Skip to main content

Documentation Index

Fetch the complete documentation index at: https://prowler-prowler-1359-docs-improve-developer-documentation-f.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed, AuthN, AuthZ, and more).

Detect Secrets

Prowler uses detect-secrets library to search for any secrets that are stores in plaintext within your environment. The actual checks that have this functionality are the following:
  • autoscaling_find_secrets_ec2_launch_configuration
  • awslambda_function_no_secrets_in_code
  • awslambda_function_no_secrets_in_variables
  • cloudformation_stack_outputs_find_secrets
  • ec2_instance_secrets_user_data
  • ec2_launch_template_no_secrets
  • ecs_task_definitions_no_environment_secrets
  • ssm_document_secrets
To execute detect-secrets related checks, you can run the following command: 
prowler <provider> --categories secrets

Internet Exposed Resources

Several checks analyse resources that are exposed to the Internet, these are:
  1. apigateway_restapi_public
  • appstream_fleet_default_internet_access_disabled
  • awslambda_function_not_publicly_accessible
  • ec2_ami_public
  • ec2_ebs_public_snapshot
  • ec2_instance_internet_facing_with_instance_profile
  • ec2_instance_port_X_exposed_to_internet (where X is the port number)
  • ec2_instance_public_ip
  • ec2_networkacl_allow_ingress_any_port
  • ec2_securitygroup_allow_wide_open_public_ipv4
  • ec2_securitygroup_allow_ingress_from_internet_to_any_port
  • ecr_repositories_not_publicly_accessible
  • eks_control_plane_endpoint_access_restricted
  • eks_endpoints_not_publicly_accessible
  • eks_control_plane_endpoint_access_restricted
  • eks_endpoints_not_publicly_accessible
  • elbv2_internet_facing
  • kms_key_not_publicly_accessible
  • opensearch_service_domains_not_publicly_accessible
  • rds_instance_no_public_access
  • rds_snapshots_public_access
  • s3_bucket_policy_public_write_access
  • s3_bucket_public_access
  • sagemaker_notebook_instance_without_direct_internet_access_configured
  • sns_topics_not_publicly_accessible
  • sqs_queues_not_publicly_accessible
  • network_public_ip_shodan
To execute Internet-exposed related checks, you can run the following command: 
prowler <provider> --categories internet-exposed

Shodan

Prowler can check whether any public IPs in cloud environments are exposed in Shodan using the -N/--shodan option. Set the SHODAN_API_KEY environment variable to avoid exposing the API key in process listings and shell history: 
export SHODAN_API_KEY=<shodan_api_key>
Then run Prowler with the --shodan flag (no value needed): 
prowler aws --shodan -c ec2_elastic_ip_shodan

prowler azure --shodan -c network_public_ip_shodan

prowler gcp --shodan -c compute_public_address_shodan

Using the CLI Flag

Alternatively, pass the API key directly on the command line: 
prowler aws --shodan <shodan_api_key> -c ec2_elastic_ip_shodan
Passing secret values directly on the command line exposes them in process listings and shell history. Prowler CLI displays a warning when this pattern is detected. Use the SHODAN_API_KEY environment variable instead.