Lab Preparation
Inside your Cloud9 environment shell, run the following commands (copy-paste everything in the terminal):
sudo yum update -y
sudo yum remove -y awscli
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -q awscliv2.zip
sudo ./aws/install
. ~/.profile # to load the new path for AWS CLI v2
sudo yum install -y jq git
pip3 install detect-secrets==1.0.3
git clone https://github.com/prowler-cloud/prowler
cd prowler
./prowler -V
Lab 1: Basic Usage of Prowler
To scan all regions and execute all checks run:
./prowler -q # shows only FAIL findings
NOTE: you can stop it anytime with ctrl+c
Get help:
./prowler -h
Use a specific login profile (~/.aws/credentials or ~/.aws/config):
./prowler -p <profile_name> # not needed for this lab with Cloud9
Lab 2: Foundational Prowler Options
List existing checks:
./prowler -l
Look for all checks of a specific service in existing checks:
./prowler -l | grep -i service
List existing groups of checks:
./prowler -L
List checks inside a group of checks:
./prowler -g gdpr -l
Scan only one region:
./prowler -f us-east-1
Scan two specific regions:
./prowler -f 'us-east-1 us-east-2'
Lab 3: Basic Usage of Prowler
Execute only specific checks
./prowler -c check11,check12
FYI, not for this lab! 👇🏼
To run all checks without any option using Docker and Prowler v2:
docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest
To run all checks with some options using Docker and Prowler v2:
docker run -ti --rm -v /your/local/output:/prowler/output --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest -g hipaa -M csv,json,html
Lab 4: Get Findings in CSV, JSON and HTML formats
Generate reports in CSV, JSON and HTML format for CIS group 1 (IAM):
./prowler -M csv,json,html -g group1
Once it is finished you can see the generated files in the output folder:
ls -ltra output
prowler-output-106908755756-20220803154151.csv
prowler-output-106908755756-20220803154151.json
Prowler-output-106908755756-20220803154151.html
Now see the files in output folder and open them.
Prowler Module 3
Checks folder: https://github.com/prowler-cloud/prowler/tree/master/checks
Groups folder: https://github.com/prowler-cloud/prowler/tree/master/groups
Prowler Module 4
Lab 5: Send all findings to Security Hub
- Make sure AWS Security Hub is enabled in your region with Prowler official integration.
- Make sure the role "AWSCloud9SSMAccessRole" has this inline policy attached: https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-security-hub.json
- Run:
./prowler -M json-asff -S -f <securityhub_region>
Role Assumption
- Use this template as reference to create a role: https://github.com/prowler-cloud/prowler/blob/master/iam/create_role_to_assume_cfn.yaml
- In Prowler v2:
./prowler -A 123456789012 -R ProwlerExecRole
- Optional flags when assuming a role:
-T <seconds> # by default 3600 seconds
-I <external_id>
Lab 6: Assume role to check RDS
- Deploy Prowler read-only role in the AWS account where you will assume a role and scan with Prowler using this CloudFormation template: https://github.com/prowler-cloud/prowler/blob/master/iam/create_role_to_assume_cfn.yaml
- Use AccountARN:
arn:aws:iam::<your_account_id>:root
- Add sts:AssumeRole permission to the "AWSCloud9SSMAccessRole" role as an inline policy, scoped to the role you will assume in the remote account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<remote_account_id>:role/ProwlerExecRole"
  }
}
- Run:
./prowler -g rds -A <remote_account_id> -R ProwlerExecRole
AWS Organizations Metadata
- Using flags:
-O <your_orgs_management_account_id> -R ProwlerExecRole
Lab 7: Get AWS Organizations metadata
- If you don't have AWS Organizations set up in your environment, skip this lab.
- Enable AWS Organizations and deploy same role in your management AWS Organizations account.
- https://github.com/prowler-cloud/prowler/blob/master/iam/create_role_to_assume_cfn.yaml
- Or, you can manually create a role with the following permissions (these are part of the SecurityAudit managed policy, so they are already included in the Prowler role template):
- organizations:DescribeAccount
- organizations:ListTagsForResource
- Run:
./prowler -O <your_orgs_management_account_id> -R ProwlerExecRole -M csv
- Open the CSV report and see your AWS Organizations metadata for the scanned account
ls -ltra output/
Allow Listing
- Using flag:
-w allowlist_example.txt
Lab 8: Use Shodan.io to find exposed IPs
- Run:
export SHODAN_KEY="your-shodan-api-key"
./prowler -N $SHODAN_KEY -c extra7102
Lab 9: Quick Assessments & multi-account
- Assessment in a rush? Go with internet-exposed and find secrets:
./prowler -g internet-exposed -M text,json,html,csv -N <shodan_api_key>
./prowler -g secrets -M text,json,html,csv
- Assessing multiple accounts?
export ACCOUNTS="123456789012 98765432109"
export SHODAN_API_KEY='123445566'
for accountId in $ACCOUNTS; do
  ./prowler -A "$accountId" -R ProwlerExecRole -M text,csv,json,html -N "$SHODAN_API_KEY"
done
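The multi-account loop above stops being useful as soon as one account's role assumption fails. As an added example (not part of the Prowler project or this lab's original text), the wrapper below validates each account ID before it reaches sts:AssumeRole, keeps going when one account fails, keeps a log per account and returns the number of failed or skipped accounts; it assumes Prowler v2 at ./prowler (override with PROWLER_BIN) and ProwlerExecRole deployed in every target account as in Lab 6.

```shell
#!/bin/sh
# Added example, not from the Prowler project: defensive wrapper around the
# Lab 9 multi-account loop. Assumes ./prowler is the Prowler v2 script and
# ProwlerExecRole exists in every target account (Lab 6 template).
set -u

PROWLER_BIN="${PROWLER_BIN:-./prowler}"   # path to the Prowler v2 script
OUTPUT_ROOT="${OUTPUT_ROOT:-output}"      # where per-account run logs go

# is_account_id ID: AWS account IDs are exactly 12 digits. Reject anything
# else before it is handed to sts:AssumeRole (the handout's sample value
# 98765432109 has only 11 digits and is caught here).
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# scan_accounts ROLE ACCOUNT...: run Prowler once per account, continue when
# one account fails (expired session, missing role, throttling), keep each
# account's console output in its own log, and return the number of accounts
# skipped or failed so a CI job can tell a partial run from a clean one.
scan_accounts() {
  role="$1"; shift
  failures=0
  mkdir -p "$OUTPUT_ROOT"
  # -N is only added when SHODAN_API_KEY is set (Lab 8/9 flag); the key has
  # no whitespace, so the unquoted expansion of $shodan_flag below is safe.
  shodan_flag=""
  [ -n "${SHODAN_API_KEY:-}" ] && shodan_flag="-N $SHODAN_API_KEY"
  for account in "$@"; do
    if ! is_account_id "$account"; then
      echo "SKIP  $account: not a 12-digit AWS account id" >&2
      failures=$((failures + 1))
      continue
    fi
    log="$OUTPUT_ROOT/$account.log"
    if "$PROWLER_BIN" -A "$account" -R "$role" -M text,csv,json,html \
        $shodan_flag >"$log" 2>&1; then
      echo "OK    $account (reports in $OUTPUT_ROOT, log: $log)"
    else
      echo "FAIL  $account (prowler exit $?, see $log)" >&2
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage: sh scan_accounts.sh ProwlerExecRole 123456789012 210987654321
if [ $# -gt 0 ]; then scan_accounts "$@"; fi
```

Reports still land in Prowler's own output folder with the account ID in the file name, as in Lab 4; only the console log is split per account.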
Lab 10: Quick Inventory
Quick Inventory (BETA):
./prowler -i
Questions?
https://github.com/prowler-cloud/prowler/discussions/categories/q-a