Getting to Know Prowler Open Source
1. Prowler Open Source Overview
- Multi-cloud: Although Prowler originally focused on AWS, the current version also supports Azure, GCP, and Oracle Cloud. In the AWS context, this is especially useful for organizations managing hybrid or multi-cloud environments.
- Extensive checks: It has over 300 checks covering different security and compliance areas (identity, networking, encryption, logging, monitoring, etc.).
- Built-in frameworks: Comes with built-in support for benchmarks such as CIS (Center for Internet Security), PCI-DSS, HIPAA, ISO 27001, SOC 2, GDPR, among others. You can choose to run specific audits or combine several.
2. Installation and Configuration
2.1 Installation Methods
- Repository Clone (GitHub)
  - The most straightforward way to install, getting the latest version (or choosing a specific version/tag).
  - Ideal for those who want to customize the code or integrate it directly into pipelines.
- Docker / Container
  - Prowler provides an official Docker image.
  - Allows execution without installing dependencies on the local machine.
  - Facilitates standardization in CI/CD environments or clusters such as ECS, EKS, and Docker Swarm.
- Distributed Packages
  - Some users package Prowler into distribution packages or installation scripts. Depending on the Linux distro (Ubuntu, Amazon Linux, etc.), there may be specific packages or tutorials.
2.2 Basic Configuration
- Credentials and Permissions
  - Prowler needs access to the AWS APIs (via the AWS CLI configuration or environment variables).
  - It is recommended to create an IAM Role with read-only permissions for services such as IAM, EC2, S3, CloudTrail, and so on, following the principle of least privilege.
- Environment Variables
  - AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION or AWS_PROFILE can be set to point to the audit profile/credentials.
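As an added example (not a script from the Prowler documentation), the following creates the read-only audit role described above with the AWS CLI: a trust policy restricted to the auditing account plus an ExternalId condition, and the two AWS managed read-only policies. The role name ProwlerAuditRole, the auditing account ID and the ExternalId value are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the Prowler docs: create the read-only role Prowler will assume.
# Assumptions: the AWS CLI is already configured with IAM permissions in the target account;
# the role name and the ExternalId value are placeholders you choose.
set -eu

ROLE_NAME="${ROLE_NAME:-ProwlerAuditRole}"

# Trust policy: only the auditing account may assume the role, and only with the agreed
# ExternalId, so a third party who learns the role ARN cannot assume it.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$1:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "$2"}}
  }]
}
EOF
}

# Least privilege for an auditor: the two AWS managed read-only policies recommended by the
# Prowler documentation, with no permission that can modify resources.
audit_policy_arns() {
  echo "arn:aws:iam::aws:policy/SecurityAudit"
  echo "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

create_prowler_audit_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json "$1" "$2")" \
    --max-session-duration 3600 >/dev/null
  audit_policy_arns | while read -r arn; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  done
  echo "Created ${ROLE_NAME}; assume it (with the ExternalId) to obtain Prowler credentials."
}

# Usage: ./prowler-role.sh --create <auditor-account-id> <external-id>
if [ "${1:-}" = "--create" ]; then
  create_prowler_audit_role "$2" "$3"
fi
```

Without --create the script only defines the functions, so it can be sourced and the generated trust policy inspected before anything is created.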
2.3 Basic Execution
# Default execution example
./prowler -p default
# Example running CIS checks
./prowler -p default -g cislevel1
- -p: indicates the AWS profile (if you have multiple in ~/.aws/credentials).
- -g: indicates the check group (e.g., cislevel1, cislevel2, etc.).
3. Specific Use Cases
3.1 Selecting and Customizing Checks
- Check Groups
  - Prowler organizes checks into groups (e.g., cislevel1, cislevel2, iso27001, hipaa, etc.).
  - You can run all checks at once or focus on specific checks to save time and generate reports oriented to the desired compliance framework.
- Configuration Files and Custom Checks
  - The documentation shows how to create custom modules using shell scripts or Python, to add internal rules that do not exist natively in Prowler.
  - Useful when the organization follows its own policies (for example, checking whether a specific tag is present).
3.2 Output and Report Formats
- Supported Formats:
  - json, csv, json-asff (AWS Security Finding Format), html, pdf, among others.
  - json-asff allows easy integration with AWS Security Hub, generating natively compatible findings.
- Customization:
  - You can add prefixes or suffixes to identify the analyzed environment (e.g., dev, stage, prod).
  - Create pipelines that send these reports to S3, or index them in log systems (OpenSearch, Splunk, etc.).
Example:
./prowler -p default -M csv > resultados.csv
./prowler -p default -M json-asff > resultados-asff.json
3.3 Scanning Multiple Accounts and Regions
- Multi-Account
  - The documentation explains how to use -A to run against multiple accounts if you have configured profiles, or --role to assume roles in different accounts.
  - In large organizations, it is common to have a script that iterates over each account in AWS Organizations, calling Prowler for each one.
- Regions
  - By default, Prowler only checks the configured region (AWS_DEFAULT_REGION).
  - This is important when there are sensitive resources spread across multiple regions.
  - You can use -r or --regions to inspect multiple regions:
./prowler -p default -r us-east-1,us-west-2,eu-central-1
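The per-account loop mentioned above, as an added example rather than a script from the Prowler project: it lists the accounts in AWS Organizations, assumes a read-only audit role in each active one, and runs Prowler against several regions with the temporary credentials, writing one json-asff file per account. The role name ProwlerAuditRole, the ./prowler path and the embedded sample account list are assumptions.

```shell
#!/bin/sh
# Added example, not from the Prowler docs: scan every ACTIVE account in an AWS Organization.
# Assumptions: run from the management account with organizations:ListAccounts rights; a
# read-only role $AUDIT_ROLE exists in each member account and trusts this one; ./prowler is v2.
set -eu
PROWLER_BIN="${PROWLER_BIN:-./prowler}"
AUDIT_ROLE="${AUDIT_ROLE:-ProwlerAuditRole}"
REGIONS="${REGIONS:-us-east-1,us-west-2,eu-central-1}"
OUT_DIR="${OUT_DIR:-./prowler-output}"

# Constructed sample of `aws organizations list-accounts --output json` (not real accounts).
SAMPLE_LIST_ACCOUNTS='{"Accounts":[
 {"Id":"111111111111","Arn":"arn:aws:organizations::111111111111:account/o-ex/111111111111","Name":"mgmt","Status":"ACTIVE"},
 {"Id":"222222222222","Arn":"arn:aws:organizations::111111111111:account/o-ex/222222222222","Name":"old","Status":"SUSPENDED"},
 {"Id":"333333333333","Arn":"arn:aws:organizations::111111111111:account/o-ex/333333333333","Name":"prod","Status":"ACTIVE"}]}'

# Print IDs of ACTIVE accounts only, one per line, from JSON on stdin. Pure text processing
# (no jq); relies on "Id" preceding "Status" inside each object, as the CLI emits them.
active_account_ids() {
  tr -d '\n' | grep -oE '"Id": *"[0-9]{12}"[^}]*"Status": *"ACTIVE"' \
    | sed -E 's/^"Id": *"([0-9]{12})".*/\1/'
}

# Assume the audit role in one account; prints "<key> <secret> <token>" on one line.
assume_audit_role() {
  aws sts assume-role --role-arn "arn:aws:iam::$1:role/${AUDIT_ROLE}" \
    --role-session-name prowler-org-scan \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
}

# Run Prowler for one account; temporary credentials live only in the prowler process env.
scan_account() {
  account_id="$1"
  creds=$(assume_audit_role "$account_id") || return 1
  set -- $creds                      # unquoted on purpose: split into key, secret, token
  [ $# -eq 3 ] || return 1
  AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3" \
    "$PROWLER_BIN" -r "$REGIONS" -M json-asff > "${OUT_DIR}/${account_id}-asff.json"
}

scan_organization() {
  mkdir -p "$OUT_DIR"
  aws organizations list-accounts --output json | active_account_ids | while read -r id; do
    echo "Scanning ${id}" >&2
    scan_account "$id" || echo "Prowler failed for ${id}, continuing" >&2
  done
}

# Usage: ./scan-org.sh --run   (without --run the script only defines the functions)
if [ "${1:-}" = "--run" ]; then
  scan_organization
fi
```

A failed assume-role or Prowler run in one account is reported and skipped rather than aborting the whole organization sweep, so a single misconfigured account does not hide the results of the others.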
3.4 Integration with AWS Security Hub
- AWS Security Finding Format (ASFF)
  - Prowler generates findings in this format if you use the -M json-asff parameter.
  - The output can then be imported into Security Hub manually or via script, correlating Prowler findings with alerts from GuardDuty, Inspector, etc.
- Automation
  - A typical flow: Prowler runs (for example, as a container on ECS), generates a report in json-asff, and then a Lambda function (or a command-line script) posts these findings to Security Hub.
  - This unifies visualization and facilitates incident prioritization.
4. New Features and Documentation Highlights
4.1 Checks for Other Clouds
- Azure, GCP, and OCI
- Although our focus is AWS, the documentation reinforces that Prowler can now run checks on other clouds.
- This allows security teams to standardize audits in hybrid environments.
4.2 Integration with CI/CD Tools
- GitHub Actions
  - You can find workflow examples in the repository and in the Prowler documentation, facilitating automatic execution on each pull request.
  - Use it to "shift left" on security: whenever someone modifies infrastructure (Terraform, CloudFormation), run Prowler to ensure there are no compliance violations.
- GitLab CI and CodeBuild
  - Similarly, there are templates and guides for integrating into GitLab or CodeBuild pipelines on AWS.
  - The output (csv/json) can be stored as a build artifact or sent to S3 buckets.
4.3 Benchmark Mode and Custom Benchmarks
- Benchmark Mode
  - Prowler has a "benchmark mode" that focuses exclusively on the checks of one framework, assigning scores and generating specific reports for CIS, PCI, etc.
  - It gives you a compliance "score" and shows which points you are failing or passing.
- Custom Benchmarks
  - The documentation explains how to create your own benchmarks by combining native checks with custom checks.
  - Great for companies that have internal requirements, or that want to consolidate multiple benchmarks into a single execution.
5. Best Practices for Usage (According to the Documentation)
- Automate Regular Executions
  - The documentation emphasizes the importance of running Prowler periodically (daily, weekly, or monthly), since the security posture must be monitored continuously.
- Store Reports Historically
  - For audits, it is useful to keep records of how compliance stood over time.
  - Use versioning in an S3 bucket or a log repository to compare progress.
- Fix Critical Findings Quickly
  - Some Prowler checks have higher severity, for example "S3 Bucket Allows Public Access" or "Root Account without MFA".
  - It is recommended to create an immediate remediation process for high-priority items.
- Keep the Tool Updated
  - The Prowler team releases frequent updates, adding new checks, improving performance, and fixing bugs.
  - Follow the changelog and release notes on GitHub or in the official documentation.
- Integrate with Other Tools
  - The documentation provides examples of how to send findings to Splunk, Elasticsearch/OpenSearch, Slack, email, etc.
  - This ensures that critical alerts are not "forgotten" in a local report.
The main advantages include:
- Comprehensive Coverage (over 300 checks)
- Support for Multiple Compliance Frameworks
- Cross-Platform Execution (Docker, local, CI/CD, etc.)
- Easy Integration with AWS Services (Security Hub, EventBridge, S3, etc.)