This feature is currently available only for the AWS provider.
## Services Ignored
### ACM (AWS Certificate Manager)
Certificates stored in ACM that are not attached to any AWS resource are excluded. By default, Prowler only scans certificates that are actively in use, so an unused certificate is not checked at all, whether it is already expired, close to its expiration date, or still valid.
- `acm_certificates_expiration_check`
### Athena
- `athena_workgroup_encryption`
- `athena_workgroup_enforce_configuration`
### CloudTrail
- `cloudtrail_s3_dataevents_read_enabled`
- `cloudtrail_s3_dataevents_write_enabled`
### EC2
- `ec2_ebs_default_encryption`
- 15 security group-related checks, including open ports and ingress/egress traffic rules:
  - `ec2_securitygroup_allow_ingress_from_internet_to_port_X`
  - `ec2_securitygroup_default_restrict_traffic`
  - `ec2_securitygroup_allow_wide_open_public_ipv4`
- 3 network ACL-related checks, ensuring only active ACLs with open ports are flagged:
  - `ec2_networkacl_allow_ingress_X_port`
### Glue
- `glue_data_catalogs_connection_passwords_encryption_enabled`
- `glue_data_catalogs_metadata_encryption_enabled`
### Amazon Inspector
Amazon Inspector is a vulnerability discovery service that automates continuous security scans for Amazon EC2, Amazon ECR, and AWS Lambda environments. Prowler recommends enabling Amazon Inspector and addressing all findings. By default, Prowler only raises a finding if there are Lambda functions, EC2 instances, or ECR repositories in the region where Amazon Inspector should be enabled.
- `inspector2_is_enabled`
### Macie
- `macie_is_enabled`
### Network Firewall
A network firewall is essential for monitoring and controlling traffic within a Virtual Private Cloud (VPC). Prowler only alerts for VPCs in use, specifically those containing ENIs (Elastic Network Interfaces).
- `networkfirewall_in_all_vpc`
### S3
- `s3_account_level_public_access_blocks`
### VPC
- VPC Flow Logs: provide visibility into network traffic for security monitoring. Prowler only checks whether Flow Logs are enabled for VPCs in use, i.e., those with active ENIs.
  - `vpc_flow_logs_enabled`
- VPC Subnet Public IP Restrictions: prevent unintended exposure of resources to the internet. Prowler only checks this configuration for VPCs in use, i.e., those with active ENIs.
  - `vpc_subnet_no_public_ip_by_default`
- Separate Private and Public Subnets: best practice to avoid exposure risks. Prowler only checks this configuration for VPCs in use, i.e., those with active ENIs.
  - `vpc_subnet_separate_private_public`
- Multi-AZ Subnet Distribution: VPCs should have subnets in different availability zones to prevent a single point of failure. Prowler only checks this configuration for VPCs in use, i.e., those with active ENIs.
  - `vpc_subnet_different_az`
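The "VPCs in use" rule that all four VPC checks (and the Network Firewall check) share is easy to misread, so here is an added example that models it on constructed data. This is not Prowler's own code: it takes lists shaped like the boto3 `describe_vpcs`, `describe_network_interfaces` and `describe_flow_logs` responses, treats a VPC as "in use" only when at least one ENI belongs to it, and then evaluates the flow-logs check with and without the ignore-unused behaviour. The `ignore_unused_services` parameter and the `Finding` type are names chosen for this example, not Prowler identifiers.

```python
"""Added example (not Prowler code): filter VPC findings down to VPCs in use."""
from dataclasses import dataclass

# Constructed sample data; field names mirror the boto3 EC2 API responses.
VPCS = [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}]
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-1", "VpcId": "vpc-0aaa"},
    {"NetworkInterfaceId": "eni-2", "VpcId": "vpc-0aaa"},
    {"NetworkInterfaceId": "eni-3", "VpcId": "vpc-0bbb"},
]
# vpc-0ccc has no ENIs at all, so it is "unused" in the sense this page uses.
FLOW_LOGS = [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0bbb", "FlowLogStatus": "ACTIVE"},
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    status: str            # "PASS" or "FAIL"
    status_extended: str   # human-readable detail


def vpcs_in_use(vpcs, enis):
    """Return the ids of VPCs that own at least one ENI (the page's "in use")."""
    owning_vpcs = {eni["VpcId"] for eni in enis}
    return [v["VpcId"] for v in vpcs if v["VpcId"] in owning_vpcs]


def vpc_flow_logs_enabled(vpcs, enis, flow_logs, ignore_unused_services=False):
    """Evaluate a flow-logs check, optionally skipping VPCs with no ENIs.

    Only flow logs in ACTIVE state count as "enabled"; a flow log that exists
    but is not active does not satisfy the check.
    """
    logged = {fl["ResourceId"] for fl in flow_logs if fl.get("FlowLogStatus") == "ACTIVE"}
    candidates = [v["VpcId"] for v in vpcs]
    if ignore_unused_services:
        # This is the behaviour described above: unused VPCs produce no finding.
        candidates = vpcs_in_use(vpcs, enis)

    findings = []
    for vpc_id in candidates:
        if vpc_id in logged:
            findings.append(Finding(vpc_id, "PASS", f"VPC {vpc_id} has active Flow Logs."))
        else:
            findings.append(Finding(vpc_id, "FAIL", f"VPC {vpc_id} has no active Flow Logs."))
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print(f"ignore_unused_services={mode}")
        for f in vpc_flow_logs_enabled(VPCS, NETWORK_INTERFACES, FLOW_LOGS, mode):
            print(f"  {f.status}: {f.status_extended}")
```

With the default behaviour the empty `vpc-0ccc` shows up as a FAIL; with unused services ignored it disappears from the report entirely rather than being reported as PASS, which is the distinction to keep in mind when comparing result counts between the two modes.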