Skip to main content

Documentation Index

Fetch the complete documentation index at: https://prowler-prowler-1359-docs-improve-developer-documentation-f.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Prowler Cloud

Walkthrough video onboarding an AWS Account using Assumed Role.

Step 1: Get Your AWS Account ID

  1. Log in to the AWS Console
  2. Locate your AWS account ID in the top-right dropdown menu
Account ID detail

Step 2: Access Prowler Cloud

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Cloud Providers” Cloud Providers Page
  3. Click “Add Cloud Provider” Add a Cloud Provider
  4. Select “Amazon Web Services” Select AWS Provider
  5. Enter your AWS Account ID and optionally provide a friendly alias Add account ID
  6. Choose the preferred authentication method (next step) Select auth method

Step 3: Set Up AWS Authentication

Before proceeding, choose the preferred authentication mode: Credentials
  • Quick scan using an IAM user’s access keys
  • No extra setup in AWS
  • Static keys can be rotated or revoked at any time
Assumed Role
  • Recommended for production
  • With AWS SDK Default as the credential source, no long-lived keys are stored in Prowler (Access & Secret Key still requires pasted keys)
  • Requires permission to create an IAM role in the target account
This method grants permanent access and is the recommended setup for production environments. Assume Role Overview For detailed instructions on how to create the role, see Authentication > Assume Role.
  1. Once the role is created, go to the IAM Console, click on the “ProwlerScan” role to open its details: ProwlerScan role info
  2. Copy the Role ARN New Role Info
  3. Paste the ARN into the corresponding field in Prowler Cloud or Prowler App Input the Role ARN
  4. Select the credential source Prowler should use to call sts:AssumeRole. The option label differs between deployments but both map to the same aws-sdk-default credential type:
    • “Prowler Cloud will assume your IAM role” (default in Prowler Cloud) / “AWS SDK Default” (in self-hosted Prowler App): Prowler uses the credentials available in the API and worker environment through the AWS SDK default credential chain. In self-hosted Prowler App, these containers have no AWS credentials by default — see Configuring AWS SDK Default for Self-Hosted Prowler App before choosing this option, or the connection test will fail with InvalidClientTokenId.
    • Access & Secret Key: Paste an IAM user’s AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and optional AWS_SESSION_TOKEN) into the form. The IAM principal must be allowed to assume the target role and must match the IAMPrincipal parameter of the scan role template (default: role/prowler*).
  5. Click “Next”, then “Launch Scan” Next button in Prowler Cloud Launch Scan
Check if your AWS Security Token Service (STS) has the EU (Ireland) endpoint active. If not, we will not be able to connect to your AWS account.If that is the case your STS configuration may look like this:AWS RoleTo solve this issue, please activate the EU (Ireland) STS endpoint.

Credentials (Static Access Keys)

AWS accounts can also be configured using static credentials (not recommended for long-term use): Connect via credentials For detailed instructions on how to create the credentials, see Authentication > Credentials.
  1. Complete the form in Prowler Cloud or Prowler App and click “Next” Filled credentials page
  2. Click “Launch Scan” Launch Scan

Prowler CLI

Configure AWS Credentials

To authenticate with AWS, use one of the following methods: 
aws configure
or 
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
These credentials must be associated with a user or role with the necessary permissions to perform security checks. More details on Assume Role settings from the CLI in Assume Role page.

AWS Profiles

To use a custom AWS profile, specify it with the following command: 
prowler aws -p/--profile <profile_name>

Multi-Factor Authentication (MFA)

For IAM entities requiring Multi-Factor Authentication (MFA), use the --mfa flag. Prowler prompts for the following values to initiate a new session:
  • ARN of your MFA device
  • TOTP (time-based one-time password)