frost/config.yaml.example

81 строка
2.1 KiB
Plaintext

#
# frost config file
#
# Documentation on config file found in README.md
#
exemptions:
- test_name: test_ec2_instance_has_required_tags
test_param_id: i-0123456789f014c162
expiration_day: 2019-01-01
reason: ec2 instance has no owner
- test_name: test_ec2_security_group_opens_specific_ports_to_all
test_param_id: '*HoneyPot'
expiration_day: 2020-01-01
reason: purposefully insecure security group
severities:
- test_name: test_ec2_instance_has_required_tags
severity: INFO
- test_name: '*'
severity: ERROR
aws:
admin_groups:
- "Administrators"
admin_policies:
- "AWSAdminRequireMFA"
user_is_inactive:
no_activity_since:
years: 1
months: 0
created_after:
weeks: 1
access_key_expires_after:
years: 1
months: 0
required_tags:
- Name
- Type
- App
- Env
# Allowed ports for the test_ec2_security_group_opens_specific_ports_to_all
# test for all instances
allowed_ports_global:
- 25
# Allowed ports for the test_ec2_security_group_opens_specific_ports_to_all
# test for specific instances. In this example, we are allowing ports 22
# and 2222 for all security groups that include the word 'bastion' in them.
allowed_ports:
- test_param_id: '*bastion'
ports:
- 22
- 2222
max_ami_age_in_days: 90
owned_ami_account_ids:
- 1234567890
gcp:
allowed_org_domains:
- mygsuiteorg.com
allowed_gke_versions:
- 1.15.12-gke.20
- 1.16.13-gke.401
- 1.17.9-gke.1504
- 1.18.6-gke.3504
# Allowed ports for the test_firewall_opens_any_ports_to_all
# test for all firewalls
allowed_ports_global:
- 25
# Allowed ports for the test_firewall_opens_any_ports_to_all
# test for specific firewalls. In this example, we are allowing ports 22
# and 2222 for all firewalls that include the word 'bastion' in them.
allowed_ports:
- test_param_id: '*bastion'
ports:
- 22
- 2222
gsuite:
domain: 'mygsuiteorg.com'
min_number_of_owners: 2
user_is_inactive:
no_activity_since:
years: 1
months: 0