This module creates an ECS cluster and an EventBridge cron schedule that starts ECS tasks to run Prowler scans against your AWS accounts. You provision this module in a security account and specify which accounts you want to scan.
Steps:
- Enable Security Hub in every account (without AWS Config, to save costs) and set up the security account as delegated administrator to centralize the findings.
- Enable the Prowler integration in Security Hub.
- Create IAM roles in the accounts you want to scan with these permissions:
  - arn:aws:iam::aws:policy/SecurityAudit
  - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
  - The custom policy mentioned here
  - Security Hub access
- Use the following trust policy for the IAM roles (replace SECURITYACCOUNTID with the security account's ID and SCANACCOUNTID with the ID of the account the role lives in):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SECURITYACCOUNTID:role/prowler-scanner-assumerole-SCANACCOUNTID"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
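The scanned-account side of steps 3 and 4 as Terraform, added here as an example and not part of this module: one role carrying the trust policy above with the two managed policies attached. The role name `prowler-scan-target`, the `custom_policy_arn` variable (the README's custom policy is not reproduced here) and the Security Hub statement are assumptions; the principal ARN uses the module's default prefix.

```hcl
# Apply this in each account you want to scan (assumed: a provider for that account).
variable "security_account_id" { type = string } # account running the module
variable "scan_account_id"     { type = string } # the account this role lives in
variable "custom_policy_arn"   { type = string } # assumption: ARN of the README's custom policy

# Trust only the per-account scanner role in the security account (default prefix).
data "aws_iam_policy_document" "prowler_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.security_account_id}:role/prowler-scanner-assumerole-${var.scan_account_id}"]
    }
  }
}

resource "aws_iam_role" "prowler_scan_target" {
  name               = "prowler-scan-target" # assumed name; the README does not fix one
  assume_role_policy = data.aws_iam_policy_document.prowler_trust.json
}

# Read-only audit permissions listed in the README, plus the custom policy.
resource "aws_iam_role_policy_attachment" "prowler_managed" {
  for_each = toset([
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
    var.custom_policy_arn,
  ])
  role       = aws_iam_role.prowler_scan_target.name
  policy_arn = each.value
}

# Assumption: "Security Hub access" means letting Prowler import its findings;
# Security Hub findings are account-wide, hence Resource "*".
resource "aws_iam_role_policy" "prowler_securityhub" {
  name = "prowler-securityhub"
  role = aws_iam_role.prowler_scan_target.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["securityhub:BatchImportFindings", "securityhub:GetFindings"]
      Resource = "*"
    }]
  })
}
```

If you change the module's `prefix` input, adjust the principal ARN in the trust policy to match.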
If you need more help: for an extensive write-up (including troubleshooting tips), check out my blog.
Discover ES Foundation, the smart digital infrastructure for SaaS companies that want to grow and thrive.
Check out our website for more information.
Providers:

| Name | Version |
|---|---|
| aws | 5.0.1 |

Modules:

| Name | Source | Version |
|---|---|---|
| task_sg | terraform-aws-modules/security-group/aws | n/a |
| vpc | terraform-aws-modules/vpc/aws | 4.0.2 |

Resources:

| Name | Type |
|---|---|
| aws_cloudwatch_event_rule.cron | resource |
| aws_cloudwatch_event_target.ecs_scheduled_task | resource |
| aws_ecs_cluster.cluster | resource |
| aws_ecs_task_definition.taskdef | resource |
| aws_iam_role.eventbridgerole | resource |
| aws_iam_role.executionrole | resource |
| aws_iam_role.taskrole | resource |
| aws_region.current | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_ids | A list of account IDs to scan | list(string) | n/a | yes |
| prefix | A prefix for the resources | string | "prowler-scanner" | no |
| schedule_expression | The schedule expression for the EventBridge rule (i.e. how often to run the scans) | string | "cron(0 3 * * ? *)" | no |
| security_account_id | The account ID where this module is run from (i.e. the security account) | string | n/a | yes |
| use_nat_gateway | Use NAT gateways if true, otherwise use public IPs | bool | false | no |

Outputs:

No outputs.