chore(iam): update Prowler permissions (#2050)

prowler-cloud · Mar 7, 2023 · f364315 · f364315
1 parent 3ddb5a1
commit f364315
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 13 deletions.
diff --git a/docs/tutorials/aws/securityhub.md b/docs/tutorials/aws/securityhub.md
@@ -18,13 +18,13 @@ Before sending findings to Prowler, you will need to perform next steps:
 Once it is enabled, it is as simple as running the command below (for all regions):
 
 ```sh
-./prowler aws -S
+prowler aws -S
 ```
 
 or for only one filtered region like eu-west-1:
 
 ```sh
-./prowler -S -f eu-west-1
+prowler -S -f eu-west-1
 ```
 
 > **Note 1**: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command.
@@ -43,5 +43,5 @@ By default, Prowler archives all its findings in Security Hub that have not appe
 You can skip this logic by using the option `--skip-sh-update` so Prowler will not archive older findings:
 
 ```sh
-./prowler -S --skip-sh-update
+prowler -S --skip-sh-update
 ```
diff --git a/permissions/create_role_to_assume_cfn.yaml b/permissions/create_role_to_assume_cfn.yaml
@@ -4,7 +4,7 @@ AWSTemplateFormatVersion: '2010-09-09'
 # aws cloudformation create-stack \
 #  --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
 #  --template-body "file://create_role_to_assume_cfn.yaml" \
-#  --stack-name "ProwlerExecRole" \
+#  --stack-name "ProwlerScanRole" \
 #  --parameters "ParameterKey=AuthorisedARN,ParameterValue=arn:aws:iam::123456789012:root"
 #
 Description: |
@@ -13,7 +13,7 @@ Description: |
   account to assume that role. The role name and the ARN of the trusted user can all be passed
   to the CloudFormation stack as parameters. Then you can run Prowler to perform a security
   assessment with a command like:
-  ./prowler -A <THIS_ACCOUNT_ID> -R ProwlerExecRole
+  prowler --role ProwlerScanRole.ARN
 Parameters:
   AuthorisedARN:
     Description: |
@@ -22,12 +22,12 @@ Parameters:
     Type: String
   ProwlerRoleName:
     Description: |
-      Name of the IAM role that will have these policies attached. Default: ProwlerExecRole
+      Name of the IAM role that will have these policies attached. Default: ProwlerScanRole
     Type: String
-    Default: 'ProwlerExecRole'
+    Default: 'ProwlerScanRole'
 
 Resources:
-  ProwlerExecRole:
+  ProwlerScanRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
@@ -42,31 +42,49 @@ Resources:
             #   Bool:
             #     'aws:MultiFactorAuthPresent': true
       # This is 12h that is maximum allowed, Minimum is 3600 = 1h
-      # to take advantage of this use -T like in './prowler -A <ACCOUNT_ID_TO_ASSUME> -R ProwlerExecRole -T 43200 -M text,html'
+      # to take advantage of this use -T like in './prowler --role ProwlerScanRole.ARN -T 43200'
       MaxSessionDuration: 43200
       ManagedPolicyArns:
         - 'arn:aws:iam::aws:policy/SecurityAudit'
         - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
       RoleName: !Sub ${ProwlerRoleName}
       Policies:
-        - PolicyName: ProwlerExecRoleAdditionalViewPrivileges
+        - PolicyName: ProwlerScanRoleAdditionalViewPrivileges
           PolicyDocument:
             Version : '2012-10-17'
             Statement:
             - Effect: Allow
               Action:
-                - 'ds:ListAuthorizedApplications'
+                - 'account:Get*'
+                - 'appstream:Describe*'
+                - 'appstream:List*'
+                - 'codeartifact:List*'
+                - 'codebuild:BatchGet*'
+                - 'ds:Get*'
+                - 'ds:Describe*'
+                - 'ds:List*'
                 - 'ec2:GetEbsEncryptionByDefault'
                 - 'ecr:Describe*'
                 - 'elasticfilesystem:DescribeBackupPolicy'
                 - 'glue:GetConnections'
-                - 'glue:GetSecurityConfiguration'
+                - 'glue:GetSecurityConfiguration*'
                 - 'glue:SearchTables'
-                - 'lambda:GetFunction'
+                - 'lambda:GetFunction*'
+                - 'macie2:GetMacieSession'
                 - 's3:GetAccountPublicAccessBlock'
                 - 'shield:DescribeProtection'
                 - 'shield:GetSubscriptionState'
+                - 'securityhub:BatchImportFindings'
+                - 'securityhub:GetFindings'
                 - 'ssm:GetDocument'
                 - 'support:Describe*'
                 - 'tag:GetTagKeys'
               Resource: '*'
+        - PolicyName: ProwlerScanRoleAdditionalViewPrivilegesApiGateway
+          PolicyDocument:
+            Version : '2012-10-17'
+            Statement:
+            - Effect: Allow
+              Action:
+                - 'apigateway:GET'
+              Resource: 'arn:aws:apigateway:*::/restapis/*'
diff --git a/permissions/prowler-additions-policy.json b/permissions/prowler-additions-policy.json
@@ -3,7 +3,9 @@
   "Statement": [
     {
       "Action": [
+        "account:Get*",
         "appstream:Describe*",
+        "appstream:List*",
         "codeartifact:List*",
         "codebuild:BatchGet*",
         "ds:Describe*",