Prowling AWS

Lurking

Back in your browser, in the AWS IAM service, Figure 2 shows where to paste the policy content from Listing 2 (i.e., the Policies | Create policy page). Paste the whole of Listing 2 into the JSON tab, replacing the empty placeholder policy that AWS pre-fills there rather than adding to it, and then click the blue Review policy button at the bottom of the screen.

Figure 2: Creating the IAM policy for Prowler.

On the following screen, give the policy a sensible name (e.g., prowler-audit-policy), check the summary of the permissions it grants (this is a good moment to confirm that they are all read-only), and click the blue button at the bottom of the page to proceed.

Figure 3 shows success, and you can now attach your shiny new policy to your user (or, if you prefer, to an IAM role that your user is allowed to assume).

Figure 3: Happiness is a successfully created IAM policy for Prowler.

The final AWS step is attaching your policy to your user, as seen in Figure 4. In the IAM service, click Users, choose your user, and then click Add permissions. Next, click Attach existing policies directly, tick the box beside prowler-audit-policy to select it, and click the blue Next: Review button.

Figure 4: Prepare to choose your Prowler policy.

On the next screen, click Add permissions; lo and behold, your new policy appears under Attached directly.

If you failed to get that far, just retrace your steps. It's not tricky once you are familiar with the process.
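The console clicks above can also be scripted with the AWS CLI, and scripting them gives you a natural place for the check a practitioner wants before attaching any audit policy: that it grants nothing beyond read access. The following is an added example, not code from the article or from the Prowler project. The policy it writes is a constructed sample that stands in for Listing 2 and deliberately includes one out-of-place write action (iam:CreateUser) so you can see the check fire; the verb allow-list (Describe, Get, List, Generate), the policy name, and the user name are assumptions, so extend the list to cover whatever actions Listing 2 actually uses.

```shell
#!/bin/sh
# Constructed sample policy (NOT Listing 2 from the article): a handful of
# read-only audit actions plus one write action that should never be here.
SAMPLE_POLICY="${TMPDIR:-/tmp}/prowler-policy-sample.json"
cat > "$SAMPLE_POLICY" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GetCredentialReport",
        "ec2:DescribeSecurityGroups",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "iam:CreateUser"
      ],
      "Resource": "*"
    }
  ]
}
EOF

# Print every "service:Action" string in a policy file, one per line.
# This is a simple grep over the JSON text, not a JSON parser: it relies on
# the fact that only action strings have the form "xxx:Yyy" in a policy
# (ARNs contain more than one colon and therefore do not match).
policy_actions() {
  grep -oE '"[a-z0-9-]+:[A-Za-z0-9*]+"' "$1" | tr -d '"' | sort -u
}

# Print the actions whose verb is not on the read-only allow-list.
# The allow-list below is an assumption; extend it to match your policy.
non_readonly_actions() {
  policy_actions "$1" \
    | grep -vE '^[a-z0-9-]+:(Describe|Get|List|Generate)[A-Za-z0-9]*$' || true
}

# CLI equivalent of the console steps: create the managed policy and attach
# it to the user. Refuses to proceed if the policy grants write actions.
# Usage: attach_prowler_policy <iam-user> <policy.json> [policy-name]
attach_prowler_policy() {
  user="$1"; file="$2"; name="${3:-prowler-audit-policy}"
  bad=$(non_readonly_actions "$file")
  if [ -n "$bad" ]; then
    echo "refusing: $file grants non-read-only actions:" >&2
    echo "$bad" >&2
    return 1
  fi
  arn=$(aws iam create-policy --policy-name "$name" \
          --policy-document "file://$file" \
          --query 'Policy.Arn' --output text) || return 1
  aws iam attach-user-policy --user-name "$user" --policy-arn "$arn" || return 1
  # Show what ended up under "Attached directly" for this user.
  aws iam list-attached-user-policies --user-name "$user"
}

# Run the check against the constructed sample; prints "iam:CreateUser".
non_readonly_actions "$SAMPLE_POLICY"
```

Run the check against the file you are about to paste into the console before you click Review policy; anything it prints is an action that Prowler does not need and that an attacker who steals the audit user's keys would thank you for. The attach function only calls the AWS CLI once the check passes.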

Prowling

To recap, you have created an AWS user and attached your newly created policy to that user. If several people need to run Prowler, better practice is to attach the policy to an IAM role instead and let those users assume the role, so that the audit permissions are not tied to any one person's long-lived keys. Running aws configure stores the user's access key ID, secret access key, and default region in ~/.aws/credentials and ~/.aws/config, which is where the AWS command-line client (and therefore Prowler, which drives it) looks for your credentials.

You can now cd to your prowler directory to run the script that fires up Prowler. You probably remember that the directory was created during the GitHub repository cloning process in the early stages.

Now you can run your tests. A relatively healthy smattering of patience is required for your first run. As you'd expect because of the Herculean task being attempted by Prowler, it takes a good few minutes to complete. The redacted Figure 5 shows the beginning of an in-depth audit.

Figure 5: Prowler sets itself up at the start of the auditing run with useful colored output for clarity as it goes.

As the AWS audit continues, you can see the impressive test coverage being performed against the AWS account (Figure 6). Provided the IAM policy is limited to read-only permissions, the only cost of an audit like this is some of your API request quota, so it's a good idea to run it frequently to catch misconfigurations that you would otherwise have missed.

Figure 6: The tests are extremely thorough and well considered.

Grand Theft AWS

Once the stealthy Prowler has finished its business, there are several ways to tune it for your needs that you might want to explore. For example, if you have multiple AWS accounts to audit, you can pass the name of a profile from your ~/.aws/credentials file with -p and a region with -r:

$ ./prowler -p custom-profile -r eu-west-1

Although the command names only one region, Prowler still traverses the other regions where needed to complete its audit.
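To audit several accounts in one go, the loop below reads the profile names from a credentials file and runs Prowler once per profile. Before each run it asks aws sts get-caller-identity which account the profile really resolves to, so that a mislabeled key does not quietly audit the wrong account, and it keeps each run's output in its own file. This is an added example, not code from the article or from the Prowler project; the credentials file it creates is a constructed sample with placeholder keys, and the output directory name and default region are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for ~/.aws/credentials (not the author's file):
# three profiles with placeholder keys.
SAMPLE_CREDS="${TMPDIR:-/tmp}/prowler-creds-sample"
cat > "$SAMPLE_CREDS" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = example-secret-1

[prod-audit]
aws_access_key_id = AKIAEXAMPLE000000002
aws_secret_access_key = example-secret-2

[dev-audit]
aws_access_key_id = AKIAEXAMPLE000000003
aws_secret_access_key = example-secret-3
EOF

# Print the profile names (the [section] headers) of a credentials file,
# one per line, in file order.
credential_profiles() {
  sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$1"
}

# Run Prowler once per profile from the prowler checkout directory.
# Usage: prowl_all_profiles [credentials-file] [region]
# Assumes ./prowler is in the current directory and the AWS CLI is installed.
prowl_all_profiles() {
  creds="${1:-$HOME/.aws/credentials}"
  region="${2:-eu-west-1}"
  outdir="prowler-runs-$(date +%Y%m%d)"   # assumed naming scheme
  mkdir -p "$outdir"
  for profile in $(credential_profiles "$creds"); do
    # Resolve the account ID first; a profile whose key is dead or points
    # at an unexpected account should be noticed before a long audit run.
    account=$(aws sts get-caller-identity --profile "$profile" \
                --query Account --output text) \
      || { echo "skipping $profile: cannot resolve account" >&2; continue; }
    echo "== $profile -> account $account" >&2
    ./prowler -p "$profile" -r "$region" | tee "$outdir/$profile-$account.txt"
  done
}

# Show which profiles the loop would iterate over for the sample file.
credential_profiles "$SAMPLE_CREDS"
```

Compare the account IDs printed at the start of each run against the list of accounts you intended to audit; a profile named prod-audit that resolves to a sandbox account is exactly the kind of mistake this catches before you spend a good few minutes on the wrong target.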
