Toni de la Fuente ae2fa29fe5 Updated README
2016-09-13 16:23:23 -04:00

Prowler: AWS CIS Benchmark Tool

Description

Tool based on AWS-CLI commands for AWS account hardening, following the guidelines of the CIS Amazon Web Services Foundations Benchmark (https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf).

It covers hardening and security best practices for all regions related to:

  • Identity and Access Management (15 checks)
  • Logging (8 checks)
  • Monitoring (16 checks)
  • Networking (4 checks)

For a comprehensive list of checks and their remediation, see the guide linked above.

Requirements

This script has been written in bash using AWS-CLI and works on Linux and OSX.

  • Make sure AWS-CLI is installed on your workstation (Python pip is required):
pip install awscli

Or install it using "brew", "apt", "yum" or manually from https://aws.amazon.com/cli/

  • Clone the repository from your workstation:
git clone https://github.com/Alfresco/aws-cis-security-benchmark
cd aws-cis-security-benchmark
  • Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
aws configure
  • Make sure your Secret and Access Keys belong to a user with sufficient permissions to run all checks. The simplest way is to attach the SecurityAudit managed policy to that user. The policy ARN is
arn:aws:iam::aws:policy/SecurityAudit

How to create a report

1 - Run prowler without options (it will use your default credentials and run checks over all regions when needed):

./prowler

2 - For a custom AWS-CLI profile and region use (it will use your custom profile and run checks over all regions when needed):

./prowler -p custom-profile -r us-east-1

3 - For a single check use option -c:

./prowler -c check310

or, for a custom profile and region:

./prowler -p custom-profile -r us-east-1 -c check11

Valid check numbers follow the numbering of the AWS CIS Benchmark guide: check 1.1 is check11 and check 3.10 is check310.

4 - If you want to save your report for later analysis:

./prowler > prowler-report.txt

5 - For help use:

./prowler -h

USAGE:
      prowler -p <profile> -r <region> [ -v ] [ -h ]
  Options:
      -p <profile>  specify your AWS profile to use (i.e.: default)
      -r <region>   specify a desired AWS region to use (i.e.: us-east-1)
      -c <checknum> specify a check number from the AWS CIS benchmark (i.e.: check11 for check 1.1)
      -h            this help
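As an added example (not part of the Prowler README or its code), the POSIX shell wrapper below maps CIS section numbers such as 3.10 to the check ids expected by -c, runs each requested check with the -p and -r options shown above, saves one report file per check, and stops as soon as the ExpiredToken error from the Troubleshooting section appears in a report. PROWLER_BIN, cis_to_check, needs_reauth and run_checks are names introduced here; the check counts per section come from the list above.

```shell
# Added example, not part of the Prowler README: runs selected CIS checks
# one at a time and saves each report to its own file.
PROWLER_BIN="${PROWLER_BIN:-./prowler}"   # assumed path to the prowler script

# Map a CIS section number (e.g. "3.10") to Prowler's check id ("check310"),
# validating the section and the item against the four benchmark areas.
cis_to_check() {
  case "$1" in *.*) ;; *) return 1 ;; esac   # require "section.item"
  section="${1%%.*}"
  item="${1#*.}"
  case "$section" in
    1) max=15 ;;   # Identity and Access Management
    2) max=8  ;;   # Logging
    3) max=16 ;;   # Monitoring
    4) max=4  ;;   # Networking
    *) return 1 ;;
  esac
  case "$item" in ''|0*|*[!0-9]*) return 1 ;; esac   # digits only, no leading zero
  [ "$item" -ge 1 ] && [ "$item" -le "$max" ] || return 1
  printf 'check%s%s\n' "$section" "$item"
}

# Detect the expired-STS-token error in a saved report;
# returns 0 when the operator needs to authenticate again.
needs_reauth() {
  grep -q 'ExpiredToken' "$1"
}

# Run each requested check with the given profile and region, one report
# per check. Arguments: profile, region, then one or more CIS numbers.
run_checks() {
  profile="$1"; region="$2"; shift 2
  for num in "$@"; do
    id="$(cis_to_check "$num")" || { echo "invalid CIS check: $num" >&2; continue; }
    out="prowler-${id}.txt"
    "$PROWLER_BIN" -p "$profile" -r "$region" -c "$id" > "$out" 2>&1
    if needs_reauth "$out"; then
      echo "session expired; renew your STS token and re-run" >&2
      return 1
    fi
    echo "$num -> $out"
  done
}

# Example invocation (requires a configured AWS-CLI and the prowler script):
# run_checks default us-east-1 1.1 3.10 4.1
```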

How to fix all warnings:

Check your report and fix the issues following all specific guidelines per check in https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

Troubleshooting

If you are using an STS token with AWS-CLI and your session has expired, you will probably get this error:

 A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired

To fix it, please renew your token by authenticating again to the AWS API.
