Prowler for AWS

Introduction

Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response.

It follows the guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 190 additional checks, including checks related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.

What we are going to cover

This chapter will cover the Prowler tool and give a step-by-step guide on how we can run our own assessments on the AWS Cloud.

Requirements

We will be using our student machine to run the Prowler tool. Below are the steps to install Prowler.

  • For Ubuntu Linux (apt based Linux distributions and AWS CLI v2):

    sudo apt update
    sudo apt install python3 python3-pip jq git zip
    pip install detect-secrets==1.0.3
    git clone https://github.com/prowler-cloud/prowler
  • Once the Prowler repository is cloned, change into the folder and run it:

    cd prowler
    ./prowler

    We will assume that the AWS CLI is installed and that valid access keys are configured. The configured credentials must belong to a user or role with sufficient permissions to perform all checks. To make sure of this, attach the AWS managed policies SecurityAudit and ViewOnlyAccess to the user or role being used. The policy ARNs are:

    arn:aws:iam::aws:policy/SecurityAudit
    arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Steps to audit

  1. Run the prowler command without options. It will use your environment variable credentials if they exist, or otherwise default to the ~/.aws/credentials file, and run checks over all regions where needed. The default region is us-east-1.

  2. Use -l to list all available checks and the groups (sections) that reference them. To list all groups use -L, and to list the content of a group use -l -g with the group name.

  3. By default Prowler scans all regions the account has opted into. It has two parameters related to regions: -r, which sets the region used to query the AWS service API endpoints, and -f, which filters the scan to only the regions you want to cover.

  4. You can also save the report for later analysis by using the -M (output mode) parameter.
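Once a report has been saved with -M csv, the following added example (not part of the Prowler project) summarises its FAIL findings by severity and lists the failing check IDs. It assumes the Prowler v2 CSV column names CHECK_RESULT, CHECK_SEVERITY and TITLE_ID, fields without quoted commas, and uses a constructed sample report rather than real scan output.

```shell
#!/usr/bin/env bash
# Added example, not part of the Prowler project. Summarises FAIL findings from
# a report saved with "./prowler -M csv". Assumptions: the CSV header names the
# columns CHECK_RESULT, CHECK_SEVERITY and TITLE_ID (Prowler v2 layout) and no
# field contains a quoted comma. Columns are found by name, never by position.
set -euo pipefail

# Print "SEVERITY COUNT" for every severity that has at least one FAIL row.
summarize_failures() {
    awk -F',' '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("CHECK_RESULT" in col) || !("CHECK_SEVERITY" in col)) {
                print "unexpected CSV header in " FILENAME > "/dev/stderr"
                exit 2
            }
            next
        }
        $(col["CHECK_RESULT"]) == "FAIL" { fails[$(col["CHECK_SEVERITY"])]++ }
        END { for (s in fails) print s, fails[s] }
    ' "$1" | sort
}

# Print the distinct IDs of failing checks, e.g. to re-run only those with -c.
failing_checks() {
    awk -F',' '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["CHECK_RESULT"]) == "FAIL" { print $(col["TITLE_ID"]) }
    ' "$1" | sort -u
}

# Constructed sample report (not real scan output) with a Prowler-v2-style header.
write_sample_report() {
    cat > "$1" <<'EOF'
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME
default,123456789012,us-east-1,1.1,FAIL,Scored,Level 1,Avoid the use of the root account,Root user was last used 3 days ago,CIS,High,iam
default,123456789012,us-east-1,1.2,PASS,Scored,Level 1,Ensure MFA is enabled for all IAM users with a console password,All console users have MFA,CIS,High,iam
default,123456789012,us-east-1,1.3,FAIL,Scored,Level 1,Ensure credentials unused for 90 days or greater are disabled,User audit-bot unused for 120 days,CIS,Medium,iam
default,123456789012,us-west-2,2.1,FAIL,Scored,Level 1,Ensure CloudTrail is enabled in all regions,No trail found in us-west-2,CIS,High,cloudtrail
EOF
}

# Stand-alone demo: write the sample, summarise it, list failing checks, clean up.
report=$(mktemp); write_sample_report "$report"
summarize_failures "$report"; failing_checks "$report"; rm -f "$report"
```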

Additional references

Prowler