Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com> Co-authored-by: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>
4.0 KiB
Compliance
Prowler allows you to execute checks based on requirements defined in compliance frameworks. By default, it will execute and give you an overview of the status of each compliance framework:
You can find CSVs containing detailed compliance results in the compliance folder within Prowler's output folder.
Execute Prowler based on Compliance Frameworks
Prowler can analyze your environment based on a specific compliance framework and get more details, to do it, you can use option --compliance:
prowler <provider> --compliance <compliance_framework>
Standard results will be shown and additionally the framework information as the sample below for CIS AWS 2.0. For details a CSV file has been generated as well.
???+ note If Prowler can't find a resource related with a check from a compliance requirement, this requirement won't appear on the output
## List Available Compliance Frameworks
In order to see which compliance frameworks are covered by Prowler, you can use option --list-compliance:
prowler <provider> --list-compliance
AWS (36 frameworks)
aws_account_security_onboarding_awsaws_audit_manager_control_tower_guardrails_awsaws_foundational_security_best_practices_awsaws_foundational_technical_review_awsaws_well_architected_framework_reliability_pillar_awsaws_well_architected_framework_security_pillar_awscis_1.4_awscis_1.5_awscis_2.0_awscis_3.0_awscis_4.0_awscis_5.0_awscisa_awsens_rd2022_awsfedramp_low_revision_4_awsfedramp_moderate_revision_4_awsffiec_awsgdpr_awsgxp_21_cfr_part_11_awsgxp_eu_annex_11_awshipaa_awsiso27001_2013_awsiso27001_2022_awskisa_isms_p_2023_awskisa_isms_p_2023_korean_awsmitre_attack_awsnis2_awsnist_800_171_revision_2_awsnist_800_53_revision_4_awsnist_800_53_revision_5_awsnist_csf_1.1_awspci_3.2.1_awspci_4.0_awsprowler_threatscore_awsrbi_cyber_security_framework_awssoc2_aws
Azure (10 frameworks)
cis_2.0_azurecis_2.1_azurecis_3.0_azureens_rd2022_azureiso27001_2022_azuremitre_attack_azurenis2_azurepci_4.0_azureprowler_threatscore_azuresoc2_azure
GCP (10 frameworks)
cis_2.0_gcpcis_3.0_gcpcis_4.0_gcpens_rd2022_gcpiso27001_2022_gcpmitre_attack_gcpnis2_gcppci_4.0_gcpprowler_threatscore_gcpsoc2_gcp
Kubernetes (5 frameworks)
cis_1.10_kubernetescis_1.11_kubernetescis_1.8_kubernetesiso27001_2022_kubernetespci_4.0_kubernetes
M365 (3 frameworks)
cis_4.0_m365iso27001_2022_m365prowler_threatscore_m365
GitHub (1 framework)
cis_1.0_github
## List Requirements of Compliance Frameworks
For each compliance framework, you can use the --list-compliance-requirements option to list its requirements:
prowler <provider> --list-compliance-requirements <compliance_framework(s)>
Example for the first requirements of CIS 1.5 for AWS:
Listing CIS 1.5 AWS Compliance Requirements:
Requirement Id: 1.1
- Description: Maintain current contact details
- Checks:
account_maintain_current_contact_details
Requirement Id: 1.2
- Description: Ensure security contact information is registered
- Checks:
account_security_contact_information_is_registered
Requirement Id: 1.3
- Description: Ensure security questions are registered in the AWS account
- Checks:
account_security_questions_are_registered_in_the_aws_account
Requirement Id: 1.4
- Description: Ensure no 'root' user account access key exists
- Checks:
iam_no_root_access_key
Requirement Id: 1.5
- Description: Ensure MFA is enabled for the 'root' user account
- Checks:
iam_root_mfa_enabled
[redacted]
Create and contribute adding other Security Frameworks
This information is part of the Developer Guide and can be found here.