awslabs / aws-security-assessment-solution Goto Github PK

For every role this creates, I would like an easy way to set a custom permissions boundary property. Something like

PermissionsBoundary: 'arn:aws:iam::123xxxxxx789:policy/MyOrganizatoinsPermBoundary'

We have multiple AWS Accounts - different environments/services. It would be better if this utility could be run from 1 account and then review the security settings in multiple other accounts.

The ransomware stack is failing deployment due to the custom resource xLambdaCheckFor2k8 failing to create. Per Lambda, the function is failing. This causes the whole solution to fail to deploy.

xLambdaCheckFor2k8:
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken: !GetAtt rLambdaCheckFor2k8.Arn

Maybe scale out by creating 2 build projects. One that orchestrates the other and by chunking the multi-account list in groups of three, then start build for each chunk using the MULTI_ACCOUNT_LIST_OVERRIDE environment variable.

Can we go even higher in parallelism? For customers with ~100+ accounts, the speedup is considerable the more parallelism we have.

Prowler has a native dashboard. I think it'd be a nice touch if there was a boolean value controlling whether the output is simply copied to s3 unmodified and analysis/database resources would not be created. The user could then download and analyze the output with the prowler native reporting dashboard.

It would be nice to have an easy way to continuously scan and monitor prowler results over time. Monthly feels like a good cadence.

The latest version of the SelfServiceSec.yml template is malforming S3 links:

rVPCStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Join
- ''
- - 'https://'
- !Ref TemplateS3Bucket
- '.s3-'
- !Ref "AWS::Region"
- '.amazonaws.com/SelfServiceSecVPC.yml'

It should read:

rVPCStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Join
- ''
- - 'https://'
- !Ref TemplateS3Bucket
- '.s3.'
- !Ref "AWS::Region"
- '.amazonaws.com/SelfServiceSecVPC.yml'

The template does not come up with a DeletionPolicy on the resources to be created. Aws CloudFormation complains that it needs to have a DeletionPolicy mentioned on the resources (see the screenshot below).

error1
I have modified the DeletionPolicy with the value "DeletionPolicy: Delete" yet after I did this change, I got another error "As part of the import operation, you cannot modify or add [Outputs]". See the screenshot below.

error2
Any suggestions ?

Suggestion for the section Deployment Guide and file how-to-deploy.md

• Go to Upload files to S3 section
• Modify/update the first sentence to this :
  "Copy the uncompressed files from "CloudFormation-Templates" to root directory into your S3 bucket.

Reason behind this is if you copy via folder directory and when you run CFN template it will show S3.Access denied error as the CFN would not able to find the files it is looking for as it would be looking for them in root directory.

Prowler doesn't support aggregating a multi-account scan assessment into a single report. This project could attempt to create a single aggregated report.

We're having an issue with the report not being generated after waiting 4+ hours. The VM shutdown and we don't see any output in the S3 bucket. Where should we look to troubleshoot?

to resolve i modified the SelfServiceSecEC2.yml , added the below after line 48

      ./prowler -M html
      aws s3 cp --recursive ./output/ s3://${SelfServiceSecS3Bucket}

Prowler open source security assessment tool is now on V3.

In README.md

ransomeware

is misspelled, should be

ransomware