Prowler is an Open Source Security tool to perform Cloud Security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
See all the things you and your team can do with ProwlerPro at prowler.pro
Prowler is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prowler/tree/2.12.1.
Prowler is available as a project in PyPI, thus can be installed using pip with Python >= 3.9:
pip install prowler-cloud prowler -v
The available versions of Prowler are the following:
latest: in sync with master branch (bear in mind that it is not a stable version)
<x.y.z>(release): you can find the releases here, those are stable releases.
stable: this tag always point to the latest release.
The container images are available here:
Python >= 3.9 is required with pip and pipenv:
git clone https://github.com/prowler-cloud/prowler cd prowler pipenv shell pipenv install python prowler.py -v
The full documentation now can be found at https://docs.prowler.cloud
You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.
Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described here. Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
export AWS_ACCESS_KEY_ID="ASXXXXXXX" export AWS_SECRET_ACCESS_KEY="XXXXXXXXX" export AWS_SESSION_TOKEN="XXXXXXXXX"
Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy prowler-additions-policy.json to the role you are using.
Prowler for Azure supports the following authentication types:
To allow Prowler assume the service principal identity to start the scan, it is needed to configure the following environment variables:
export AZURE_CLIENT_ID="XXXXXXXXX" export AZURE_TENANT_ID="XXXXXXXXX" export AZURE_CLIENT_SECRET="XXXXXXX"
If you try to execute Prowler with the
--sp-env-auth flag and those variables are empty or not exported, the execution is going to fail.
The other three cases does not need additional configuration,
--managed-identity-auth are automated options,
--browser-auth needs the user to authenticate using the default browser to start the scan.
To use each one, you need to pass the proper flag to the execution. Prowler for Azure handles two types of permission scopes, which are:
Azure Active Directory (AAD) permissions required by the tool are the following:
Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
To run prowler, you will need to specify the provider (e.g aws or azure):
prowlercommand without options will use your environment variable credentials.
By default, prowler will generate a CSV, a JSON and a HTML report, however you can generate JSON-ASFF (only for AWS Security Hub) report with
prowler <provider> -M csv json json-asff html
The html report will be located in the
output directory as the other files and it will look like:
You can use
--list-services to list all available checks or services within the provider.
prowler <provider> --list-checks prowler <provider> --list-services
For executing specific checks or services you can use options
prowler aws --checks s3_bucket_public_access prowler aws --services s3 ec2
Also, checks and services can be excluded with options
prowler aws --excluded-checks s3_bucket_public_access prowler aws --excluded-services s3 ec2
You can always use
--help to access to the usage information and all the possible options:
Several Prowler's checks have user configurable variables that can be modified in a common configuration file. This file can be found in the following path:
Use a custom AWS profile with
--profile and/or AWS regions which you want to audit with
prowler aws --profile custom-profile -f us-east-1 eu-south-2
prowlerwill scan all AWS regions.
With Azure you need to specify which auth method is going to be used:
prowler azure [--sp-env-auth, --az-cli-auth, --browser-auth, --managed-identity-auth]
prowlerwill scan all Azure subscriptions.
Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0