Finding security vulnerabilities in AWS with Prowler
Ensuring your cloud environments are configured securely is integral to your overall cloud security strategy. We want to narrow the window between a cloud security misconfiguration occurring and your organisation detecting and remediating it.
Let me introduce you to Prowler, an open-source cloud security assessment tool that has been actively developed and maintained by Toni de la Fuente for over five years and has gained popularity and a lot of functionality during this time. More than 240 security checks are available, covering a wide range of security frameworks like CIS, PCI-DSS, ISO27001 and many others.
In this post, we will explore running Prowler commands against a single environment and then look at an example of how you could run Prowler continuously across multiple accounts in an AWS Organisation and how you would deal with those findings.
Prowler is a bash script, so it can be run in many different scenarios; let’s start by running it from our local machine.
Installation is very straightforward: you’ll need the AWS CLI installed and configured for your AWS environment, then clone the Prowler repository to a folder on the same machine and you should be ready. See the Prowler repository for detailed installation instructions.
Let’s start by printing the help screen to show all the available options:
Next, let's take a look at all 240 security checks available to Prowler:
Prowler also groups its checks, making it easy to run the controls from a specific security standard or to focus on a category like IAM, logging or monitoring:
Run scans across your environment
We can quickly run a scan with the -c option and the name of one of the security checks listed by the previous commands. In this example, I’ve selected check41, which looks for any Security Group that allows incoming SSH connections from anywhere:
./prowler -c check41
Run multiple security checks at once by separating their names with a comma:
./prowler -c check41,check42,check43
To run a scan against one of the groups of checks listed above, use the -g flag. In this example, I’ve added the argument -g internet-exposed to show all publicly exposed resources:
./prowler -g internet-exposed
Running a complete scan in one account
As previously mentioned, Prowler offers you multiple ways to run this tool against your environment. The Prowler repository includes a few easy-to-use bash scripts and CloudFormation templates to help run Prowler in various scenarios.
One of these examples is an AWS CloudShell script called ShortCut.sh, which runs full scans in a single account using Prowler and another security tool called ScoutSuite, producing comprehensive reports for you to review. This option is advantageous as it allows you to run a full scan without provisioning IAM access keys or EC2 instances.
Here are the steps to run a scan via the AWS CloudShell:
- Log into the AWS Console and go to AWS CloudShell.
- Once the session begins, upload the shortcut.sh file into the AWS CloudShell session by selecting Actions -> Upload File.
- Once the file is uploaded, run the following command within your AWS CloudShell session:
- After some time, the results for Prowler and ScoutSuite will be located in the following directory:
- To download the results from AWS CloudShell, select Actions -> Download File.
- In the Download File prompt, use the file path and file name to download the results.
Sending findings into Security Hub
Prowler’s primary function is to scan your environment for security misconfigurations; its other role is reporting those findings so you can review them and take action. Prowler supports multiple output formats: printing results on screen or writing them to a file as HTML, CSV, JUnit or JSON. Support for ASFF (AWS Security Finding Format), the format Security Hub uses to ingest findings, was added later.
Security Hub is a vulnerability management solution that gives you an overview of your security posture and lets you enable additional industry-standard best-practice controls. Prowler also lets you write your own custom checks, and managing your findings in Security Hub makes it easier to trigger custom actions in response to them.
To send your findings into Security Hub, you need to make sure AWS Security Hub is enabled in each region you wish to scan and enable the Prowler integration, which allows Prowler to output its findings directly into Security Hub.
In this example, we’re running two checks, separated by a comma, that look for Security Groups with SSH and RDP exposed to the world; we limit the scan to a single region with the -f eu-west-1 argument and send the findings directly to Security Hub by adding -M json-asff -S to the end of the command:
./prowler -f eu-west-1 -c check41,check42 -M json-asff -S
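One way to triage the json-asff records Prowler writes before (or after) they are imported into Security Hub, as an added example that is not Prowler's or the post's own code; the three ASFF records are constructed samples in the shape Prowler emits, and the helper names are assumptions of this example:

```python
# Added example (not Prowler's own code): triage Prowler's json-asff output.
# The records below are constructed samples in ASFF shape, one JSON object
# per line, as written by ./prowler -M json-asff.
import json
from collections import Counter

SAMPLE_ASFF = """\
{"SchemaVersion":"2018-10-08","Id":"prowler-check41-111111111111-eu-west-1-sg-0a1","ProductArn":"arn:aws:securityhub:eu-west-1::product/prowler/prowler","AwsAccountId":"111111111111","GeneratorId":"prowler-check41","Severity":{"Label":"HIGH"},"Title":"Security group sg-0a1 allows SSH (22) from 0.0.0.0/0","Compliance":{"Status":"FAILED"},"Resources":[{"Type":"AwsEc2SecurityGroup","Id":"sg-0a1","Region":"eu-west-1"}]}
{"SchemaVersion":"2018-10-08","Id":"prowler-check42-111111111111-eu-west-1-sg-0a1","ProductArn":"arn:aws:securityhub:eu-west-1::product/prowler/prowler","AwsAccountId":"111111111111","GeneratorId":"prowler-check42","Severity":{"Label":"HIGH"},"Title":"Security group sg-0a1 allows RDP (3389) from 0.0.0.0/0","Compliance":{"Status":"FAILED"},"Resources":[{"Type":"AwsEc2SecurityGroup","Id":"sg-0a1","Region":"eu-west-1"}]}
{"SchemaVersion":"2018-10-08","Id":"prowler-check41-222222222222-eu-west-1-sg-0b2","ProductArn":"arn:aws:securityhub:eu-west-1::product/prowler/prowler","AwsAccountId":"222222222222","GeneratorId":"prowler-check41","Severity":{"Label":"HIGH"},"Title":"Security group sg-0b2 does not allow SSH from 0.0.0.0/0","Compliance":{"Status":"PASSED"},"Resources":[{"Type":"AwsEc2SecurityGroup","Id":"sg-0b2","Region":"eu-west-1"}]}
"""

def load_findings(text):
    """Parse newline-delimited ASFF records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def failed_findings(findings):
    """Keep only records whose Compliance.Status is FAILED."""
    return [f for f in findings if f.get("Compliance", {}).get("Status") == "FAILED"]

def failures_by_account(findings):
    """Map AwsAccountId -> {severity label: count} over FAILED findings,
    the view you want when triaging an Organisation-wide scan."""
    summary = {}
    for f in failed_findings(findings):
        summary.setdefault(f["AwsAccountId"], Counter())[f["Severity"]["Label"]] += 1
    return {acct: dict(c) for acct, c in summary.items()}

def exposed_resources(findings):
    """Sorted, de-duplicated IDs of resources failing at least one check, so a
    security group open on both 22 and 3389 (check41 + check42) counts once."""
    return sorted({r["Id"] for f in failed_findings(findings) for r in f["Resources"]})

def import_batches(findings, size=100):
    """Split findings into lists of at most `size`: Security Hub's
    BatchImportFindings API accepts no more than 100 findings per call."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]

if __name__ == "__main__":
    records = load_findings(SAMPLE_ASFF)
    print(failures_by_account(records))
    print(exposed_resources(records))
```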
Scanning multi-account environments
It’s a good idea to scan all your accounts frequently to identify any issues as soon as possible after they appear. We’ve seen Prowler running in our local terminal and the AWS CloudShell against a single account, outputting the findings on screen, to files and directly into Security Hub. Let’s see an example of how you would run Prowler against multiple accounts.
One of the solutions provided in the GitHub repository shown below deploys Prowler with AWS Fargate to assess all accounts in an AWS Organisation on a daily schedule and outputs the results to Security Hub. See the GitHub repository for detailed installation instructions.
Prowler is a very flexible tool offering multiple ways to scan your accounts for security misconfigurations; we’ve only just scratched the surface of what it can do.
Give it a go and reply with what you found in your environment!