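---
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Runs a one-shot Prowler scan from a private, SSM-managed EC2 instance with no
  inbound access, uploads the zipped report to an encrypted S3 bucket and emails
  a notification through SNS when the report object is written.
Parameters:
  ProwlerOption:
    Type: String
    MaxLength: 128
    Description: >-
      Prowler command-line arguments (e.g. "aws" or "aws --checks ..."). The
      value is interpolated verbatim into the instance's bash UserData, so only
      a conservative character set is accepted.
    Default: aws
    # Reject shell metacharacters (; | & $ ` < > quotes, newlines): whoever
    # sets this parameter would otherwise run arbitrary commands as root on
    # the scan host, which holds SecurityAudit/ViewOnly credentials.
    AllowedPattern: '^[A-Za-z0-9 ._,:=/-]*$'
    ConstraintDescription: >-
      Only letters, digits, spaces and the characters . _ , : = / - are allowed.
  EmailAddress:
    Type: String
    MaxLength: 128
    Description: >-
      CHECK YOUR INBOX! - TO RECEIVE NOTIFICATIONS YOU MUST ACCEPT THE TOPIC
      SUBSCRIPTION BEFORE PROWLER COMPLETES - Email address that receives the
      notification when the Prowler report is ready.
    AllowedPattern: '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    ConstraintDescription: Must be an email address (local@domain.tld).
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Description: >-
      SSM public parameter resolving to the current Amazon Linux 2023 x86_64
      AMI. The UserData installer downloads the x86_64 AWS CLI, so keep the
      architecture in step with InstanceType.
    Default: '/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64'
  InstanceType:
    Type: String
    Description: >-
      Instance type for the scan host (x86_64). Default is t3.large; the scan
      is CPU/network bound and the instance shuts itself down when finished.
    Default: t3.large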
Resources:
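# S3 bucket that receives the zipped Prowler report. Findings describe the
# security posture of the whole account, so the bucket is private, encrypted,
# ACL-free and versioned.
  S3Bucket:
    Type: AWS::S3::Bucket
    # S3 checks that it can publish to the topic when the notification
    # configuration is created; without this the stack can fail with
    # "Unable to validate the following destination configurations".
    DependsOn: MySNSTopicPolicy
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Disable object ACLs entirely; access is governed by IAM and the
      # bucket policy only.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      # Versioning makes the NoncurrentVersionExpiration rule below effective
      # and preserves earlier reports if a later run writes the same key.
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: LoggingLifeCycle
            Status: Enabled
            ExpirationInDays: 365
            NoncurrentVersionExpirationInDays: 365
      NotificationConfiguration:
        TopicConfigurations:
          # ObjectCreated:* rather than ObjectCreated:Put — the AWS CLI
          # switches to multipart upload for larger files, which emits
          # CompleteMultipartUpload, not Put, so a big report would otherwise
          # never trigger the email.
          - Event: 's3:ObjectCreated:*'
            Topic: !Ref MySNSTopic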
# Bucket policy: everything must come over TLS, and the scan host's role may
# write objects (the same PutObject is also granted in the role's inline
# policy; this statement records it at the resource side).
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: Deny non-HTTPS access
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}'
              - !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'
          - Effect: Allow
            Principal:
              AWS: !GetAtt ProwlerIAMRole.Arn
            Action: 's3:PutObject'
            Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
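# Internet gateway and NAT gateway. The IGW serves only the public subnet,
# where the NAT gateway lives; the scan host sits in the private subnet and
# reaches the internet exclusively through NAT (no inbound path exists).
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: InternetGateway
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  # Elastic IP for the NAT gateway. AWS recommends that a VPC EIP depend on
  # the gateway attachment, hence the explicit DependsOn.
  NatGatewayEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: EIP for NAT Gateway
  # NAT gateway: the sole egress path for ProwlerSubnet. Made to depend on the
  # attachment explicitly rather than only transitively through the EIP.
  NatGateway:
    Type: AWS::EC2::NatGateway
    DependsOn: InternetGatewayAttachment
    Properties:
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      SubnetId: !Ref PublicSubnet
      Tags:
        - Key: Name
          Value: NatGateway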
# Routing: the public subnet defaults to the internet gateway, the private
# (Prowler) subnet defaults to the NAT gateway. Each table is paired with its
# subnet association directly below it.
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: PublicRoutes
  DefaultPublicRoute:
    Type: AWS::EC2::Route
    # A route to an IGW is only valid once the IGW is attached to the VPC.
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private Route Table
  DefaultPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  ProwlerSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref ProwlerSubnet
      RouteTableId: !Ref PrivateRouteTable
# VPC and subnets, all in a single AZ (the first one GetAZs returns for the
# region). The public subnet hosts only the NAT gateway; the scan host lives
# in ProwlerSubnet and is never assigned a public IP.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: VPC
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      Tags:
        - Key: Name
          Value: Public Subnet
  ProwlerSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: ProwlerSubnet
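# Launch template carrying the scan host's instance-metadata settings.
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        MetadataOptions:
          HttpEndpoint: enabled
          # IMDSv2 only: a session token is required for every metadata call,
          # which closes the classic SSRF-to-instance-credentials path.
          HttpTokens: required
          # Hop limit 1 stops IMDS responses from being forwarded beyond the
          # host itself; nothing on this box runs in containers that would
          # need a higher limit.
          HttpPutResponseHopLimit: 1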
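# Prowler scan host: private subnet, no inbound rules, IMDSv2, managed via SSM.
# UserData runs once as root on first boot: installs tooling, runs Prowler,
# uploads the zipped output and powers the instance off.
  ProwlerStation:
    Type: AWS::EC2::Instance
    # UserData only runs on the first boot, so the egress path (NAT route and
    # subnet association) must exist before the instance launches or the
    # installs fail and the scan never runs. The bucket policy is ordered
    # before the upload at the end of the script.
    DependsOn:
      - DefaultPrivateRoute
      - ProwlerSubnetRouteTableAssociation
      - S3BucketPolicy
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        # Follow the newest template version instead of a hard-coded "1" so
        # metadata-option changes on stack update actually apply.
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
      Monitoring: true
      # Encrypt the root volume: the full scan output is staged on this disk
      # before upload. /dev/xvda is the AL2023 x86_64 AMI root device;
      # re-check if LatestAmiId is pointed at a different image family.
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            Encrypted: true
            DeleteOnTermination: true
      UserData:
        Fn::Base64:
          Fn::Sub:
            - |
              #!/bin/bash -x
              # Runs as root. Power off on exit, success or failure, so a host
              # carrying SecurityAudit/ViewOnly credentials is not left running
              # if a step fails; the stack owner can start it again to debug.
              trap 'shutdown -h now' EXIT
              set -u
              cd /home/ec2-user
              dnf upgrade -y
              dnf install -y jq git pip openssl-devel bzip2-devel libffi-devel gcc zlib-devel zip unzip
              # Replace the distro AWS CLI with the current v2 installer.
              dnf remove -y awscli
              # -f fails on HTTP errors instead of unzipping an error page.
              # TODO(review): AWS publishes a detached .sig for this archive;
              # verify it with gpg against the AWS CLI public key before install.
              curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
              unzip -q awscliv2.zip
              ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update
              # TODO(review): pin the release (pip install "prowler==X.Y.Z") so
              # every run uses a known, reviewed version rather than PyPI latest.
              pip install prowler
              # prowler writes under ./output and fails if the directory is missing.
              mkdir -p prowler/output
              cd prowler
              prowler ${prowler_options} >> ./output/prowler.log 2>&1
              # prowler may exit non-zero when checks FAIL; that is a result,
              # not an error, so record it and carry on to the upload.
              echo "prowler exit status: $?" >> ./output/prowler.log
              zip -r prowler.zip output/
              # Timestamped key so reports from successive runs are not overwritten.
              aws s3 cp ./prowler.zip "s3://${bucket_name}/prowler-$(date -u +%Y%m%dT%H%M%SZ).zip"
            - bucket_name: !Ref S3Bucket
              prowler_options: !Ref ProwlerOption
      IamInstanceProfile: !Ref ProwlerProfile
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      SecurityGroupIds:
        - !Ref ProwlerSG
      SubnetId: !Ref ProwlerSubnet
      Tags:
        - Key: Name
          Value: ProwlerStation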
# Security group for the scan host. No ingress rules at all (management goes
# through SSM Session Manager, which is outbound-only from the instance);
# egress is limited to HTTPS, which is what the package installs, pip and the
# AWS APIs presumably need. VPC DNS resolution is not subject to SG rules.
  ProwlerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: No Inbound SG
      SecurityGroupEgress:
        - Description: Allow all HTTPS outbound traffic to enable prowler scan.
          IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: ProwlerSG
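# IAM role assumed by the scan host: AWS's read-only audit policies plus the
# extra read actions Prowler documents, SSM for management, and PutObject on
# the report bucket only. Nothing here should grant a write beyond that.
  ProwlerIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      # Partition-aware ARNs so the template also deploys in GovCloud/China.
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess'
      Policies:
        - PolicyName: ProwlerExecRoleAdditionalViewPrivileges
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # NOTE(review): read-only except securityhub:BatchImportFindings,
                # which writes findings and is only needed when Prowler runs
                # with --security-hub; remove it otherwise. lambda:GetFunction*
                # (function code download URLs) and logs:FilterLogEvents (log
                # contents) reach further than metadata, which is one more
                # reason the role is bound to this single, short-lived host.
                Action:
                  - account:Get*
                  - apigateway:GET
                  - appstream:Describe*
                  - appstream:List*
                  - backup:List*
                  - cloudtrail:GetInsightSelectors
                  - codeartifact:List*
                  - codebuild:BatchGet*
                  - codebuild:ListReportGroups
                  - cognito-idp:GetUserPoolMfaConfig
                  - dlm:Get*
                  - drs:Describe*
                  - ds:Get*
                  - ds:Describe*
                  - ds:List*
                  - dynamodb:GetResourcePolicy
                  - ec2:GetEbsEncryptionByDefault
                  - ec2:GetSnapshotBlockPublicAccessState
                  - ec2:GetInstanceMetadataDefaults
                  - ecr:Describe*
                  - ecr:GetRegistryScanningConfiguration
                  - elasticfilesystem:DescribeBackupPolicy
                  - glue:GetConnections
                  - glue:GetSecurityConfiguration*
                  - glue:SearchTables
                  - lambda:GetFunction*
                  - logs:FilterLogEvents
                  - lightsail:GetRelationalDatabases
                  - macie2:GetMacieSession
                  - macie2:GetAutomatedDiscoveryConfiguration
                  - s3:GetAccountPublicAccessBlock
                  - shield:DescribeProtection
                  - shield:GetSubscriptionState
                  - securityhub:BatchImportFindings
                  - securityhub:GetFindings
                  - ssm:GetDocument
                  - ssm-incidents:List*
                  - support:Describe*
                  - tag:GetTagKeys
                  - wellarchitected:List*
                Resource: '*'
        - PolicyName: ProwlerCopyToS3
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                # Objects in the report bucket only; no list/get/delete.
                Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'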
# Instance profile that attaches ProwlerIAMRole to the scan host.
  ProwlerProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ProwlerIAMRole
      Path: /
# SNS topic and the email subscription that announces a finished report.
# NOTE(review): the topic is not encrypted at rest. Before adding a
# KmsMasterKeyId, confirm S3 can publish to it — S3 event notifications to an
# encrypted topic need a customer-managed key whose policy allows
# s3.amazonaws.com, not the AWS-managed aws/sns key.
  MySNSTopic:
    Type: AWS::SNS::Topic
  MySNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref MySNSTopic
      Protocol: email
      Endpoint: !Ref EmailAddress
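# Topic policy letting S3 publish the ObjectCreated event. Scoped with
# aws:SourceAccount so a bucket in another account configured with this topic
# ARN cannot publish into it (confused deputy). The account condition is used
# instead of the bucket ARN to avoid a circular dependency: S3Bucket's
# notification configuration already references this topic.
  MySNSTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref MySNSTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowS3EventNotificationsFromThisAccount
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action: sns:Publish
            Resource: !Ref MySNSTopic
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'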