Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed, AuthN, AuthZ, and more).
Detect Secrets
Prowler scans for secrets stored in plaintext within the audited environment using Kingfisher, an open-source secret-scanning engine. By default these scans run fully offline, so no data leaves the audited environment. Discovered secrets can optionally be validated against the provider APIs to confirm whether they are live — see Validating Discovered Secrets.
The checks with this functionality are the following.
AWS:
- apigateway_restapi_no_secrets_in_stage_variables
- autoscaling_find_secrets_ec2_launch_configuration
- awslambda_function_no_secrets_in_code
- awslambda_function_no_secrets_in_variables
- cloudformation_stack_outputs_find_secrets
- cloudwatch_log_group_no_secrets_in_logs
- codebuild_project_no_secrets_in_variables
- ec2_instance_secrets_user_data
- ec2_launch_template_no_secrets
- ecs_task_definitions_no_environment_secrets
- glue_etl_jobs_no_secrets_in_arguments
- ssm_document_secrets
- stepfunctions_statemachine_no_secrets_in_definition
OpenStack:
- compute_instance_metadata_sensitive_data
- blockstorage_volume_metadata_sensitive_data
- blockstorage_snapshot_metadata_sensitive_data
- objectstorage_container_metadata_sensitive_data
To execute the secret-scanning checks, run the following command:
prowler <provider> --categories secrets
Internet Exposed Resources
Several checks analyse resources that are exposed to the Internet, these are:
- apigateway_restapi_public
- appstream_fleet_default_internet_access_disabled
- awslambda_function_not_publicly_accessible
- ec2_ami_public
- ec2_ebs_public_snapshot
- ec2_instance_internet_facing_with_instance_profile
- ec2_instance_port_X_exposed_to_internet (where X is the port number)
- ec2_instance_public_ip
- ec2_networkacl_allow_ingress_any_port
- ec2_securitygroup_allow_wide_open_public_ipv4
- ec2_securitygroup_allow_ingress_from_internet_to_any_port
- ecr_repositories_not_publicly_accessible
- eks_control_plane_endpoint_access_restricted
- eks_endpoints_not_publicly_accessible
- eks_control_plane_endpoint_access_restricted
- eks_endpoints_not_publicly_accessible
- elbv2_internet_facing
- kms_key_not_publicly_accessible
- opensearch_service_domains_not_publicly_accessible
- rds_instance_no_public_access
- rds_snapshots_public_access
- s3_bucket_policy_public_write_access
- s3_bucket_public_access
- sagemaker_notebook_instance_without_direct_internet_access_configured
- sns_topics_not_publicly_accessible
- sqs_queues_not_publicly_accessible
- network_public_ip_shodan
To execute Internet-exposed related checks, you can run the following command:
prowler <provider> --categories internet-exposed
Shodan
Prowler can check whether any public IPs in cloud environments are exposed in Shodan using the -N/--shodan option.
Using the Environment Variable (Recommended)
Set the SHODAN_API_KEY environment variable to avoid exposing the API key in process listings and shell history:
export SHODAN_API_KEY=<shodan_api_key>
Then run Prowler with the --shodan flag (no value needed):
prowler aws --shodan -c ec2_elastic_ip_shodan
prowler azure --shodan -c network_public_ip_shodan
prowler gcp --shodan -c compute_public_address_shodan
Using the CLI Flag
Alternatively, pass the API key directly on the command line:
prowler aws --shodan <shodan_api_key> -c ec2_elastic_ip_shodan
Passing secret values directly on the command line exposes them in process listings and shell history. Prowler CLI displays a warning when this pattern is detected. Use the SHODAN_API_KEY environment variable instead.