cdk-prowler
Project description
cdk-prowler
An AWS CDK custom construct for deploying Prowler to you AWS Account. The following description about Prowler is taken from https://github.com/toniblyx/prowler:
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help on GDPR, HIPAA…
It generates security html results which are stored in an s3 bucket:
And in your Codebuild Report group:
AWS AMI
If you just want to make the Prowler security checks in your account try my Prowler AWS Marketplace AMI. With just $1 Prowler will do over 180 security checks across a huge amount of AWS services in all your regions. Don't forget the terminate the Ec2 instance when the Prowler stack got created for not paying more than that $1 :).
With buying the AMI you support my on my passion for creating open source products like this cdk-prowler construct. Furthermore you enable me to work on future features like mentioned in the Planned Features section. Thank you so much :) !
Find out more about the AMI in my blogpost
Example
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from cdk_prowler import ProwlerAudit
app = App()
stack = Stack(app, "ProwlerAudit-stack")
ProwlerAudit(stack, "ProwlerAudit")
cdk-prowler Properties
cdk-prowler supports some properties to tweak your stack. Like for running a Cloudwatch schedule to regualary run the Prowler scan with a defined cron expression.
You can see the supported properties in Api.md
Cross Account Buckets
By providing your own Bucket you can have the CodeBuild project drop the Prowler results in another account. Make sure that you have your Bucket policy setup to allow the account running the Prowler reports access to writing those record.
Additionally, you will probably want to provide an additionalS3CopyArgs: '--acl bucket-owner-full-control'
to ensure that those object can be read by the account owner.
Planned Features
- Supporting AWS SecurityHub https://github.com/toniblyx/prowler#security-hub-integration
- Triggering an event with SNS when prowler finishes the run
- AMI EC2 executable
Architecture
Misc
yes | yarn destroy && yarn deploy --require-approval never
Rerun Prowler on deploy
yarn deploy --require-approval never -c reRunProwler=true
Thanks To
- My friend and fellaw ex colleague Tony de la Fuente (https://github.com/toniblyx https://twitter.com/ToniBlyx) for developing such a cool security tool as Prowler
- As always to the amazing CDK / Projen Community. Join us on Slack!
- Projen project and the community around it
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for cdk_prowler-1.121.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | c02369a5037b18485e594bf00110110cb7e94b5da0393064ec43422582505eb5 |
|
MD5 | 4d46ea73af86656ee74610818e58741e |
|
BLAKE2b-256 | e64f3f96676cbd4cc7a7c794c43d4bb4eade9fc745395b92e7641c09a9f92371 |