Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening, and forensics readiness.
- AWS CLI: Ensure that the AWS CLI is installed. Follow the AWS CLI installation guide.
- Python: Ensure that Python version 3.9 or higher is installed.
Make sure you have Python 3.9 or higher:
python3 --versionInstall pip for Python 3:
sudo apt install python3-pipCheck pip version:
pip3 --versionInstall cffi:
pip3 install cffiInstall Prowler:
pip3 install prowlerCheck Prowler version:
prowler -v-
Create User:
- In the AWS Management Console, navigate to IAM.
- Create a new user (e.g.,
prowler-user).
-
Attach Policies:
- Provide
AdministratorAccess(optional). - Attach
ViewOnlyAccessandSystemAuditpolicies.
- Provide
-
Add Inline Policy: Add the following inline policy to the user:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "account:Get*", "appstream:Describe*", "appstream:List*", "backup:List*", "cloudtrail:GetInsightSelectors", "codeartifact:List*", "codebuild:BatchGet*", "dlm:Get*", "drs:Describe*", "ds:Get*", "ds:Describe*", "ds:List*", "ec2:GetEbsEncryptionByDefault", "ecr:Describe*", "ecr:GetRegistryScanningConfiguration", "elasticfilesystem:DescribeBackupPolicy", "glue:GetConnections", "glue:GetSecurityConfiguration*", "glue:SearchTables", "lambda:GetFunction*", "logs:FilterLogEvents", "macie2:GetMacieSession", "s3:GetAccountPublicAccessBlock", "shield:DescribeProtection", "shield:GetSubscriptionState", "securityhub:BatchImportFindings", "securityhub:GetFindings", "ssm:GetDocument", "ssm-incidents:List*", "support:Describe*", "tag:GetTagKeys", "wellarchitected:List*" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowMoreReadForProwler" }, { "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": [ "arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/apis/*" ] } ] } -
Create Access Keys:
- Navigate to the user's Security credentials.
- Create new Access Keys.
After installing AWS CLI, configure it with your credentials:
aws configureEnter your AWS Access Key, Secret Key, region, and output format when prompted.
Set AWS credentials and default region as environment variables (optional):
export AWS_ACCESS_KEY_ID=your_access_key_id
export AWS_SECRET_ACCESS_KEY=your_secret_access_key
export AWS_DEFAULT_REGION=your_preferred_regionList available categories:
prowler aws --list-categoriesList available compliance standards:
prowler aws --list-complianceRun a basic scan:
prowler awsList AWS services:
prowler aws --list-services
Run a scan for specific services (e.g., S3 and EC2):
prowler aws --services s3 ec2
Exclude specific checks (e.g., public access for S3 buckets):
prowler aws --excluded-checks s3_bucket_public_access
Specify an AWS profile and region:
prowler aws --profile custom-profile -r us-east-1
Make sure to replace custom-profile with your AWS profile name and adjust the region as needed.
Save the scan results to a file:
prowler aws -M csv > prowler_report.csv
Run specific checks by providing a comma-separated list:
prowler aws --checks check11,check12Generate an HTML report using Prowler’s output:
prowler aws -M html
Use cron to schedule regular scans:
crontab -e
Add a line to run Prowler daily at midnight and save the output:
0 0 * * * /usr/local/bin/prowler aws -M csv > /path/to/reports/prowler_report_$(date +\%F).csv
You can also run Prowler using Docker, which simplifies dependencies and setup:
-
Install Docker: Follow the Docker installation guide.
-
Run Prowler with Docker:
docker run --rm -ti -v ~/.aws:/root/.aws -v $(pwd):/prowler-output prowler -p custom-profileThis command mounts your AWS credentials and the current directory to the Prowler container.
-
Check Permissions: Ensure the AWS user has the necessary permissions as described in the inline policy.
-
Network Connectivity: Verify that the machine running Prowler has internet access to communicate with AWS services.
-
Logs and Debugging: Use verbose output for detailed logs:
prowler aws -v