
Configuration File

Several Prowler checks have user-configurable variables that can be modified in a common configuration file. This file can be found at the following path:

prowler/config/config.yaml

You can also supply a custom configuration file with the --config-file argument.

AWS

Configurable Checks

The following table lists every AWS check with configurable variables that can be changed in the configuration YAML file:

Check Name                                                   Value                                           Type
iam_user_accesskey_unused                                    max_unused_access_keys_days                     Integer
iam_user_console_access_unused                               max_console_access_days                         Integer
ec2_elastic_ip_shodan                                        shodan_api_key                                  String
ec2_securitygroup_with_many_ingress_egress_rules             max_security_group_rules                        Integer
ec2_instance_older_than_specific_days                        max_ec2_instance_age_in_days                    Integer
vpc_endpoint_connections_trust_boundaries                    trusted_account_ids                             List of Strings
vpc_endpoint_services_allowed_principals_trust_boundaries    trusted_account_ids                             List of Strings
cloudwatch_log_group_retention_policy_specific_days_enabled  log_group_retention_days                        Integer
appstream_fleet_session_idle_disconnect_timeout              max_idle_disconnect_timeout_in_seconds          Integer
appstream_fleet_session_disconnect_timeout                   max_disconnect_timeout_in_seconds               Integer
appstream_fleet_maximum_session_duration                     max_session_duration_seconds                    Integer
awslambda_function_using_supported_runtimes                  obsolete_lambda_runtimes                        Integer
organizations_scp_check_deny_regions                         organizations_enabled_regions                   List of Strings
organizations_delegated_administrators                       organizations_trusted_delegated_administrators  List of Strings
ecr_repositories_scan_vulnerabilities_in_latest_image        ecr_repository_vulnerability_minimum_severity   String
trustedadvisor_premium_support_plan_subscribed               verify_premium_support_plans                    Boolean
config_recorder_all_regions_enabled                          allowlist_non_default_regions                   Boolean
drs_job_exist                                                allowlist_non_default_regions                   Boolean
guardduty_is_enabled                                         allowlist_non_default_regions                   Boolean
securityhub_enabled                                          allowlist_non_default_regions                   Boolean

Azure

Configurable Checks

The following table lists every Azure check with configurable variables that can be changed in the configuration YAML file:

Check Name                           Value                  Type
network_public_ip_shodan             shodan_api_key         String
app_ensure_php_version_is_latest     php_latest_version     String
app_ensure_python_version_is_latest  python_latest_version  String
app_ensure_java_version_is_latest    java_latest_version    String

GCP

Configurable Checks

Config YAML File Structure

Note

This is the new Prowler configuration file format. The old format, without provider keys, is still supported, but only for the AWS provider.

config.yaml
# AWS Configuration
aws:

  # AWS Global Configuration
  # aws.allowlist_non_default_regions --> Allowlist Failed Findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
  allowlist_non_default_regions: False

  # AWS IAM Configuration
  # aws.iam_user_accesskey_unused --> CIS recommends 45 days
  max_unused_access_keys_days: 45
  # aws.iam_user_console_access_unused --> CIS recommends 45 days
  max_console_access_days: 45

  # AWS EC2 Configuration
  # aws.ec2_elastic_ip_shodan
  shodan_api_key: null
  # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
  max_security_group_rules: 50
  # aws.ec2_instance_older_than_specific_days --> by default is 6 months (180 days)
  max_ec2_instance_age_in_days: 180

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
  # Single account environment: No action required. The AWS account number will be automatically added by the checks.
  # Multi account environment: Any additional trusted account number should be added as a YAML list of quoted strings, e.g.
  # trusted_account_ids: ["123456789012", "098765432109", "678901234567"]
  trusted_account_ids: []

  # AWS Cloudwatch Configuration
  # aws.cloudwatch_log_group_retention_policy_specific_days_enabled --> by default is 365 days
  log_group_retention_days: 365

  # AWS AppStream Session Configuration
  # aws.appstream_fleet_session_idle_disconnect_timeout
  max_idle_disconnect_timeout_in_seconds: 600 # 10 Minutes
  # aws.appstream_fleet_session_disconnect_timeout
  max_disconnect_timeout_in_seconds: 300 # 5 Minutes
  # aws.appstream_fleet_maximum_session_duration
  max_session_duration_seconds: 36000 # 10 Hours

  # AWS Lambda Configuration
  # aws.awslambda_function_using_supported_runtimes
  obsolete_lambda_runtimes:
    [
      "python3.6",
      "python2.7",
      "nodejs4.3",
      "nodejs4.3-edge",
      "nodejs6.10",
      "nodejs",
      "nodejs8.10",
      "nodejs10.x",
      "dotnetcore1.0",
      "dotnetcore2.0",
      "dotnetcore2.1",
      "ruby2.5",
    ]

  # AWS Organizations
  # organizations_scp_check_deny_regions
  # organizations_enabled_regions: [
  #   'eu-central-1',
  #   'eu-west-1',
  #   "us-east-1"
  # ]
  organizations_enabled_regions: []
  organizations_trusted_delegated_administrators: []

  # AWS ECR
  # ecr_repositories_scan_vulnerabilities_in_latest_image
  # CRITICAL
  # HIGH
  # MEDIUM
  ecr_repository_vulnerability_minimum_severity: "MEDIUM"

  # AWS Trusted Advisor
  # trustedadvisor_premium_support_plan_subscribed
  verify_premium_support_plans: True

# Azure Configuration
azure:
  # Azure Network Configuration
  # azure.network_public_ip_shodan
  shodan_api_key: null

  # Azure App Configuration
  # azure.app_ensure_php_version_is_latest
  php_latest_version: "8.2"
  # azure.app_ensure_python_version_is_latest
  python_latest_version: "3.12"
  # azure.app_ensure_java_version_is_latest
  java_latest_version: "17"

# GCP Configuration
gcp:
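As an added example (not Prowler's own code), a small validator for this file: it accepts both layouts the note above describes (provider-keyed, or the old flat AWS-only one) and checks each variable against the types listed in the AWS and Azure tables, plus the 12-digit string form that trusted_account_ids requires. It assumes the file has already been parsed into a dict, for example with yaml.safe_load; the sample input at the bottom is constructed.

```python
# Variable -> expected type, taken from the AWS and Azure tables above.
AWS_SCHEMA = {
    "allowlist_non_default_regions": bool, "verify_premium_support_plans": bool,
    "max_unused_access_keys_days": int, "max_console_access_days": int,
    "max_security_group_rules": int, "max_ec2_instance_age_in_days": int,
    "log_group_retention_days": int, "max_idle_disconnect_timeout_in_seconds": int,
    "max_disconnect_timeout_in_seconds": int, "max_session_duration_seconds": int,
    "shodan_api_key": (str, type(None)), "ecr_repository_vulnerability_minimum_severity": str,
    "trusted_account_ids": list, "obsolete_lambda_runtimes": list,
    "organizations_enabled_regions": list, "organizations_trusted_delegated_administrators": list,
}
AZURE_SCHEMA = {"shodan_api_key": (str, type(None)), "php_latest_version": str,
                "python_latest_version": str, "java_latest_version": str}
SCHEMAS = {"aws": AWS_SCHEMA, "azure": AZURE_SCHEMA, "gcp": {}}  # GCP documents no variables yet

def normalize(config):
    """Map either layout to {provider: {variable: value}}; the old flat layout is AWS-only."""
    config = config or {}
    if any(key in SCHEMAS for key in config):
        return {provider: (values or {}) for provider, values in config.items()}
    return {"aws": dict(config)}

def validate(config):
    """Return a list of problems; an empty list means every variable matches its documented type."""
    problems, sections = [], normalize(config)
    for provider, values in sections.items():
        schema = SCHEMAS.get(provider, {})
        for key, value in values.items():
            expected = schema.get(key)
            if expected is None:
                problems.append(f"{provider}.{key}: not a documented variable")
            # bool is a subclass of int, so reject True/False where an Integer is expected
            elif not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
                want = expected.__name__ if isinstance(expected, type) else "String or null"
                problems.append(f"{provider}.{key}: expected {want}, got {type(value).__name__}")
    # trusted_account_ids must be 12-digit strings; an unquoted ID in YAML is parsed as an int
    for account in sections.get("aws", {}).get("trusted_account_ids") or []:
        if not (isinstance(account, str) and len(account) == 12 and account.isdigit()):
            problems.append(f"aws.trusted_account_ids: {account!r} is not a 12-digit account ID string")
    return problems

# Constructed sample in the provider-keyed layout, with two deliberate mistakes.
SAMPLE = {
    "aws": {"allowlist_non_default_regions": False,
            "max_unused_access_keys_days": "45",                   # quoted: a String, not an Integer
            "trusted_account_ids": ["123456789012", 98765432109],  # unquoted ID parsed as an int
            "ecr_repository_vulnerability_minimum_severity": "MEDIUM"},
    "azure": {"shodan_api_key": None, "php_latest_version": "8.2"}, "gcp": None,
}
```

Running validate(SAMPLE) reports the two mistakes; a config in the old flat layout is checked as AWS settings.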