AWS Authentication in Prowler¶
Proper authentication is required for Prowler to perform security checks across AWS resources. Ensure that AWS-CLI is correctly configured or manually declare AWS credentials before running scans.
Configure AWS Credentials¶
Use one of the following methods to authenticate:
or
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
These credentials must be associated with a user or role with the necessary permissions to perform security checks.
Assign Required AWS Permissions¶
To ensure full functionality, attach the following AWS managed policies to the designated user or role:
arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
Note
Some security checks require read-only additional permissions. Attach the following custom policies to the role: prowler-additions-policy.json. If you want Prowler to send findings to AWS Security Hub, make sure to also attach the custom policy: prowler-security-hub.json.
AWS Profiles and Service Scanning in Prowler¶
Prowler supports authentication and security assessments using custom AWS profiles and can optionally scan unused services.
Using Custom AWS Profiles
Prowler allows you to specify a custom AWS profile using the following command:
Multi-Factor Authentication (MFA)¶
If MFA enforcement is required for your IAM entity, you can use --mfa
. Prowler will prompt you to enter the following in order to get a new session:
- ARN of your MFA device
- TOTP (Time-Based One-Time Password)