Description

This module creates an ECS cluster and an EventBridge scheduled rule (cron) that starts ECS tasks to run Prowler scans of your AWS accounts. You provision the module in a security account and pass it the list of accounts to scan; the scan tasks assume a role in each of those accounts and the findings land in Security Hub.

Steps:

  1. Enable Security Hub in every account and set up the security account as delegated administrator to centralize the findings. AWS Config can be left disabled to save costs: the Prowler integration imports findings directly and does not depend on Config (the AWS-managed Security Hub standards do).

  2. Enable the Prowler integration in Security Hub in each account and region you want findings in.

  3. Create IAM roles in the accounts you want to scan with these permissions:

     1. arn:aws:iam::aws:policy/SecurityAudit
     2. arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
     3. The custom policy mentioned here
     4. Security Hub access (at minimum the permissions Prowler needs to import findings)

  4. Use the following trust policy for the IAM roles, replacing SECURITYACCOUNTID with the security account ID and SCANACCOUNTID with the ID of the account the role lives in. The principal is a role in the security account whose name carries the scanned account ID, so each scanned account trusts exactly one role, not the whole security account. The role name starts with the default `prefix`; if you change that input, check that the principal still matches the role the module creates.

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [{
             "Effect": "Allow",
             "Principal": {
                 "AWS": "arn:aws:iam::SECURITYACCOUNTID:role/prowler-scanner-assumerole-SCANACCOUNTID"
             },
             "Action": "sts:AssumeRole"
         }]
     }
     ```

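Steps 3 and 4 put together as Terraform for one scanned account. This is an added example, not code from this module; you apply it with credentials for the account being scanned. The role name `prowler` and the variable `custom_policy_arn` (the ARN of the additional Prowler policy from step 3.3, assumed to already exist in the target account) are assumptions, and the Security Hub actions are the ones Prowler's Security Hub integration documentation asks for; verify both the role name the module expects and the action list against the Prowler version you run.

```hcl
# Added example (not part of this module): IAM role in a scanned account
# that the scanner in the security account assumes.

variable "security_account_id" {
  description = "Account ID of the security account that runs this module"
  type        = string
}

variable "prefix" {
  description = "Must match the prefix input of the module"
  type        = string
  default     = "prowler-scanner"
}

variable "custom_policy_arn" {
  # Assumption: the custom policy from step 3.3 already exists in this account.
  description = "ARN of the additional Prowler policy to attach"
  type        = string
}

# The ID of the account we are creating the role in (SCANACCOUNTID).
data "aws_caller_identity" "current" {}

# Step 4: trust exactly one role in the security account, the one whose
# name carries this account's ID. Never widen this to the account root.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${var.security_account_id}:role/${var.prefix}-assumerole-${data.aws_caller_identity.current.account_id}"
      ]
    }
  }
}

# Role name is an assumption; use whatever name the module's task expects.
resource "aws_iam_role" "prowler" {
  name               = "${var.prefix}-role"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Step 3.1 and 3.2: the two AWS-managed read-only policies.
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.prowler.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

resource "aws_iam_role_policy_attachment" "view_only" {
  role       = aws_iam_role.prowler.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Step 3.3: the custom Prowler policy, attached by ARN.
resource "aws_iam_role_policy_attachment" "prowler_additions" {
  role       = aws_iam_role.prowler.name
  policy_arn = var.custom_policy_arn
}

# Step 3.4: Security Hub access, limited to importing and reading findings
# (the actions Prowler's Security Hub integration docs list; verify for your version).
data "aws_iam_policy_document" "securityhub" {
  statement {
    effect    = "Allow"
    actions   = ["securityhub:BatchImportFindings", "securityhub:GetFindings"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "securityhub" {
  name   = "${var.prefix}-securityhub"
  role   = aws_iam_role.prowler.id
  policy = data.aws_iam_policy_document.securityhub.json
}
```

The trust policy is the control that matters: the two managed policies are read-only, so the blast radius of this role is bounded by who can assume it. Keep the principal pinned to the single per-account scanner role rather than `arn:aws:iam::SECURITYACCOUNTID:root`, otherwise every principal in the security account with `sts:AssumeRole` rights gets read access to the scanned account.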

If you need more help: for an extensive write-up (including troubleshooting tips) check out my blog.

About ElasticScale

Discover ES Foundation, the smart digital infrastructure for SaaS companies that want to grow and thrive.

Check out our website for more information.


Providers

| Name | Version |
|------|---------|
| aws | 5.0.1 |

Modules

| Name | Source | Version |
|------|--------|---------|
| task_sg | terraform-aws-modules/security-group/aws | n/a |
| vpc | terraform-aws-modules/vpc/aws | 4.0.2 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.cron | resource |
| aws_cloudwatch_event_target.ecs_scheduled_task | resource |
| aws_ecs_cluster.cluster | resource |
| aws_ecs_task_definition.taskdef | resource |
| aws_iam_role.eventbridgerole | resource |
| aws_iam_role.executionrole | resource |
| aws_iam_role.taskrole | resource |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_ids | A list of account IDs to scan | `list(string)` | n/a | yes |
| prefix | A prefix for the resources | `string` | `"prowler-scanner"` | no |
| schedule_expression | The schedule expression for the EventBridge rule (i.e. how often to run the scans) | `string` | `"cron(0 3 * * ? *)"` | no |
| security_account_id | The account ID where this module is run from (i.e. the security account) | `string` | n/a | yes |
| use_nat_gateway | Use NAT gateways if true, otherwise the tasks use public IPs | `bool` | `false` | no |

Outputs

No outputs.