Post

Automating Prowler for Compliance Checking in AWS

Automating Prowler for Compliance Checking in AWS

Whether you are looking to improve your AWS security posture or checking compliance against cybersecurity frameworks, Prowler is an amazing open source tool developed by Toni de la Fuente. Toni has created a tool to check over 200 security controls in AWS ranging from ensuring S3 buckers are not publicly accessible to encryption everywhere.

Toni’s Github portal provides extensive documentation on how to use the tool, but I wanted to share a CloudFormation template that I created to automate the deployment in AWS to run compliance checks and then decommission the stack and remove all resources.

Launching EC2 Instance for Prowler

First, we will want launch an EC2 instance and run a bash script to download the necessary software, install, and configure Prowler.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
  ProwlerInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
      KeyName: !Ref KeyName
      IamInstanceProfile: !Ref ProwlerInstanceProfile
      Tags:
        -
          Key: Name
          Value: Prowler
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 8
            Encrypted: true
# Run bash to install and configure Prowler
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash -xe
            sudo yum update -y
            sudo yum remove -y awscli
            cd /home/ec2-user
            curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/home/ec2-user/awscliv2.zip"
            unzip /home/ec2-user/awscliv2.zip
            sudo /home/ec2-user/aws/install
            sudo yum install -y python3 jq git
            sudo pip3 install detect-secrets==1.0.3
            git clone https://github.com/prowler-cloud/prowler /home/ec2-user/prowler
            chown -R ec2-user:ec2-user /home/ec2-user/prowler

Create an instance profile

Create an instance profile tied to a role with necessary permissions to run the audit.

1
2
3
4
5
6
7
  ProwlerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: prowler-ec2-instance-profile
      Path: /
      Roles:
       - !Ref ProwlerEc2InstanceRole

Provide access to run Prowler

Next we will want to generate a role that has view-only and security audit permission that is required by Prowler to run compliance checks.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
  ProwlerEc2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: prowler-ec2-instance-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      Path: /

Security Group

We’ll want to create a security group to only allow SSH access into the EC2 instance.

1
2
3
4
5
6
7
8
9
10
11
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow ssh from specific host
        GroupName: ProwlerSecurityGroup
        VpcId: !Ref VpcId
        SecurityGroupIngress:
          - IpProtocol: 'tcp'
            FromPort: '22'
            ToPort: '22'
            CidrIp: !Ref CidrIp

Parameters

Lastly, to improve automation, we will pass parameters into the CloudFormation template. If you launch the template via the console, some of these settings will be selected via a dropdown. For launching via the command-line interface, pass the parameters through a JSON file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
ImageId : Default is AWS Linux 2 ami-0e1d30f2c40c4c701
InstanceType : Default is t3.micro
VpcId : VPC to launch EC2 instance into
SubnetId : Subnet for EC2 instance
KeyName : Keypair to use
CidrIp : CIDR range for SSH x.x.x.x/x

Parameters:
  ImageId:
    Type: String
    Description: AMI - Linux 2
    Default: 'ami-0e1d30f2c40c4c701'
  InstanceType:
    Type: String
    Description: Instance type to be used - t3.micro default
    Default: t3.micro
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC to be used
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet to be used
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Keyname
  CidrIp:
    Type: String
    Description: CidrIp to be used to connect from x.x.x.x/x
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: "Network Configuration"
        Parameters:
          - ImageId
          - InstanceType
          - VpcId
          - SubnetId
          - KeyName
          - CidrIp

Final YAML Script

After putting all this together. The final YAML scripts looks like the following. The code is also available at Github.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EC2 instanace with Prowler pre-configured and tied to roles to run"
# Template Parameters
# ImageId : Default is AWS Linux 2 ami-0e1d30f2c40c4c701
# InstanceType : Default is t3.micro
# VpcId : VPC to launch in
# SubnetId : Subnet to connect
# KeyName : Keypair to use
# CidrIp : CIDR range for SSH x.x.x.x/x
Resources:
# Create Prowler Instance - Parameters for ImageId, InstanceType, SubnetId, SecurityGroupIds, and KeyName
  ProwlerInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
      KeyName: !Ref KeyName
      IamInstanceProfile: !Ref ProwlerInstanceProfile
      Tags:
        -
          Key: Name
          Value: Prowler
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 8
            Encrypted: true
# Run bash to install and configure Prowler
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash -xe
            sudo yum update -y
            sudo yum remove -y awscli
            cd /home/ec2-user
            curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/home/ec2-user/awscliv2.zip"
            unzip /home/ec2-user/awscliv2.zip
            sudo /home/ec2-user/aws/install
            sudo yum install -y python3 jq git
            sudo pip3 install detect-secrets==1.0.3
            git clone https://github.com/prowler-cloud/prowler /home/ec2-user/prowler
            chown -R ec2-user:ec2-user /home/ec2-user/prowler
  ProwlerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: prowler-ec2-instance-profile
      Path: /
      Roles:
       - !Ref ProwlerEc2InstanceRole
# Create Security Group
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow ssh from specific host
        GroupName: ProwlerSecurityGroup
        VpcId: !Ref VpcId
        SecurityGroupIngress:
          - IpProtocol: 'tcp'
            FromPort: '22'
            ToPort: '22'
            CidrIp: !Ref CidrIp
# Create EC2 Instance Role to run security checks and attach to instance
  ProwlerEc2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: prowler-ec2-instance-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      Path: /
# Parameters for cloudformation template with some defaults
Parameters:
  ImageId:
    Type: String
    Description: AMI - Linux 2
    Default: 'ami-0e1d30f2c40c4c701'
  InstanceType:
    Type: String
    Description: Instance type to be used - t3.micro default
    Default: t3.micro
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC to be used
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet to be used
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Keyname
  CidrIp:
    Type: String
    Description: CidrIp to be used to connect from x.x.x.x/x
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: "Network Configuration"
        Parameters:
          - ImageId
          - InstanceType
          - VpcId
          - SubnetId
          - KeyName
          - CidrIp
Conditions: {}

Running Prowler

After launching the CloudFormation template, simply sign into the EC2 instance and change into the /home/ec2-user/prowler directory.

To start, I recommend running Prowler with the HTML output file option. This provides a dynamic HTML file that you can review all the findings.

./prowler -M html You can run direct output to multiple formats at once such as csv and json

./prowler -M csv,json,html Decommissioning the resources

After you run Prowler, copy the output files to another system or S3 for review and record keeping. Go back into CloudFormation and delete the stack to remove all the resources that were generated.

Next steps

Prowler is also supported by AWS Security Hub, so you can send your findings directly to Security Hub. There’s also a workshop available to build security dashboards in Quicksight from Prowler data. Details for this integration can be found at Building Prowler into a QuickSight powered AWS Security Dashboard.

This post is licensed under CC BY 4.0 by the author.