From 3a893889b6ad58c903f67233fd8dcbafea475080 Mon Sep 17 00:00:00 2001 From: zfLQ2qx2 <31103058+zfLQ2qx2@users.noreply.github.com> Date: Wed, 13 Nov 2019 22:49:32 -0500 Subject: [PATCH] Misc prowler fixes --- README.md | 12 +++--- checks/check_extra718 | 12 ++++-- checks/check_extra726 | 12 ++++-- checks/check_extra73 | 18 +++++++-- checks/check_extra734 | 52 ++++++++++++++++--------- checks/check_extra742 | 2 +- checks/check_extra756 | 6 +-- checks/check_extra761 | 10 ++++- checks/check_extra763 | 38 ++++++++++++++++++ checks/check_extra764 | 50 ++++++++++++++++++++++++ groups/group7_extras | 2 +- iam/prowler-policy-additions.json | 13 ++++--- util/multi-account/Audit_Exec_Role.yaml | 14 ++++--- util/multi-account/Audit_Pipeline.yaml | 3 -- 14 files changed, 188 insertions(+), 56 deletions(-) create mode 100644 checks/check_extra763 create mode 100644 checks/check_extra764 diff --git a/README.md b/README.md index 3405705be365..6638da32e413 100644 --- a/README.md +++ b/README.md @@ -314,6 +314,7 @@ Instead of using default policy SecurityAudit for the account you use for checks "directconnect:describe*", "dynamodb:listtables", "ec2:describe*", + "ec2:GetEbsEncryptionByDefault", "ecr:describe*", "ecs:describe*", "ecs:list*", @@ -343,6 +344,11 @@ Instead of using default policy SecurityAudit for the account you use for checks "rds:downloaddblogfileportion", "rds:listtagsforresource", "redshift:describe*", + "route53domains:getdomaindetail", + "route53domains:getoperationdetail", + "route53domains:listdomains", + "route53domains:listoperations", + "route53domains:listtagsfordomain", "route53:getchange", "route53:getcheckeripranges", "route53:getgeolocation", 
@@ -361,12 +367,8 @@ Instead of using default policy SecurityAudit for the account you use for checks "route53:listreusabledelegationsets", "route53:listtagsforresource", "route53:listtagsforresources", - "route53domains:getdomaindetail", - "route53domains:getoperationdetail", - "route53domains:listdomains", - "route53domains:listoperations", - "route53domains:listtagsfordomain", "s3:getbucket*", + "s3:GetEncryptionConfiguration", "s3:getlifecycleconfiguration", "s3:getobjectacl", "s3:getobjectversionacl", diff --git a/checks/check_extra718 b/checks/check_extra718 index e5b326907e2a..7331911397ef 100644 --- a/checks/check_extra718 +++ b/checks/check_extra718 @@ -21,11 +21,15 @@ extra718(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1) if [[ $LIST_OF_BUCKETS ]]; then for bucket in $LIST_OF_BUCKETS;do - BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text|grep -v "^None$") - if [[ $BUCKET_SERVER_LOG_ENABLED ]];then - textPass "Bucket $bucket has server access logging enabled" - else + BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text 2>&1) + if [[ $(echo "$BUCKET_SERVER_LOG_ENABLED" | grep AccessDenied) ]]; then + textFail "Access Denied Trying to Get Bucket Logging for $bucket" + continue + fi + if [[ $(echo "$BUCKET_SERVER_LOG_ENABLED" | grep "^None$") ]]; then textFail "Bucket $bucket has server access logging disabled!" + else + textPass "Bucket $bucket has server access logging enabled" fi done else diff --git a/checks/check_extra726 b/checks/check_extra726 index 6b0bd0b170b8..e58d88848325 100644 --- a/checks/check_extra726 +++ b/checks/check_extra726 
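Review bot: Any failure other than AccessDenied still reaches the `else` branch and is reported as a pass: with the added `2>&1`, a NoSuchBucket, redirect or throttling message matches neither `AccessDenied` nor `^None$`, so `textPass "Bucket $bucket has server access logging enabled"` fires on an error, which is the unsafe direction for an audit check. Gating on the command's exit status closes that in one line, `BUCKET_SERVER_LOG_ENABLED=$(... --output text 2>&1) || { textFail "Error getting server access logging for $bucket: $BUCKET_SERVER_LOG_ENABLED"; continue; }`, after which the AccessDenied branch is covered as well. The same string-match-only handling appears in the live hunk of checks/check_extra73, where an unmatched error leaves the CLI text in `BUCKET_LOCATION`, which is then compared against `None` and presumably used as a region further down. extra718's function body starts and ends outside the hunk.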
@@ -22,10 +22,14 @@ extra726(){ # forcing us-east-1 region only since support only works in that region TA_CHECKS_ID=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query checks[*].id --output text) for checkid in $TA_CHECKS_ID; do - QUERY_RESULT_NO_OK=$($AWSCLI support describe-trusted-advisor-check-result --check-id $checkid --language en $PROFILE_OPT --region us-east-1 --query 'result.status' --output text | grep -v "ok" ) - if [[ $QUERY_RESULT_NO_OK ]]; then - TA_CHECKS_NAME=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query "checks[?id==\`$checkid\`].{name:name}[*]" --output text) - textFail "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_RESULT_NO_OK" + TA_CHECKS_NAME=$($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query "checks[?id==\`$checkid\`].{name:name}[*]" --output text) + QUERY_TA_CHECK_RESULT=$($AWSCLI support describe-trusted-advisor-check-result --check-id $checkid --language en $PROFILE_OPT --region us-east-1 --query 'result.status' --output text) + if [[ $(echo $QUERY_TA_CHECK_RESULT | grep ok) ]]; then + textPass "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_TA_CHECK_RESULT" + elif [[ $(echo $QUERY_TA_CHECK_RESULT | grep warning) ]]; then + textInfo "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_TA_CHECK_RESULT" + else + textFail "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_TA_CHECK_RESULT" fi done } diff --git a/checks/check_extra73 b/checks/check_extra73 index 3b0efc1abf0c..8e203b7985e3 100644 --- a/checks/check_extra73 +++ b/checks/check_extra73 
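Review bot: `describe-trusted-advisor-checks` is now called once per check id inside the loop to fetch `TA_CHECKS_NAME`, where the old code only did so for non-ok checks, so every iteration downloads the whole check catalogue again from a rate-limited Support API. One call before the loop that returns `checks[*].[id,name]` as text and a `while read -r checkid TA_CHECKS_NAME` loop gives both values without the extra requests. The status test also relies on substring matches (`grep ok`, `grep warning`) over an unquoted `echo`, which would also accept any future status containing those letters; an exact `case` on the value is clearer and saves two pipelines per check. The loop is shown in full, but extra726 opens at the hunk header.
```shell
# … unchanged: us-east-1 comment …
while IFS=$'\t' read -r checkid TA_CHECKS_NAME; do
  QUERY_TA_CHECK_RESULT=$($AWSCLI support describe-trusted-advisor-check-result --check-id $checkid --language en $PROFILE_OPT --region us-east-1 --query 'result.status' --output text)
  case "$QUERY_TA_CHECK_RESULT" in
    ok)      textPass "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_TA_CHECK_RESULT" ;;
    warning) textInfo "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_TA_CHECK_RESULT" ;;
    *)       textFail "Trusted Advisor check $TA_CHECKS_NAME is in state $QUERY_TA_CHECK_RESULT" ;;
  esac
done < <($AWSCLI support describe-trusted-advisor-checks --language en $PROFILE_OPT --region us-east-1 --query 'checks[*].[id,name]' --output text)
```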
@@ -24,7 +24,11 @@ CHECK_ALTERNATE_check703="extra73" # extra73(){ # ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text) # for bucket in $ALL_BUCKETS_LIST; do -# BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --region $REGION --output text) +# BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --region $REGION --output text 2>&1) +# if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then +# textFail "Access Denied Trying to Get Bucket Location for $bucket" +# continue +# fi # if [[ "None" == $BUCKET_LOCATION ]]; then # BUCKET_LOCATION="us-east-1" # fi @@ -54,7 +58,11 @@ extra73(){ S3_FINDING_POLICY="Ok" # LOCATION - BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --output text) + BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --output text 2>&1) + if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then + textFail "Access Denied Trying to Get Bucket Location for $bucket" + continue + fi if [[ "None" == $BUCKET_LOCATION ]]; then BUCKET_LOCATION="us-east-1" fi @@ -133,7 +141,11 @@ extra73(){ # } # extra73Thread(){ # bucket=$1 -# BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket --profile $PROFILE --region $REGION --output text) +# BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket --profile $PROFILE --region $REGION --output text 2>&1) +# if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then +# textFail "Access Denied Trying to Get Bucket Location for $bucket" +# return +# fi # if [[ "None" == $BUCKET_LOCATION ]]; then # BUCKET_LOCATION="us-east-1" # fi diff --git a/checks/check_extra734 b/checks/check_extra734 index 63e9aab65a9b..235e7423ecfc 100644 --- a/checks/check_extra734 +++ b/checks/check_extra734 
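Review bot: The first and third hunks patch code that is commented out (the `# extra73(){` and `# extra73Thread(){` variants), so the AccessDenied handling now exists in three hand-synchronised copies of which only the one in the second hunk ever runs. Either delete the dead variants or revive them; if they are kept on purpose, a comment above each such as `# not executed: kept as reference for a threaded variant of extra73` would tell the next reader not to keep patching them. The threaded copy uses `return` where the live loop uses `continue`, which is a reminder that the copies already diverge in control flow. extra73's body starts before the hunks and continues after them.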
@@ -20,31 +20,45 @@ extra734(){ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1) if [[ $LIST_OF_BUCKETS ]]; then for bucket in $LIST_OF_BUCKETS;do + # query to get if has encryption enabled or not RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1) - if [[ $(echo "$RESULT" | grep ServerSideEncryptionConfigurationNotFoundError) ]] ; then - textFail "Bucket $bucket does not enforce encryption!" - elif [[ $(echo "$RESULT" | grep AccessDenied) ]] ; then + if [[ $(echo "$RESULT" | grep AccessDenied) ]]; then textFail "Access Denied Trying to Get Encryption for $bucket" - else - TEMP_SSE_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX) - # get bucket policy - $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2> /dev/null - # check if the S3 policy forces SSE s3:x-amz-server-side-encryption:true - CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'| awk '/Condition/ && !skip { print } { skip = /x-amz-server-side-encryption/} '|grep \"true\") - CHECK_BUCKET_SSE_POLICY_VALUE=$(cat $TEMP_SSE_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'| awk '/Condition/ && !skip { print } { skip = /x-amz-server-side-encryption/} '|grep -Eo "AES256|aws:kms") - - echo "$RESULT" | while read RBUCKET SSEALG; do - if [[ $SSEALG ]]; then - textPass "Bucket $RBUCKET has default encryption enabled with algorithm $SSEALG" - fi - done - if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT && $CHECK_BUCKET_SSE_POLICY_VALUE ]]; then - textPass "Bucket $bucket has S3 bucket policy to enforce encryption with $CHECK_BUCKET_SSE_POLICY_VALUE" - fi + continue + fi + if [[ 
$(echo "$RESULT" | grep ServerSideEncryptionConfigurationNotFoundError) ]]; then + textFail "Bucket $bucket does not enforce encryption!" + continue + fi + TEMP_SSE_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX) + + # get bucket policy + $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2> /dev/null + if [[ $(grep AccessDenied $TEMP_SSE_POLICY_FILE) ]]; then + textFail "Access Denied Trying to Get Bucket Policy for $bucket" + rm -fr $TEMP_SSE_POLICY_FILE + continue + fi + if [[ $(grep NoSuchBucketPolicy $TEMP_SSE_POLICY_FILE) ]]; then + textFail "No bucket policy for $bucket" rm -fr $TEMP_SSE_POLICY_FILE + continue fi + + # check if the S3 policy forces SSE s3:x-amz-server-side-encryption:true + CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and (.Principal|type == "object") and .Principal.AWS == "*" and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringNotEquals."s3:x-amz-server-side-encryption" != null)') + if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT == "" ]]; then + textFail "Bucket $bucket does not enforce encryption!" + rm -fr $TEMP_SSE_POLICY_FILE + continue + fi + CHECK_BUCKET_SSE_POLICY_VALUE=$(echo "$CHECK_BUCKET_SSE_POLICY_PRESENT" | jq -r '.Condition.StringNotEquals."s3:x-amz-server-side-encryption"') + + textPass "Bucket $bucket has S3 bucket policy to enforce encryption with $CHECK_BUCKET_SSE_POLICY_VALUE" + + rm -fr $TEMP_SSE_POLICY_FILE done else diff --git a/checks/check_extra742 b/checks/check_extra742 index f34afff4879c..277eb43568a3 100644 --- a/checks/check_extra742 +++ b/checks/check_extra742 @@ -45,7 +45,7 @@ extra742(){ rm -f $CFN_OUTPUTS_FILE fi else - textInfo "$regx: CloudFormation stack $stack has not Outputs" "$regx" + textInfo "$regx: CloudFormation stack $stack has no Outputs" "$regx" fi done else 
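Review bot: The two `grep … $TEMP_SSE_POLICY_FILE` guards added after the `get-bucket-policy` call can never match, because that line keeps `2> /dev/null`: an AccessDenied or NoSuchBucketPolicy error goes to stderr, the file stays empty, `jq` sees no input, and the bucket is reported as `does not enforce encryption!` instead of as access denied or no policy, which hides a permissions problem in the audit role as a finding. checks/check_extra764 redirects the same call with `2>&1`, and this line should do the same. Separately, the rewrite drops the `textPass` that the removed `while read RBUCKET SSEALG` loop emitted for buckets with default encryption, and the new `jq` filter accepts exactly one statement shape (`Principal` as `{"AWS":"*"}`, `Action` and `Resource` as single strings), so a bucket with default SSE and no policy, or a policy written with `"Principal": "*"` or array-valued `Action`/`Resource`, now fails; check_extra764's filter has the same rigidity. The sketch below restores the pass, fixes the redirect and tolerates the equivalent forms; extra734 opens at the hunk header.
```shell
# … unchanged: AccessDenied guard on $RESULT …
if [[ $RESULT != *ServerSideEncryptionConfigurationNotFoundError* ]]; then
  # $RESULT holds the SSEAlgorithm selected by the --query above
  textPass "Bucket $bucket has default encryption enabled with algorithm $RESULT"
  continue
fi
# no default encryption: a Deny on unencrypted s3:PutObject in the bucket policy still enforces it
TEMP_SSE_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
# errors must land in the file, otherwise the AccessDenied / NoSuchBucketPolicy greps below never match
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1
# … unchanged: AccessDenied / NoSuchBucketPolicy guards on the policy file …
# accept "Principal": "*" as well as {"AWS": "*"}, and string or array Action/Resource
CHECK_BUCKET_SSE_POLICY_PRESENT=$(jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ([.Principal|..|strings]|any(.=="*")) and ([.Action]|flatten|any(.=="s3:PutObject")) and ([.Resource]|flatten|any(.==$arn)) and .Condition.StringNotEquals."s3:x-amz-server-side-encryption" != null)' $TEMP_SSE_POLICY_FILE)
# … unchanged: empty-result failure, value extraction, textPass, rm …
```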
diff --git a/checks/check_extra756 b/checks/check_extra756 index 506ebd4d3de6..538fa55b08dc 100644 --- a/checks/check_extra756 +++ b/checks/check_extra756 @@ -18,10 +18,10 @@ CHECK_ALTERNATE_check756="extra756" extra756(){ for regx in $REGIONS; do - LIST_OF_RS_CLUSTERS=$($AWSCLI $PROFILE_OPT --region $regx redshift describe-clusters --query Clusters[*].ClusterIdentifier --output text) + LIST_OF_RS_CLUSTERS=$($AWSCLI $PROFILE_OPT redshift describe-clusters --region $regx --query Clusters[*].ClusterIdentifier --output text) if [[ $LIST_OF_RS_CLUSTERS ]];then for cluster in $LIST_OF_RS_CLUSTERS; do - IS_PUBLICLY_ACCESSIBLE=$($AWSCLI $PROFILE_OPT --region $regx redshift describe-clusters --cluster-identifier $cluster --query Clusters[*].PubliclyAccessible --output text|grep True) + IS_PUBLICLY_ACCESSIBLE=$($AWSCLI $PROFILE_OPT redshift describe-clusters --region $regx --cluster-identifier $cluster --query Clusters[*].PubliclyAccessible --output text|grep True) if [[ $IS_PUBLICLY_ACCESSIBLE ]]; then textFail "$regx: Redshift cluster $cluster is publicly accessible" "$regx" else @@ -29,7 +29,7 @@ extra756(){ fi done else - textInfo "$regx: Redshift clusters found" "$regx" + textInfo "$regx: No Redshift clusters found" "$regx" fi done } diff --git a/checks/check_extra761 b/checks/check_extra761 index a74f76de3ea1..542186188fab 100644 --- a/checks/check_extra761 +++ b/checks/check_extra761 
@@ -19,7 +19,15 @@ CHECK_ALTERNATE_check761="extra761" extra761(){ textInfo "Looking for EBS Default Encryption activation in all regions... " for regx in $REGIONS; do - EBS_DEFAULT_ENCRYPTION=$($AWSCLI ec2 get-ebs-encryption-by-default $PROFILE_OPT --region $regx --query 'EbsEncryptionByDefault') + EBS_DEFAULT_ENCRYPTION=$($AWSCLI ec2 get-ebs-encryption-by-default $PROFILE_OPT --region $regx --query 'EbsEncryptionByDefault' 2>&1) + if [[ $(echo "$EBS_DEFAULT_ENCRYPTION" | grep "argument operation: Invalid choice") ]]; then + textFail "Newer aws cli needed for get-ebs-encryption-by-default" + continue + fi + if [[ $(echo "$EBS_DEFAULT_ENCRYPTION" | grep UnauthorizedOperation) ]]; then + textFail "Prowler needs ec2:GetEbsEncryptionByDefault permission for this check" + continue + fi if [[ $EBS_DEFAULT_ENCRYPTION == "true" ]];then textPass "$regx: EBS Default Encryption is activated" "$regx" else diff --git a/checks/check_extra763 b/checks/check_extra763 new file mode 100644 index 000000000000..7c839cf378de --- /dev/null +++ b/checks/check_extra763 
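Review bot: The `argument operation: Invalid choice` branch reports a CLI-version problem as a finding and then `continue`s, but the installed aws cli does not change between regions, so the same `textFail "Newer aws cli needed for get-ebs-encryption-by-default"` is repeated once for every entry in `$REGIONS`. Emitting it once and leaving the function (`return` instead of `continue`; the loop sits inside extra761, which opens at the hunk header) avoids the duplicate findings, whereas the `UnauthorizedOperation` branch can legitimately differ per region and is fine with `continue`. An error that matches neither pattern still lands in the `else` branch, whose body continues outside the hunk, and is presumably reported as not activated; appending `$EBS_DEFAULT_ENCRYPTION` to that message, or testing `== "false"` before failing, keeps an error distinguishable from a true negative.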
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra763="7.63"
+CHECK_TITLE_extra763="[extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra763="NOT_SCORED"
+CHECK_TYPE_extra763="EXTRA"
+CHECK_ALTERNATE_check763="extra763"
+
+extra763(){
+ # "Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)"
+ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+ if [[ $LIST_OF_BUCKETS ]]; then
+ for bucket in $LIST_OF_BUCKETS;do
+ BUCKET_VERSIONING_ENABLED=$($AWSCLI s3api get-bucket-versioning --bucket $bucket $PROFILE_OPT --query Status --output text 2>&1)
+ if [[ $(echo "$BUCKET_VERSIONING_ENABLED" | grep AccessDenied) ]]; then
+ textFail "Access Denied Trying to Get Bucket Versioning for $bucket"
+ continue
+ fi
+ if [[ $(echo "$BUCKET_VERSIONING_ENABLED" | grep "^Enabled$") ]]; then
+ textPass "Bucket $bucket has versioning enabled"
+ else
+ textFail "Bucket $bucket has versioning disabled!"
+ fi
+ done
+ else
+ textInfo "No S3 Buckets found"
+ fi
+}
diff --git a/checks/check_extra764 b/checks/check_extra764
new file mode 100644
index 000000000000..fc3e70097d16
--- /dev/null
+++ b/checks/check_extra764
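Review bot: Both tests on `BUCKET_VERSIONING_ENABLED` spawn an `echo | grep` pipeline per bucket where a bash pattern test does the same without forking: `if [[ $BUCKET_VERSIONING_ENABLED == *AccessDenied* ]]; then` and `if [[ $BUCKET_VERSIONING_ENABLED == "Enabled" ]]; then`. A CLI error that is not AccessDenied (NoSuchBucket, throttling, an expired token) also ends up as `Bucket $bucket has versioning disabled!`, which is the safe direction but mislabels the cause; appending `$BUCKET_VERSIONING_ENABLED` to that failure message, or guarding on the assignment's exit status, separates an error from a genuine `Suspended` or `None` status. The `# "Check if S3 buckets …"` line inside the function only repeats CHECK_TITLE_extra763; a comment stating what the non-`Enabled` values mean (`--query Status` prints `None` when versioning was never enabled and `Suspended` when it was switched off, both of which must fail) would carry more information.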
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra764="7.64"
+CHECK_TITLE_extra764="[extra764] Check if S3 buckets have secure transport policy (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra764="NOT_SCORED"
+CHECK_TYPE_extra764="EXTRA"
+CHECK_ALTERNATE_check764="extra764"
+
+extra764(){
+ LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+ if [[ $LIST_OF_BUCKETS ]]; then
+ for bucket in $LIST_OF_BUCKETS;do
+ TEMP_STP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
+
+ # get bucket policy
+ $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_STP_POLICY_FILE 2>&1
+ if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
+ textFail "Access Denied Trying to Get Bucket Policy for $bucket"
+ continue
+ fi
+ if [[ $(grep NoSuchBucketPolicy $TEMP_STP_POLICY_FILE) ]]; then
+ textFail "No bucket policy for $bucket"
+ continue
+ fi
+
+ # check if the S3 policy denies all actions by all principals when aws:SecureTransport:false
+ CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and (.Principal|type == "object") and .Principal.AWS == "*" and .Action=="s3:*" and .Resource==$arn and .Condition.Bool."aws:SecureTransport" == 
"false")') + if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then + textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport" + else + textFail "Bucket $bucket allows requests over insecure transport" + fi + + rm -fr $TEMP_STP_POLICY_FILE + done + + else + textInfo "No S3 Buckets found" + fi +} diff --git a/groups/group7_extras b/groups/group7_extras index b186e032b1a0..612c0c60eac9 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - [extras] **********************************************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets` 
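Review bot: The two `continue` branches after the `get-bucket-policy` call (AccessDenied and NoSuchBucketPolicy) skip the `rm -fr $TEMP_STP_POLICY_FILE` at the bottom of the loop, so one mktemp file per such bucket is left in the temp directory on every run; checks/check_extra734 removes the file before each `continue`, and this hunk should do the same, `rm -f -- "$TEMP_STP_POLICY_FILE"` on the line before each `continue` (`-r` is unnecessary on a regular file). A missing policy is a correct failure for this check, but `No bucket policy for $bucket` does not say why it fails; `No bucket policy for $bucket, requests over insecure transport are not denied` states the finding. The rigid statement shape accepted by the `jq` filter (`Principal` only as `{"AWS":"*"}`, `Action` and `Resource` only as single strings) is raised on the check_extra734 hunk and applies here too.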
diff --git a/iam/prowler-policy-additions.json b/iam/prowler-policy-additions.json index 7b2f2f7999f1..da53b9ebd1a4 100644 --- a/iam/prowler-policy-additions.json +++ b/iam/prowler-policy-additions.json @@ -5,18 +5,19 @@ "Action": [ "acm:describecertificate", "acm:listcertificates", + "apigateway:GET", + "cloudtrail:GetEventSelectors", + "ec2:GetEbsEncryptionByDefault", "es:describeelasticsearchdomainconfig", + "guardduty:GetDetector", + "guardduty:ListDetectors", "logs:DescribeLogGroups", "logs:DescribeMetricFilters", + "s3:GetEncryptionConfiguration", "ses:getidentityverificationattributes", "sns:listsubscriptionsbytopic", - "guardduty:ListDetectors", - "guardduty:GetDetector", - "S3:GetEncryptionConfiguration", - "trustedadvisor:Describe*", - "cloudtrail:GetEventSelectors", - "apigateway:GET", "support:*" + "trustedadvisor:Describe*", ], "Effect": "Allow", "Resource": "*" diff --git a/util/multi-account/Audit_Exec_Role.yaml b/util/multi-account/Audit_Exec_Role.yaml index 673defaa2eb0..a89950a34c89 100644 --- a/util/multi-account/Audit_Exec_Role.yaml +++ b/util/multi-account/Audit_Exec_Role.yaml @@ -50,18 +50,20 @@ Resources: Action: - "acm:describecertificate" - "acm:listcertificates" + - "apigateway:GET" + - "cloudtrail:GetEventSelectors" + - "ec2:GetEbsEncryptionByDefault" - "es:describeelasticsearchdomainconfig" + - "guardduty:ListDetectors" + - "guardduty:GetDetector" - "logs:DescribeLogGroups" - "logs:DescribeMetricFilters" + - "s3:GetEncryptionConfiguration" - "ses:getidentityverificationattributes" - "sns:listsubscriptionsbytopic" - - "guardduty:ListDetectors" - - "guardduty:GetDetector" - - "S3:GetEncryptionConfiguration" - - "trustedadvisor:Describe*" - - "cloudtrail:GetEventSelectors" - - "apigateway:GET" - "support:*" + - "trustedadvisor:Describe*" + Metadata: cfn_nag: rules_to_suppress: diff --git a/util/multi-account/Audit_Pipeline.yaml b/util/multi-account/Audit_Pipeline.yaml index acd0c21652aa..92b74a6aabba 100644 
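Review bot: The reordered list is no longer valid JSON: `"support:*"` is left without a trailing comma and the moved `"trustedadvisor:Describe*",` now carries one directly before `]`, so the file cannot be loaded as a policy document. The two lines should read `"support:*",` and `"trustedadvisor:Describe*"`. Running `jq . iam/prowler-policy-additions.json` (or `python -m json.tool`) in CI would catch this class of break before it reaches users who copy the policy.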
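Review bot: This action list and the one in iam/prowler-policy-additions.json are evidently meant to be the same set, but this hunk orders `guardduty:ListDetectors` before `guardduty:GetDetector` while the JSON hunk sorts them the other way, and the added blank line before `Metadata:` is the only content of the last added line. Keeping both lists in the same (sorted, case-insensitive) order makes a `diff` between the two files meaningful the next time a check needs a permission; alternatively a one-line comment above the list, `# keep in sync with iam/prowler-policy-additions.json`, at least records the coupling.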
--- a/util/multi-account/Audit_Pipeline.yaml +++ b/util/multi-account/Audit_Pipeline.yaml @@ -301,9 +301,6 @@ Resources: discard-paths: no base-directory: out - - - ProwlerAuditTriggerRole: Type: AWS::IAM::Role Properties: