Files
prowler/docs/user-guide/providers/aws/authentication.mdx
2025-11-27 09:57:05 -05:00

125 lines
4.2 KiB
Plaintext

---
title: 'AWS Authentication in Prowler'
---
Prowler requires AWS credentials to function properly. Authentication is available through the following methods:
- Static Credentials
- Assumed Role
## Required Permissions
To ensure full functionality, attach the following AWS managed policies to the designated user or role:
- `arn:aws:iam::aws:policy/SecurityAudit`
- `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
### Additional Permissions
For certain checks, additional read-only permissions are required. Attach the following custom policy to your role: [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json)
## Assume Role (Recommended)
This method grants permanent access and is the recommended setup for production environments.
<Tabs>
<Tab title="CloudFormation">
1. Download the [Prowler Scan Role Template](https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/permissions/templates/cloudformation/prowler-scan-role.yml)
![Prowler Scan Role Template](/images/providers/prowler-scan-role-template.png)
![Download Role Template](/images/providers/download-role-template.png)
2. Open the [AWS Console](https://console.aws.amazon.com), search for **CloudFormation**
![CloudFormation Search](/images/providers/cloudformation-nav.png)
3. Go to **Stacks** and click "Create stack" > "With new resources (standard)"
![Create Stack](/images/providers/create-stack.png)
4. In **Specify Template**, choose "Upload a template file" and select the downloaded file
![Upload a template file](/images/providers/upload-template-file.png)
![Upload file from downloads](/images/providers/upload-template-from-downloads.png)
5. Click "Next", provide a stack name and the **External ID** shown in the Prowler Cloud setup screen
![External ID](/images/providers/prowler-cloud-external-id.png)
![Stack Data](/images/providers/fill-stack-data.png)
<Info>
An **External ID** is required when assuming the *ProwlerScan* role to prevent the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).
</Info>
6. Acknowledge the IAM resource creation warning and proceed
![Stack Creation Second Step](/images/providers/stack-creation-second-step.png)
7. Click "Submit" to deploy the stack
![Click on submit](/images/providers/submit-third-page.png)
</Tab>
<Tab title="Terraform">
To provision the scan role using Terraform:
1. Run the following commands:
```bash
terraform init
terraform plan
terraform apply
```
</Tab>
</Tabs>
---
## Credentials
<Tabs>
<Tab title="Long term credentials">
1. Go to the [AWS Console](https://console.aws.amazon.com), open **CloudShell**
![AWS CloudShell](/images/providers/aws-cloudshell.png)
2. Run:
```bash
aws iam create-access-key
```
</Tab>
<Tab title="Short term credentials (Recommended)">
Use the [AWS Access Portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html) or the CLI:
1. Retrieve short-term credentials for the IAM identity using this command:
```bash
aws sts get-session-token --duration-seconds 900
```
<Note>
Check the aws documentation [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/sts_example_sts_GetSessionToken_section.html)
</Note>
2. Copy the output containing:
- `AccessKeyId`
- `SecretAccessKey`
- `SessionToken`
> Sample output:
```json
{
"Credentials": {
"AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
"Expiration": "2020-05-19T18:06:10+00:00"
}
}
```
</Tab>
</Tabs>