prowler/docs/user-guide/providers/aws/getting-started-aws.mdx
Pablo Fernandez Guerra (PFE) d23c2f3b53 refactor(ui): standardize "Providers" wording across UI and docs (#10971)
Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 14:39:54 +02:00


---
title: 'Getting Started With AWS on Prowler'
---
## Prowler Cloud
<iframe width="560" height="380" src="https://www.youtube-nocookie.com/embed/RPgIWOCERzY" title="Prowler Cloud Onboarding AWS" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="1"></iframe>
> Walkthrough video onboarding an AWS Account using Assumed Role.
### Step 1: Get Your AWS Account ID
1. Log in to the [AWS Console](https://console.aws.amazon.com)
2. Locate your AWS account ID in the top-right dropdown menu
![Account ID detail](/images/providers/aws-account-id.png)
### Step 2: Access Prowler Cloud
1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
2. Go to "Configuration" > "Providers"
![Providers Page](/images/prowler-app/cloud-providers-page.png)
3. Click "Add Provider"
![Add a Provider](/images/prowler-app/add-cloud-provider.png)
4. Select "Amazon Web Services"
![Select AWS Provider](/images/providers/select-aws.png)
5. Enter your AWS Account ID and optionally provide a friendly alias
![Add account ID](/images/providers/add-account-id.png)
6. Choose the preferred authentication method (next step)
![Select auth method](./img/select-auth-method.png)
### Step 3: Set Up AWS Authentication
Before proceeding, choose the preferred authentication mode:
**Credentials**
* Quick scan using an IAM user's access keys
* No extra setup in AWS
* Static keys can be rotated or revoked at any time
**Assumed Role**
* Recommended for production
* With AWS SDK Default as the credential source, no long-lived keys are stored in Prowler (Access & Secret Key still requires pasted keys)
* Requires permission to create an IAM role in the target account
---
#### Assume Role (Recommended)
This method grants permanent access and is the recommended setup for production environments.
![Assume Role Overview](/images/providers/assume-role-overview.png)
For detailed instructions on how to create the role, see [Authentication > Assume Role](/user-guide/providers/aws/authentication#assume-role-recommended).
7. Once the role is created, go to the **IAM Console**, click on the "ProwlerScan" role to open its details:
![ProwlerScan role info](/images/providers/prowler-scan-pre-info.png)
8. Copy the **Role ARN**
![New Role Info](/images/providers/get-role-arn.png)
9. Paste the ARN into the corresponding field in Prowler Cloud or Prowler App
![Input the Role ARN](/images/providers/paste-role-arn-prowler.png)
10. Select the credential source Prowler should use to call `sts:AssumeRole`. The option label differs between deployments but both map to the same `aws-sdk-default` credential type:
- **"Prowler Cloud will assume your IAM role"** (default in Prowler Cloud) / **"AWS SDK Default"** (in self-hosted Prowler App): Prowler uses the credentials available in the API and worker environment through the [AWS SDK default credential chain](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html). In self-hosted Prowler App, these containers have no AWS credentials by default — see [Configuring AWS SDK Default for Self-Hosted Prowler App](/user-guide/providers/aws/authentication#configuring-aws-sdk-default-for-self-hosted-prowler-app) before choosing this option, or the connection test will fail with `InvalidClientTokenId`.
- **Access & Secret Key**: Paste an IAM user's `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` (and optional `AWS_SESSION_TOKEN`) into the form. The IAM principal must be allowed to assume the target role and must match the `IAMPrincipal` parameter of the scan role template (default: `role/prowler*`).
11. Click "Next", then "Launch Scan"
![Next button in Prowler Cloud](/images/providers/next-button-prowler-cloud.png)
![Launch Scan](/images/providers/launch-scan-button-prowler-cloud.png)
<Note>
Check if your AWS Security Token Service (STS) has the EU (Ireland) endpoint active. If not, we will not be able to connect to your AWS account.
If that is the case, your STS configuration may look like this:
<img src="/images/sts-configuration.png" alt="AWS Role" width="800" />
To solve this issue, please activate the EU (Ireland) STS endpoint.
</Note>
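
The requirement in step 10 that the calling principal match `IAMPrincipal` can be checked before running the connection test. The following is an added example, not code from Prowler: it assumes the scan role's trust policy applies `IAMPrincipal` as a `StringLike` condition on `aws:PrincipalArn`, and the function names, account IDs and principal names are hypothetical.

```python
import re

# Default value of the scan role template's IAMPrincipal parameter (step 10).
DEFAULT_IAM_PRINCIPAL = "role/prowler*"


def to_principal_arn(caller_arn: str) -> str:
    """Map the Arn from `aws sts get-caller-identity` to an IAM principal ARN.

    An assumed-role session is reported as
    arn:<partition>:sts::<account>:assumed-role/<role>/<session>, while
    aws:PrincipalArn carries the role itself. The session ARN omits any role
    path, so a role created under a path cannot be reconstructed here.
    """
    parts = caller_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {caller_arn!r}")
    partition, service, account, resource = parts[1], parts[2], parts[4], parts[5]
    if service == "sts" and resource.startswith("assumed-role/"):
        segments = resource.split("/")
        if len(segments) != 3:
            raise ValueError(f"unexpected session ARN: {caller_arn!r}")
        return f"arn:{partition}:iam::{account}:role/{segments[1]}"
    return caller_arn


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, `*` is any run, `?` is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def matches_iam_principal(caller_arn: str, trusted_account: str,
                          iam_principal: str = DEFAULT_IAM_PRINCIPAL,
                          partition: str = "aws") -> bool:
    """True if the caller would satisfy the assumed StringLike condition."""
    # Assumption: the trust policy compares aws:PrincipalArn against this value.
    pattern = f"arn:{partition}:iam::{trusted_account}:{iam_principal}"
    return string_like(pattern, to_principal_arn(caller_arn))


if __name__ == "__main__":
    # Constructed sample identities; the account ID is a placeholder.
    for arn in ("arn:aws:sts::111122223333:assumed-role/prowler-worker/scan-1",
                "arn:aws:iam::111122223333:user/prowler-ci"):
        print(arn, "->", matches_iam_principal(arn, "111122223333"))
```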
---
#### Credentials (Static Access Keys)
AWS accounts can also be configured using static credentials (not recommended for long-term use):
![Connect via credentials](/images/providers/connect-via-credentials.png)
For detailed instructions on how to create the credentials, see [Authentication > Credentials](/user-guide/providers/aws/authentication#credentials).
1. Complete the form in Prowler Cloud or Prowler App and click "Next"
![Filled credentials page](/images/providers/prowler-cloud-credentials-next.png)
2. Click "Launch Scan"
![Launch Scan](/images/providers/launch-scan-button-prowler-cloud.png)
---
## Prowler CLI
### Configure AWS Credentials
To authenticate with AWS, use one of the following methods:
```console
aws configure
```
or
```console
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
```
These credentials must be associated with a user or role with the necessary permissions to perform security checks.
For more details on Assume Role settings from the CLI, see the [Assume Role](/user-guide/providers/aws/role-assumption) page.
### AWS Profiles
To use a custom AWS profile, specify it with the following command:
```console
prowler aws -p/--profile <profile_name>
```
### Multi-Factor Authentication (MFA)
For IAM entities requiring Multi-Factor Authentication (MFA), use the `--mfa` flag. Prowler prompts for the following values to initiate a new session:
- **ARN of your MFA device**
- **TOTP (time-based one-time password)**