343 lines (209 loc) · 12.3 KB

API.md

File metadata and controls

343 lines (209 loc) · 12.3 KB

API Reference

Constructs

ProwlerAudit

Creates a CodeBuild project that audits an AWS account with Prowler and stores the HTML report in an S3 bucket.

It runs once at deployment time and on a schedule afterwards. Partial contribution from https://github.com/stevecjones

Initializers

```typescript
import { ProwlerAudit } from '@matthewbonig/cdk-prowler'

new ProwlerAudit(parent: Stack, id: string, props?: ProwlerAuditProps)
```

| Name | Type | Description |
|------|------|-------------|
| parent | aws-cdk-lib.Stack | No description. |
| id | string | No description. |
| props | ProwlerAuditProps | No description. |

parent (Required)
  • Type: aws-cdk-lib.Stack

id (Required)
  • Type: string

props (Optional)
  • Type: ProwlerAuditProps

Methods

| Name | Description |
|------|-------------|
| toString | Returns a string representation of this construct. |

toString

```typescript
public toString(): string
```

Returns a string representation of this construct.

Properties

| Name | Type | Description |
|------|------|-------------|
| codebuildProject | aws-cdk-lib.aws_codebuild.Project | No description. |
| enableScheduler | boolean | No description. |
| logsRetentionInDays | aws-cdk-lib.aws_logs.RetentionDays | No description. |
| prowlerOptions | string | No description. |
| prowlerScheduler | string | No description. |
| prowlerVersion | string | No description. |
| serviceName | string | No description. |

codebuildProject (Required)

```typescript
public readonly codebuildProject: Project;
```

  • Type: aws-cdk-lib.aws_codebuild.Project

enableScheduler (Required)

```typescript
public readonly enableScheduler: boolean;
```

  • Type: boolean

logsRetentionInDays (Required)

```typescript
public readonly logsRetentionInDays: RetentionDays;
```

  • Type: aws-cdk-lib.aws_logs.RetentionDays

prowlerOptions (Required)

```typescript
public readonly prowlerOptions: string;
```

  • Type: string

prowlerScheduler (Required)

```typescript
public readonly prowlerScheduler: string;
```

  • Type: string

prowlerVersion (Required)

```typescript
public readonly prowlerVersion: string;
```

  • Type: string

serviceName (Required)

```typescript
public readonly serviceName: string;
```

  • Type: string

Structs

ProwlerAuditProps

Initializer

```typescript
import { ProwlerAuditProps } from '@matthewbonig/cdk-prowler'

const prowlerAuditProps: ProwlerAuditProps = { ... }
```

Properties

| Name | Type | Description |
|------|------|-------------|
| additionalS3CopyArgs | string | An optional parameter to add to the S3 bucket copy command. |
| allowlist | aws-cdk-lib.aws_s3_assets.Asset | A Prowler-specific allowlist file. |
| enableScheduler | boolean | Enables the scheduler for running Prowler periodically. |
| logsRetentionInDays | aws-cdk-lib.aws_logs.RetentionDays | Specifies the number of days you want to retain CodeBuild run log events in the specified log group. |
| prowlerOptions | string | Options to pass to the Prowler command; make sure at least -M junit-xml is used for CodeBuild reports. |
| prowlerScheduler | string | The time when Prowler will run, in cron format. |
| prowlerVersion | string | Specifies the concrete Prowler version. |
| reportBucket | aws-cdk-lib.aws_s3.IBucket | An optional S3 bucket to store the Prowler reports. |
| reportBucketPrefix | string | An optional prefix for the report bucket objects. |
| reportBucketSecret | aws-cdk-lib.aws_secretsmanager.ISecret | An optional Secret that has, in plaintext, the bucket to write to. |
| serviceName | string | Specifies the service name used within component naming. |

additionalS3CopyArgs (Optional)

```typescript
public readonly additionalS3CopyArgs: string;
```

  • Type: string

An optional parameter to add to the S3 bucket copy command.

Example

```
--acl bucket-owner-full-control
```

allowlist (Optional)

```typescript
public readonly allowlist: Asset;
```

  • Type: aws-cdk-lib.aws_s3_assets.Asset
  • Default: undefined

A Prowler-specific allowlist file.

If a value is provided, it is passed to Prowler on each run using the '-w' flag. If no value is provided, the -w parameter is not used. If you provide an asset that is zipped, it must contain an 'allowlist.txt' file, which will be passed to Prowler.

Example

```typescript
new Asset(this, 'AllowList', { path: path.join(__dirname, 'allowlist.txt') })
```

enableScheduler (Optional)

```typescript
public readonly enableScheduler: boolean;
```

  • Type: boolean
  • Default: false

Enables the scheduler for running Prowler periodically.

Used together with prowlerScheduler.


logsRetentionInDays (Optional)

```typescript
public readonly logsRetentionInDays: RetentionDays;
```

  • Type: aws-cdk-lib.aws_logs.RetentionDays
  • Default: 3

Specifies the number of days you want to retain CodeBuild run log events in the specified log group.

JUnit reports are kept for 30 days; HTML reports in S3 are not deleted.


prowlerOptions (Optional)

```typescript
public readonly prowlerOptions: string;
```

  • Type: string
  • Default: '-M text,junit-xml,html,csv,json'

Options to pass to the Prowler command; make sure at least -M junit-xml is used for CodeBuild reports.

Use -r for the region to send API queries to, -f to filter only one region, -M for output formats and -c for a comma-separated list of checks; to run all checks, do not use -c or -g. For more options see -h. For a complete assessment use "-M text,junit-xml,html,csv,json"; for SecurityHub integration use "-r region -f region -M text,junit-xml,html,csv,json,json-asff -S -q".


prowlerScheduler (Optional)

```typescript
public readonly prowlerScheduler: string;
```

  • Type: string
  • Default: 'cron(0 22 * * ? *)'

The time when Prowler will run, in cron format.

The default runs daily at 22:00 (10 PM): 'cron(0 22 * * ? *)'. Rate expressions also work, e.g. 'rate(5 hours)' for every 5 hours. More info here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html.


prowlerVersion (Optional)

```typescript
public readonly prowlerVersion: string;
```

  • Type: string
  • Default: 2.7.0

Specifies the concrete Prowler version.


reportBucket (Optional)

```typescript
public readonly reportBucket: IBucket;
```

  • Type: aws-cdk-lib.aws_s3.IBucket

An optional S3 bucket to store the Prowler reports.


reportBucketPrefix (Optional)

```typescript
public readonly reportBucketPrefix: string;
```

  • Type: string

An optional prefix for the report bucket objects.


reportBucketSecret (Optional)

```typescript
public readonly reportBucketSecret: ISecret;
```

  • Type: aws-cdk-lib.aws_secretsmanager.ISecret

An optional Secret that has, in plaintext, the bucket to write to.


serviceName (Optional)

```typescript
public readonly serviceName: string;
```

  • Type: string
  • Default: prowler

Specifies the service name used within component naming.
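The property descriptions above state three constraints that only surface at run time (the CodeBuild report is empty without `-M junit-xml`, `prowlerScheduler` only takes effect together with `enableScheduler`, and the schedule must be an EventBridge `cron(...)` or `rate(...)` expression). The following pre-synth check is an added example, not part of `@matthewbonig/cdk-prowler`; `ProwlerAuditPropsSubset`, `outputModes`, `isValidSchedule` and `validateProps` are hypothetical names, and the interface is a plain-object subset of the real `ProwlerAuditProps` so it runs without aws-cdk-lib.

```typescript
// Added example: validate ProwlerAuditProps before `cdk synth`, using the
// constraints documented in API.md. Hypothetical subset of the real interface
// (only the string/boolean props are needed for these checks).
interface ProwlerAuditPropsSubset {
  enableScheduler?: boolean;
  prowlerScheduler?: string;
  prowlerOptions?: string;
}

// Defaults as documented for the construct.
const DEFAULT_OPTIONS = '-M text,junit-xml,html,csv,json';
const DEFAULT_SCHEDULE = 'cron(0 22 * * ? *)';

// Output formats listed after the Prowler -M flag, e.g. ['text', 'junit-xml'].
function outputModes(options: string): string[] {
  const m = options.match(/(?:^|\s)-M\s+(\S+)/);
  return m ? m[1].split(',') : [];
}

// EventBridge schedule expressions: cron(<6 fields>) or rate(<n> <unit>).
function isValidSchedule(expr: string): boolean {
  const cron = expr.match(/^cron\(([^)]*)\)$/);
  if (cron) return cron[1].trim().split(/\s+/).length === 6;
  return /^rate\(\s*\d+\s+(minute|minutes|hour|hours|day|days)\s*\)$/.test(expr);
}

// Returns a list of problems; an empty list means the props are consistent.
function validateProps(props: ProwlerAuditPropsSubset): string[] {
  const problems: string[] = [];
  const options = props.prowlerOptions ?? DEFAULT_OPTIONS;
  if (!outputModes(options).includes('junit-xml')) {
    problems.push('prowlerOptions must include "-M junit-xml" for CodeBuild reports');
  }
  const schedule = props.prowlerScheduler ?? DEFAULT_SCHEDULE;
  if (props.enableScheduler && !isValidSchedule(schedule)) {
    problems.push(`prowlerScheduler "${schedule}" is not a cron(...) or rate(...) expression`);
  }
  // The docs describe enableScheduler as working "together with prowlerScheduler",
  // so a custom schedule without the flag is almost certainly a mistake.
  if (props.prowlerScheduler && !props.enableScheduler) {
    problems.push('prowlerScheduler is set but enableScheduler is not true');
  }
  return problems;
}

// Constructed sample: the SecurityHub option string from the docs, scheduled every 5 hours.
console.log(validateProps({
  enableScheduler: true,
  prowlerScheduler: 'rate(5 hours)',
  prowlerOptions: '-r eu-west-1 -f eu-west-1 -M text,junit-xml,html,csv,json,json-asff -S -q',
}));
```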