How to Enhance Cloud Security Audits with Prowler: Step-by-Step Guide

How to Enhance Cloud Security Audits with Prowler: Step-by-Step Guide

Introduction

I bumped across Prowler (https://github.com/prowler-cloud/prowler) when my team was looking for a tool using which we could write custom checks to ensure security of our account.

Prowler is an open-source security tool designed to help you assess, audit, and improve the security of your AWS, Azure, Google Cloud, and Kubernetes environments. Think of it as your security advisor that ensures your cloud setup is following best practices and staying secure.

Architecture

Prowler can be run from various platforms, whether it's from your workstation, a Kubernetes Job, a Google Compute Engine, an Azure VM, or an EC2 instance. It's flexible and can fit into many different environments. The tool includes two main components: the Prowler CLI (Command Line Interface) and Prowler SaaS.

  • Prowler CLI: This is the core tool you run from the command line. You can use it to perform security checks, generate reports, and more.
  • Prowler SaaS: This is a service built on top of the CLI, providing additional features and a user-friendly dashboard for managing your security assessments.

Solution

Imagine you’re managing a company’s cloud infrastructure. You’ve got servers, databases, and services spread across AWS, Azure, Google Cloud, and Kubernetes. Keeping track of security best practices can be overwhelming. This is where Prowler steps in.

You can run Prowler to perform a thorough security assessment of your cloud environments. It checks your setup against a wide range of security standards like CIS, NIST, GDPR, and more. With hundreds of checks available, Prowler ensures that your infrastructure meets industry standards and highlights any potential security gaps.

Here’s how it works:

  1. Install Prowler: You can easily install Prowler using pip or Docker. For instance, you can run pip install prowler if you're using Python.
  2. Run Security Checks: Use the Prowler CLI to start assessments. For example, prowler aws will check your AWS setup, while prowler azure does the same for Azure.
  3. View Results: After running the checks, Prowler provides detailed reports. You can review these reports to see if any issues need addressing.

Common Prowler Commands

  1. Run a Full Security Check for AWS:
prowler -b

Explanation: This command runs all available checks for your AWS environment. The -b flag (bulk mode) ensures that it covers all aspects, from general best practices to specific compliance checks like CIS and GDPR.

  1. Run a Check for a Specific AWS Service:
prowler -c s3

Explanation: If you want to run checks related to a specific AWS service, such as S3, EC2, or IAM, you can use the -c flag . This helps you focus on a particular area rather than checking everything.

  1. Generate Reports in Multiple Formats:
prowler -M csv,json,html

Explanation: This command generates the security check results in multiple formats like CSV, JSON, and HTML. It's useful for sharing the reports with team members or for integrating the results into other systems.

  1. Prowler Dashboard:
prowler dashboard

Explanation: The dashboard makes it easier to manage security assessments, especially in larger, multi-cloud environments where manual CLI operations would be more complex and harder to track.

  1. Run Prowler with a Specific AWS Profile:
prowler --profile myawsprofile

Explanation: If you manage multiple AWS accounts, you can use a specific AWS profile to run the checks by using the --profile option. This is useful when you want to target a specific account.

Create a Custom Check

You can add custom checks to Prowler to meet specific security needs. Here’s an example of creating a custom check to identify IAM users who haven't logged in for 90 days.

Steps to Add a Custom Check:

  1. Run a Full Security Check for AWS:

Create a New Shell Script for Your Custom Check: Let’s say you want to create a custom check to ensure that all IAM users who have not logged in for the past 90 days. Create a new shell script for the check:

bash:

touch Unuse_IAM_Users.sh

chmod +x Unuse_IAM_Users.sh

  1. Add the Following Code:
#!/bin/bash
check_unused_iam_users() {
    echo "Checking for unused IAM users (inactive for 90 days)..."
    aws iam list-users --query 'Users[*].UserName' --output text | while read username; do
        last_used=$(aws iam get-user --user-name "$username" --query 'User.PasswordLastUsed' --output text 2>/dev/null)
    if [ "$last_used" == "None" ] || [ -z "$last_used" ]; then
        echo "PASS: $username has never logged in."
    else
        days_since_last_used=$(($(($(date +%s) - $(date -d "$last_used" +%s))) / 86400))
        if [ $days_since_last_used -ge 90 ]; then
            echo "FAIL: $username has not logged in for $days_since_last_used days."
        else
            echo "PASS: $username is active."
        fi
    fi
done
  1. Execute the Script:

bash:

bash Unuse_IAM_Users.sh

This check helps identify IAM users who haven’t logged in for 90 days and are potentially a security risk.


How Prowler is different from AWS Config

Here's a detailed comparison between Prowler and AWS Config, highlighting their key differences:

Feature

Prowler

AWS Config

Purpose

Security auditing and compliance

Continuous monitoring and resource management

Scope

Multi-cloud (AWS, Azure, GCP, Kubernetes)

AWS-specific resources

Type of Checks

On-demand security assessments

Continuous compliance and configuration tracking

Customization

Highly customizable with custom checks

Custom rules can be defined for AWS resources

Usage

Command-line tool for audits and reporting

Service integrated into AWS Management Console

User Interface

Primarily CLI with optional SaaS dashboard

Web-based dashboard in AWS Management Console

Compliance Standards

Supports various standards like CIS, NIST, GDPR

Supports compliance against AWS best practices

Frequency

Manual or scheduled runs

Continuous monitoring of resource states

Reporting

Generates reports in multiple formats (CSV, JSON, HTML)

Provides configuration history and compliance status

Summary of Differences:

  • Prowler is designed for proactive security assessments across multiple cloud environments, providing flexibility in auditing security controls and ensuring compliance with various standards.
  • AWS Config is focused on continuous tracking of resource configurations within AWS, ensuring that resources comply with desired configurations and helping to manage changes over time.

Overall, Prowler is ideal for security-focused teams needing to assess their cloud infrastructure actively, while AWS Config is suited for teams looking to maintain continuous compliance and configuration management within AWS.

Conclusion

Prowler is a powerful tool for anyone managing cloud environments and looking to ensure their security posture is top-notch. With its broad range of checks and user-friendly setup, it makes security assessments straightforward and effective. Whether you're using it for regular audits or as part of your continuous monitoring strategy, Prowler helps you stay on top of your security game and keep your cloud infrastructure safe.

For more details, check out the Prowler documentation and start making your cloud environments more secure today!