Description
Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response.
It follows the guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks, including checks related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.
Read more about CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018
High level architecture
Requirements and Installation
Prowler is written in bash, uses the AWS CLI underneath, and works on Linux, macOS, or Windows with Cygwin or virtualisation. It also requires jq and detect-secrets to work properly.
Installing on macOS:
Pre-requisites-1: Install awscli
The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.
~ $ brew install awscli
==> Installing dependencies for awscli: gdbm, mpdecimal, ca-certificates, openssl@1.1, readline, sqlite, xz, python@3.9 and six
==> Installing awscli dependency: gdbm
==> Pouring gdbm--1.23.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/gdbm/1.23: 24 files, 956.7KB
==> Installing awscli dependency: mpdecimal
==> Pouring mpdecimal--2.5.1.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/mpdecimal/2.5.1: 71 files, 2.1MB
==> Installing awscli dependency: ca-certificates
==> Pouring ca-certificates--2022-02-01.all.bottle.tar.gz
==> Regenerating CA certificate bundle from keychain, this may take a while...
🍺 /usr/local/Cellar/ca-certificates/2022-02-01: 3 files, 213.4KB
==> Installing awscli dependency: openssl@1.1
==> Pouring openssl@1.1--1.1.1m.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/openssl@1.1/1.1.1m: 8,081 files, 18.5MB
==> Installing awscli dependency: readline
==> Pouring readline--8.1.2.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/readline/8.1.2: 48 files, 1.6MB
==> Installing awscli dependency: sqlite
==> Pouring sqlite--3.38.0.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/sqlite/3.38.0: 11 files, 4.4MB
==> Installing awscli dependency: xz
==> Pouring xz--5.2.5.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/xz/5.2.5: 95 files, 1.3MB
==> Installing awscli dependency: python@3.9
==> Pouring python@3.9--3.9.10.monterey.bottle.tar.gz
==> /usr/local/Cellar/python@3.9/3.9.10/bin/python3 -m ensurepip
==> /usr/local/Cellar/python@3.9/3.9.10/bin/python3 -m pip install -v --no-deps --no-index --upgrade --isolated --target=/usr/local/lib/python3.9/site-packages /usr/local/Cellar/python@3.9/3.9.10/Framewor
🍺 /usr/local/Cellar/python@3.9/3.9.10: 3,080 files, 54.9MB
==> Installing awscli dependency: six
==> Pouring six--1.16.0_2.all.bottle.1.tar.gz
🍺 /usr/local/Cellar/six/1.16.0_2: 20 files, 122.3KB
==> Installing awscli
==> Pouring awscli--2.4.21.monterey.bottle.tar.gz
==> Caveats
The "examples" directory has been installed to:
/usr/local/share/awscli/examples
zsh completions and functions have been installed to:
/usr/local/share/zsh/site-functions
==> Summary
🍺 /usr/local/Cellar/awscli/2.4.21: 12,403 files, 98.0MB
==> Running `brew cleanup awscli`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> Caveats
==> awscli
The "examples" directory has been installed to:
/usr/local/share/awscli/examples
zsh completions and functions have been installed to:
/usr/local/share/zsh/site-functions
Pre-requisites-2: Install jq
jq is a lightweight and flexible command-line JSON processor.
~/Documents/prowler/prowler master $ brew install jq
==> Downloading https://ghcr.io/v2/homebrew/core/jq/manifests/1.6-1
Already downloaded: /Users/macpro/Library/Caches/Homebrew/downloads/fc2724606b6ebef1ba0db7d7ae84cfca1df8cfed9e58e3a8714413b3676935f7--jq-1.6-1.bottle_manifest.json
==> Downloading https://ghcr.io/v2/homebrew/core/jq/blobs/sha256:7fee6ea327062b37d34ef5346a84810a1752cc7146fff1223fab76c9b45686e0
Already downloaded: /Users/macpro/Library/Caches/Homebrew/downloads/de57802c1c3740b0761a664bea8c9f15347d4049295d0c81cd6368eda6b34953--jq--1.6.monterey.bottle.1.tar.gz
==> Pouring jq--1.6.monterey.bottle.1.tar.gz
🍺 /usr/local/Cellar/jq/1.6: 18 files, 1.1MB
==> Running `brew cleanup jq`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Pre-requisites-3: Install detect-secrets
~/Documents/prowler/prowler master $ brew install detect-secrets
Running `brew update --preinstall`...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> Updated Formulae
Updated 2 formulae.
==> Downloading https://ghcr.io/v2/homebrew/core/detect-secrets/manifests/1.2.0
Already downloaded: /Users/macpro/Library/Caches/Homebrew/downloads/2bc8b428481bdd5d7b761dd35c815afc1f89566bba036e3f3024095a08847c56--detect-secrets-1.2.0.bottle_manifest.json
==> Downloading https://ghcr.io/v2/homebrew/core/detect-secrets/blobs/sha256:483d2bd7fa7a791cef6d92273d53c40c32055d986f9976eef5d78332d16b47b0
Already downloaded: /Users/macpro/Library/Caches/Homebrew/downloads/02f1e9c7e1532b55d0186fc4edc39578e0f571e161d6fd7f5a82ccbe83192020--detect-secrets--1.2.0.monterey.bottle.tar.gz
==> Pouring detect-secrets--1.2.0.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/detect-secrets/1.2.0: 937 files, 11.6MB
==> Running `brew cleanup detect-secrets`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Pre-requisites-4: aws configure
Run "aws configure" and enter the required values to access your AWS account and run the audits. Prowler uses aws-cli in the background, so it uses your existing AWS credentials that you entered in "aws configure" to perform the audits.
~/Documents/prowler/prowler master $ aws configure
AWS Access Key ID [****************]:
AWS Secret Access Key [****************]:
Default region name [eu-xxxxxx-1]:
Default output format [json]:
Install prowler
Install Prowler on macOS:
~/Documents/prowler $ git clone https://github.com/prowler-cloud/prowler
Cloning into 'prowler'...
remote: Enumerating objects: 9457, done.
remote: Counting objects: 100% (3011/3011), done.
remote: Compressing objects: 100% (940/940), done.
remote: Total 9457 (delta 2260), reused 2699 (delta 2063), pack-reused 6446
Receiving objects: 100% (9457/9457), 55.23 MiB | 25.25 MiB/s, done.
Resolving deltas: 100% (6780/6780), done.
~/Documents/prowler $ ls
prowler
~/Documents/prowler $ cd prowler
~/Documents/prowler/prowler master $ ls
48: Pipfile command iam line util
CODE_OF_CONDUCT.md README.md docs include not whitelist_sample.txt
LICENSE checklist.txt found integrations output
LIST_OF_CHECKS_AND_GROUPS.md checks groups jq: prowler
Prowler in action
Sample screenshot of default console report first lines of command ./prowler:
Sample screenshot of the html output -M html:
Trust Boundaries Checks:
This group of checks analyses a particular AWS account (the subject) for existing links to other AWS accounts across various AWS services, in order to identify untrusted links.
~/Documents/prowler/prowler master $ ./prowler -g trustboundaries
                          _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |
 | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.7.0-24January2022
 |_| the handy cloud security tool
Date: Sun 27 Feb 2022 15:32:33 CET
Color code for results:
- INFO (Information)
- PASS (Recommended value)
- WARNING (Ignored by whitelist)
- FAIL (Fix required)
This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS API Region: [eu-central-1] AWS Filter Region: [all]
AWS Account: [xxxxxxxxxxx] UserId: [xxxxxxxxxxx]
Caller Identity ARN: [arn:aws:iam::xxxxxx:user/xxxxxx]
16.0 Find cross-account trust boundaries - [trustboundaries] ******* - []
7.89 [extra789] Find trust boundaries in VPC endpoint services connections - vpc [Medium]
7.90 [extra790] Find trust boundaries in VPC endpoint services whitelisted principles - vpc [Medium]
Generate Forensics ready report:
~/Documents/prowler/prowler master $ ./prowler -M html -g forensics-ready
                          _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |
 | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.7.0-24January2022
 |_| the handy cloud security tool
Date: Sun 27 Feb 2022 13:55:25 CET
Color code for results:
- INFO (Information)
- PASS (Recommended value)
- WARNING (Ignored by whitelist)
- FAIL (Fix required)
This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS API Region: [eu-xxxxx-1] AWS Filter Region: [all]
AWS Account: [xxxxxx] UserId: [xxxxxxxx]
Caller Identity ARN: [arn:aws:iam::xxxxxx:user/xxxxxx]
8.0 Forensics Readiness - [forensics-ready] ************************ - []
2.1 [check21] Ensure CloudTrail is enabled in all regions - cloudtrail [High]
2.2 [check22] Ensure CloudTrail log file validation is enabled - cloudtrail [Medium]
PASS! eu-central-1: Trail arn:aws:cloudtrail:eu-central-1:xxxxxxx:trail/xxx_xxx_Trail log file validation enabled
2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible - cloudtrail [Critical]
2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs - cloudtrail [Low]
2.5 [check25] Ensure AWS Config is enabled in all regions - configservice [Medium]
PASS! eu-north-1: AWS Config recorder enabled
FAIL! ap-south-1: AWS Config recorder disabled
FAIL! eu-west-3: AWS Config recorder disabled
FAIL! eu-west-2: AWS Config recorder disabled
FAIL! eu-west-1: AWS Config recorder disabled
FAIL! ap-northeast-3: AWS Config recorder disabled
FAIL! ap-northeast-2: AWS Config recorder disabled
FAIL! ap-northeast-1: AWS Config recorder disabled
FAIL! sa-east-1: AWS Config recorder disabled
FAIL! ca-central-1: AWS Config recorder disabled
FAIL! ap-southeast-1: AWS Config recorder disabled
FAIL! ap-southeast-2: AWS Config recorder disabled
FAIL! eu-central-1: AWS Config recorder disabled
FAIL! us-east-1: AWS Config recorder disabled
FAIL! us-east-2: AWS Config recorder disabled
FAIL! us-west-1: AWS Config recorder disabled
FAIL! us-west-2: AWS Config recorder disabled
2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - s3 [Medium]
2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs - cloudtrail [Medium]
2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs - vpc [Medium]
FAIL! eu-north-1: VPC vpc-xxxxxx VPCFlowLog is disabled
FAIL! ap-south-1: VPC vpc-xxxxxx VPCFlowLog is disabled
FAIL! eu-west-3: VPC vpc-xxxxxxx VPCFlowLog is disabled
FAIL! eu-west-2: VPC vpc-xxxxxxx VPCFlowLog is disabled
FAIL! ap-northeast-3: VPC vpc-xx VPCFlowLog is disabled
FAIL! ap-northeast-2: VPC vpc-xx VPCFlowLog is disabled
FAIL! ap-northeast-1: VPC vpc-xx VPCFlowLog is disabled
FAIL! sa-east-1: VPC vpc-xxxxxxx VPCFlowLog is disabled
FAIL! ca-central-1: VPC vpc-xxxx VPCFlowLog is disabled
FAIL! ap-southeast-1: VPC vpc-xx VPCFlowLog is disabled
FAIL! ap-southeast-2: VPC vpc-xx VPCFlowLog is disabled
FAIL! eu-central-1: VPC vpc-xxxx VPCFlowLog is disabled
FAIL! eu-central-1: VPC vpc-xxxx VPCFlowLog is disabled
FAIL! eu-central-1: VPC vpc-xxxx VPCFlowLog is disabled
FAIL! eu-central-1: VPC vpc-xxxx VPCFlowLog is disabled
FAIL! us-east-1: VPC vpc-xxxxxxx VPCFlowLog is disabled
FAIL! us-east-2: VPC vpc-xxxxxxx VPCFlowLog is disabled
FAIL! us-west-1: VPC vpc-xxxxxxx VPCFlowLog is disabled
FAIL! us-west-2: VPC vpc-xxxxxxx VPCFlowLog is disabled
7.12 [extra712] Check if Amazon Macie is enabled - macie [Low]
FAIL! eu-central-1: No Macie related IAM roles found. It is most likely not to be enabled
7.13 [extra713] Check if GuardDuty is enabled - guardduty [High]
PASS! eu-north-1: GuardDuty detector xxxxxxx enabled
PASS! ap-south-1: GuardDuty detector xxxxxxx enabled
PASS! eu-west-3: GuardDuty detector xxxxxxx enabled
PASS! eu-west-2: GuardDuty detector xxxxxxx enabled
PASS! eu-west-1: GuardDuty detector xxxxxxx enabled
FAIL! ap-northeast-3: GuardDuty detector not configured!
PASS! ap-northeast-2: GuardDuty detector xxxxxx enabled
PASS! ap-northeast-1: GuardDuty detector xxxxxx enabled
PASS! sa-east-1: GuardDuty detector xxxxxxx enabled
PASS! ca-central-1: GuardDuty detector xxxxxxx enabled
PASS! ap-southeast-1: GuardDuty detector xxxxxx enabled
PASS! ap-southeast-2: GuardDuty detector xxxxxx enabled
PASS! eu-central-1: GuardDuty detector xxxxxxx enabled
PASS! us-east-1: GuardDuty detector xxxxxxx enabled
PASS! us-east-2: GuardDuty detector xxxxxxx enabled
PASS! us-west-1: GuardDuty detector xxxxxxx enabled
PASS! us-west-2: GuardDuty detector xxxxxxx enabled
7.14 [extra714] Check if CloudFront distributions have logging enabled - cloudfront [Medium]
INFO! eu-central-1: No CloudFront distributions found
7.15 [extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled - es [Medium]
INFO! eu-north-1: No Amazon ES domain found
INFO! ap-south-1: No Amazon ES domain found
INFO! eu-west-3: No Amazon ES domain found
INFO! eu-west-2: No Amazon ES domain found
INFO! eu-west-1: No Amazon ES domain found
INFO! ap-northeast-3: No Amazon ES domain found
INFO! ap-northeast-2: No Amazon ES domain found
INFO! ap-northeast-1: No Amazon ES domain found
INFO! sa-east-1: No Amazon ES domain found
INFO! ca-central-1: No Amazon ES domain found
INFO! ap-southeast-1: No Amazon ES domain found
INFO! ap-southeast-2: No Amazon ES domain found
INFO! eu-central-1: No Amazon ES domain found
INFO! us-east-1: No Amazon ES domain found
INFO! us-east-2: No Amazon ES domain found
INFO! us-west-1: No Amazon ES domain found
INFO! us-west-2: No Amazon ES domain found
7.17 [extra717] Check if Elastic Load Balancers have logging enabled - elb [Medium]
INFO! eu-north-1: No ELBs found
INFO! ap-south-1: No ELBs found
INFO! eu-west-3: No ELBs found
INFO! eu-west-2: No ELBs found
INFO! eu-west-1: No ELBs found
INFO! ap-northeast-3: No ELBs found
INFO! ap-northeast-2: No ELBs found
INFO! ap-northeast-1: No ELBs found
INFO! sa-east-1: No ELBs found
INFO! ca-central-1: No ELBs found
INFO! ap-southeast-1: No ELBs found
INFO! ap-southeast-2: No ELBs found
INFO! eu-central-1: No ELBs found
INFO! us-east-1: No ELBs found
INFO! us-east-2: No ELBs found
INFO! us-west-1: No ELBs found
INFO! us-west-2: No ELBs found
7.18 [extra718] Check if S3 buckets have server access logging enabled - s3 [Medium]
7.19 [extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs - route53 [Medium]
INFO! eu-central-1: No Route53 hosted zones found
7.20 [extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail - lambda [Low]
INFO! ap-south-1: No Lambda functions found
INFO! eu-west-3: No Lambda functions found
INFO! eu-west-2: No Lambda functions found
INFO! eu-west-1: No Lambda functions found
FAIL! ap-northeast-3: Lambda function CUSTOM_CENTRALIZED_CLOUDTRAIL_CHECK NOT enabled in trail arn:aws:cloudtrail:eu-xxxxx-1:xxxxxxxxx:trail/xxx_xxx_Trail
INFO! ap-northeast-2: No Lambda functions found
INFO! ap-northeast-1: No Lambda functions found
INFO! sa-east-1: No Lambda functions found
INFO! ca-central-1: No Lambda functions found
INFO! ap-southeast-1: No Lambda functions found
INFO! ap-southeast-2: No Lambda functions found
INFO! eu-central-1: No Lambda functions found
INFO! us-east-1: No Lambda functions found
INFO! us-east-2: No Lambda functions found
INFO! us-west-1: No Lambda functions found
INFO! us-west-2: No Lambda functions found
7.21 [extra721] Check if Redshift cluster has audit logging enabled - redshift [Medium]
INFO! eu-north-1: No Redshift cluster configured
INFO! ap-south-1: No Redshift cluster configured
INFO! eu-west-3: No Redshift cluster configured
INFO! eu-west-2: No Redshift cluster configured
INFO! eu-west-1: No Redshift cluster configured
INFO! ap-northeast-3: No Redshift cluster configured
INFO! ap-northeast-2: No Redshift cluster configured
INFO! ap-northeast-1: No Redshift cluster configured
INFO! sa-east-1: No Redshift cluster configured
INFO! ca-central-1: No Redshift cluster configured
INFO! ap-southeast-1: No Redshift cluster configured
INFO! ap-southeast-2: No Redshift cluster configured
INFO! eu-central-1: No Redshift cluster configured
INFO! us-east-1: No Redshift cluster configured
INFO! us-east-2: No Redshift cluster configured
INFO! us-west-1: No Redshift cluster configured
INFO! us-west-2: No Redshift cluster configured
7.22 [extra722] Check if API Gateway has logging enabled - apigateway [Medium]
INFO! eu-north-1: No API Gateway found
INFO! ap-south-1: No API Gateway found
INFO! eu-west-3: No API Gateway found
INFO! eu-west-2: No API Gateway found
INFO! eu-west-1: No API Gateway found
INFO! ap-northeast-3: No API Gateway found
INFO! ap-northeast-2: No API Gateway found
INFO! ap-northeast-1: No API Gateway found
INFO! sa-east-1: No API Gateway found
INFO! ca-central-1: No API Gateway found
INFO! ap-southeast-1: No API Gateway found
INFO! ap-southeast-2: No API Gateway found
INFO! eu-central-1: No API Gateway found
INFO! us-east-1: No API Gateway found
INFO! us-east-2: No API Gateway found
INFO! us-west-1: No API Gateway found
INFO! us-west-2: No API Gateway found
7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail - s3 [Medium]
FAIL! eu-central-1: S3 bucket aws-athena-query-results-eu-central-1-xxxxxxxxx has Object-level logging disabled
7.101 [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled - es [Low]
INFO! eu-north-1: No Amazon ES domain found
INFO! ap-south-1: No Amazon ES domain found
INFO! eu-west-3: No Amazon ES domain found
INFO! eu-west-2: No Amazon ES domain found
INFO! eu-west-1: No Amazon ES domain found
INFO! ap-northeast-3: No Amazon ES domain found
INFO! ap-northeast-2: No Amazon ES domain found
INFO! ap-northeast-1: No Amazon ES domain found
INFO! sa-east-1: No Amazon ES domain found
INFO! ca-central-1: No Amazon ES domain found
INFO! ap-southeast-1: No Amazon ES domain found
INFO! ap-southeast-2: No Amazon ES domain found
INFO! eu-central-1: No Amazon ES domain found
INFO! us-east-1: No Amazon ES domain found
INFO! us-east-2: No Amazon ES domain found
INFO! us-west-1: No Amazon ES domain found
INFO! us-west-2: No Amazon ES domain found
7.94 [extra794] Ensure EKS Control Plane Audit Logging is enabled for all log types - eks [Medium]
INFO! eu-north-1: No EKS clusters found
INFO! ap-south-1: No EKS clusters found
INFO! eu-west-3: No EKS clusters found
INFO! eu-west-2: No EKS clusters found
INFO! eu-west-1: No EKS clusters found
INFO! ap-northeast-3: No EKS clusters found
INFO! ap-northeast-2: No EKS clusters found
INFO! ap-northeast-1: No EKS clusters found
INFO! sa-east-1: No EKS clusters found
INFO! ca-central-1: No EKS clusters found
INFO! ap-southeast-1: No EKS clusters found
INFO! ap-southeast-2: No EKS clusters found
INFO! eu-central-1: No EKS clusters found
INFO! us-east-1: No EKS clusters found
INFO! us-east-2: No EKS clusters found
INFO! us-west-1: No EKS clusters found
INFO! us-west-2: No EKS clusters found
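To turn a long console report like the one above into a short worklist, the following added example (not part of the original post or of Prowler itself) counts FAIL lines per check and lists the affected regions. The sample report is constructed to mirror the transcript's line format; the function names, and the stripping of colour codes and leading whitespace that live terminal output may carry, are assumptions.

```shell
#!/bin/sh
# Added example: summarise FAIL findings from Prowler console text.

# Constructed sample, shaped like the forensics-ready transcript above.
sample_report() {
cat <<'EOF'
8.0 Forensics Readiness - [forensics-ready] ************************ - []
2.2 [check22] Ensure CloudTrail log file validation is enabled - cloudtrail [Medium]
PASS! eu-central-1: Trail arn:aws:cloudtrail:eu-central-1:111111111111:trail/example log file validation enabled
2.5 [check25] Ensure AWS Config is enabled in all regions - configservice [Medium]
PASS! eu-north-1: AWS Config recorder enabled
FAIL! ap-south-1: AWS Config recorder disabled
FAIL! eu-west-3: AWS Config recorder disabled
2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs - vpc [Medium]
FAIL! eu-central-1: VPC vpc-aaaa VPCFlowLog is disabled
FAIL! eu-central-1: VPC vpc-bbbb VPCFlowLog is disabled
7.13 [extra713] Check if GuardDuty is enabled - guardduty [High]
PASS! eu-west-1: GuardDuty detector example enabled
FAIL! ap-northeast-3: GuardDuty detector not configured!
7.17 [extra717] Check if Elastic Load Balancers have logging enabled - elb [Medium]
INFO! eu-north-1: No ELBs found
EOF
}

# Reads a report on stdin and prints one line per check that has at least
# one FAIL:  <check-id> <severity> <service> fails=<n> regions=<r1,r2,...>
summarize_fails() {
  esc=$(printf '\033')
  # Assumption: drop ANSI colour sequences in case the text came from a terminal.
  sed "s/${esc}\[[0-9;]*m//g" |
  awk '
    { sub(/^[ \t]+/, "") }                      # tolerate indented lines
    # Check header: "<num> [<id>] <title> - <service> [<severity>]"
    /^[0-9]+\.[0-9]+ \[[A-Za-z0-9_]+\] / {
      id = $2;   gsub(/\[|\]/, "", id)
      sev = $NF; gsub(/\[|\]/, "", sev)
      if (!(id in seen)) { seen[id] = 1; order[++n] = id }
      severity[id] = sev
      service[id] = $(NF - 1)
      next
    }
    # Result line: "FAIL! <region>: <message>", attributed to the last header
    /^FAIL! / && id != "" {
      region = $2; sub(/:$/, "", region)
      fails[id]++
      if (!((id, region) in hit)) {             # list each region once
        hit[id, region] = 1
        regions[id] = (regions[id] == "" ? region : regions[id] "," region)
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        if (fails[id] > 0)
          printf "%s %s %s fails=%d regions=%s\n",
                 id, severity[id], service[id], fails[id], regions[id]
      }
    }
  '
}

sample_report | summarize_fails
```

For a real run, save the console output of `./prowler -g forensics-ready` to a file and feed that file to `summarize_fails` on stdin.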
Conclusion
Prowler provides dozens of security configuration checks related to services such as Amazon Redshift, Amazon ElastiCache, Amazon API Gateway and Amazon CloudFront. Integrating Prowler with AWS Security Hub will provide posture information about resources not currently covered by existing Security Hub integrations or compliance standards.
Use AWS Fargate and Prowler to send security configuration findings about AWS services to Security Hub: https://aws.amazon.com/blogs/security/use-aws-fargate-prowler-send-security-configuration-findings-about-aws-services-security-hub