Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy prowler-additions-policy.json to the role you are using. If you want Prowler to send findings to AWS Security Hub, make sure you also attach the custom policy prowler-security-hub.json.
Prowler can use your custom AWS Profile with:
If your IAM entity enforces MFA you can use
--mfa and Prowler will ask you to input the following values to get a new session:
- ARN of your MFA device
- TOTP (Time-Based One-Time Password)
STS Endpoint Region¶
If you are using Prowler in AWS regions that are not enabled by default you need to use the argument
--sts-endpoint-region to point the AWS STS API calls
get-caller-identity to the non-default region, e.g.:
prowler aws --sts-endpoint-region eu-south-2.