StackZone Feature: Prowler
Available in StackZone v4.10.0
Ryan Ware
Last Update 2 years ago
What is Prowler?
Prowler is an open-source command-line tool that can be run securely from within your own AWS environment. Its purpose is AWS security assessment and auditing, and it can generate reports to help you visualise the results. Prowler is deployed within the StackZone Security account, and has the ability to audit all AWS Accounts in your AWS Organization.
Prowler is able to perform a variety of checks which cover security best practices related to a diverse number of guidelines and groups.
Activate Prowler with StackZone
Here in the StackZone User Interface we can activate Prowler and configure which Groups to use as a compliance set of checks for Prowler to perform against all AWS Accounts in your AWS Organization. For instance, if you're interested in knowing if your AWS Accounts are GDPR Compliant, choose the gdpr group. If you want to know if your AWS Accounts are in line with HIPAA Guidelines, choose the hipaa group.
The Groups that Prowler currently accepts when running reports across your AWS Organization are as follows:
- Identity and Access Management [group1]
- Logging [group2]
- Monitoring [group3]
- Networking [group4]
- CIS Level 1 [cislevel1]
- CIS Level 2 [cislevel2]
- Forensics related group of checks [forensics-ready]
- GDPR [gdpr]
- HIPAA [hipaa]
- Trust Boundaries [trustboundaries]
- Secrets [secrets]
- Internet exposed resources [internetexposed]
- EKS-CIS [eks-cis]
- PCI-DSS [pci]
- ISO-27001 [iso27001]
- FFIEC [ffiec]
- SOC2 [soc2]
- Esquema Nacional de Seguridad of Spain [ens]
- AWS FTR [FTR]
Prowler Reports
Prowler will run at the time you set in the Schedule box located in the StackZone console. Each run generates an HTML report, which is then uploaded and saved in your Prowler S3 Bucket located in your Security account.
They are all stored within the same S3 Bucket, so you can filter by datetime or AWS account number should you want to review any of these reports.
The example report above focuses on one particular AWS account in the AWS Organization. We can see from the summary at the top that we are 50% compliant with our chosen group, CIS Level 1.
We start by summarising the overall results, and in the html report page, you are able to browse all resources which were scanned by Prowler. This will be colour coded to represent whether the check was a Pass or a Fail. What is also useful is that the Prowler Report will be able to offer remediations for checks against your AWS resources.
This is very useful if you're looking to increase that Prowler score to be fully compliant against your chosen group!
Troubleshooting
Q: I cannot view my Reports from my S3 Bucket
The Prowler Report html files are all stored in the root directory of the Prowler Output S3 Bucket. If you click on a report output object within the bucket and cannot "Open" this object then you might be using a role with insufficient privileges.
Ensure that your current IAM User or Role has the correct access required to Amazon S3 in the Security Account and try again.
For more on Amazon S3 Bucket Permission Issues, click here.
Q: I don't see any data in my Report
If you have opened a Prowler Report html file from the Prowler Output Amazon S3 Bucket and it is empty, it is likely there was an issue with the CodeBuild which performs the Prowler scans.
Within the Security Account where Prowler is deployed, head to the CodeBuild Dashboard and look at Build / Build Projects.
Here you will see the deployed StackZone-ProwlerSecurityAssessments project. By drilling down into this project, you will be able to see more information about the build history and details. Each build in the history comes with its own set of logs, which will help explain why you have run into issues.
Some pitfalls may arise if you have Service Control Policies (SCPs) that block CodeBuild from functioning.
You will also need to check that the Role Prowler is trying to assume in your target accounts still exists and has not been modified from the original version deployed via StackZone to your AWS accounts.
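One way to check the SCP pitfall mentioned above is to scan the policy documents attached at one level of the Organization for statements that would block CodeBuild. This is an added example, not StackZone or Prowler code; the probe actions and the sample policies are constructed for illustration, and the policy JSON is assumed to have been exported beforehand (for instance with `aws organizations describe-policy`).

```python
import json
from fnmatch import fnmatchcase

# Assumed probe actions for this example. The build also calls other services
# (logs, S3, STS) that an SCP can block in the same way.
PROBE_ACTIONS = ("codebuild:StartBuild", "codebuild:BatchGetBuilds")

def _as_list(value):
    """Policy elements may be one string, one object, or a list of them."""
    return list(value) if isinstance(value, list) else [value]

def _covers(stmt, action):
    """True if the statement's Action/NotAction element applies to action."""
    negate = "NotAction" in stmt
    patterns = _as_list(stmt["NotAction"] if negate else stmt.get("Action", []))
    hit = any(fnmatchcase(action.lower(), str(p).lower()) for p in patterns)
    return hit != negate

def scp_findings(scp_documents, actions=PROBE_ACTIONS):
    """Return {action: reason} for each action blocked by the SCPs attached at
    ONE level (root, an OU, or the account). Condition and Resource are
    ignored, so a conditional Deny is a candidate to review, not proof."""
    statements = []
    for doc in scp_documents:
        statements += _as_list(json.loads(doc).get("Statement", []))
    findings = {}
    for action in actions:
        hits = [s for s in statements if _covers(s, action)]
        denies = [s.get("Sid", "<no Sid>") for s in hits if s.get("Effect") == "Deny"]
        if denies:
            findings[action] = "explicit Deny in: " + ", ".join(denies)
        elif not any(s.get("Effect") == "Allow" for s in hits):
            findings[action] = "no Allow at this level (implicit deny)"
    return findings

# Constructed sample SCPs, not taken from any real organization.
FULL_ACCESS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
DENY_BUILD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "DenyBuildTools", "Effect": "Deny",
    "Action": ["codebuild:*", "codepipeline:*"], "Resource": "*"}})
ALLOW_LIST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]})

if __name__ == "__main__":
    for label, docs in (("full access", [FULL_ACCESS]),
                        ("full access + deny", [FULL_ACCESS, DENY_BUILD]),
                        ("allow-list without CodeBuild", [ALLOW_LIST])):
        print(label, "->", scp_findings(docs) or "CodeBuild not blocked")
```

An action has to be allowed at every level between the Organization root and the Security account, so run the check once per level with the SCPs attached there.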
Q: I can't find my Prowler S3 Bucket
By default, the Prowler output S3 Bucket is created within your designated Security Account.
Within your Security Account S3 Dashboard, you will be able to see an S3 Bucket which has the following prefix: "stackzone-prowler-reports-"
The second part of this S3 Bucket Name is unique to ensure that there are no naming clashes.