Photo by Joseph Northcutt on Unsplash

AWS Security Audits with Prowler

Prowling the Depths

Article from ADMIN 92/2026
By
The open source Prowler is ideal for systematically checking your AWS infrastructure for vulnerabilities, meeting compliance requirements, and automatically plugging security gaps. We show you how to use this tool in a production environment – from initial scan to integration into CI/CD pipelines, dashboards, and organization-wide audits.

Many vulnerabilities in AWS are not caused by zero-day attacks but by configuration errors, such as Amazon Simple Storage Service (S3) buckets with open write permissions, Elastic Compute Cloud (EC2) snapshots that accidentally publish access credentials, or identity and access management (IAM) roles without multifactor authentication. The Prowler [1] open source tool [2] systematically checks for violations of security standards and visualizes risks, and it can be precisely tailored to individual requirements.

The software is not a black box analysis tool, but a framework for traceable security audits at the command line level. The checks are based on best practices and benchmarks (e.g., from such organizations as the Center for Internet Security (CIS), the US National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS)) and deliver immediately actionable results for AWS, Azure, Google Cloud Platform (GCP), Kubernetes, and Microsoft 365. One focus is on AWS, where the scope of testing is greatest and integration with cloud-native services such as Security Hub and GuardDuty is most advanced.

Getting Started

To use Prowler locally on Linux, install it with the Python package manager (for example, on Ubuntu) or with Brew:

pipx install prowler
brew install prowler

Alternatively, you can use the Docker container:

docker run -it --rm ghcr.io/prowler-cloud/prowler
prowler -v

The tool uses existing AWS CLI profiles for authentication. To use all of the checks, the profile requires at least the SecurityAudit and ViewOnlyAccess managed policies. Additionally, an inline policy is recommended to unlock specific read permissions

...
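
A preflight check for the policy requirement described above, as an added example that is not from the article or the Prowler project: it reads the JSON printed by `aws iam list-attached-role-policies` and reports whether both AWS managed policies are attached. It assumes the profile maps to an IAM role; the function name, the sample account ID, and the sample attachments are constructed for illustration.

```python
import json

# AWS managed policies the article names as the minimum for all checks.
REQUIRED = {
    "SecurityAudit": "arn:aws:iam::aws:policy/SecurityAudit",
    "ViewOnlyAccess": "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}


def audit_attachments(cli_json: str) -> dict:
    """Compare `aws iam list-attached-role-policies` output with REQUIRED.

    Matching is done on the policy ARN, not the name, so a customer managed
    policy that merely shares a name with an AWS managed one does not pass.
    """
    policies = json.loads(cli_json).get("AttachedPolicies", [])
    attached = {p["PolicyArn"]: p["PolicyName"] for p in policies}
    missing = sorted(n for n, arn in REQUIRED.items() if arn not in attached)
    # Everything beyond the two read-only policies is listed for review:
    # an audit identity should not carry write permissions.
    extra = sorted(name for arn, name in attached.items()
                   if arn not in REQUIRED.values())
    return {"ready": not missing, "missing": missing, "extra": extra}


# Constructed sample: ViewOnlyAccess here is a look-alike customer managed
# policy in a placeholder account, and a write-capable policy is attached.
SAMPLE = json.dumps({"AttachedPolicies": [
    {"PolicyName": "SecurityAudit",
     "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
    {"PolicyName": "ViewOnlyAccess",
     "PolicyArn": "arn:aws:iam::111122223333:policy/ViewOnlyAccess"},
    {"PolicyName": "AmazonS3FullAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"},
]})

if __name__ == "__main__":
    report = audit_attachments(SAMPLE)
    print("ready for a full scan:", report["ready"])
    print("missing managed policies:", report["missing"])
    print("attachments to review:", report["extra"])
```
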