
AWS Security

Security Solutions

  • Prowler, FOSS AWS security assessment tool (CIS AWS Foundations Benchmark checks plus Prowler's own "extra" checks)

Example of running only the group1 checks (CIS section 1, IAM) with the AWS CLI profile mg, directing API requests to us-east-1 and selecting CSV output (-M csv; Prowler writes the CSV report into its output/ directory as well as printing the results). Two things to keep in mind when reading the run: -r only sets the region API requests are sent to, so a regional check such as 1.19 still walks every enabled region unless you filter with -f <region>; and the trailing 7.74 [extra774] line is one of Prowler's "extra" checks that group1 includes (it is 1.3 with a 30-day threshold), which -e would exclude.

❯ ./prowler -p mg -g group1 -r us-east-1 -M csv
                          _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |
 | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.5.0-12August2021
 |_| the handy cloud security tool

 Date: Tue Oct 12 11:01:16 CDT 2021
 Generating AWS IAM Credential Report...
1.1 [check11] Avoid the use of the root account - iam [High]
       PASS! us-east-1: Root user in the account wasn't accessed in the last 1 days
1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - iam [High]
       FAIL! us-east-1: User admin2 has Password enabled but MFA disabled
1.3 [check13] Ensure credentials unused for 90 days or greater are disabled - iam [Medium]
       FAIL! us-east-1: User admin has not logged into the console in the past 90 days
       FAIL! us-east-1: User admin2 has never logged into the console since creation and their password not changed in the past 90 days
       FAIL! us-east-1: User admin has not used access key 1 in the past 90 days
       FAIL! us-east-1: User admin2 has never used access key 1 since creation and not rotated it in the past 90 days
       PASS! us-east-1: User admin has used access key 2 in the past 90 days
1.4 [check14] Ensure access keys are rotated every 90 days or less - iam [Medium]
       FAIL! us-east-1: admin has not rotated access key 1 in over 90 days
       FAIL! us-east-1: admin2 has not rotated access key 1 in over 90 days
       FAIL! us-east-1: admin has not rotated access key 2 in over 90 days
1.5 [check15] Ensure IAM password policy requires at least one uppercase letter - iam [Medium]
       PASS! us-east-1: Password Policy requires upper case
1.6 [check16] Ensure IAM password policy require at least one lowercase letter - iam [Medium]
       PASS! us-east-1: Password Policy requires lower case
1.7 [check17] Ensure IAM password policy require at least one symbol - iam [Medium]
       FAIL! us-east-1: Password Policy missing symbol requirement
1.8 [check18] Ensure IAM password policy require at least one number - iam [Medium]
       PASS! us-east-1: Password Policy requires number
1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater - iam [Medium]
       FAIL! us-east-1: Password Policy missing or weak length requirement
1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater - iam [Medium]
       FAIL! us-east-1: Password Policy has weak reuse requirement (lower than 24)
1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less - iam [Medium]
       FAIL! us-east-1: Password expiration is not set
1.12 [check112] Ensure no root account access key exists - iam [Critical]
       PASS! us-east-1: No access key 1 found for root
       PASS! us-east-1: No access key 2 found for root
1.13 [check113] Ensure MFA is enabled for the root account - iam [Critical]
       PASS! us-east-1: Virtual MFA is enabled for root
1.14 [check114] Ensure hardware MFA is enabled for the root account - iam [Critical]
       FAIL! us-east-1: Only Virtual MFA is enabled for root
1.15 [check115] Ensure security questions are registered in the AWS account - support [Medium]
       INFO! No command available for check 1.15. Login to the AWS Console as root & click on the Account Name -> My Account -> Configure Security Challenge Questions.
1.16 [check116] Ensure IAM policies are attached only to groups or roles - iam [Low]
       FAIL! us-east-1: admin has managed policy directly attached
       FAIL! us-east-1: admin2 has managed policy directly attached
1.17 [check117] Maintain current contact details - support [Medium]
       INFO! No command available for check 1.17. See section 1.17 on the CIS Benchmark guide for details.
1.18 [check118] Ensure security contact information is registered - support [Medium]
       INFO! No command available for check 1.18. See section 1.18 on the CIS Benchmark guide for details.
1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances - ec2 [Medium]
       INFO! eu-north-1: No EC2 instances found
       INFO! ap-south-1: No EC2 instances found
       INFO! eu-west-3: No EC2 instances found
       INFO! eu-west-2: No EC2 instances found
       INFO! eu-west-1: No EC2 instances found
       INFO! ap-northeast-3: No EC2 instances found
       INFO! ap-northeast-2: No EC2 instances found
       INFO! ap-northeast-1: No EC2 instances found
       INFO! sa-east-1: No EC2 instances found
       INFO! ca-central-1: No EC2 instances found
       INFO! ap-southeast-1: No EC2 instances found
       INFO! ap-southeast-2: No EC2 instances found
       INFO! eu-central-1: No EC2 instances found
       INFO! us-east-1: No EC2 instances found
       INFO! us-east-2: No EC2 instances found
       INFO! us-west-1: No EC2 instances found
       INFO! us-west-2: No EC2 instances found
1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support - iam [Medium]
       FAIL! us-east-1: Support Policy not applied to any Role
1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password - iam [Medium]
       FAIL! us-east-1: User admin2 has never used access key 1
       PASS! us-east-1: No users found with access key 2 never used
1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created - iam [Medium]
       PASS! us-east-1: No custom policy found that allow full "*:*" administrative privileges
7.74 [extra774] Ensure credentials unused for 30 days or greater are disabled - iam [Medium]
       FAIL! us-east-1: User admin has not logged into the console in the past 30 days
       FAIL! us-east-1: User admin2 has never logged into the console since creation and their password not changed in the past 30 days
       FAIL! us-east-1: User admin has not used access key 1 in the past 30 days
       FAIL! us-east-1: User admin2 has never used access key 1 since creation and not rotated it in the past 30 days
       PASS! us-east-1: User admin has used access key 2 in the past 30 days
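Most of the FAIL lines above (1.2, 1.3, 1.4, 1.12, 1.13, 1.21 and extra774) are derived from a single artifact, the IAM credential report that Prowler generates at the start of the run. The script below is an added example for this page, not Prowler's code: it re-implements those checks over the credential report CSV so the thresholds can be tuned (unused_days=30 gives the extra774 variant of 1.3). SAMPLE_REPORT is constructed data shaped like the admin/admin2 findings above, using the real column names but trimmed to the columns the checks read; the fixed NOW timestamp exists only to make the results reproducible.

```python
"""Re-implementation of the credential-report checks Prowler's group1 runs (1.2, 1.3, 1.4,
1.12, 1.13, 1.21 and extra774), over an inline sample report.

Added example for this page, not Prowler's code. The input format is the CSV that
`aws iam get-credential-report` returns (base64-decoded); SAMPLE_REPORT is constructed data
with the real column names, trimmed to the columns the checks use (a real report has more
columns, which csv.DictReader simply ignores).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a root row plus two users shaped like the admin/admin2 findings above.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2021-10-11T15:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
admin,arn:aws:iam::123456789012:user/admin,2019-06-01T00:00:00+00:00,true,2021-05-01T09:00:00+00:00,2021-05-01T09:00:00+00:00,true,true,2020-11-01T00:00:00+00:00,2021-05-01T10:00:00+00:00,true,2021-03-01T00:00:00+00:00,2021-09-01T08:00:00+00:00
admin2,arn:aws:iam::123456789012:user/admin2,2021-04-01T00:00:00+00:00,true,no_information,2021-04-01T00:00:00+00:00,false,true,2021-04-01T00:00:00+00:00,N/A,false,N/A,N/A
"""

# Fixed evaluation time so the results are reproducible; pass datetime.now(timezone.utc) for real use.
NOW = datetime(2021, 10, 12, 16, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """AWS fills dates it cannot report with N/A, no_information or not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale(ts, days, now):
    """True when the timestamp is unknown or more than `days` old."""
    return ts is None or now - ts > timedelta(days=days)


def evaluate(report_csv, now=NOW, unused_days=90, rotation_days=90):
    """Return (check_id, user, detail) tuples. unused_days=30 gives the extra774 variant of 1.3."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # 1.12: root must have no access keys at all; 1.13: root must have MFA.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append(("1.12", user, f"root has access key {n}"))
            if row["mfa_active"] != "true":
                findings.append(("1.13", user, "root has no MFA"))
            continue

        has_password = row["password_enabled"] == "true"
        if has_password:
            if row["mfa_active"] != "true":
                findings.append(("1.2", user, "console password enabled but MFA disabled"))
            last_login = parse_ts(row["password_last_used"])
            # A password that was never used is judged by its own age, as Prowler's 1.3 message says.
            reference = last_login if last_login is not None else parse_ts(row["password_last_changed"])
            if stale(reference, unused_days, now):
                findings.append(("1.3", user, f"console password unused for {unused_days}+ days"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # this re-implementation only scores active keys
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if has_password and last_used is None:
                # 1.21: a key created alongside a console password and never used
                findings.append(("1.21", user, f"access key {n} has never been used"))
            if stale(last_used if last_used is not None else rotated, unused_days, now):
                findings.append(("1.3", user, f"access key {n} unused for {unused_days}+ days"))
            if stale(rotated, rotation_days, now):
                findings.append(("1.4", user, f"access key {n} not rotated in {rotation_days}+ days"))
    return findings


if __name__ == "__main__":
    for check_id, user, detail in evaluate(SAMPLE_REPORT):
        print(f"FAIL {check_id}: {user}: {detail}")
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, then fetch and decode it with `aws iam get-credential-report --query Content --output text | base64 -d` and feed that text to evaluate() with now=datetime.now(timezone.utc). Note how the never-used cases are handled: a password or key with no last-used date is scored on the date it was last changed or rotated, which is why admin2's key created in April shows up under both 1.3 and 1.21 in the run above.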

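Checks 1.5 through 1.11 come from a different source, the account password policy. The following is an added example, not Prowler's code: it scores a GetAccountPasswordPolicy response against those seven requirements and shows the weak policy (constructed to reproduce the FAIL/PASS pattern of the run above) beside one that passes. The policy dicts and the check table are assumptions of this example; the field names are the ones the IAM API returns.

```python
"""Evaluate an IAM account password policy against CIS checks 1.5-1.11 (Prowler check15-check111).

Added example for this page, not Prowler's code. `response` has the shape that
`aws iam get-account-password-policy` (or boto3's get_account_password_policy) returns;
both policies below are constructed. WEAK_POLICY reproduces the FAIL/PASS pattern of the run above.
"""

# (check id, requirement, predicate over the PasswordPolicy dict)
PASSWORD_POLICY_CHECKS = [
    ("1.5", "requires at least one uppercase letter", lambda p: p.get("RequireUppercaseCharacters", False)),
    ("1.6", "requires at least one lowercase letter", lambda p: p.get("RequireLowercaseCharacters", False)),
    ("1.7", "requires at least one symbol", lambda p: p.get("RequireSymbols", False)),
    ("1.8", "requires at least one number", lambda p: p.get("RequireNumbers", False)),
    ("1.9", "minimum length of 14 or greater", lambda p: p.get("MinimumPasswordLength", 0) >= 14),
    ("1.10", "prevents reuse of the last 24 passwords", lambda p: p.get("PasswordReusePrevention", 0) >= 24),
    # MaxPasswordAge is absent from the API response when expiration is not set, so default to 0 (fails).
    ("1.11", "expires passwords within 90 days", lambda p: 0 < p.get("MaxPasswordAge", 0) <= 90),
]

WEAK_POLICY = {  # constructed: symbols, length, reuse and expiration all fall short
    "PasswordPolicy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": False,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": False,
        "PasswordReusePrevention": 5,
    }
}

STRONG_POLICY = {  # constructed: the settings needed to pass 1.5-1.11
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
        "HardExpiry": False,
    }
}


def failed_checks(response):
    """Return the (check id, requirement) pairs the policy fails.

    An account with no policy at all (the API raises NoSuchEntity) is passed as None here
    and fails every check, since every requirement is then unset.
    """
    policy = (response or {}).get("PasswordPolicy", {})
    return [(cid, req) for cid, req, ok in PASSWORD_POLICY_CHECKS if not ok(policy)]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(name, failed_checks(policy) or "passes 1.5-1.11")
```

The remediation for the four failures in the run is one call, `aws iam update-account-password-policy --minimum-password-length 14 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --allow-users-to-change-password --max-password-age 90 --password-reuse-prevention 24`, after which `failed_checks()` on a fresh `get-account-password-policy` response returns an empty list. The `.get()` defaults matter: a policy that has never set expiration or reuse prevention simply omits those keys, and treating a missing key as "not configured" is what makes 1.10 and 1.11 fail rather than raise.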
Misc

  • qnd/aws_security.txt
  • Last modified: 2021/10/12 18:44
  • by mgupton