Prowler App¶
The Prowler App is a user-friendly interface for the Prowler CLI, providing a visual dashboard to monitor your cloud security posture. This tutorial will guide you through setting up and using the Prowler App.
After installing the Prowler App, access it at http://localhost:3000. You can also access to the auto-generated Prowler API documentation at http://localhost:8080/api/v1/docs to see all the available endpoints, parameters and responses.
Note
If you are a Prowler Cloud user you can see API docs at https://api.prowler.com/api/v1/docs
Step 1: Sign Up¶
To get started, sign up using your email and password:
Step 2: Log In¶
Once you’ve signed up, log in with your email and password to start using the Prowler App.
You will see the Overview page with no data yet, so let's start adding a provider to scan your cloud environment.
Step 3: Add a Provider¶
To run your first scan, you need to add a cloud provider account. Prowler App supports AWS, Azure, GCP, and Kubernetes.
- Navigate to
Settings > Cloud Providers. - Click
Add Accountto set up a new provider and provide your credentials:
Step 4: Configure the Provider¶
Choose the provider you want to scan from the following options:
Once you’ve selected a provider, you need to provide the Provider UID:
- AWS: Enter your AWS Account ID.
- GCP: Enter your GCP Project ID.
- Azure: Enter your Azure Subscription ID.
- Kubernetes: Enter your Kubernetes Cluster context of your kubeconfig file.
Optionally, provide a Provider Alias for easier identification. Follow the instructions provided to add your credentials:
Step 4.1: AWS Credentials¶
For AWS, enter your AWS Account ID and choose one of the following methods to connect:
Step 4.1.1: IAM Access Keys¶
-
Select
Connect via Credentials.
-
Enter your
Access Key ID,Secret Access Keyand optionally aSession Token:
Step 4.1.2: IAM Role¶
-
Select
Connect assuming IAM Role.
-
Enter the
Role ARNand any optional field like the AWS Access Keys to assume the role, theExternal ID, theRole Session Nameor theSession Duration:
Note
check if your AWS Security Token Service (STS) has the EU (Ireland) endpoint active. If not we will not be able to connect to your AWS account.
If that is the case your STS configuration may look like this:
To solve this issue, please activate the EU (Ireland) STS endpoint.
Step 4.2: Azure Credentials¶
For Azure, Prowler App uses a service principal application to authenticate, for more information about the process of creating and adding permissions to a service principal check this section. When you finish creating and adding the Entra and Subscription scope permissions to the service principal, enter the Tenant ID, Client ID and Client Secret of the service principal application.
Step 4.3: GCP Credentials¶
To connect your GCP Project, you need to use the Application Default Credentials (ADC) returned by the gcloud CLI. Here’s how to set up:
- Run the following command in your terminal to authenticate with GCP:
- Once authenticated, get the
Client ID,Client SecretandRefresh Tokenfrom~/.config/gcloud/application_default_credentials. - Paste the
Client ID,Client SecretandRefresh Tokeninto the Prowler App.
Step 4.4: Kubernetes Credentials¶
For Kubernetes, Prowler App uses a kubeconfig file to authenticate, paste the contents of your kubeconfig file into the Kubeconfig content field.
By default, the kubeconfig file is located at ~/.kube/config.
Note
If you are adding an EKS, GKE, AKS or external cluster, follow these additional steps to ensure proper authentication:
** Make sure your cluster allow traffic from the Prowler Cloud IP address 52.48.254.174/32 **
-
Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the
kubernetesdirectory of the Prowler repository): -
Generate a long-lived token for authentication:
- Security Note: The
--duration=0option generates a non-expiring token, which may pose a security risk if not managed properly. Users should decide on an appropriate expiration time based on their security policies. If a limited-time token is preferred, set--duration=<TIME>(e.g.,--duration=24h). - Important: If the token expires, Prowler Cloud will no longer be able to authenticate with the cluster. In this case, you will need to generate a new token and remove and re-add the provider in Prowler Cloud with the updated
kubeconfig.
- Security Note: The
-
Update your
kubeconfigto use the ServiceAccount token:Replacekubectl config set-credentials prowler-sa --token=<SA_TOKEN> kubectl config set-context <CONTEXT_NAME> --user=prowler-sawith the generated token and with your KubeConfig Context Name of your EKS, GKE or AKS cluster. -
Now you can add the modified
kubeconfigin Prowler Cloud. Then simply test the connection.
Step 5: Test Connection¶
After adding your credentials of your cloud account, click the Launch button to verify that the Prowler App can successfully connect to your provider:
Step 6: Scan started¶
After successfully adding and testing your credentials, Prowler will start scanning your cloud environment, click on the Go to Scans button to see the progress:
Note
Prowler will automatically scan all configured providers every 24 hours, ensuring your cloud environment stays continuously monitored.
Step 7: Monitor Scan Progress¶
Track the progress of your scan in the Scans section:
Step 8: Analyze the Findings¶
While the scan is running, start exploring the findings in these sections:
- Overview: High-level summary of the scans.
- Compliance: Insights into compliance status.
- Issues: Types of issues detected.
- Browse All Findings: Detailed list of findings detected, where you can filter by severity, service, and more.
To view all new findings that have not been seen prior to this scan, click the Delta filter and select new. To view all changed findings that have had a status change (from PASS to FAIL for example), click the Delta filter and select changed.