AWS Authentication in Prowler
Prowler requires AWS credentials to function properly. Authentication is available through the following methods:
- Static Credentials
- Assumed Role
Required Permissions
To ensure full functionality, attach the following AWS managed policies to the designated user or role:
arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
Additional Permissions
For certain checks, additional read-only permissions are required. Attach the following custom policy to your role: prowler-additions-policy.json
Assume Role (Recommended)
This method grants permanent access and is the recommended setup for production environments.
- Download the Prowler Scan Role Template
- Open the AWS Console and search for CloudFormation
- Go to Stacks and click "Create stack" > "With new resources (standard)"
- In Specify Template, choose "Upload a template file" and select the downloaded file
- Click "Next", then provide a stack name and the External ID shown in the Prowler Cloud setup screen
Info: An External ID is required when assuming the ProwlerScan role to comply with AWS confused deputy prevention.
- Acknowledge the IAM resource creation warning and proceed
- Click "Submit" to deploy the stack
To provision the scan role using Terraform:
- Run the following commands:
- During plan and apply, provide the External ID when prompted, which is available in the Prowler Cloud or Prowler App UI.
💡 Note: Terraform will use the AWS credentials of the default profile.
Credentials
- Go to the AWS Console and open CloudShell
- Run:
- Copy the output containing AccessKeyId and SecretAccessKey
Use the AWS Access Portal or the CLI:
- Retrieve short-term credentials for the IAM identity using this command:
Note: Check the AWS documentation here.
- Copy the output containing AccessKeyId, SecretAccessKey and SessionToken
Sample output:
{
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
        "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
        "Expiration": "2020-05-19T18:06:10+00:00"
    }
}
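Two defender-side checks around the flow above, added here as an example (not Prowler's own code): one verifies that a ProwlerScan-style trust policy actually requires the External ID the Info box describes, the other turns an STS Credentials object in the sample-output shape into the environment variables Prowler reads, refusing an expired session. The trust policy, account ID and External ID value are constructed placeholders; Prowler's real role template is not reproduced on this page.

```python
# Added example, not Prowler's own code. The trust policy below is constructed:
# the first statement is sound, the second skips the External ID condition.
import json
from datetime import datetime, timezone

EXAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "WithExternalId", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}},
    {"Sid": "MissingExternalId", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"}
  ]
}""")


def statements_missing_external_id(policy):
    """Sids of Allow statements granting sts:AssumeRole with no
    StringEquals condition on sts:ExternalId (confused-deputy exposure)."""
    offenders = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


def sts_credentials_to_env(sts_output, now=None):
    """Map the STS response shape shown above to the AWS_* variables
    Prowler and the AWS CLI read. Returns None if Expiration has passed."""
    creds = sts_output["Credentials"]
    expiration = datetime.fromisoformat(creds["Expiration"])
    now = now or datetime.now(timezone.utc)
    if expiration <= now:
        return None
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
```

The sample output above carries a 2020 Expiration, so feeding it to sts_credentials_to_env with the real clock returns None; pass an explicit earlier now to exercise the success path.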