feat(controltower): add AWS Control Tower resources to default Allowl…

…ist configuration file (#2953)

Co-authored-by: Toni de la Fuente <[email protected]>

docs/tutorials/allowlist.md

@@ -82,7 +82,12 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
                 Tags:
                   - "environment=prod"   # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
 
-
+## AWS Control Tower Allowlist
+When using Control Tower, guardrails prevent access to certain protected resources. Prowler has an allowlist that ensures that warnings instead of errors are reported for all resources created by AWS Control Tower when setting up a landing zone.
+You can execute Prowler with the AWS Control Tower allowlist using the following command:
+```sh
+prowler aws --allowlist prowler/config/aws_controltower_allowlist.yaml
+```
 ## Supported Allowlist Locations
 
 The allowlisting flag supports the following locations:

prowler/config/aws_controltower_allowlist.yaml

@@ -0,0 +1,65 @@
+# When using Control Tower, guardrails prevent access to certain protected resources.
+# The allowlist below ensures that warnings instead of errors are reported for the affected resources.
+# https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html
+###########################  CONTROL TOWER ALLOWLIST  ###########################
+### The following file includes all resources created by AWS Control Tower ###
+Allowlist:
+  Accounts:
+    "*":
+      Checks:
+        "cloudwatch_log_group_*":
+          Regions:
+            - "*"
+          Resources:
+            - "/aws/lambda/aws-controltower-NotificationForwarder"
+            - "StackSet-AWSControlTowerBP-*"
+        "awslambda_function_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-NotificationForwarder"
+        "cloudformation_stacks_*":
+          Regions:
+            - "*"
+          Resources:
+            - "StackSet-AWSControlTowerGuardrailAWS-*"
+            - "StackSet-AWSControlTowerBP-*"
+        "cloudtrail_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-BaselineCloudTrail"
+        "iam_role_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-AdministratorExecutionRole"
+            - "aws-controltower-CloudWatchLogsRole"
+            - "aws-controltower-ConfigRecorderRole"
+            - "aws-controltower-ForwardSnsNotificationRole"
+            - "aws-controltower-ReadOnlyExecutionRole"
+            - "AWSControlTower_VPCFlowLogsRole"
+            - "AWSControlTowerExecution"
+        "iam_policy_*":
+          Regions:
+            - "*"
+          Resources:
+            - "AWSControlTowerServiceRolePolicy"
+        "s3_bucket_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-logs-*"
+            - "aws-controltower-s3-access-logs-*"
+        "sns_*":
+          Regions:
+            - "*"
+          Resources:
+            - "aws-controltower-SecurityNotifications"
+        "vpc_*":
+          Regions:
+            - "*"
+          Resources:
+            - "*"
+          Tags:
+            - "Name=aws-controltower-VPC"

prowler/providers/aws/lib/arguments/arguments.py

@@ -124,7 +124,7 @@ def init_parser(self):
         "--allowlist-file",
         nargs="?",
         default=None,
-        help="Path for allowlist yaml file. See example prowler/config/allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
+        help="Path for allowlist yaml file. See example prowler/config/aws_allowlist.yaml for reference and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/",
     )
     # Based Scans
     aws_based_scans_subparser = aws_parser.add_argument_group("AWS Based Scans")