Integrating DevOps principles within your organization
- Moving to infrastructure automation (Terraform)
- Complying with ISO27001 regulations within AWS
You can pause the subscription at any time and have direct access to certified AWS professionals.
Check out our website for more information.
| Name | Version |
|---|---|
| aws | 5.0.1 |
| Name | Source | Version |
|---|---|---|
| task_sg | terraform-aws-modules/security-group/aws | n/a |
| vpc | terraform-aws-modules/vpc/aws | 4.0.2 |
| Name | Type |
|---|---|
| aws_cloudwatch_event_rule.cron | resource |
| aws_cloudwatch_event_target.ecs_scheduled_task | resource |
| aws_ecs_cluster.cluster | resource |
| aws_ecs_task_definition.taskdef | resource |
| aws_iam_role.eventbridgerole | resource |
| aws_iam_role.executionrole | resource |
| aws_iam_role.taskrole | resource |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_ids | A list of account IDs to scan | list(string) |
n/a | yes |
| prefix | A prefix for the resources | string |
"prowler-scanner" |
no |
| schedule_expression | The schedule expression for the eventbridge rule (ie how often to run the scans) | string |
"cron(0 3 * * ? *)" |
no |
| security_account_id | The account ID where this module is run from (ie. the security account) | string |
n/a | yes |
| use_nat_gateway | We use NAT gateways if true, otherwise we use public IPs | bool |
false |
no |
No outputs.