Prowler on AWS

Prowler is an awesome open source tool for auditing AWS settings within an account or many accounts across an organisation.

Prowler on AWS

Prowler is an awesome open source tool for auditing AWS settings within an account or many accounts across an organisation.

https://github.com/toniblyx/prowler

The docs in the project are awesome but as a summary it does all this cool stuff.

  • get a direct colorful or monochrome report
  • a HTML, CSV, JUNIT, JSON or JSON ASFF format report
  • send findings directly to Security Hub
  • run specific checks and groups or create your own
  • check multiple AWS accounts in parallel or sequentially
  • and more!

Junit

AWS announced support for JUnit reporting as part of a CodeBuild Project some time ago.

https://aws.amazon.com/blogs/devops/test-reports-with-aws-codebuild

I thought it would be great to integrate this with the outputs from prowler to provide full account audits nicely packaged up into a single Cloudformation template.

Workflow

The following workflow is implemented within the CloudFormation template.

  • CodeBuild project kicks off a container
  • Container installs a few dependancies like AWS Cli, detect-secrets and clones the prowler repo from GitHub
  • Kick off a prowler run to audit the settings within the account
  • prowler outputs the JUnit files and CodeBuild posts them to a report group

Each run will create a summary report as follows and you can filter based on success, fail and see the outputs for each of the tests executed.

Cloudformation Template

Once you provision this template to the target account you will be provided with a CodeBuild project that can be run adhoc to audit all the setting within the account.

Should you want to adjust the prowler command edit line 155 with your desired parameters. I'm targeting on ap-southeast-2 for example in the default prowler command as follows

./prowler -r ap-southeast-2 -f ap-southeast-2 -M junit-xml
---
AWSTemplateFormatVersion: 2010-09-09
Description: Creates a CodeBuild project to audit the AWS account with prowler https://github.com/toniblyx/prowler

Parameters:
  ServiceName:
    Description: 'Specifies the service name used within component naming'
    Type: String
    Default: 'prowler'

  LogsRetentionInDays:
    Description: 'Specifies the number of days you want to retain codebuild run log events in the specified log group. Junit reports are kept for 30 days'
    Type: Number
    Default: 3
    AllowedValues: [1, 3, 5, 7, 14, 30, 60]

Resources:
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      Tags:
        - Key: Name
          Value: !Join ['-', ['AP2', 'INF', !Ref 'ServiceName', !Ref 'AWS::AccountId', 'S3', 'Prowler']]
      BucketName: !Sub '${ServiceName}-${AWS::Region}-prowler-${AWS::AccountId}'
      AccessControl: LogDeliveryWrite
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ArtifactBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref 'ArtifactBucket'
      PolicyDocument:
        Id: Content
        Version: '2012-10-17'
        Statement:
          - Action: '*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'
            Effect: Deny
            Principal: '*'
            Resource:
              - !Join ['', ['arn:aws:s3:::', !Ref 'ArtifactBucket', '/*']]
            Sid: S3ForceSSL
          - Action: 's3:PutObject'
            Condition:
              'Null':
                s3:x-amz-server-side-encryption: 'true'
            Effect: Deny
            Principal: '*'
            Resource:
              - !Join ['', ['arn:aws:s3:::', !Ref 'ArtifactBucket', '/*']]
            Sid: DenyUnEncryptedObjectUploads

  # Codebuild Projects
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: "Explicit name is required for this resource to avoid circular dependencies."
    Properties:
      RoleName: prowler-codebuild-role
      Path: '/service-role/'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/job-function/SupportUser'
        - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
      Policies:
        - PolicyName: LogGroup
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: Allow
                Resource: !Sub 'arn:aws:logs:ap-southeast-2:${AWS::AccountId}:log-group:/aws/codebuild/*'
        - PolicyName: S3
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
                Effect: Allow
                Resource: !Sub 'arn:aws:s3:::${ArtifactBucket}/*'
        - PolicyName: CodeBuild
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - codebuild:CreateReportGroup
                  - codebuild:CreateReport
                  - codebuild:UpdateReport
                  - codebuild:BatchPutTestCases
                  - codebuild:BatchPutCodeCoverages
                Effect: Allow
                Resource: !Sub 'arn:aws:codebuild:ap-southeast-2:${AWS::AccountId}:report-group/*'
        - PolicyName: AssumeRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - sts:AssumeRole
                Effect: Allow
                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/prowler-codebuild-role'

  ProwlerCodeBuild:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Source:
        Type: NO_SOURCE
        BuildSpec: |
          version: 0.2
          phases:
            install:
              runtime-versions:
                python: 3.8
              commands:
                - pip3 install detect-secrets
                - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
                - unzip awscliv2.zip
                - ./aws/install
                - git clone https://github.com/toniblyx/prowler
            build:
              commands:
                - cd prowler
                - ./prowler -r ap-southeast-2 -f ap-southeast-2 -M junit-xml
          reports:
            prowler:
              files:
                - '**/*'
              base-directory: 'prowler/junit-reports'
              file-format: JunitXml
      Environment:
        ComputeType: "BUILD_GENERAL1_SMALL"
        Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
        Type: "LINUX_CONTAINER"
      Description: Run Prowler audit for the SMC
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      TimeoutInMinutes: 300

  ProwlerCodeBuildReportGroup:
    Type: AWS::CodeBuild::ReportGroup
    Properties:
      Name: prowler
      Type: TEST
      ExportConfig:
        ExportConfigType: NO_EXPORT

  ProwlerLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: !Sub '/aws/codebuild/${ProwlerCodeBuild}'
      RetentionInDays: !Ref LogsRetentionInDays

Outputs:
  ArtifactBucketName:
    Description: Artifact Bucket Name
    Value: !Ref 'ArtifactBucket'
    Export:
      Name: !Sub 'ArtifactBucketName-${ServiceName}'

Opensource

There were a couple of changes that needed to be made to the JUnit output for this to work within CodeBuild initially. Additional metadata was required within the JUnit test output summaries so I raised my first issue against an OpenSource project.

https://github.com/toniblyx/prowler/issues/673

I then followed it up with a proposed change which as noted was a little gnarly :)

https://github.com/toniblyx/prowler/pull/671

The maintainers where great, friendly and walked me through getting my first PR merged! Big thanks to you both!

I hope this experience encourages others to contribute to OpenSource project like prowler in the future.

Thanks for reading!