Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/prowler-cloud/prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://github.com/prowler-cloud/prowler

aws azure cis-benchmark cloud compliance devsecops forensics gcp gdpr hardening iam multi-cloud python security security-audit security-hardening security-tools well-architected

Last synced: about 2 months ago
JSON representation

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more

Lists

README 

        


  

  





  See all the things you and your team can do with ProwlerPro at prowler.pro







  





  Slack Shield

  Python Version

  Python Version

  PyPI Prowler Downloads

  Docker Pulls

  Docker

  Docker

  AWS ECR Gallery

  





  Repo size

  Issues

  Version

  Version

  Contributors

  License

  Twitter

  Twitter




# Description



`Prowler` is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.



It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.



| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.cloud/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.cloud/en/latest/tutorials/misc/#categories) |

|---|---|---|---|---|

| AWS | 301 | 61 -> `prowler aws --list-services` | 25 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |

| GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|

| Azure | 23 | 4 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |

| Kubernetes | Work In Progress | - | CIS soon | - |



# 📖 Documentation



The full documentation can now be found at [https://docs.prowler.cloud](https://docs.prowler.cloud)



## Looking for Prowler v2 documentation?

For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prowler/tree/2.12.1.



# ⚙️ Install



## Pip package

Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9, < 3.12:



```console

pip install prowler

prowler -v

```

More details at https://docs.prowler.cloud



## Containers



The available versions of Prowler are the following:



- `latest`: in sync with master branch (bear in mind that it is not a stable version)

- `` (release): you can find the releases [here](https://github.com/prowler-cloud/prowler/releases), those are stable releases.

- `stable`: this tag always point to the latest release.



The container images are available here:



- [DockerHub](https://hub.docker.com/r/toniblyx/prowler/tags)

- [AWS Public ECR](https://gallery.ecr.aws/prowler-cloud/prowler)



## From Github



Python >= 3.9, < 3.12 is required with pip and poetry:



```

git clone https://github.com/prowler-cloud/prowler

cd prowler

poetry shell

poetry install

python prowler.py -v

```



# 📐✏️ High level architecture



You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.



![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/080261d9-773d-4af1-af79-217a273e3176)



# 📝 Requirements



Prowler has been written in Python using the [AWS SDK (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html#), [Azure SDK](https://azure.github.io/azure-sdk-for-python/) and [GCP API Python Client](https://github.com/googleapis/google-api-python-client/).

## AWS



Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence).

Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):



  ```console

  aws configure

  ```



  or



  ```console

  export AWS_ACCESS_KEY_ID="ASXXXXXXX"

  export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"

  export AWS_SESSION_TOKEN="XXXXXXXXX"

  ```



Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:



  - `arn:aws:iam::aws:policy/SecurityAudit`

  - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`



  > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.



  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).



  ## Azure



  Prowler for Azure supports the following authentication types:



- Service principal authentication by environment variables (Enterprise Application)

- Current az cli credentials stored

- Interactive browser authentication

- Managed identity authentication



### Service Principal authentication



To allow Prowler assume the service principal identity to start the scan, it is needed to configure the following environment variables:



```console

export AZURE_CLIENT_ID="XXXXXXXXX"

export AZURE_TENANT_ID="XXXXXXXXX"

export AZURE_CLIENT_SECRET="XXXXXXX"

```



If you try to execute Prowler with the `--sp-env-auth` flag and those variables are empty or not exported, the execution is going to fail.

### AZ CLI / Browser / Managed Identity authentication



The other three cases do not need additional configuration, `--az-cli-auth` and `--managed-identity-auth` are automated options, `--browser-auth` needs the user to authenticate using the default browser to start the scan. Also `--browser-auth` needs the tenant id to be specified with `--tenant-id`.



### Permissions



To use each one, you need to pass the proper flag to the execution. Prowler for Azure handles two types of permission scopes, which are:



- **Azure Active Directory permissions**: Used to retrieve metadata from the identity assumed by Prowler and future AAD checks (not mandatory to have access to execute the tool)

- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool.



#### Azure Active Directory scope



Azure Active Directory (AAD) permissions required by the tool are the following:



- `Directory.Read.All`

- `Policy.Read.All`



#### Subscriptions scope



Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription  to the entity that is going to be assumed by the tool:



- `Security Reader`

- `Reader`



## Google Cloud Platform



Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order):



1. [GOOGLE_APPLICATION_CREDENTIALS environment variable](https://cloud.google.com/docs/authentication/application-default-credentials#GAC)

2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)

3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)



Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.



> By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.



# 💻 Basic Usage



To run prowler, you will need to specify the provider (e.g aws or azure):



```console

prowler 

```



![Prowler Execution](https://github.com/prowler-cloud/prowler/blob/b91b0103ff38e66a915c8a0ed84905a07e4aae1d/docs/img/short-display.png?raw=True)



> Running the `prowler` command without options will use your environment variable credentials.



By default, prowler will generate a CSV, a JSON and a HTML report, however you can generate JSON-ASFF (only for AWS Security Hub) report with `-M` or `--output-modes`:



```console

prowler  -M csv json json-asff html

```



The html report will be located in the `output` directory as the other files and it will look like:



![Prowler Execution](https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/html-output.png?raw=True)



You can use `-l`/`--list-checks` or `--list-services` to list all available checks or services within the provider.



```console

prowler  --list-checks

prowler  --list-services

```



For executing specific checks or services you can use options `-c`/`--checks` or `-s`/`--services`:



```console

prowler aws --checks s3_bucket_public_access

prowler aws --services s3 ec2

```



Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:



```console

prowler aws --excluded-checks s3_bucket_public_access

prowler aws --excluded-services s3 ec2

```



You can always use `-h`/`--help` to access to the usage information and all the possible options:



```console

prowler -h

```



## Checks Configurations

Several Prowler's checks have user configurable variables that can be modified in a common **configuration file**.

This file can be found in the following path:

```

prowler/config/config.yaml

```



## AWS



Use a custom AWS profile with `-p`/`--profile` and/or AWS regions which you want to audit with `-f`/`--filter-region`:



```console

prowler aws --profile custom-profile -f us-east-1 eu-south-2

```

> By default, `prowler` will scan all AWS regions.



## Azure



With Azure you need to specify which auth method is going to be used:



```console

prowler azure [--sp-env-auth, --az-cli-auth, --browser-auth, --managed-identity-auth]

```

> By default, `prowler` will scan all Azure subscriptions.



## Google Cloud Platform



Optionally, you can provide the location of an application credential JSON file with the following argument:



```console

prowler gcp --credentials-file path

```

> By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.



# 📃 License



Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at