Regex in Prowler AllowList

[gregorschulz]

Hi,
I'm still struggeling with the allowlist to exclude fails.

In the allowlist I'm using

extra73:^abucket\.de$
extra73:^open\.abucket\.de$

which matches =~ in bash with both buckets "abucket.de" and "open.abucket.de" as expected and as described in allowlist_example.txt
The bucket "private.bucket.de" should not be allowed.

But a Prowler run still marks the findings of "abucket.de" and "open.abucket.de" as "FAIL" and not as "WARNING".

What am I missing here?

Thanks for help.

[MrCloudSec]

Hi @gregorschulz, the problem here is that the allowlist feature in Prowler uses the result extended field to match, you can check it here https://github.com/prowler-cloud/prowler/blob/master/include/outputs#L244

So, for your use case the bash regex operation which is being executed is the following:

us-east-1: abucket.de bucket is Public! =~ ^abucket\.de$

As you can see above, this regex is not going to match, so you need to change your allowlist to this:

extra73:abucket\.de
extra73:open\.abucket\.de

Please, let us know if this works for you.

Thanks!

[gregorschulz]

Hi @sergargar,
thanks for your reply.

Your suggestion does not work unfortunately, because the not-as-public-intended bucket "private.abucket.de", which should cause a FAIL is only reported with a WARNING.

regards,
Gregor

[jfagoagas]

Hi @gregorschulz the problem with that is the same as you mentioned in this issue #961

Prowler's allowlist uses the result extended field instead of the resource id.

#961 (comment)

We have in our roadmap a refactor of this feature for Prowler v3.

Sorry for the inconvenience.

Thank you.