Files
prowler/docs/user-guide/providers/aws/getting-started-aws.mdx
2025-10-15 16:38:56 +02:00

144 lines
4.1 KiB
Plaintext

---
title: 'Getting Started With AWS on Prowler'
---
## Prowler App
<iframe width="560" height="380" src="https://www.youtube-nocookie.com/embed/RPgIWOCERzY" title="Prowler Cloud Onboarding AWS" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="1"></iframe>
> Walkthrough video onboarding an AWS Account using Assumed Role.
### Step 1: Get Your AWS Account ID
1. Log in to the [AWS Console](https://console.aws.amazon.com)
2. Locate your AWS account ID in the top-right dropdown menu
![Account ID detail](/images/providers/aws-account-id.png)
### Step 2: Access Prowler Cloud or Prowler App
1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
2. Go to "Configuration" > "Cloud Providers"
![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
3. Click "Add Cloud Provider"
![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
4. Select "Amazon Web Services"
![Select AWS Provider](/images/providers/select-aws.png)
5. Enter your AWS Account ID and optionally provide a friendly alias
![Add account ID](/images/providers/add-account-id.png)
6. Choose the preferred authentication method (next step)
![Select auth method](/images/providers/select-auth-method.png)
### Step 3: Set Up AWS Authentication
Before proceeding, choose the preferred authentication mode:
**Credentials**
* Quick scan as current user
* No extra setup
* Credentials time out
**Assumed Role**
* Preferred Setup
* Permanent Credentials
* Requires access to create role
---
#### Assume Role (Recommended)
This method grants permanent access and is the recommended setup for production environments.
![Assume Role Overview](/images/providers/assume-role-overview.png)
For detailed instructions on how to create the role, see [Authentication > Assume Role](/user-guide/providers/aws/authentication#assume-role-recommended).
8. Once the role is created, go to the **IAM Console**, click on the "ProwlerScan" role to open its details:
![ProwlerScan role info](/images/providers/prowler-scan-pre-info.png)
9. Copy the **Role ARN**
![New Role Info](/images/providers/get-role-arn.png)
10. Paste the ARN into the corresponding field in Prowler Cloud or Prowler App
![Input the Role ARN](/images/providers/paste-role-arn-prowler.png)
11. Click "Next", then "Launch Scan"
![Next button in Prowler Cloud](/images/providers/next-button-prowler-cloud.png)
![Launch Scan](/images/providers/launch-scan-button-prowler-cloud.png)
---
#### Credentials (Static Access Keys)
AWS accounts can also be configured using static credentials (not recommended for long-term use):
![Connect via credentials](/images/providers/connect-via-credentials.png)
For detailed instructions on how to create the credentials, see [Authentication > Credentials](/user-guide/providers/aws/authentication#credentials).
1. Complete the form in Prowler Cloud or Prowler App and click "Next"
![Filled credentials page](/images/providers/prowler-cloud-credentials-next.png)
2. Click "Launch Scan"
![Launch Scan](/images/providers/launch-scan-button-prowler-cloud.png)
---
## Prowler CLI
### Configure AWS Credentials
To authenticate with AWS, use one of the following methods:
```console
aws configure
```
or
```console
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
```
These credentials must be associated with a user or role with the necessary permissions to perform security checks.
More details on Assume Role settings from the CLI in [Assume Role](/user-guide/providers/aws/role-assumption) page.
### AWS Profiles
To use a custom AWS profile, specify it with the following command:
```console
prowler aws -p/--profile <profile_name>
```
### Multi-Factor Authentication (MFA)
For IAM entities requiring Multi-Factor Authentication (MFA), use the `--mfa` flag. Prowler prompts for the following values to initiate a new session:
- **ARN of your MFA device**
- **TOTP (time-based one-time password)**