Prowler Module 2

Lab Preparation

Inside your Cloud9 environment shell, run the following commands (copy-paste everything in the terminal):

sudo yum update -y
sudo yum remove -y awscli
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -q awscliv2.zip
sudo ./aws/install
. ~/.profile # to load the new path for AWS CLI v2
sudo yum install -y jq git
pip3 install detect-secrets==1.0.3
git clone https://github.com/prowler-cloud/prowler 
cd prowler
./prowler -V

Lab 1: Basic Usage of Prowler

To scan all regions and execute all checks run:

./prowler 
./prowler -q # shows only FAIL findings

NOTE: you can stop it anytime with ctrl+c

Get help:

./prowler -h

Use a specific login profile (~/.aws/credentials or ~/.aws/config)

./prowler -p <profile_name> # not needed for this lab with Cloud9

Lab 2: Foundational Prowler Options

List existing checks:

./prowler -l

Look for all checks of a specific service in existing checks:

./prowler -l | grep -i service

List existing groups of checks:

./prowler -L

List checks inside a group of checks:

./prowler -g gdpr -l 

Scan only one region:

./prowler -f us-east-1

Scan two specific regions:

./prowler -f 'us-east-1 us-east-2'

Lab 3: Basic Usage of Prowler

Execute only specific checks:

./prowler -c check11,check12

FYI, not for this lab! 👇🏼 

To run all checks without any option using Docker and Prowler v2:

docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest

To run all checks with some options using Docker and Prowler v2:

docker run -ti --rm -v /your/local/output:/prowler/output --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest -g hipaa -M csv,json,html

Lab 4: Get Findings in CSV, JSON and html formats

Generate reports in CSV, JSON and HTML format for CIS group 1 (IAM):

./prowler -M csv,json,html -g group1

Once it is finished you can see the generated files in the output folder:

ls -ltra output
prowler-output-106908755756-20220803154151.csv
prowler-output-106908755756-20220803154151.json
prowler-output-106908755756-20220803154151.html

Now see the files in output folder and open them.
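An added example (not code from the Prowler project or from this handout) that reads the JSON report produced in Lab 4 and summarises the FAIL findings by severity and service. Prowler v2 writes one JSON object per line; the field names used here ("Status", "Severity", "Service", "Control", "Region") are assumed from that format, and the sample lines are constructed.

```python
#!/usr/bin/env python3
"""Summarise FAIL findings from a Prowler v2 JSON (JSON Lines) report.

Usage: python3 summarize_fails.py output/prowler-output-<account>-<ts>.json
Without an argument it runs against the constructed sample below.
Field names are an assumption about Prowler v2's JSON output.
"""
import json
import sys
from collections import Counter

# Constructed sample report (4 findings across two regions, one Pass).
SAMPLE_REPORT = "\n".join([
    '{"Account Number": "123456789012", "Control": "[check11] Avoid the use of the root account", "Severity": "High", "Status": "Fail", "Region": "us-east-1", "Service": "iam"}',
    '{"Account Number": "123456789012", "Control": "[check12] Ensure no root account access key exists", "Severity": "High", "Status": "Pass", "Region": "us-east-1", "Service": "iam"}',
    '{"Account Number": "123456789012", "Control": "[extra73] Ensure there are no S3 buckets open to Everyone", "Severity": "Medium", "Status": "Fail", "Region": "us-east-1", "Service": "s3"}',
    '{"Account Number": "123456789012", "Control": "[extra73] Ensure there are no S3 buckets open to Everyone", "Severity": "Medium", "Status": "Fail", "Region": "us-west-2", "Service": "s3"}',
])


def parse_report(text):
    """Return one dict per non-empty line; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated last line must not abort the summary
    return findings


def summarize_fail(findings):
    """Return (Counter by severity, Counter by service, sorted failing controls)."""
    fails = [f for f in findings if str(f.get("Status", "")).lower() == "fail"]
    by_severity = Counter(f.get("Severity", "Unknown") for f in fails)
    by_service = Counter(f.get("Service", "unknown") for f in fails)
    controls = sorted({f.get("Control", "?") for f in fails})  # dedupe across regions
    return by_severity, by_service, controls


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    by_severity, by_service, controls = summarize_fail(parse_report(text))
    print("FAIL findings by severity:", dict(by_severity))
    print("FAIL findings by service: ", dict(by_service))
    for control in controls:
        print("  -", control)


if __name__ == "__main__":
    main(sys.argv)
```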

Prowler Module 3

Checks folder: https://github.com/prowler-cloud/prowler/tree/master/checks 

Groups folder: https://github.com/prowler-cloud/prowler/tree/master/groups

Prowler Module 4

Lab 5: Send all findings to Security Hub

  1. Make sure AWS Security Hub is enabled in your region with Prowler official integration.
  2. Make sure the role “AWSCloud9SSMAccessRole” has this inline policy attached: https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-security-hub.json
  3. Run:
./prowler -M json-asff -S -f <securityhub_region>

Role Assumption

  • In Prowler v2:
./prowler -A 123456789012 -R ProwlerExecRole
  • Optional flags when assuming a role:
-T <seconds> # by default 3600 seconds
-I <external_id>

Lab 6: Assume role to check RDS

  • Use AccountARN:
arn:aws:iam::<your_account_id>:root
  • Add sts:AssumeRole permission to “AWSCloud9SSMAccessRole” role as an inline policy (the Resource is the ARN of the role you will assume in the remote account):
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<remote_account_id>:role/ProwlerExecRole"
  }
}
  • Run:
./prowler -g rds -A <remote_account_id> -R ProwlerExecRole

AWS Organizations Metadata

  • Using flags: 
-O <your_orgs_management_account_id> -R ProwlerExecRole

Lab 7: Get AWS Organizations metadata

  • If you don’t have AWS Organizations set up in your environment, skip this lab.
  • Enable AWS Organizations and deploy the same role in your AWS Organizations management account.
  • Run: 
./prowler -O <your_orgs_management_account_id> -R ProwlerExecRole -M csv
  • Open the CSV report and see your AWS Organizations metadata for the scanned account:
ls -ltra output/

Allow Listing

  • Using flag: 
-w allowlist_example.txt

Lab 8: Use Shodan.io to find exposed IPs

  1. Run:
export SHODAN_KEY="your-shodan-api-key"
./prowler -N "$SHODAN_KEY" -c extra7102

Lab 9: Quick Assessments & multi-account

  • Assessment in a rush? Go with internet-exposed and find secrets:
./prowler -g internet-exposed -M text,json,html,csv -N <shodan_api_key>
./prowler -g secrets -M text,json,html,csv
  • Assessing multiple accounts?
export ACCOUNTS="123456789012 98765432109"
export SHODAN_API_KEY='123445566'
for accountId in $ACCOUNTS; do
  ./prowler -A "$accountId" -R ProwlerExecRole -M text,csv,json,html -N "$SHODAN_API_KEY"
done

Lab 10: Quick Inventory

Quick Inventory (BETA):

./prowler -i

Questions?

https://github.com/prowler-cloud/prowler/discussions/categories/q-a