Audit the AWS Account using Prowler by running in AWS CloudShell

Abdul Gaffoor. Noor Basha
3 min read, Apr 11, 2023


Use Case:

Customers often run more than one auditing tool to get a quick assessment of their AWS environments. The reports these tools generate can be reviewed by the customer and the appropriate teams, which in turn helps them begin security remediation work.

Prowler is a publicly available security auditing tool that produces comprehensive reports for AWS accounts.

ShortCut is a small shell script that runs Prowler inside an AWS account from AWS CloudShell. Because CloudShell already carries the credentials of the signed-in console user, the audit runs without provisioning IAM access keys or an EC2 instance.

Prerequisites:

Note: The current version of this script runs against a single account in a single region (us-west-2 is hard-coded in the script). The command-line flags it uses are Prowler 2.x syntax; if the repository's default branch has moved to a newer major version, check out a 2.x release tag after cloning.

In order to use CloudShell, the customer will need the following permission within their AWS account:

cloudshell:*

Prowler itself runs with the same credentials as the console user who opened CloudShell, so that user also needs read-only access to the services being audited. The Prowler documentation recommends attaching the AWS managed policies SecurityAudit and ViewOnlyAccess; without them many checks will report errors rather than results.

Instructions

  • Log in to the AWS Console
  • The shell script used, shortcut.sh, is shown below:
#!/bin/bash

# ShortCut - Run Prowler in the customer's environment using AWS CloudShell
# DozerCat - Team DragonCat - AWS

# Package Prerequisites (jq and the AWS CLI are preinstalled in CloudShell)
sudo yum update -y
sudo yum install python3 -y
sudo yum install screen -y
sudo yum install zip -y

# Variable and Environment Prerequisites
# The account ID comes from the CloudShell session credentials;
# results are collected under ~/<account>-results
cd ~
account=$(aws sts get-caller-identity --query Account --output text)
mkdir -p "${account}-results"

# Prowler (2.x syntax: -E excludes checks, -r/-f select the region, -M picks output formats)
git clone https://github.com/toniblyx/prowler
pip3 install detect-secrets --user
cd prowler
# Run detached in a screen session so the scan survives the browser tab losing focus;
# when it finishes, zip the output directory into the results folder
screen -dmS prowler sh -c "./prowler -E extra7143,check113,check114,extra713,check43,extra74,extra763,extra7125 -r us-west-2 -f us-west-2 -M csv,html; cd ~; zip -r ${account}-results/prowler-${account}.zip /home/cloudshell-user/prowler/output"

# Check on screen sessions
screen -ls
  • Go to AWS CloudShell by clicking the CloudShell icon in the console (screenshot below), or, if you are already logged in to AWS, open this link: console.aws.amazon.com/cloudshell
  • Once the session begins, upload the shortcut.sh file into the AWS CloudShell session by selecting Actions -> Upload File.
  • Once the file is uploaded, run the following command within your AWS CloudShell session:
bash shortcut.sh

You can attach to the screen session and watch progress by typing the following command:

screen -r prowler

To leave the session running, detach with Ctrl-A followed by D. Do not press Ctrl-C inside the session, and do not close the CloudShell tab; either will kill the scan. Keep the tab active as well: a CloudShell session left idle is ended after roughly 20 minutes, which also stops the detached screen session.

Note: Do not interrupt the screen session until it completes. Depending on the number of resources in the account, the scan can take a while.

  • The results for Prowler will be located in the following directory:
/home/cloudshell-user/<account number>-results
  • To download the results from AWS CloudShell, select Actions -> Download File.
  • In the Download File prompt, enter the full path and file name of the zip (for example /home/cloudshell-user/<account number>-results/prowler-<account number>.zip) to download the results.

Note:
The downloaded file is a zip archive containing a CSV file and an HTML report, the two output formats configured with -M csv,html in the shell script.
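The CSV is the easier of the two outputs to triage once the zip is unpacked. The script below is an added example, not part of the original ShortCut script: it summarises FAIL results by severity and lists the failing checks. It assumes the Prowler 2.x CSV header names CHECK_RESULT, CHECK_SEVERITY, TITLE_ID, REGION and TITLE_TEXT (columns are located by name, so their position does not matter; verify the names against the first line of your file) and that no field contains an embedded comma. The sample report embedded in it is constructed, not real scan output.

```shell
#!/bin/bash
# Summarise a Prowler 2.x CSV report. Added example, not part of the original
# ShortCut script. Assumed column names: CHECK_RESULT, CHECK_SEVERITY,
# TITLE_ID, REGION, TITLE_TEXT. Fields are split on commas, so a report whose
# fields contain commas needs a real CSV parser instead of awk.

# Print "<severity> <count>" for every FAIL row, highest count first.
fail_counts_by_severity() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $col["CHECK_RESULT"] == "FAIL" { n[$col["CHECK_SEVERITY"]]++ }
    END { for (s in n) print s, n[s] }
  ' "$1" | sort -k2,2nr
}

# Print "<check id> <region> <title>" for each FAIL row, one per line.
failing_checks() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $col["CHECK_RESULT"] == "FAIL" {
      printf "%s %s %s\n", $col["TITLE_ID"], $col["REGION"], $col["TITLE_TEXT"]
    }
  ' "$1"
}

# Total number of FAIL rows; usable as a simple gate in automation.
fail_total() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $col["CHECK_RESULT"] == "FAIL" { n++ }
    END { print n + 0 }
  ' "$1"
}

# Constructed sample using a subset of the 2.x columns (not real scan output).
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_SEVERITY
default,123456789012,us-west-2,1.4,FAIL,Scored,Level 1,Ensure access keys are rotated every 90 days or less,Medium
default,123456789012,us-west-2,1.12,PASS,Scored,Level 1,Ensure no root account access key exists,Critical
default,123456789012,us-west-2,2.1,FAIL,Scored,Level 1,Ensure CloudTrail is enabled in all regions,High
default,123456789012,us-west-2,2.9,FAIL,Not Scored,Level 2,Ensure VPC flow logging is enabled in all VPCs,Medium
default,123456789012,us-west-2,extra72,INFO,Not Scored,Extra,Ensure there are no EBS Snapshots set as Public,Critical
EOF

echo "FAIL count by severity:"
fail_counts_by_severity "$SAMPLE_CSV"
echo "Failing checks:"
failing_checks "$SAMPLE_CSV"
echo "Total FAIL: $(fail_total "$SAMPLE_CSV")"
```

Point the functions at the CSV from the downloaded zip instead of the sample (for example `fail_total ~/prowler/output/prowler-output-<account>-<timestamp>.csv`, where the file name is whatever Prowler wrote) to get the same summary for a real run.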

Ignore Check List:

The following Prowler 2.x check IDs are passed to the -E flag in the script and are therefore excluded from the run. Remove an ID from the -E list if you want that check included.

extra7143,check113,check114,check43,extra74,extra763,extra7125,extra713

Written by Abdul Gaffoor. Noor Basha

DevOps Engineer || AWS Cloud Admin || Cloud-native Practioner
