
Using Prowler for AWS assessment against CIS Foundations benchmark - Part 2 Conducting assessment

By Riyaz Walikar 1 min read intermediate level

Introduction

Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening, and incident response.

It follows the guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 190 additional checks related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2, and others.

Prowler assessment

A Prowler scan takes time, depending on the number of services enabled in your AWS account. Once the scan is complete, the report is stored in the Prowler folder itself, in a sub-directory called output. The report can then be reviewed to prioritize the findings as critical, high, medium, and low.

The Prowler report follows the CIS Benchmark, so the findings are organized in the report according to its controls.

Audit results

Prowler reports its results as findings and does not include the resolutions for those findings in the report. The findings in the report are categorized as follows:

  1. INFO: Informational, no action required. This includes results that are overridden.
  2. PASS: The resource has the recommended value.
  3. WARNING: A best practice recommendation.
  4. FAIL: A security issue or invalid AWS configuration. A fix is required.
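As an added example that is not part of this article or of Prowler itself, the following Python script reads a constructed, Prowler-style JSON-lines report and lists only the actionable FAIL and WARNING findings, most severe first, so the report can be prioritized as described above. The field names ("Status", "Severity", "Control ID", "Region", "Resource ID") are assumed to match Prowler v2's JSON output; adjust them for your version.

```python
import json
from collections import Counter

# Constructed sample in Prowler-style JSON-lines form (one finding per line).
# Field names are an assumption based on Prowler v2's JSON output; check your version.
SAMPLE_OUTPUT = """\
{"Control ID": "1.4", "Control": "[check14] Ensure access keys are rotated every 90 days or less", "Status": "FAIL", "Severity": "Medium", "Region": "us-east-1", "Resource ID": "user_alice"}
{"Control ID": "1.4", "Control": "[check14] Ensure access keys are rotated every 90 days or less", "Status": "PASS", "Severity": "Medium", "Region": "us-east-1", "Resource ID": "user_bob"}
{"Control ID": "2.1", "Control": "[check21] Ensure CloudTrail is enabled in all regions", "Status": "FAIL", "Severity": "High", "Region": "eu-west-1", "Resource ID": "management-trail"}
{"Control ID": "1.14", "Control": "[check114] Ensure hardware MFA is enabled for the root account", "Status": "WARNING", "Severity": "Low", "Region": "us-east-1", "Resource ID": "root"}
{"Control ID": "1.2", "Control": "[check12] Ensure MFA is enabled for all IAM users", "Status": "INFO", "Severity": "Low", "Region": "us-east-1", "Resource ID": "none"}
"""

# Priority order: FAIL needs a fix, WARNING is advisory, PASS and INFO need no action.
STATUS_RANK = {"FAIL": 0, "WARNING": 1, "PASS": 2, "INFO": 3}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_findings(text):
    """Parse JSON-lines output into a list of dicts, skipping blank or malformed lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate a truncated last line from an interrupted scan
    return findings


def count_by_status(findings):
    """Tally findings per status so the report can be summarized at a glance."""
    return Counter(f.get("Status", "UNKNOWN") for f in findings)


def triage(findings):
    """Return only the actionable findings (FAIL first, then WARNING), most severe first."""
    actionable = [f for f in findings if f.get("Status") in ("FAIL", "WARNING")]
    return sorted(actionable, key=lambda f: (STATUS_RANK[f["Status"]],
                                              SEVERITY_RANK.get(f.get("Severity"), 9),
                                              f.get("Control ID", "")))


if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    print(dict(count_by_status(found)))
    for f in triage(found):
        print(f"{f['Status']:8} {f.get('Severity', '?'):8} {f['Control ID']:5} "
              f"{f['Region']:10} {f['Resource ID']}")
```

Point `parse_findings` at the JSON file Prowler writes to its output sub-directory to run the same triage over a real scan.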

(Figure: Prowler scan)


Riyaz Walikar

Founder & Chief of R&D

Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.