ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a1232446c1308daa65ef294a90b869adbba1ccc7
prowler/docs/tutorials/aws/getting-started-aws.md
Andoni Alonso a1232446c1 docs: refactor several sections (#8570)
2025-08-26 09:55:18 +02:00

6.7 KiB
Raw Blame History

Getting Started with AWS on Prowler Cloud/App

Set up your AWS account to enable security scanning using Prowler Cloud/App.

Requirements

To configure your AWS account, youll need:

  1. Access to Prowler Cloud/App
  2. Properly configured AWS credentials (either static or via an assumed IAM role)

Step 1: Get Your AWS Account ID

  1. Log in to the AWS Console
  2. Locate your AWS account ID in the top-right dropdown menu

Account ID detail

Step 2: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App

  2. Go to Configuration > Cloud Providers

    Cloud Providers Page

  3. Click Add Cloud Provider

    Add a Cloud Provider

  4. Select Amazon Web Services

    Select AWS Provider

  5. Enter your AWS Account ID and optionally provide a friendly alias

    Add account ID

  6. Choose your preferred authentication method (next step)

    Select auth method

Step 3: Set Up AWS Authentication

Before proceeding, choose your preferred authentication mode:

Credentials

  • Quick scan as current user
  • No extra setup
  • Credentials time out

Assumed Role

  • Preferred Setup
  • Permanent Credentials
  • Requires access to create role

🔐 Assume Role (Recommended)

Assume Role Overview

This method grants permanent access and is the recommended setup for production environments.

=== "CloudFormation"

1. Download the [Prowler Scan Role Template](https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/permissions/templates/cloudformation/prowler-scan-role.yml)

    ![Prowler Scan Role Template](./img/prowler-scan-role-template.png)

    ![Download Role Template](./img/download-role-template.png)

2. Open the [AWS Console](https://console.aws.amazon.com), search for **CloudFormation**

    ![CloudFormation Search](./img/cloudformation-nav.png)

3. Go to **Stacks** and click `Create stack` > `With new resources (standard)`

    ![Create Stack](./img/create-stack.png)

4. In **Specify Template**, choose `Upload a template file` and select the downloaded file

    ![Upload a template file](./img/upload-template-file.png)
    ![Upload file from downloads](./img/upload-template-from-downloads.png)

5. Click `Next`, provide a stack name and the **External ID** shown in the Prowler Cloud setup screen

    ![External ID](./img/prowler-cloud-external-id.png)
    ![Stack Data](./img/fill-stack-data.png)

    !!! info
        An **External ID** is required when assuming the *ProwlerScan* role to comply with AWS [confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).

6. Acknowledge the IAM resource creation warning and proceed

    ![Stack Creation Second Step](./img/stack-creation-second-step.png)

7. Click `Submit` to deploy the stack

    ![Click on submit](./img/submit-third-page.png)

=== "Terraform"

To provision the scan role using Terraform:

1. Run the following commands:

    ```bash
    terraform init
    terraform plan
    terraform apply
    ```

2. During `plan` and `apply`, you will be prompted for the **External ID**, which is available in the Prowler Cloud/App UI:

    ![Get External ID](./img/get-external-id-prowler-cloud.png)

> 💡 Note: Terraform will use the AWS credentials of your default profile.

Finish Setup with Assume Role

  1. Once the role is created, go to the IAM Console, click on the ProwlerScan role to open its details:

    ProwlerScan role info

  2. Copy the Role ARN

    New Role Info

  3. Paste the ARN into the corresponding field in Prowler Cloud/App

    Input the Role ARN

  4. Click Next, then Launch Scan

    Next button in Prowler Cloud Launch Scan

🔑 Credentials (Static Access Keys)

You can also configure your AWS account using static credentials (not recommended for long-term use):

Connect via credentials

=== "Long term credentials"

1. Go to the [AWS Console](https://console.aws.amazon.com), open **CloudShell**

    ![AWS CloudShell](./img/aws-cloudshell.png)

2. Run:

    ```bash
    aws iam create-access-key
    ```

3. Copy the output containing:

    - `AccessKeyId`
    - `SecretAccessKey`

    ![CloudShell Output](./img/cloudshell-output.png)

> ⚠️ Save these credentials securely and paste them into the Prowler Cloud/App setup screen.

=== "Short term credentials (Recommended)"

You can use your [AWS Access Portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html) or the CLI:

1. Retrieve short-term credentials for the IAM identity using this command:

    ```bash
    aws sts get-session-token --duration-seconds 900
    ```

    ???+ note
        Check the aws documentation [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/sts_example_sts_GetSessionToken_section.html)

2. Copy the output containing:

    - `AccessKeyId`
    - `SecretAccessKey`

    > Sample output:
        ```json
        {
            "Credentials": {
                "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
                "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
                "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
                "Expiration": "2020-05-19T18:06:10+00:00"
            }
        }
        ```

> ⚠️ Save these credentials securely and paste them into the Prowler Cloud/App setup screen.

Complete the form in Prowler Cloud/App and click Next

Filled credentials page

Click Launch Scan

Launch Scan

Reference in New Issue View Git Blame Copy Permalink