prowler v2.0 releases: AWS security assessment, auditing and hardening
Prowler: AWS CIS Benchmark Tool
Prowler is a command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks including related to GDPR and HIPAA.
Read more about CIS Amazon Web Services Foundations Benchmark v1.2.0 – 05-23-2018
Features
It covers hardening and security best practices for all AWS regions related to the next groups:
- Identity and Access Management (22 checks) [group1]
- Logging (9 checks) [group2]
- Monitoring (14 checks) [group3]
- Networking (4 checks) [group4]
- CIS Level 1 [cislevel1]
- CIS Level 2 [cislevel2]
- Extras (39 checks) see Extras section [extras]
- Forensics related group of checks [forensics-ready]
- GDPR [gdpr] Read more here
- HIPPA [hippa] Read more here
For a comprehensive list and resolution look at the guide on the link above.
With Prowler you can:
- get a colourful or monochrome report
- a CSV format report for diff
- run specific checks without having to run the entire report
- check multiple AWS accounts in parallel
Changelog v2.0
New features:
- Refactored code:
- reduced number of lines in prowler main script and add
includesfolder with parts to easily find and manage all components- dedicated folder for
checks, a check per file,- same for
groupsof checks, now we can create custom groups and run Prowler against your custom group (for example only the checks that your company needs).- moved Dockerfile to
utilsfolder.- moved IAM policy additions to
iamfolder- Output changed
PASSandFAILinstead ofOKandWARNINGmessages displayed.- Option
-g <group_id>: run specific group from the existing or new one- Option
-b: hide banner- Check whitelisting: thanks to the new groups management, you can create your own checks based on your needs.
- Custom checks: now it is easier to add a new check, just create your check based on the sample one and add it to a group, or create your own group.
- Added version to the banner and changed description
- Added new check
extra723that looks for public RDS snapshots (single and cluster)- Added check
extra724Certificate Transparency- Added check ID on every check and group title.
- Added check
extra725S3 object-level logging (extras and forensics)- Added check
extra726Trusted Advisor errors and warnings- Added check
extra727SQS queues have policy public- Added check
extra728SQS queues have encryption enabled- Added
-Vflag to see version- Added check
extra729no EBS Volumes unencrypted- Added check
extra730ACM Certificates are about to expire in 7 days or less- Added check
extra731SNS topics have policy set as Public- Added check
extra732Geo restrictions are enabled in CloudFront distributions- Added check
extra733SAML Providers then STS can be used- Added check
extra734S3 buckets have default encryption (SSE) enabled and policy to enforce it- Added check
extra735RDS instances storage is encrypted- Added check
extra736exposed KMS keys- Added check
extra737KMS keys with key rotation disabled- Added check
extra738CloudFront distributions are set to HTTPS- Added check
extra739ELBs have logging enabled- Added check
extra740EBS snapshots are encrypted- JSON support as output mode
-M json, thanks to @hb3b- Added support to run on Fargate and uses metadata for credentials, thanks to @mattfinlayson
- Added group checks for GDPR and HIPAA, thanks to @crashGoBoom for helping out with HIPAA
More…
Install
pip install awscli
git clone https://github.com/Alfresco/prowler
cd prowlerMake sure you have properly configured your AWS-CLI with a valid Access Key and Region:
aws configureMake sure your Secret and Access Keys are associated to a user with proper permissions to do all checks. To make sure add SecurityAuditor default policy to your user. Policy ARN is
arn:aws:iam::aws:policy/SecurityAudit
Usage
1 – Run the prowler.sh command without options (it will use your environment variable credentials if exist or default in ~/.aws/credentials file and run checks over all regions when needed, default region is us-east-1):
./prowler
2 – For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
./prowler -p custom-profile -r us-east-1
3 – For a single check use option -c:
./prowler -c check310
or for custom profile and region
./prowler -p custom-profile -r us-east-1 -c check11
or for a group of checks use group name:
./prowler -c check3
Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
4 – If you want to save your report for later analysis:
./prowler > prowler-report.txt
or if you want a colored HTML report do:
pip install ansi2html
./prowler | ansi2html -la > report.html
or if you want a pipe-delimited report file, do:
./prowler -M csv > output.psv
5 – To perform an assessment based on CIS Profile Definitions you can use level1 or level2 with -c flag, more information about this here, page 8:
./prowler -c level1
6 – If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously -P 4):
grep -E ‘^\[([0-9A-Aa-z_-]+)\]’ ~/.aws/credentials | tr -d ‘][‘ | shuf | \
xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv 2> /dev/null >> all-accounts.csv
7 – For help use:
- Sample screenshot of report first lines:
- Sample screenshot of a single check for check 3.3:
Source: https://github.com/Alfresco/
