Prowler Documentation¶
Welcome to Prowler Open Source v3 Documentation! 📄
For Prowler v2 Documentation, please go here to the branch and its README.md.
- You are currently in the Getting Started section where you can find general information and requirements to help you start with the tool.
- In the Tutorials section you will see how to take advantage of all the features in Prowler.
- In the Contact Us section you can find how to reach us out in case of technical issues.
- In the About section you will find more information about the Prowler team and license.
About Prowler¶
Prowler is an Open Source security tool to perform AWS, Azure and Google Cloud security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
About ProwlerPro¶
ProwlerPro gives you the benefits of Prowler Open Source plus continuous monitoring, faster execution, personalized support, visualization of your data with dashboards, alerts and much more.
Visit prowler.pro for more info.
Quick Start¶
Installation¶
Prowler is available as a project in PyPI, thus can be installed using pip with Python >= 3.9
:
Requirements:
Python >= 3.9
Python pip >= 3.9
- AWS, GCP and/or Azure credentials
Commands:
Requirements:
- Have
docker
installed: https://docs.docker.com/get-docker/. - AWS, GCP and/or Azure credentials
- In the command below, change
-v
to your local directory path in order to access the reports.
Commands:
Requirements for Ubuntu 20.04.3 LTS:
- AWS, GCP and/or Azure credentials
- Install python 3.9 with:
sudo apt-get install python3.9
- Remove python 3.8 to avoid conflicts if you can:
sudo apt-get remove python3.8
- Make sure you have the python3 distutils package installed:
sudo apt-get install python3-distutils
- To make sure you use pip for 3.9 get the get-pip script with:
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
- Execute it with the proper python version:
sudo python3.9 get-pip.py
- Now you should have pip for 3.9 ready:
pip3.9 --version
Commands:
Requirements for Developers:
- AWS, GCP and/or Azure credentials
git
,Python >= 3.9
,pip
andpoetry
installed (pip install poetry
)
Commands:
Requirements:
- AWS, GCP and/or Azure credentials
- Latest Amazon Linux 2 should come with Python 3.9 already installed however it may need pip. Install Python pip 3.9 with:
sudo yum install -y python3-pip
. - Make sure setuptools for python is already installed with:
pip3 install setuptools
Commands:
Requirements:
Brew
installed in your Mac or Linux- AWS, GCP and/or Azure credentials
Commands:
Prowler can be easely executed in AWS CloudShell but it has some prerequsites to be able to to so. AWS CloudShell is a container running with Amazon Linux release 2 (Karoo)
that comes with Python 3.7, since Prowler requires Python >= 3.9 we need to first install a newer version of Python. Follow the steps below to successfully execute Prowler v3 in AWS CloudShell:
Requirements:
-
First install all dependences and then Python, in this case we need to compile it because there is not a package available at the time this document is written:
Commands: -
Once Python 3.9 is available we can install Prowler from pip:
To download the results from AWS CloudShell, select Actions -> Download File and add the full path of each file. For the CSV file it will be something like
/home/cloudshell-user/output/prowler-output-123456789012-20221220191331.csv
Prowler container versions¶
The available versions of Prowler are the following:
latest
: in sync with master branch (bear in mind that it is not a stable version)<x.y.z>
(release): you can find the releases here, those are stable releases.stable
: this tag always point to the latest release.
The container images are available here:
High level architecture¶
You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell, Cloud9 and many more.
Basic Usage¶
To run Prowler, you will need to specify the provider (e.g aws, gcp or azure):
If no provider specified, AWS will be used for backward compatibility with most of v2 options.

Running the
prowler
command without options will use your environment variable credentials, see Requirements section to review the credentials settings.
If you miss the former output you can use --verbose
but Prowler v3 is smoking fast, so you won't see much ;)
By default, Prowler will generate a CSV, JSON and HTML reports, however you can generate a JSON-ASFF (used by AWS Security Hub) report with -M
or --output-modes
:
You can use -l
/--list-checks
or --list-services
to list all available checks or services within the provider.
For executing specific checks or services you can use options -c
/checks
or -s
/services
:
prowler azure --checks storage_blob_public_access_level_is_disabled
prowler aws --services s3 ec2
prowler gcp --services iam compute
Also, checks and services can be excluded with options -e
/--excluded-checks
or --excluded-services
:
prowler aws --excluded-checks s3_bucket_public_access
prowler azure --excluded-services defender iam
prowler gcp --excluded-services kms
More options and executions methods that will save your time in Miscellaneous.
You can always use -h
/--help
to access to the usage information and all the possible options:
AWS¶
Use a custom AWS profile with -p
/--profile
and/or AWS regions which you want to audit with -f
/--filter-region
:
By default,
prowler
will scan all AWS regions.
See more details about AWS Authentication in Requirements
Azure¶
With Azure you need to specify which auth method is going to be used:
# To use service principal authentication
prowler azure --sp-env-auth
# To use az cli authentication
prowler azure --az-cli-auth
# To use browser authentication
prowler azure --browser-auth --tenant-id "XXXXXXXX"
# To use managed identity auth
prowler azure --managed-identity-auth
See more details about Azure Authentication in Requirements
Prowler by default scans all the subscriptions that is allowed to scan, if you want to scan a single subscription or various specific subscriptions you can use the following flag (using az cli auth as example):
prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>
Google Cloud¶
Prowler will use by default your User Account credentials, you can configure it using:
gcloud init
to use a new accountgcloud config set account <account>
to use an existing account
Then, obtain your access credentials using: gcloud auth application-default login
Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument:
Prowler by default scans all the GCP Projects that is allowed to scan, if you want to scan a single project or various specific projects you can use the following flag:
See more details about GCP Authentication in Requirements