luizmachado.dev


Getting to Know Prowler Open Source

1. Prowler Open Source Overview

  • Multi-cloud: Although Prowler originally focused on AWS, the current version also supports Azure, GCP, and Oracle Cloud. In the AWS context, this is especially useful for organizations managing hybrid or multi-cloud environments.
  • Extensive checks: It has over 300 checks covering different security and compliance areas (identity, networking, encryption, logging, monitoring, etc.).
  • Built-in frameworks: Comes with built-in support for benchmarks such as CIS (Center for Internet Security), PCI-DSS, HIPAA, ISO 27001, SOC 2, GDPR, among others. You can choose to run specific audits or combine several.

---

2. Installation and Configuration

2.1 Installation Methods

  1. Repository Clone (GitHub)

- The most straightforward way to install: clone the repository to get the latest version (or check out a specific version/tag).

- Ideal for those who want to customize the code or integrate directly into pipelines.

  2. Docker / Container

- Prowler provides an official Docker image.

- Allows execution without installing dependencies on the local machine.

- Facilitates standardization in CI/CD environments or clusters like ECS, EKS, and Docker Swarm.

  3. Distributed Packages

- Some users package Prowler as distribution packages or installation scripts. Depending on the Linux distro (Ubuntu, Amazon Linux, etc.), there may be specific packages or tutorials.

2.2 Basic Configuration

  • Credentials and Permissions

- Prowler needs access to AWS APIs (via AWS CLI or environment variables).

- It is recommended to create an IAM Role with read permissions for services such as IAM, EC2, S3, CloudTrail, and so on, following the principle of least privilege.

  • Environment Variables

- AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION or AWS_PROFILE can be set to point to the audit profile/credentials.
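An added example (not from the Prowler project or this post) of creating the read-only audit role described above with the AWS CLI. The role name, the principal ARN and the external id are assumed values; the attached policies are the AWS-managed SecurityAudit and ViewOnlyAccess policies, which grant read access to IAM, EC2, S3, CloudTrail and the other services Prowler inspects without any write permission.

```shell
#!/bin/sh
# Added example (not Prowler's own code): create a least-privilege role that
# Prowler can assume. Assumes AWS CLI v2 with admin credentials for the account
# being audited. ROLE_NAME is a hypothetical name.
set -eu

ROLE_NAME="${ROLE_NAME:-ProwlerAuditRole}"

# Trust policy: only the given principal may assume the role, and only when it
# presents the agreed external id (guards against the confused-deputy problem).
trust_policy() {  # $1 = principal ARN allowed to assume the role, $2 = external id
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    printf '"Principal":{"AWS":"%s"},"Action":"sts:AssumeRole",' "$1"
    printf '"Condition":{"StringEquals":{"sts:ExternalId":"%s"}}}]}\n' "$2"
}

create_audit_role() {  # $1 = principal ARN, $2 = external id
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "$(trust_policy "$1" "$2")" \
        --description "Read-only role for Prowler audits"
    # Read-only managed policies; no write actions are granted.
    for arn in arn:aws:iam::aws:policy/SecurityAudit \
               arn:aws:iam::aws:policy/job-function/ViewOnlyAccess; do
        aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
    done
}

if [ "${PROWLER_RUN:-0}" = "1" ]; then
    # Constructed values: the auditing account's role and a random external id.
    ext_id=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    create_audit_role "arn:aws:iam::111111111111:role/ProwlerRunner" "$ext_id"
fi
```

Set PROWLER_RUN=1 to actually create the role; keep the external id out of version control and pass it to every assume-role call.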

2.3 Basic Execution

Default execution example

./prowler -p default

Example running CIS checks

./prowler -p default -g cislevel1

  • -p: indicates the AWS profile (if you have multiple in ~/.aws/credentials).
  • -g: indicates the check group (e.g., cislevel1, cislevel2, etc.).

---

3. Specific Use Cases

3.1 Selecting and Customizing Checks

  • Check Groups

- Prowler organizes checks into groups (e.g., cislevel1, cislevel2, iso27001, hipaa, etc.).

- You can run all checks in a single run or focus on specific checks to save time and generate reports oriented to the desired compliance framework.

  • Configuration Files and Custom Checks

- The documentation shows how to create custom modules using shell scripts or Python, to add internal rules that don't natively exist in Prowler.

- Useful when the organization follows its own policies (for example, checking if a specific tag is present).

3.2 Output and Report Formats

  • Supported Formats:

- json, csv, json-asff (AWS Security Finding Format), html, pdf, among others.

- json-asff allows easy integration with AWS Security Hub, generating natively compatible findings.

  • Customization:

- You can add prefixes or suffixes to identify the analyzed environment (e.g., dev, stage, prod).

- Create pipelines that send these reports to S3, or index them in log systems (OpenSearch, Splunk, etc.).

Examples:

./prowler -p default -M csv > resultados.csv

./prowler -p default -M json-asff > resultados-asff.json

3.3 Scanning Multiple Accounts and Regions

  • Multi-Account

- The documentation explains how to use -A to run against multiple accounts when you have profiles configured, or --role to assume a role in each account.

- In large organizations, it is common to have a script that iterates over each account in AWS Organizations, calling Prowler for each one.

  • Regions

- By default, Prowler only checks the region defined in AWS_DEFAULT_REGION.

- This matters when sensitive resources are spread across multiple regions, since a single-region run does not cover them.

You can use -r or --regions to inspect multiple regions:

./prowler -p default -r us-east-1,us-west-2,eu-central-1

3.4 Integration with AWS Security Hub

  • AWS Security Finding Format (ASFF)

- Prowler generates findings in this format if you use the -M json-asff parameter.

- Then, it is possible to import manually or via script to Security Hub, correlating Prowler findings with alerts from GuardDuty, Inspector, etc.

  • Automation

- A typical flow: Prowler runs (can be via container on ECS), generates a report in json-asff, and then a Lambda script (or command line) posts these findings to Security Hub.

- This unifies visualization and facilitates incident prioritization.
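The per-account loop from section 3.3, the environment-prefixed report names from 3.2 and the Security Hub import from this section, combined into one added example script (not from the Prowler project or this post). It assumes a Prowler 2.x CLI in the current directory, AWS CLI v2, management-account credentials already configured, and a hypothetical role named ProwlerAuditRole, protected by an external id, in every member account.

```shell
#!/bin/sh
# Added example (not Prowler's own code): audit every account in an AWS
# Organization, write one ASFF report per account, then import each report
# into Security Hub. AUDIT_ROLE and EXTERNAL_ID are assumed values.
set -eu

AUDIT_ROLE="${AUDIT_ROLE:-ProwlerAuditRole}"
EXTERNAL_ID="${EXTERNAL_ID:-replace-with-the-roles-external-id}"
REGIONS="${REGIONS:-us-east-1,us-west-2,eu-central-1}"
ENV_TAG="${ENV_TAG:-prod}"        # environment prefix, as suggested in 3.2
OUT_DIR="${OUT_DIR:-./prowler-output}"

# Pull the 12-digit account ids out of `aws organizations list-accounts` JSON.
account_ids_from_json() {
    grep -o '"Id": *"[0-9]\{12\}"' | grep -o '[0-9]\{12\}' | sort -u
}

# Report file name that records environment, account and date.
report_name() {  # $1 = account id, $2 = YYYYMMDD
    printf '%s/%s-%s-%s-asff.json\n' "$OUT_DIR" "$ENV_TAG" "$1" "$2"
}

# Assume the audit role in one account and run Prowler with the temporary keys.
audit_account() {  # $1 = account id
    creds=$(aws sts assume-role --role-arn "arn:aws:iam::$1:role/$AUDIT_ROLE" \
        --role-session-name prowler-audit --external-id "$EXTERNAL_ID" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    out=$(report_name "$1" "$(date +%Y%m%d)")
    # Prowler exits non-zero when checks fail; that must not abort the loop.
    AWS_ACCESS_KEY_ID=$(echo "$creds" | cut -f1) \
    AWS_SECRET_ACCESS_KEY=$(echo "$creds" | cut -f2) \
    AWS_SESSION_TOKEN=$(echo "$creds" | cut -f3) \
        ./prowler -r "$REGIONS" -M json-asff > "$out" || true
    echo "$out"
}

# BatchImportFindings takes at most 100 findings per call; split larger files.
import_to_security_hub() {  # $1 = path to a JSON array of ASFF findings
    aws securityhub batch-import-findings --findings "file://$1"
}

if [ "${PROWLER_RUN:-0}" = "1" ]; then
    mkdir -p "$OUT_DIR"
    aws organizations list-accounts --output json | account_ids_from_json |
        while read -r acct; do import_to_security_hub "$(audit_account "$acct")"; done
fi
```

Run with PROWLER_RUN=1 from the management account; the reports left in OUT_DIR double as the historical record that section 5 recommends keeping.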

---

4. New Features and Documentation Highlights

4.1 Checks for Other Clouds

  • Azure, GCP, and OCI

- Although our focus is AWS, the documentation reinforces that Prowler can now run checks on other clouds.

- This allows security teams to standardize audits in hybrid environments.

4.2 Integration with CI/CD Tools

  • GitHub Actions

- You can find workflow examples in the repository and in the Prowler documentation, facilitating automatic execution on each pull request.

- Use it for "shift-left" in security: whenever someone modifies infrastructure (Terraform, CloudFormation), you run Prowler to ensure there are no compliance violations.

  • GitLab CI and CodeBuild

- Similarly, there are templates and guides for integrating into GitLab or CodeBuild pipelines on AWS.

- The output (csv/json) can be stored as a build artifact or sent to S3 repositories.

4.3 Benchmark Mode and Custom Benchmarks

  • Benchmark Mode

- Prowler has a "benchmark mode" that focuses exclusively on checks from a framework, assigning scores and generating specific reports for CIS, PCI, etc.

- It allows you to have a compliance "score" and know which points you are failing or passing.

  • Custom Benchmarks

- The documentation explains how to create your own benchmarks by combining native checks + custom checks.

- Great for companies that have internal requirements, or that want to consolidate multiple benchmarks into a single execution.

---

5. Best Practices for Usage (According to the Documentation)

  1. Automate Regular Executions

- The documentation emphasizes the importance of running Prowler periodically (daily, weekly, or monthly), as the security posture must be monitored continuously.

  2. Store Reports Historically

- For audits, it is useful to keep records of how compliance stood over time.

- Use versioning in an S3 bucket or a log repository to compare progress.

  3. Fix Critical Findings Quickly

- Some Prowler checks have higher severity — for example, "S3 Bucket Allows Public Access" or "Root Account without MFA".

- It is recommended to create an immediate remediation process for high-priority items.

  4. Keep the Tool Updated

- The Prowler team releases frequent updates, adding new checks, improving performance, and fixing bugs.

- Follow the changelog and release notes on GitHub or in the official documentation.

  5. Integrate with Other Tools

- The documentation provides examples of how to send findings to Splunk, Elasticsearch/OpenSearch, Slack, Email, etc.

- This ensures that critical alerts are not "forgotten" in a local report.

---

The main advantages include:

  • Comprehensive Coverage (over 300 checks)
  • Support for Multiple Compliance Frameworks
  • Cross-Platform Execution (Docker, local, CI/CD, etc.)
  • Easy Integration with AWS Services (Security Hub, EventBridge, S3, etc.)

---

Recommended Resources