prowler v2.3 RC releases: AWS security assessment, auditing and hardening

Prowler: AWS CIS Benchmark Tool

Prowler is a command-line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.

It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks including related to GDPR and HIPAA.

Read more about CIS Amazon Web Services Foundations Benchmark v1.2.0 – 05-23-2018

Features

It covers hardening and security best practices for all AWS regions related to the next groups:

• Identity and Access Management (22 checks) [group1]
• Logging (9 checks) [group2]
• Monitoring (14 checks) [group3]
• Networking (4 checks) [group4]
• CIS Level 1 [cislevel1]
• CIS Level 2 [cislevel2]
• Extras (39 checks) see Extras section [extras]
• Forensics related group of checks [forensics-ready]
• GDPR [gdpr] Read more here
• HIPPA [hippa] Read more here

For a comprehensive list and resolution look at the guide on the link above.

With Prowler you can:

• get a colourful or monochrome report
• a CSV format report for diff
• run specific checks without having to run the entire report
• check multiple AWS accounts in parallel

Changelog v2.3 RC

New features:

• Security Hub native integration and ASFF format
• Whitelist support
• Multiple reports and formats at the same time (mono,csv,json,json-asff,junit-xml) like prowler-output-accountid-timestamp.json
• Support for Junit output to use it with Jenkins (-M junit-xml)
• New checks for Trusted boundaries, Elasticsearch, IMDSv2, ECR vulnerabilities, more find secrets and VPC security groups. Comprehensive list below.
• Support for assume role and multi-accounts
• Improved support for AWS GovCloud (US)
• Improved support for AWS-CLI v1 and v2

Other improvements:

• Improved listing of Checks and Groups (-l to see all checks, -L for all groups and -l g groupname to list checks in a particular group)
• Enhanced set entropy for detect-secrets from env BASE64_LIMIT and HEX_LIMIT @yumminhuang (3df2786)
• Improved GetCallerIdentity handling / credentials
• Enhanced documentation with more commands and examples

New checks:

• 7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark) [extras, secrets]
• 7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark) [extras]
• 7.77 [extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark) [extras]
• 7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark) [extras]
• 7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports [extras, elasticsearch]
• 7.80 [extra780] Check if Amazon Elasticsearch Service (ES) domains has Amazon Cognito authentication for Kibana enabled [extras, elasticsearch]
• 7.81 [extra781] Check if Amazon Elasticsearch Service (ES) domains has encryption at-rest enabled [extras, elasticsearch]
• 7.82 [extra782] Check if Amazon Elasticsearch Service (ES) domains has node-to-node encryption enabled [extras, elasticsearch]
• 7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains has enforce HTTPS enabled [extras, elasticsearch]
• 7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains internal user database enabled [extras, elasticsearch]
• 7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available [extras, elasticsearch]
• 7.86 [extra786] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (Not Scored) (Not part of CIS benchmark) [extras]
• 7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports [extras, elasticsearch]
• 7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains [extras, elasticsearch]
• 7.89 [extra789] Find trust boundaries in VPC endpoint services connections [trustboundaries]
• 7.90 [extra790] Find trust boundaries in VPC endpoint services whitelisted principles [trustboundaries]

More…

Install

pip install awscli
git clone https://github.com/Alfresco/prowler
cd prowler

Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
aws configure

Make sure your Secret and Access Keys are associated to a user with proper permissions to do all checks. To make sure add SecurityAuditor default policy to your user. Policy ARN is
arn:aws:iam::aws:policy/SecurityAudit

Usage

1 – Run the prowler.sh command without options (it will use your environment variable credentials if exist or default in ~/.aws/credentials file and run checks over all regions when needed, default region is us-east-1):

./prowler

2 – For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):

./prowler -p custom-profile -r us-east-1

3 – For a single check use option -c:

./prowler -c check310

or for custom profile and region

./prowler -p custom-profile -r us-east-1 -c check11

or for a group of checks use group name:

./prowler -c check3

Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310

4 – If you want to save your report for later analysis:

./prowler > prowler-report.txt

or if you want a colored HTML report do:

pip install ansi2html
./prowler | ansi2html -la > report.html

or if you want a pipe-delimited report file, do:

./prowler -M csv > output.psv

5 – To perform an assessment based on CIS Profile Definitions you can use level1 or level2 with -c flag, more information about this here, page 8:

./prowler -c level1

6 – If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously -P 4):

grep -E ‘^\[([0-9A-Aa-z_-]+)\]’ ~/.aws/credentials | tr -d ‘][‘ | shuf | \
xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv 2> /dev/null >> all-accounts.csv

7 – For help use:

./prowler -h

USAGE:
      prowler -p <profile> -r <region> [ -h ]
  Options:
      -p <profile>        specify your AWS profile to use (i.e.: default)
      -r <region>         specify an AWS region to direct API requests to (i.e.: us-east-1)
      -c <checknum>       specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1, check3 for entire section 3 or level1 for CIS Level 1 Profile Definitions)
      -f <filterregion>   specify an AWS region to run checks against (i.e.: us-west-1)
      -m <maxitems>       specify the maximum number of items to return for long-running requests (default: 100)
      -M <mode>           output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
      -k                  keep the credential report
      -n                  show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
      -h                  this help

• Sample screenshot of report first lines:

• Sample screenshot of a single check for check 3.3:

Source: https://github.com/Alfresco/