Getting Started With AWS on Prowler

Prowler App

Walkthrough video onboarding an AWS Account using Assumed Role.

Step 1: Get Your AWS Account ID

  1. Log in to the AWS Console
  2. Locate your AWS account ID in the top-right dropdown menu

Step 2: Access Prowler Cloud or Prowler App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to "Configuration" > "Cloud Providers"

  3. Click "Add Cloud Provider"

  4. Select "Amazon Web Services"

  5. Enter your AWS Account ID and optionally provide a friendly alias

  6. Choose the preferred authentication method (next step)

Step 3: Set Up AWS Authentication

Before proceeding, choose the preferred authentication mode:

Credentials

  • Quick scan as current user
  • No extra setup
  • Credentials time out

Assumed Role

  • Preferred Setup
  • Permanent Credentials
  • Requires access to create role

The Assumed Role method grants permanent access and is the recommended setup for production environments.

For detailed instructions on how to create the role, see Authentication > Assume Role.

  1. Once the role is created, go to the IAM Console and click the "ProwlerScan" role to open its details

  2. Copy the Role ARN

  3. Paste the ARN into the corresponding field in Prowler Cloud or Prowler App

  4. Click "Next", then "Launch Scan"


Credentials (Static Access Keys)

AWS accounts can also be configured using static credentials (not recommended for long-term use):

For detailed instructions on how to create the credentials, see Authentication > Credentials.

  1. Complete the form in Prowler Cloud or Prowler App and click "Next"

  2. Click "Launch Scan"


Prowler CLI

Configure AWS Credentials

To authenticate with AWS, use one of the following methods:

aws configure

or

export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"

These credentials must be associated with a user or role with the necessary permissions to perform security checks.

For more details on Assume Role settings from the CLI, see the Assume Role page.
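
A pre-flight check for the exported variables above, as an added example that is not part of Prowler or its documentation. It tells temporary credentials from static ones and catches half-set or stale variables before a scan. The function names `classify_aws_env_creds` and `prowler_preflight` are hypothetical; the `AKIA`/`ASIA` key ID prefixes are the standard AWS ones.

```sh
# Added example, not part of Prowler: classify the AWS credentials exported in
# this shell before running `prowler aws`. Key ID prefixes follow AWS usage:
# AKIA = long-term IAM user access key, ASIA = temporary STS credentials.
classify_aws_env_creds() (
  key="${AWS_ACCESS_KEY_ID:-}"
  secret="${AWS_SECRET_ACCESS_KEY:-}"
  token="${AWS_SESSION_TOKEN:-}"

  if [ -z "$key$secret$token" ]; then
    # Nothing exported: the AWS SDK falls back to profiles or other sources.
    echo "none"
  elif [ -z "$key" ] || [ -z "$secret" ]; then
    # A key ID without its secret (or the reverse) cannot sign requests.
    echo "incomplete"
  else
    case "$key" in
      ASIA*)
        # Temporary credentials are only valid together with a session token.
        if [ -n "$token" ]; then echo "temporary"; else echo "incomplete"; fi ;;
      AKIA*)
        # A stale session token left next to a long-term key breaks auth.
        if [ -n "$token" ]; then echo "mismatch"; else echo "long-term"; fi ;;
      *) echo "unknown" ;;  # e.g. a placeholder value that was never replaced
    esac
  fi
)

# Returns 0 only when the environment is usable; prints advice on stderr.
prowler_preflight() {
  case "$(classify_aws_env_creds)" in
    temporary|none) return 0 ;;
    long-term)
      echo "warning: static access key in use; prefer an assumed role" >&2
      return 0 ;;
    incomplete)
      echo "error: credential variables are incomplete" >&2; return 1 ;;
    mismatch)
      echo "error: unset AWS_SESSION_TOKEN or export the matching ASIA key" >&2
      return 1 ;;
    *) echo "error: unrecognised access key ID prefix" >&2; return 1 ;;
  esac
}
```

Run it as `prowler_preflight && prowler aws`; once it passes, `aws sts get-caller-identity` confirms which account and principal the scan will run as.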

AWS Profiles

To use a custom AWS profile, specify it with the following command:

prowler aws -p/--profile <profile_name>

Multi-Factor Authentication (MFA)

For IAM entities requiring Multi-Factor Authentication (MFA), use the --mfa flag. Prowler prompts for the following values to initiate a new session:

  • ARN of your MFA device
  • TOTP (time-based one-time password)