Prowler is an open-source AWS security assessment and auditing tool that helps evaluate the security posture of your AWS services and accounts. It is built on top of the AWS CLI and generates reports in text, JSON, JUnit XML, and CSV formats.
1. Prerequisites
Before using Prowler, ensure you have the following installed and configured:
- AWS CLI: Install and configure the AWS CLI by following the official AWS guide.
- Prowler: Clone the Prowler repository from GitHub with `git clone https://github.com/toniblyx/prowler`, or download the latest release from the project's GitHub releases page.
2. Basic Usage
To start using Prowler, navigate to the Prowler directory and execute `./prowler`. By default, Prowler runs all the checks against your AWS environment.
3. Prowler Command-Line Options
You can customize Prowler's behavior using various command-line options:

| Option | Description | Example |
|---|---|---|
| -g | Run a specific group of checks | `./prowler -g group1` |
| -c | Run a specific check | `./prowler -c check1` |
| -r | Specify an AWS region | `./prowler -r us-west-2` |
| -l | List available checks and groups | `./prowler -l` |
| -M | Specify output format (text, json, junit-xml, csv) | `./prowler -M json` |
| -o | Specify output file | `./prowler -o prowler_report.txt` |
| -A | Run Prowler across all AWS accounts (requires AWS Organizations) | `./prowler -A` |
| -f | Filter results by a specific string | `./prowler -f "s3"` |
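The options above are usually combined in a wrapper rather than typed one at a time. The script below is an added example, not part of Prowler or of this post: it runs a selector (`-g` or `-c`) region by region with `-r` and `-M csv`, then triages the collected rows. It assumes `PROWLER_BIN` points at the `prowler` script and that the CSV rows use the column order of the check template in the next section (`check_id,severity,cis_level,result,account,region,resource,description,remediation`); the sample report it writes is constructed, not real Prowler output.

```shell
#!/bin/bash
# Added example, not part of Prowler: wrap the command-line options in a
# small CI-style runner and triage the CSV rows it collects.
# Assumptions: PROWLER_BIN is the prowler script; CSV columns are
#   check_id,severity,cis_level,result,account,region,resource,description,remediation

PROWLER_BIN="${PROWLER_BIN:-./prowler}"

# Run one selector (e.g. "-g group1" or "-c check1") in every region listed in
# $2 (space separated) and append the CSV rows to the file named by $3.
run_regions() {
  selector="$1"; regions="$2"; report="$3"
  : > "$report"
  for region in $regions; do
    # $selector is deliberately unquoted so "-g group1" splits into two words
    "$PROWLER_BIN" $selector -r "$region" -M csv >> "$report"
  done
}

# Count FAIL rows per severity, most severe first. Prints "<severity> <count>".
summarize_failures() {
  awk -F',' '
    $4 == "FAIL" { n[$2]++ }
    END {
      split("Critical High Medium Low Info", order, " ")
      for (i = 1; i <= 5; i++) if (order[i] in n) print order[i], n[order[i]]
    }' "$1"
}

# Return 0 when no Critical or High check failed, 1 otherwise (a CI gate).
gate_passes() {
  awk -F',' '$4 == "FAIL" && ($2 == "Critical" || $2 == "High") { bad = 1 }
             END { exit bad }' "$1"
}

# Constructed sample report (not real Prowler output) so the triage functions
# can be exercised without AWS access.
write_sample_report() {
  cat > "$1" <<'EOF'
check_sg_ssh,High,Level 1,FAIL,123456789012,us-east-1,sg-0a1b2c,SSH open to 0.0.0.0/0,Restrict the source CIDR
check_sg_ssh,High,Level 1,FAIL,123456789012,eu-west-1,sg-0d4e5f,SSH open to 0.0.0.0/0,Restrict the source CIDR
check_root_mfa,Critical,Level 1,PASS,123456789012,global,root,Root account has MFA,Enable MFA
check_s3_log,Medium,Level 2,FAIL,123456789012,us-east-1,logs-bucket,Access logging disabled,Enable logging
check_tags,Low,Not applicable,PASS,123456789012,us-east-1,all,Resources tagged,Add tags
EOF
}

# Demo on the constructed sample; call run_regions instead for a real account.
report="${TMPDIR:-/tmp}/prowler_sample_$$.csv"
write_sample_report "$report"
summarize_failures "$report"
if gate_passes "$report"; then echo "gate: ok"; else echo "gate: high-risk failures present"; fi
rm -f "$report"
```

For a real run, replace `write_sample_report` with something like `run_regions "-g group1" "us-east-1 eu-west-1" "$report"`; the severity ordering in `summarize_failures` matches the `check_severity` values the template allows.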
4. Customizing Prowler Checks
Prowler allows you to create custom checks and groups. Follow these steps to add your own checks:
- Create a new check file: Create a new file in the `checks` directory named `check_your_check_id.sh`. The file name (without `.sh`) must match the function name inside it, because the group file below sources `checks/$check.sh` and then calls `$check`.
- Define your check: Use the following template to define your check:

```bash
groupname="your_group_name"
group_title="Your Group Title"
check_id="your_check_id"
check_title="Your Check Title"
check_cis_level="Level 1, Level 2 or Not applicable"
check_description="A brief description of your check"
check_remediation="A brief description of the remediation steps"
check_severity="Critical, High, Medium, Low or Info"
check_awscli_installed="yes"  # Set to "no" if the check doesn't require AWS CLI
check_supported_os="linux"    # Supported OS (linux, macos, or all)
check_delay="0"               # Delay between API calls if needed

function check_your_check_id() {
  # Add your check logic here: call the AWS CLI and process its output with
  # awk, grep, jq, or other tools. Set $account, $region and $resource to the
  # scope you examined, and store the observed value in $result.
  local status
  if [[ "$result" == "EXPECTED_RESULT" ]]; then
    status="PASS"
  else
    status="FAIL"
  fi
  # One CSV row per finding; the fourth field is the pass/fail outcome
  echo "$check_id,$check_severity,$check_cis_level,$status,$account,$region,$resource,$check_description,$check_remediation"
}
```

- Add your check to a group: In the `groups` directory, create a new file named `group_your_group_name` and add the following content:

```bash
#!/bin/bash
# Source each listed check file from the checks directory, then run its function
for check in check_your_check_id; do
  . "checks/$check.sh" && $check
done
```

- Run your custom check or group: Use the `-c` or `-g` option to run your custom check or group:

```bash
./prowler -c check_your_check_id
```

or

```bash
./prowler -g your_group_name
```
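The template leaves the check logic itself as a comment. Below is a complete custom check written to that template, added here as an example; it is not Prowler's own code and not from the original post. It reports security groups whose ingress rules open SSH (tcp/22) to `0.0.0.0/0`, and goes one step beyond the obvious port match by also treating an all-traffic rule (protocol `-1`, which carries no port range) as an exposure. The AWS CLI call and the `jq` filter that flattens it are the only real-account dependencies; the `SG_SAMPLE` switch, the `list_ingress_rules` helper, and the sample rows are constructed for this example so it can run offline.

```shell
#!/bin/bash
# Added example, not Prowler's own code: a custom check written to the
# template in this post. Flags security groups with an ingress rule that
# opens SSH (tcp/22, or all traffic) to 0.0.0.0/0.
# When SG_SAMPLE is set, its constructed rows replace the real AWS query.

groupname="custom_network"
group_title="Custom network exposure checks"
check_id="custom_sg_ssh_open"
check_title="Security groups must not allow SSH from 0.0.0.0/0"
check_cis_level="Level 1"
check_description="Ingress rule opens tcp/22 (or all traffic) to the whole internet"
check_remediation="Restrict the source CIDR to known address ranges or delete the rule"
check_severity="High"
check_awscli_installed="yes"
check_supported_os="all"
check_delay="0"

# One tab-separated row per ingress rule: group-id, protocol, from-port,
# to-port, cidr. Ports absent from the API response (protocol -1) become -1.
list_ingress_rules() {
  region="$1"
  if [ -n "${SG_SAMPLE:-}" ]; then
    printf '%s\n' "$SG_SAMPLE"   # constructed sample rows, see sample_rows
    return 0
  fi
  aws ec2 describe-security-groups --region "$region" --output json |
    jq -r '.SecurityGroups[] | .GroupId as $g | .IpPermissions[]
           | .IpProtocol as $p | (.FromPort // -1) as $f | (.ToPort // -1) as $t
           | .IpRanges[].CidrIp | [$g, $p, ($f|tostring), ($t|tostring), .] | @tsv'
}

# Prints one FAIL row per exposed group in the template's CSV layout, or a
# single PASS row when nothing is exposed. Returns 1 on any finding.
check_custom_sg_ssh_open() {
  region="${1:-us-east-1}"
  account="${2:-unknown}"
  tab="$(printf '\t')"
  exposed="$(list_ingress_rules "$region" | while IFS="$tab" read -r gid proto from to cidr; do
    [ "$cidr" = "0.0.0.0/0" ] || continue
    if [ "$proto" = "-1" ]; then
      echo "$gid"                      # all traffic, so port 22 is included
    elif [ "$proto" = "tcp" ] && [ "$from" -le 22 ] && [ "$to" -ge 22 ]; then
      echo "$gid"                      # tcp range spans port 22
    fi
  done | sort -u)"
  if [ -z "$exposed" ]; then
    echo "$check_id,$check_severity,$check_cis_level,PASS,$account,$region,all-security-groups,$check_description,$check_remediation"
    return 0
  fi
  for gid in $exposed; do
    echo "$check_id,$check_severity,$check_cis_level,FAIL,$account,$region,$gid,$check_description,$check_remediation"
  done
  return 1
}

# Constructed sample (not real AWS output): sg-aaa opens 22 to the world,
# sg-bbb opens only 80, sg-ccc opens all traffic, sg-ddd opens 22 to a
# private range only, sg-eee opens a tcp range that contains 22.
sample_rows() {
  printf 'sg-aaa\ttcp\t22\t22\t0.0.0.0/0\n'
  printf 'sg-bbb\ttcp\t80\t80\t0.0.0.0/0\n'
  printf 'sg-ccc\t-1\t-1\t-1\t0.0.0.0/0\n'
  printf 'sg-ddd\ttcp\t22\t22\t10.0.0.0/8\n'
  printf 'sg-eee\ttcp\t0\t1024\t0.0.0.0/0\n'
}

# Demo on the constructed sample; leave SG_SAMPLE unset to query AWS for real.
SG_SAMPLE="$(sample_rows)"
check_custom_sg_ssh_open us-east-1 123456789012 || echo "findings present"
unset SG_SAMPLE
```

Saved as `checks/check_custom_sg_ssh_open.sh`, the function name matches the file name, so the group-file loop from the steps above (`. "checks/$check.sh" && $check`) can run it unchanged.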
Cheatsheet

| Action | Command |
|---|---|
| Run Prowler with default checks | `./prowler` |
| Run a specific group of checks | `./prowler -g group1` |
| Run a specific check | `./prowler -c check1` |
| Specify an AWS region | `./prowler -r us-west-2` |
| List available checks and groups | `./prowler -l` |
| Specify output format | `./prowler -M json` |
| Specify output file | `./prowler -o prowler_report.txt` |
| Run Prowler across all AWS accounts | `./prowler -A` |
| Filter results by a specific string | `./prowler -f "s3"` |
| Run a custom check | `./prowler -c check_your_check_id` |
| Run a custom group of checks | `./prowler -g your_group_name` |