Cloud Security Auditing with Prowler

IMBRO
3 min readFeb 28, 2024

--

Prowler is an Open Source security tool to perform AWS, Azure and Google Cloud security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.

You can read official documentation here

Today, We are only gonna focus on AWS security auditing part.

Installation

We can install prowler almost everywhere.
Here we are gonna install it in an Ubuntu machine.
You can refer documentation for other installation methods

For Prowler to work we should have :

  1. Python 3.9 +
sudo apt install python3.9
sudo apt remove python3.8

2. AWS Command Line

sudo apt install aws-cli

3. Pip

sudo apt install python3-pip

4. Now Prowler

pip3 install prowler
export PATH=$PATH:/home/$HOME/.local/bin/

Configure

Firstly we are gonna create a AWS user for Auditing purpose.

  1. Sign In to you AWS console and go to IAM > Users. Then create user

2. Give a name and click Next

3. In Set permission tab,

  • Attach policies directly [You can create a group and add user to that as well]
  • Search and select SecurityAudit policy
  • You can also give S3FullAccess policy, if you wanna store Reports in S3 bucket.
  • Then Click next

4. Review everything and create User.

5. Go to IAM > Users > <Your-Username>. Then create access key

6. Select Command Line Interface and Click next

7. Without closing the tab, Open your ubuntu terminal

8. Configure your aws-cli with access tokens

aws configure
AWS Access Key ID [None]: <Paste your Access Key ID>

AWS Secret Access Key [None]: <Paste you Secret Access Key>

Default region name [None]: <Enter your sever region>

Default output format [None]: <You can chosse JSON, CSV, HTML or leave it default>

For region, look at the top right of your AWS console or check the URL

In my case, The region is us-east-1

9. Done.

Usage

Just specify Provider [aws, azure, etc.]

prowler aws

You can go through the report and manually eliminate false positives.

Few Prowler Commands

You can customize Prowler’s behavior using various command-line options:

  • Help
prowler --help
  • Run specific group of checks
prowler -g group1
  • Run a specific check
prowler -c check
  • Specify an AWS region
prowler -r us-west-2
  • List available checks and groups
prowler -l
  • Specify output file
prowler -o prowler_report.txt
  • Run Prowler across all AWS accounts (requires AWS Organizations)
prowler -A
  • Filter results by a specific string
prowler -f "s3"

And So on..

You can refer this for additional commands to get started.

Prowler is a powerful open source tool for auditing and other purposes. The scope of this tool is wide as we can integrate this to other 3rd party tools as well.

This guide is to make you started on your Auditing journey in your Cyber Security Career. Hope you guys enjoyed and learnt few things. Thank you

--

--