Overview - Prowler Open Source Documentation (2024)

Prowler is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations! We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call Prowler SaaS.

Prowler CLI

prowler <provider>

Prowler Dashboard

prowler dashboard

It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.

Quick Start

Installation

Prowler is available as a project in PyPI, thus can be installed using pip with Python >= 3.9:

Requirements:

  • Python >= 3.9
  • Python pip >= 3.9
  • AWS, GCP, Azure and/or Kubernetes credentials

Commands:

pip install prowler
prowler -v

Requirements:

  • Have docker installed: https://docs.docker.com/get-docker/.
  • AWS, GCP, Azure and/or Kubernetes credentials
  • In the command below, change the -v source path to your local directory path in order to access the reports.

Commands:

docker run -ti --rm -v /your/local/dir/prowler-output:/home/prowler/output \
  --name prowler \
  --env AWS_ACCESS_KEY_ID \
  --env AWS_SECRET_ACCESS_KEY \
  --env AWS_SESSION_TOKEN toniblyx/prowler:latest

Requirements for Ubuntu 20.04.3 LTS:

  • AWS, GCP, Azure and/or Kubernetes credentials
  • Install python 3.9 with: sudo apt-get install python3.9
  • Remove python 3.8 to avoid conflicts if you can: sudo apt-get remove python3.8
  • Make sure you have the python3 distutils package installed: sudo apt-get install python3-distutils
  • To make sure you use pip for 3.9 get the get-pip script with: curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
  • Execute it with the proper python version: sudo python3.9 get-pip.py
  • Now you should have pip for 3.9 ready: pip3.9 --version

Commands:

pip3.9 install prowler
export PATH=$PATH:$HOME/.local/bin/
prowler -v

Requirements for Developers:

  • AWS, GCP, Azure and/or Kubernetes credentials
  • git, Python >= 3.9, pip and poetry installed (pip install poetry)

Commands:

git clone https://github.com/prowler-cloud/prowler
cd prowler
poetry shell
poetry install
python prowler.py -v
Note

If you want to clone Prowler from Windows, use git config core.longpaths true to allow long file paths.

Requirements:

  • AWS, GCP, Azure and/or Kubernetes credentials
  • The latest Amazon Linux 2 should come with Python 3.9 already installed; however, it may need pip. Install Python pip 3.9 with: sudo yum install -y python3-pip.
  • Make sure setuptools for python is already installed with: pip3 install setuptools

Commands:

pip3.9 install prowler
export PATH=$PATH:$HOME/.local/bin/
prowler -v

Requirements:

  • Brew installed in your Mac or Linux
  • AWS, GCP, Azure and/or Kubernetes credentials

Commands:

brew install prowler
prowler -v

After the migration of AWS CloudShell from Amazon Linux 2 to Amazon Linux 2023, there is no longer a need to manually compile Python 3.9 as it's already included in AL2023. Prowler can thus be easily installed following the Generic method of installation via pip. Follow the steps below to successfully execute Prowler v4 in AWS CloudShell:

Requirements:

  • Open AWS CloudShell bash.

Commands:

sudo bash
adduser prowler
su prowler
pip install prowler
cd /tmp
prowler aws
Note

To download the results from AWS CloudShell, select Actions -> Download File and add the full path of each file. For the CSV file it will be something like /tmp/output/prowler-output-123456789012-20221220191331.csv

Requirements:

  • Open Azure CloudShell bash.

Commands:

pip install prowler
prowler -v

Prowler container versions

The available versions of Prowler are the following:

  • latest: in sync with master branch (bear in mind that it is not a stable version)
  • v3-latest: in sync with v3 branch (bear in mind that it is not a stable version)
  • <x.y.z> (release): you can find the releases here, those are stable releases.
  • stable: this tag always points to the latest release.
  • v3-stable: this tag always points to the latest release for v3.
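
As an added example (not part of the Prowler documentation or code base), the wrapper below checks the tag, the forwarded AWS credentials and the output path before issuing the docker run command from the installation section. The function names, argument order and PROWLER_ALLOW_UNSTABLE are hypothetical, and it assumes AWS credentials are supplied through environment variables.

```shell
#!/bin/sh
# Added example, not Prowler project code. Function names, argument order and
# PROWLER_ALLOW_UNSTABLE are hypothetical; the image name, tags, mount point
# and --env flags are the ones shown on this page.

# prowler_preflight TAG OUTDIR -> 0 if safe to run, else 2/3/4/5 with a reason.
prowler_preflight() {
    tag=$1 out=$2
    # latest / v3-latest follow development branches, so require an opt-in.
    case $tag in
        latest|v3-latest)
            [ "${PROWLER_ALLOW_UNSTABLE:-0}" = 1 ] ||
                { echo "tag '$tag' is not a stable release" >&2; return 2; } ;;
    esac
    # `--env NAME` forwards NAME only if it is exported in the calling shell.
    for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        env | grep -q "^$var=." ||
            { echo "$var is not exported" >&2; return 3; }
    done
    # Access keys beginning with ASIA are temporary and need a session token.
    case $AWS_ACCESS_KEY_ID in
        ASIA*) env | grep -q '^AWS_SESSION_TOKEN=.' ||
            { echo "temporary key without AWS_SESSION_TOKEN" >&2; return 4; } ;;
    esac
    # A bare name as -v source creates a named volume, not a host directory.
    case $out in
        /*) ;;
        *) echo "output directory must be an absolute path" >&2; return 5 ;;
    esac
}

# prowler_docker_run [TAG] [OUTDIR]: check first, then start the container.
prowler_docker_run() {
    tag=${1:-stable} out=${2:-$PWD/prowler-output}
    prowler_preflight "$tag" "$out" || return
    mkdir -p "$out" || return
    docker run -ti --rm -v "$out":/home/prowler/output \
        --name prowler \
        --env AWS_ACCESS_KEY_ID \
        --env AWS_SECRET_ACCESS_KEY \
        --env AWS_SESSION_TOKEN \
        "toniblyx/prowler:$tag"
}
```

The reasons are written to stderr and never include the credential values, so the wrapper's output is safe to keep in CI logs.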

The container images are available here:

High level architecture

You can run Prowler from your workstation, a Kubernetes Job, a Google Compute Engine, an Azure VM, an EC2 instance, Fargate or any other container, CloudShell and many more.


Deprecations from v3

General

  • Allowlist now is called Mutelist.
  • The --quiet option has been deprecated, now use the --status flag to select the finding's status you want to get from PASS, FAIL or MANUAL.
  • The status of all INFO findings has changed to MANUAL.
  • The CSV output format is common for all the providers.

We have deprecated some of our output formats:

  • The native JSON is replaced by JSON OCSF v1.1.0, common for all the providers.

AWS

  • Deprecate the AWS flag --sts-endpoint-region since we use AWS STS regional tokens.
  • To send only FAILS to AWS Security Hub, now use either --send-sh-only-fails or --security-hub --status FAIL.

Basic Usage

To run Prowler, you will need to specify the provider (e.g. aws, gcp, azure or kubernetes):

Note

If no provider is specified, AWS will be used for backward compatibility with most of the v2 options.

prowler <provider>
Note

Running the prowler command without options will use your environment variable credentials, see Requirements section to review the credentials settings.

If you miss the former output you can use --verbose, but Prowler v4 is smoking fast, so you won't see much.

By default, Prowler generates CSV, JSON-OCSF and HTML reports. However, you can generate a JSON-ASFF report (used by AWS Security Hub) with -M or --output-modes:

prowler <provider> -M csv json-asff json-ocsf html
The html report will be located in the output directory as the other files and it will look like:

[Screenshot of the Prowler HTML report]

You can use -l/--list-checks or --list-services to list all available checks or services within the provider.

prowler <provider> --list-checks
prowler <provider> --list-services

To execute specific checks or services, use the options -c/--checks or -s/--services:

prowler azure --checks storage_blob_public_access_level_is_disabled
prowler aws --services s3 ec2
prowler gcp --services iam compute
prowler kubernetes --services etcd apiserver

Also, checks and services can be excluded with options -e/--excluded-checks or --excluded-services:

prowler aws --excluded-checks s3_bucket_public_access
prowler azure --excluded-services defender iam
prowler gcp --excluded-services kms
prowler kubernetes --excluded-services controllermanager

More options and execution methods that will save you time are described in Miscellaneous.

You can always use -h/--help to access the usage information and all the possible options:

prowler --help

AWS

Use a custom AWS profile with -p/--profile and/or AWS regions which you want to audit with -f/--filter-region:

prowler aws --profile custom-profile -f us-east-1 eu-south-2
Note

By default, prowler will scan all AWS regions.

See more details about AWS Authentication in Requirements

Azure

With Azure you need to specify which auth method is going to be used:

# To use service principal authentication
prowler azure --sp-env-auth

# To use az cli authentication
prowler azure --az-cli-auth

# To use browser authentication
prowler azure --browser-auth --tenant-id "XXXXXXXX"

# To use managed identity auth
prowler azure --managed-identity-auth

See more details about Azure Authentication in Requirements

By default, Prowler scans all the subscriptions that it is allowed to scan. If you want to scan a single subscription or several specific subscriptions, you can use the following flag (using az cli auth as an example):

prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>

Google Cloud

By default, Prowler will use your User Account credentials. You can configure them using:

  • gcloud init to use a new account
  • gcloud config set account <account> to use an existing account

Then, obtain your access credentials using: gcloud auth application-default login

Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument:

prowler gcp --credentials-file path

By default, Prowler scans all the GCP Projects that it is allowed to scan. If you want to scan a single project or several specific projects, you can use the following flag:

prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>

See more details about GCP Authentication in Requirements

Kubernetes

Prowler allows you to scan your Kubernetes Cluster either from within the cluster or from outside the cluster.

For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument:

prowler kubernetes --kubeconfig-file path
Note

If no --kubeconfig-file is provided, Prowler will use the default KubeConfig file location (~/.kube/config).

For in-cluster execution, you can use the supplied yaml to run Prowler as a job within a new Prowler namespace:

kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns   # note the pod name: prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
Note

By default, prowler will scan all namespaces in your active Kubernetes context. Use the flag --context to specify the context to be scanned and --namespaces to specify the namespaces to be scanned.

Prowler v2 Documentation

For Prowler v2 Documentation, please check it out here.
