Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described here.
Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy prowler-additions-policy.json to the role you are using.
If your IAM entity enforces MFA you can use
--mfa and Prowler will ask you to input the following values to get a new session:
- ARN of your MFA device
- TOTP (Time-Based One-Time Password)
Prowler for azure supports the following authentication types:
- Service principal authentication by environment variables (Enterprise Application)
- Current az cli credentials stored
- Interactive browser authentication
- Managed identity authentication
Service Principal authentication¶
To allow Prowler assume the service principal identity to start the scan it is needed to configure the following environment variables:
If you try to execute Prowler with the
--sp-env-auth flag and those variables are empty or not exported, the execution is going to fail.
AZ CLI / Browser / Managed Identity authentication¶
The other three cases does not need additional configuration,
--managed-identity-auth are automated options. To use
--browser-auth the user needs to authenticate against Azure using the default browser to start the scan, also
tenant-id is required.
To use each one you need to pass the proper flag to the execution. Prowler fro Azure handles two types of permission scopes, which are:
- Azure Active Directory permissions: Used to retrieve metadata from the identity assumed by Prowler and future AAD checks (not mandatory to have access to execute the tool)
- Subscription scope permissions: Required to launch the checks against your resources, mandatory to launch the tool.
Azure Active Directory scope¶
Azure Active Directory (AAD) permissions required by the tool are the following:
The best way to assign it is through the azure web console:
Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
Prowler will follow the same credentials search as Google authentication libraries:
- GOOGLE_APPLICATION_CREDENTIALS environment variable
- User credentials set up by using the Google Cloud CLI
- The attached service account, returned by the metadata server
Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials:
- Security Reviewer
- Stackdriver Account Viewer
prowlerwill scan all accessible GCP Projects, use flag
--project-idsto specify the projects to be scanned.