Skip to main content
Prowler offers an automated tool to discover and provision all AWS accounts within an AWS Organization. This streamlines onboarding for organizations managing multiple AWS accounts by automatically generating the configuration needed for bulk provisioning. The tool, aws_org_generator.py‎, complements the Bulk Provider Provisioning tool and is available in the Prowler repository at: util/prowler-bulk-provisioning
Native AWS Organizations support is now available in Prowler Cloud. You can onboard all accounts via the UI wizard — with automatic discovery, hierarchical tree selection, connection testing, and bulk scan launch — without any scripts or YAML files.See AWS Organizations in Prowler Cloud.The CLI-based tool below remains useful for self-hosted Prowler App and advanced automation scenarios.

Overview

The AWS Organizations Bulk Provisioning tool simplifies multi-account onboarding by:
  • Automatically discovering all active accounts in an AWS Organization
  • Generating YAML configuration files for bulk provisioning
  • Supporting account filtering and custom role configurations
  • Eliminating manual entry of account IDs and role ARNs

Prerequisites

Requirements

  • Python 3.7 or higher
  • AWS credentials with Organizations read access
  • ProwlerRole (or custom role) deployed across all target accounts
  • Prowler API key (from Prowler Cloud or self-hosted Prowler App)

Deploying ProwlerRole Across AWS Organizations

Before using the AWS Organizations generator, deploy the ProwlerRole across all accounts in the organization using CloudFormation StackSets.
Follow the official documentation: Deploying Prowler IAM Roles Across AWS OrganizationsKey points:
  • Use CloudFormation StackSets from the management account
  • Deploy to all organizational units (OUs) or specific OUs
  • Use an external ID for enhanced security
  • Ensure the role has necessary permissions for Prowler scans

Installation

Clone the repository and install required dependencies:

AWS Credentials Setup

Configure AWS credentials with Organizations read access:
  • Management account credentials, or
  • Delegated administrator account with organizations:ListAccounts permission
Required IAM permissions:

Prowler API Key Setup

Configure your Prowler API key:
To create an API key:
  1. Log in to Prowler Cloud or Prowler App
  2. Click ProfileAccount
  3. Click Create API Key
  4. Provide a descriptive name and optionally set an expiration date
  5. Copy the generated API key (it will only be shown once)
For detailed instructions, see: Prowler App API Keys

Basic Usage

Generate Configuration for All Accounts

To generate a YAML configuration file for all active accounts in the organization:
This command:
  1. Lists all ACTIVE accounts in the organization
  2. Generates YAML entries for each account
  3. Saves the configuration to aws-accounts.yaml
Output:

Review Generated Configuration

Review the generated YAML configuration:
Example output:

Dry Run Mode

Test the configuration without writing a file:

Advanced Configuration

Using a Specific AWS Profile

Specify an AWS profile when multiple profiles are configured:

Excluding Specific Accounts

Exclude the management account or other accounts from provisioning:
Common exclusion scenarios:
  • Management account (requires different permissions)
  • Break-glass accounts (emergency access)
  • Suspended or archived accounts

Including Only Specific Accounts

Generate configuration for specific accounts only:

Custom Role Name

Specify a custom role name if not using the default ProwlerRole:

Custom Alias Format

Customize account aliases using template variables:
Available template variables:
  • {name} - Account name
  • {id} - Account ID
  • {email} - Account email

Additional Role Assumption Options

Configure optional role assumption parameters:

Complete Workflow Example

1

Deploy ProwlerRole Using StackSets

  1. Log in to the AWS management account
  2. Open CloudFormation → StackSets
  3. Create a new StackSet using the Prowler role template
  4. Deploy to all organizational units
  5. Use a unique external ID (e.g., prowler-org-2024-abc123)
2

Generate YAML Configuration

Configure AWS credentials and generate the YAML file:
Output:
3

Review Generated Configuration

Verify the generated YAML configuration:
4

Run Bulk Provisioning

Provision all accounts to Prowler Cloud or Prowler App:
With custom options:
Successful output:

Command Reference

Full Command-Line Options

Troubleshooting

Error: “No AWS credentials found”

Solution: Configure AWS credentials using one of these methods:

Error: “Access denied to AWS Organizations API”

Cause: Current credentials don’t have permission to list organization accounts. Solution:
  • Ensure management account credentials are used
  • Verify IAM permissions include organizations:ListAccounts
  • Check IAM policies for Organizations access

Error: “AWS Organizations is not enabled”

Cause: The account is not part of an organization. Solution: This tool requires an AWS Organization. Create one in the AWS Organizations console or use standard bulk provisioning for standalone accounts.

No Accounts Generated After Filters

Cause: All accounts were filtered out by --exclude or --include options. Solution: Review filter options and verify account IDs are correct:

Connection Test Failures During Bulk Provisioning

Cause: ProwlerRole may not be deployed correctly or credentials are invalid. Solution:
  • Verify StackSet deployment status in CloudFormation
  • Check role trust policy includes correct external ID
  • Test role assumption manually:

Security Best Practices

Use External ID

Always use an external ID when assuming cross-account roles:
The external ID must match the one configured in the ProwlerRole trust policy across all accounts.

Exclude Sensitive Accounts

Exclude accounts that shouldn’t be scanned or require special handling:

Review Generated Configuration

Always review the generated YAML before provisioning:

Next Steps

Bulk Provider Provisioning

Learn how to bulk provision providers in Prowler.

Prowler App

Detailed instructions on how to use Prowler.