
AWS Authentication in Prowler

Prowler requires AWS credentials to function properly. Authentication is available through the following methods:

  • Static Credentials
  • Assumed Role

Required Permissions

To ensure full functionality, attach the following AWS managed policies to the designated user or role:

  • arn:aws:iam::aws:policy/SecurityAudit
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Additional Permissions

For certain checks, additional read-only permissions are required. Attach the following custom policy to your role: prowler-additions-policy.json

Assumed Role

Letting Prowler assume an IAM role in the target account (the ProwlerScan role deployed below) grants it standing access without handing out long-lived access keys, and is the recommended setup for production environments. To deploy the role with CloudFormation:

  1. Download the Prowler Scan Role Template

    Download Role Template

  2. Open the AWS Console, search for CloudFormation

  3. Go to Stacks and click "Create stack" > "With new resources (standard)"

  4. In Specify Template, choose "Upload a template file" and select the downloaded file

  5. Click "Next", provide a stack name and the External ID shown in the Prowler Cloud setup screen

    Info

    The External ID is required when assuming the ProwlerScan role: the role's trust policy only allows sts:AssumeRole when the caller presents this value, which is the AWS-recommended mitigation for the confused deputy problem (a third party being tricked into assuming your role on someone else's behalf). Enter exactly the value shown in the Prowler setup screen; a mismatch makes every AssumeRole call fail with AccessDenied.

  6. Acknowledge the IAM resource creation warning and proceed

  7. Click "Submit" to deploy the stack

To provision the scan role using Terraform:

  1. Run the following commands:

    terraform init
    terraform plan
    terraform apply
    
  2. During plan and apply, provide the External ID when prompted, which is available in the Prowler Cloud or Prowler App UI:

💡 Note: Terraform uses the AWS credentials of the default profile (the standard AWS credential chain, so AWS_PROFILE or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in the environment override it). Run it as an identity that is allowed to create IAM roles and attach policies in the target account.
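Both the CloudFormation template and the Terraform module end up with the same object: a role in your account whose trust policy names the principal that may assume it and requires the External ID. The script below is an added example, not Prowler's template or module, that builds that role with the AWS CLI so each piece is visible: the trust policy with the sts:ExternalId condition, the two managed policies listed under Required Permissions, the prowler-additions-policy.json inline policy, and a check that the External ID is actually enforced. The account ID 111122223333, the EXTERNAL_ID placeholder and the role name are assumptions to replace with your own values (for Prowler Cloud the principal is Prowler's AWS account as shown in the setup screen; for a self-hosted Prowler it is the IAM user or role Prowler runs as).

```shell
#!/usr/bin/env sh
# Added example, not Prowler's own template: create a ProwlerScan role with the
# AWS CLI, equivalent in spirit to the CloudFormation/Terraform setup above.
set -eu

# Assumptions (placeholders, not values from the Prowler docs):
PROWLER_ACCOUNT_ID="${PROWLER_ACCOUNT_ID:-111122223333}"  # account that will assume the role
EXTERNAL_ID="${EXTERNAL_ID:-REPLACE_WITH_EXTERNAL_ID}"     # value shown in the Prowler setup screen
ROLE_NAME="${ROLE_NAME:-ProwlerScan}"

# Trust policy: only the named account may assume the role, and only when it
# presents the External ID (the confused-deputy mitigation the Info box refers to).
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${PROWLER_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "${EXTERNAL_ID}"}}
  }]
}
EOF
}

# The two AWS managed policies the Required Permissions section lists.
managed_policies() {
  printf '%s\n' \
    "arn:aws:iam::aws:policy/SecurityAudit" \
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null
  managed_policies | while read -r arn; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  done
  # Additional read-only permissions from prowler-additions-policy.json, if downloaded locally.
  if [ -f prowler-additions-policy.json ]; then
    aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name ProwlerAdditions \
      --policy-document file://prowler-additions-policy.json
  fi
}

# Read back the External ID the trust policy enforces (the CLI returns the
# trust document already decoded, so JMESPath can walk it).
role_external_id() {
  aws iam get-role --role-name "$ROLE_NAME" --output text \
    --query 'Role.AssumeRolePolicyDocument.Statement[0].Condition.StringEquals."sts:ExternalId"'
}

# From the assuming account: succeeds only with the matching --external-id;
# the same call without it is denied, which is the property worth confirming.
# $1 = full ARN of the role in the target account.
assume_check() {
  aws sts assume-role --role-arn "$1" --role-session-name prowler-check \
    --external-id "$EXTERNAL_ID" --query 'AssumedRoleUser.Arn' --output text
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${DO_CREATE:-0}" = "1" ]; then
  create_role
  role_external_id
fi
```

Run it with `DO_CREATE=1 EXTERNAL_ID=... PROWLER_ACCOUNT_ID=... sh create-prowler-role.sh` from an identity that may create IAM roles; then, from the assuming side, `assume_check arn:aws:iam::<target-account>:role/ProwlerScan` should print the assumed-role ARN, and the same command with `--external-id` removed should be refused.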


Credentials

To create long-term access keys for an IAM user (CloudShell runs with the credentials of the identity you are signed in as, so that identity must be an IAM user rather than a federated or assumed role; alternatively pass --user-name to create keys for a dedicated Prowler user):

  1. Go to the AWS Console, open CloudShell

  2. Run:

    aws iam create-access-key
    
  3. Copy the output containing the following (the secret is shown only this once, and an IAM user can hold at most two access keys at a time):

    • AccessKeyId
    • SecretAccessKey

For short-term credentials, use the AWS Access Portal (IAM Identity Center) or the CLI:

  1. Retrieve short-term credentials for the IAM identity using this command (get-session-token must be called with an IAM user's long-term keys, not with credentials that are already temporary; 900 seconds is the minimum duration):

    aws sts get-session-token --duration-seconds 900
    
    Note

    See the AWS CLI documentation for sts get-session-token.

  2. Copy the output containing:

    • AccessKeyId
    • SecretAccessKey
    • SessionToken

    Sample output:

    {
        "Credentials": {
            "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
            "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
            "Expiration": "2020-05-19T18:06:10+00:00"
        }
    }
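Whichever of the two outputs you obtained, Prowler needs the values in its environment: it reads the standard AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN variables through boto3's default credential chain. The script below is an added example, not part of the Prowler docs. It extracts the fields from the JSON shown above (embedded here as constructed sample input, using the example values from the AWS documentation), emits the export lines, tells a session key (ASIA prefix) from a long-term key (AKIA prefix), and checks the identity before scanning. It also handles the create-access-key output from the earlier section, which carries no SessionToken.

```shell
#!/usr/bin/env sh
# Added example (not from the Prowler docs): turn get-session-token or
# create-access-key output into the environment variables Prowler picks up.
set -eu

# Constructed sample input: the get-session-token output shown above, using the
# AWS documentation example values (SessionToken shortened for readability).
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
        "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE",
        "Expiration": "2020-05-19T18:06:10+00:00"
    }
}'

# Extract one string field from the JSON the CLI prints (no jq dependency;
# sufficient for this fixed output shape). $1 = field name, JSON on stdin.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Print 'export' lines for the variables Prowler needs. Use with:
#   eval "$(aws sts get-session-token --duration-seconds 900 | creds_to_env)"
creds_to_env() {
  json=$(cat)
  key_id=$(printf '%s' "$json" | json_field AccessKeyId)
  secret=$(printf '%s' "$json" | json_field SecretAccessKey)
  token=$(printf '%s' "$json" | json_field SessionToken)
  [ -n "$key_id" ] && [ -n "$secret" ] || { echo "credentials missing from input" >&2; return 1; }
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key_id"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  # Long-term keys from 'aws iam create-access-key' have no SessionToken; unset
  # the variable in that case so a stale token from an earlier session is not sent.
  if [ -n "$token" ]; then
    printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  else
    printf 'unset AWS_SESSION_TOKEN\n'
  fi
}

# Temporary (STS) keys start with ASIA, long-term IAM user keys with AKIA.
# Returns 0 for a session-scoped key, 1 otherwise.
is_temporary_key() {
  case "$1" in
    ASIA*) return 0 ;;
    *) return 1 ;;
  esac
}

# Confirm the exported identity works before launching the scan.
check_identity() {
  aws sts get-caller-identity --query Arn --output text
}

# Demo against the sample only when asked; the example keys are not valid,
# so check_identity fails here but succeeds with real credentials.
if [ "${RUN_DEMO:-0}" = "1" ]; then
  eval "$(printf '%s' "$SAMPLE_STS_JSON" | creds_to_env)"
  check_identity
fi
```

Typical use: `eval "$(aws sts get-session-token --duration-seconds 900 | creds_to_env)" && check_identity && prowler aws`. With a 900-second session the scan must start within that window, and the token is only valid for the calling identity, so rotate it per run rather than storing it.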