Cloud Security Assessment Tool using Prowler on Azure/AWS/GCP

Cloud security assessment tool using Prowler. Open source cloud security tool for Azure, AWS, Microsoft 365 and Google GCP. A Cloud Security Posture Management (CSPM) tool powered by Prowler that performs automated security assessments, audits, incident response and compliance checks across Microsoft Azure, Microsoft 365, AWS, Google GCP and Kubernetes. It helps organizations identify misconfigurations, enforce security best practices, and maintain compliance with industry standards such as CIS Benchmarks (2.0, 2.1, 3.0, 4.0), NIST 800, NIST CSF, CISA, ISO27001, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, MITRE ATT&CK and ENS, and more.

Deploy on Azure

Deploy on AWS

Deploy on GCP

Getting Started with Cloud Security Tool Prowler

Once your Prowler server has been deployed, the following links explain how to connect to a Linux VM:


Once connected and logged in, you’re now ready to start using your new cloud security assessment tool.

Azure Security Assessment using Prowler

In order for Prowler to assess your Azure tenant you first need to create an Azure service principal account with the required permissions.  This Service Principal is going to be used to authenticate against Azure and retrieve the metadata needed to perform the checks.

Step 1) Azure Application Registration

  1. Access Microsoft Entra ID
  2. In the left menu bar, go to “App registrations”
  3. Once there, in the menu bar click on “+ New registration” to register a new application
  4. Fill in the “Name”, select the “Supported account types (Single Tenant)” and click on “Register”. You will be redirected to the application page.
  5. Once in the application page, in the left menu bar, select “Certificates & secrets”
  6. In the “Certificates & secrets” view, click on “+ New client secret”
  7. Fill in a “Description” of your choice and your desired “Expires” field and click on “Add”
  8. Copy the value of the secret; it is going to be used as the AZURE_CLIENT_SECRET environment variable later.

1.1) Assigning Application Permissions

To allow Prowler to retrieve metadata about the identity it assumes and to run the Entra-specific checks, the service principal needs the following Microsoft Graph application permissions:


  • Directory.Read.All
  • Policy.Read.All
  • UserAuthenticationMethod.Read.All (used only for the Entra checks related to multifactor authentication)


  1. Access Microsoft Entra ID
  2. In the left menu bar, go to “App registrations”
  3. Once there, select the application that you have created
  4. In the left menu bar, select “API permissions”
  5. Then click on “+ Add a permission” and select “Microsoft Graph”
  6. Once in the “Microsoft Graph” view, select “Application permissions”
  7. Finally, search for “Directory”, “Policy” and “UserAuthenticationMethod” and select the following permissions:
      • Directory.Read.All
      • Policy.Read.All
      • UserAuthenticationMethod.Read.All
  8. Click on “Add permissions” to apply the new permissions.
  9. Finally, an admin should click on “Grant admin consent for [your tenant]” to apply the permissions.

1.2 Azure Subscriptions Scope

Next, grant the service principal read access to the Azure subscription(s) you want to scan.


  1. Access to the subscription you want to scan with Prowler.
  2. Select “Access control (IAM)” in the left menu.
  3. Click on “+ Add” and select “Add role assignment“.
  4. In the search bar, type Reader, select it and click on “Next“.
  5. In the Members tab, click on “+ Select members” and add the service principal you created in the previous steps.
  6. Click on “Review + assign” to apply the new role.

Ref: https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/azure/subscriptions/

Step 2) Set Azure Authentication for Prowler

Once you’ve configured your Azure application, you need to give these credentials to Prowler so it can scan your Azure tenant. Log in to the Prowler VM using your SSH client. Once logged into the terminal, run the following commands, replacing the Xs with your newly created Azure application credentials:

    export AZURE_CLIENT_ID="XXXXXXXXX"
    export AZURE_TENANT_ID="XXXXXXXXX"
    export AZURE_CLIENT_SECRET="XXXXXXX"

Step 3) Perform Azure Security Scan

Prowler uses a powerful CLI that is used to execute all the checks based on your compliance framework requirements.


For a list of available compliance frameworks that Prowler will check against refer to:

https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/


To run a scan for all frameworks against your Azure tenant, run the following command:

    prowler azure --sp-env-auth

It will then run through all the security and compliance checks; you will receive a report in your terminal, and it will also generate CSV, JSON and HTML outputs.

Within the CLI output it will show the path where the CSV, JSON and HTML reports were exported to.

The individual compliance CSV exports are located in /home/useraccount/output/compliance

The full report (CSV, JSON and HTML) exports are located in /home/useraccount/output
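As an added example (it is not part of this page or of Prowler's own code), the script below ties Step 2 and Step 3 together and then triages the CSV report that lands under /home/useraccount/output: it refuses to launch `prowler azure --sp-env-auth` unless all three AZURE_* variables are set and non-blank, and it counts PASS/FAIL results per severity so the highest-risk failures are listed first. The CSV column names (STATUS, SEVERITY, CHECK_ID, CHECK_TITLE, SERVICE_NAME), the ';' delimiter, the check IDs and the sample rows are assumptions and constructed data, not taken from a real Prowler run; adjust the column names if your Prowler version lays the file out differently.

```python
"""Added example: pre-flight check for Step 2, launch of Step 3, and triage of
the CSV report. Not part of this page or of Prowler itself; the CSV column
names, the ';' delimiter and the sample rows are assumptions / constructed."""
import csv
import io
import subprocess
import sys
from collections import Counter
from typing import Dict, Iterable, List, Mapping, Tuple

REQUIRED_ENV = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_SECRET")
PROWLER_CMD = ["prowler", "azure", "--sp-env-auth"]  # exactly the Step 3 command
SEVERITY_ORDER = ("critical", "high", "medium", "low", "informational")

# Constructed sample in the assumed Prowler CSV layout (';'-separated).
# Check IDs, titles and resource names are made up for illustration.
SAMPLE_CSV = """PROVIDER;CHECK_ID;CHECK_TITLE;STATUS;SEVERITY;SERVICE_NAME;RESOURCE_UID
azure;sample_storage_secure_transfer;Storage account requires secure transfer;FAIL;medium;storage;/subscriptions/sub-example/sa-one
azure;sample_storage_secure_transfer;Storage account requires secure transfer;PASS;medium;storage;/subscriptions/sub-example/sa-two
azure;sample_entra_admin_mfa;Privileged Entra users have MFA enabled;FAIL;high;entra;user-one@example.invalid
azure;sample_defender_servers;Defender for Servers is enabled;FAIL;high;defender;/subscriptions/sub-example
"""


def missing_env(env: Mapping[str, str]) -> List[str]:
    """Names of required credential variables that are unset or blank."""
    return [name for name in REQUIRED_ENV if not env.get(name, "").strip()]


def run_scan(env: Mapping[str, str]) -> int:
    """Launch the Step 3 scan, refusing to start with incomplete credentials."""
    gaps = missing_env(env)
    if gaps:
        raise RuntimeError("set these before scanning: " + ", ".join(gaps))
    # The environment is passed explicitly and no shell is involved, so the
    # secret is never interpolated into a command line.
    return subprocess.run(PROWLER_CMD, env=dict(env), check=False).returncode


def parse_findings(csv_text: str, delimiter: str = ";") -> List[Dict[str, str]]:
    """Parse a Prowler CSV export into one dict per finding."""
    return list(csv.DictReader(io.StringIO(csv_text), delimiter=delimiter))


def _severity_rank(sev: str) -> int:
    """Position in SEVERITY_ORDER; unknown severities sort last."""
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def summarize(findings: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Count PASS/FAIL, break failures down by severity, and list the failed
    checks with the most severe first."""
    status: Counter = Counter()
    failed_by_severity: Counter = Counter()
    failed: List[Tuple[str, str, str, str]] = []
    for row in findings:
        st = row.get("STATUS", "").strip().upper()
        status[st] += 1
        if st == "FAIL":
            sev = row.get("SEVERITY", "").strip().lower() or "unknown"
            failed_by_severity[sev] += 1
            failed.append((sev, row.get("CHECK_ID", ""),
                           row.get("SERVICE_NAME", ""), row.get("CHECK_TITLE", "")))
    failed.sort(key=lambda f: (_severity_rank(f[0]), f[1]))
    total = sum(status.values())
    pass_rate = round(100.0 * status["PASS"] / total, 1) if total else 0.0
    return {
        "total": total,
        "pass": status["PASS"],
        "fail": status["FAIL"],
        "pass_rate": pass_rate,
        "failed_by_severity": dict(failed_by_severity),
        "failed_checks": failed,
    }


def main(argv: List[str]) -> int:
    """Summarise the CSV given on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], newline="", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    report = summarize(parse_findings(text))
    print(f"{report['pass']}/{report['total']} checks passed ({report['pass_rate']}%)")
    for sev, check_id, service, title in report["failed_checks"]:
        print(f"FAIL [{sev:>8}] {service}: {check_id} - {title}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save it under any name (say triage.py, a name chosen here) and run `python3 triage.py /home/useraccount/output/<report>.csv` after a scan; with no argument it summarises the constructed sample. One caveat on Step 2: values exported at an interactive prompt are also written to the shell's history file, so keeping them in a file readable only by your user and sourcing it is the usual alternative.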

To download these reports, refer to the ‘Using Webmin to Download Reports’ section below on how to download them via the Webmin web portal.


To view them in the dashboard that is available, scroll down to ‘Prowler Dashboard‘ and ‘Prowler App‘.

Prowler Dashboard

To view your compliance reports on the Prowler dashboard, run the following command on your terminal:


Note: Make sure you’re in your home directory (where the output folder lives). Type ‘cd’ with no arguments to return there first.

    HOST=0.0.0.0 prowler dashboard

This will set up a local web server for you to view your compliance reports in a local dashboard, and you should receive this output if successful:

To access the dashboard, simply open a web browser and enter your server's IP address followed by the port shown in the terminal output, as in the screenshot above. So on my test server I would enter:

    http://172.184.136.192:11666/

Note: If you are using network security groups or firewalls, make sure this port is open in case you’re unable to access the dashboard.

And you should see the following dashboard:

If you click on Compliance in the left menu you will be able to see all the individual Azure compliance checks such as:


  • CIS 2.0 Azure Level 1
  • CIS 2.0 Azure Level 2
  • CIS 2.1 Azure Level 1
  • CIS 2.1 Azure Level 2
  • CIS 3.0 Azure Level 1
  • CIS 3.0 Azure Level 2
  • ENS RD2022 Azure
  • ISO27001 2022 Azure
  • MITRE_Attack Azure
  • PCI 4.0 Azure
  • More checks are being added in the future.

Prowler App

Prowler comes with 2 dashboards to choose from.  You can also use Prowler App that allows you to:


  • Schedule scans
  • Invite team members
  • View misconfigurations
  • View IAM Issues
  • View High Risk findings
  • Trigger a scan from the dashboard instead of the CLI


To use the Prowler App instead of the Prowler Dashboard, you need to first edit the local .env file with your server details.


Make sure you’re in your home directory first: type ‘cd’ with no arguments.


Prowler App uses Docker Compose. This server image is already configured with Docker and Docker Compose, so all you need to do is run the following commands to get the Prowler App running:

    curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
    curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env

Now we need to edit the .env file, run:

    sudo nano .env

Within the file, replace http://localhost:3000 with your server's IP address, as in the following screenshot, making sure to keep the :3000 port number. Save and exit the file.

Now run the following command to build and start the Docker container.

    sudo docker compose up -d

When the Docker containers have started, you can log in to the new Prowler App dashboard using the following URL: http://ipaddress:3000.


You’ll first see a login page, simply create a new account and login using these new credentials.


Once logged in, you’re now ready to start using Prowler app. You’ll first need to onboard your cloud provider.


Click on Add Provider and follow the instructions for adding your cloud providers.


Full documentation on adding cloud providers on:

https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/prowler-app/


Once you’ve added your cloud providers and run your first scan, you’ll see the dashboard populated with the findings:

Using Webmin to Download Reports

If you’re only using the CLI and want a way to download the CSV, JSON and HTML reports, you can use Webmin. Access it via the following URL: http://IPAddress:10000


Log in using your server's root username and password.


Once logged in, browse using the left menu > Tools / File Manager / Home / User Name / Output


Right click on your files and select Download.

Firewall Ports

This cloud security assessment tool using Prowler uses the following firewall ports:


  • TCP 11666
  • TCP 3000
  • TCP 10000


The links below explain how to modify / create firewall rules depending on which cloud platform you are using.


To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls

Support & Documentation

If you’re having issues deploying this solution in your cloud environment please contact us.


For support issues related to Prowler, use the Git repo: https://github.com/prowler-cloud/prowler/issues


For documentation and tutorials, refer to: https://docs.prowler.com/

Disclaimer: Prowler is licensed under the Apache License 2.0. This image is provided and maintained by Cloud Infrastructure Services. This solution is not affiliated with or endorsed by Prowler. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user. The author is not responsible for any damage that its use could cause.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
