Updated workflow of prowler for AWS (#167)

Author: ruchit-cd

.github/workflows/prowlerAWS.yml

@@ -0,0 +1,160 @@
+---
+name: Prowler Reusable Workflow
+
+on:
+  workflow_call:
+    inputs:
+      cloud_provider:
+        required: true
+        type: string
+        default: aws
+        description: 'Cloud Provider'
+      aws_region:
+        required: false
+        type: string
+        description: 'AWS Region'
+      access_token_lifetime:
+        required: false
+        type: number
+        default: 300
+        description: 'Duration for which an access token remains valid.'
+      role_duration_seconds:
+        required: false
+        type: number
+        default: 900
+        description: 'Duration of the session.'
+      retention_days:
+        required: false
+        type: number
+        default: 1
+        description: 'Duration of the reports retention period.'
+      enable_s3_upload:
+        required: false
+        type: boolean
+        default: false
+        description: 'Enable this to upload the reports to S3 bucket.'
+      enable_slack_notification:
+        required: false
+        type: boolean
+        default: false
+        description: 'Enable Slack notifications for workflow results.'
+      SLACK_MESSAGE:
+        required: false
+        type: string
+        default: 'Updated prowler workflow notification'
+        description: 'Message to display in Slack Notification'
+      SLACK_ENV:
+        required: false
+        type: string
+        default: ''
+        description: 'Workflow Environment to show in Slack Notification'
+      send_to_securityhub:
+        type: boolean
+        required: false
+        default: false
+        description: 'Send findings to Security Hub'
+
+    secrets:
+      BUILD_ROLE:
+        required: false
+        description: 'AWS OIDC role for AWS authentication.'
+      PROWLER_ROLE_NAME:
+        required: false
+        description: 'AWS IAM Role Name for running prowler.'
+      AWS_ACCESS_KEY_ID:
+        required: false
+        description: 'AWS Access Key ID'
+      AWS_SECRET_ACCESS_KEY:
+        required: false
+        description: 'AWS Secret Access Key'
+      AWS_SESSION_TOKEN:
+        required: false
+        description: 'AWS Session Token'
+      TARGET_ACCOUNT_ID:
+        required: false
+        description: 'All aws account ids you want to scan.'
+      S3_BUCKET_NAME:
+        required: false
+        description: 'S3 bucket to store the prowler reports.'
+      SLACK_WEBHOOK:
+        required: false
+        description: 'The slack channel webhook URL to send the notification'
+      SLACK_USERNAME:
+        required: false
+        description: 'The slack channel webhook URL to send the notification'
+
+jobs:
+  prowler:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Install pip
+        run: |
+          sudo apt update
+          sudo apt install -y python3 python3-pip
+
+      - name: Install Prowler
+        run: |
+          python3 -m pip install --upgrade pip
+          pip3 install prowler
+
+      - name: Install AWS CLI
+        if: ${{ inputs.cloud_provider == 'aws' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
+          role-to-assume: ${{ secrets.BUILD_ROLE }}
+          aws-region: ${{ inputs.aws_region }}
+          role-duration-seconds: ${{ inputs.role_duration_seconds }}
+          role-skip-session-tagging: true
+
+      - name: Running Prowler for AWS
+        env:
+          ACCOUNT_ID: ${{ secrets.TARGET_ACCOUNT_ID }}
+        run: |
+          export MONTH_NAME=$(date +%B)
+          for ACCOUNTID in $ACCOUNT_ID; do
+          {
+            echo "Scanning AWS Account: $ACCOUNTID"
+            PROWLER_CMD="prowler aws \
+              --role arn:aws:iam::${ACCOUNTID}:role/${{ secrets.PROWLER_ROLE_NAME }} \
+              --output-directory /home/runner/work/prowler/prowler/output/$MONTH_NAME \
+              --output-modes html csv json-asff \
+              --ignore-exit-code-3"
+            if [ "${{ inputs.send_to_securityhub }}" = "true" ]; then
+              PROWLER_CMD="$PROWLER_CMD --security-hub"
+            fi
+            eval $PROWLER_CMD
+          }
+          done
+
+      - name: Upload Artifact
+        if: ${{ inputs.enable_s3_upload == false }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: prowler-reports
+          path: /home/runner/work/prowler/prowler/output/
+          retention-days: ${{ inputs.retention_days }}
+
+      - name: Upload Prowler Results to AWS S3
+        if: ${{ inputs.enable_s3_upload == true }}
+        run: |
+          YEAR=$(date +'%Y')
+          MONTH=$(date +'%m')
+          aws s3 cp /home/runner/work/prowler/prowler/output/ s3://${{ secrets.S3_BUCKET_NAME }}/$YEAR/$MONTH/ --recursive
+
+      - name: 'Notify Slack'
+        uses: clouddrove/action-slack-notify@1
+        if: ${{ inputs.enable_slack_notification == true }}
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_MESSAGE: ${{ inputs.SLACK_MESSAGE }}
+          SLACK_ENV: ${{ inputs.SLACK_ENV }}
+          SLACK_USERNAME: ${{ secrets.SLACK_USERNAME}}
+          SLACK_COLOR: ${{ job.status == 'success' && 'good' || job.status == 'failure' && 'danger' || 'warning' }}
+...

docs/prowlerAWS.md

@@ -0,0 +1,43 @@
+## [Prowler Workflow](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/prowlerAWS.yml)
+Prowler an open cloud security platform for our cloud environment. We get a complete report of our cloud infra.
+
+### Usage
+This workflow is used to run Prowler scan on your cloud infra for AWS. In the Workflow you can choose to send your report to your S3 Bucket or you can also disable that and at the end of the workflow you will get a Artifact which you can download. You can also enable the feature of Security Hub which will send the findings into your account. It also supports Multi-AWS account.
+
+### Example for AWS cloud provider
+
+```yaml
+name: 'Running Prowler'
+
+on:
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  aws-assessment:
+    name: Run prowler security
+    # uses: clouddrove/github-shared-workflows/.github/workflows/prowler.yml@master
+    uses: clouddrove-sandbox/test-shared-workflow/.github/workflows/prowler.yml@master
+    with:
+      cloud_provider: 'aws'
+      aws_region: ## aws region
+      role_duration_seconds: 900
+      retention_period: ## retention period of reports
+      SLACK_MESSAGE: ## Message to display in Slack Notification
+      SLACK_ENV: ## Workflow Environment to display in Slack Notification
+      enable_s3_upload: true ## to upload reports into your S3 Bucket
+      enable_slack_notification: false ## to get the notification on slack for successfull running the workflow 
+      send_to_securityhub: ## Enable this to get the findings in your security hub
+    secrets:
+      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}   ## OIDC Role
+      PROWLER_ROLE_NAME: ${{ secrets.PROWLER_ROLE_NAME }}    ## Prowler Role
+      TARGET_ACCOUNT_ID: ${{ secrets.TARGET_ACCOUNT_ID }}
+      S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      SLACK_USERNAME: ${{ secrets.SLACK_USERNAME }}
+```
+
+It uses Clouddrove Github-Shared-Workflow. [HERE](https://github.com/clouddrove/github-shared-workflows/blob/master/.github/workflows/prowlerAWS.yml)