forked from prowler-cloud/prowler
-
Notifications
You must be signed in to change notification settings - Fork 0
/
allowlist_example.txt
29 lines (24 loc) · 1.3 KB
/
allowlist_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# Each line is a (checkid:item) tuple
# Example: Will not consider a myignoredbucket failures as full failure. (Still printed as a warning)
check26:myignoredbucket
# Note that by default, this searches for the string appearing *anywhere* in the resource name.
# For example:
# extra718:ci-logs # Will block bucket "ci-logs" AND ALSO bucket "ci-logs-replica"
# extra718:logs # Will block EVERY BUCKET containing the string "logs"
# line starting with # are ignored as comments
# add a line per resource as here:
#<checkid1>:<resource to ignore 1>
#<checkid1>:<resource to ignore 2>
# checkid2
#<checkid2>:<resource to ignore 1>
# REGEXES
# This allowlist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
# therefore:
# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
# EXAMPLE: CONTROL TOWER
# When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
# below ensures that warnings instead of errors are reported for the affected resources.
#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+