Prowler: AWS, Azure and GCP Security Auditing in 2026

Prowler is one of the most comprehensive open-source cloud security tools available. Originally built purely for AWS, it has expanded to cover Azure and Google Cloud Platform too, making it a genuinely multi-cloud security auditing framework. It checks your cloud environment against hundreds of controls drawn from CIS Benchmarks, NIST, PCI-DSS, HIPAA, SOC2, ISO27001, and more. If you’re doing any kind of cloud security assessment or trying to harden your own infrastructure, Prowler should be one of the first tools you reach for.

What Prowler Does

Prowler works by calling cloud provider APIs — it doesn’t need agent installation or access to your instances directly. It checks your configuration against a library of security controls and reports on anything that’s misconfigured, overly permissive, or missing entirely. This includes things like:

  • S3 buckets with public access enabled
  • IAM users with no MFA, excessive permissions, or old access keys
  • Security groups with unrestricted inbound access (0.0.0.0/0)
  • CloudTrail, GuardDuty, or Config not enabled
  • Unencrypted EBS volumes, RDS instances, and S3 buckets
  • Root account usage and missing account-level controls
  • Exposed secrets in Lambda environment variables
  • EC2 instances with public IPs in private subnets

The checks are tagged by compliance framework, so you can filter down to just the controls relevant to a specific audit. Prowler ships with over 500 checks across AWS alone.

Installation

Prowler is a Python tool and installs cleanly via pip. Python 3.9 or later is required.

pip install prowler

Alternatively, run it via Docker without installing anything locally (you still have to pass your cloud credentials into the container, for example as environment variables or a mounted credentials file, since the image has none of its own):

docker run -it --rm toniblyx/prowler:latest aws

Or clone the repo directly:

git clone https://github.com/prowler-cloud/prowler
cd prowler
pip install -r requirements.txt

Authentication

For AWS, Prowler uses your existing AWS credentials — the same ones the AWS CLI uses. The simplest approach is to configure a profile via the AWS CLI beforehand:

aws configure --profile my-audit-profile

Then pass that profile to Prowler:

prowler aws --profile my-audit-profile

For a read-only audit, Prowler recommends attaching the SecurityAudit and ViewOnlyAccess managed IAM policies to the account or role you’re using. This gives it enough permission to check everything without any risk of it modifying your environment.

For Azure, authenticate with the Azure CLI first:

az login
prowler azure --az-cli-auth

For GCP, use application default credentials:

gcloud auth application-default login
prowler gcp

Running a Basic AWS Scan

The simplest full scan of your AWS environment:

prowler aws

This runs all available checks against every supported service in every region. It’s comprehensive but can take a while on large accounts. To restrict to a specific region:

prowler aws --region eu-west-1

To restrict to a specific service (e.g. just IAM):

prowler aws --service iam

To run a single specific check by its ID:

prowler aws --check s3_bucket_public_access

Compliance Frameworks

One of Prowler’s most powerful features is the ability to run checks mapped to a specific compliance framework. This is useful when you need to produce evidence for an audit or quickly understand your posture against a particular standard. To run all checks mapped to the CIS AWS Foundations Benchmark:

prowler aws --compliance cis_1.5_aws

Other supported frameworks include pci_3.2.1_aws, hipaa_aws, soc2_aws, iso27001_2013_aws, and nist_800_53_revision_5_aws, among others. Run prowler aws --list-compliance to see the full list available for your provider.

Output and Reporting

By default Prowler prints findings to the terminal. For structured output, use the --output-formats flag. Supported formats include JSON, CSV, and HTML:

prowler aws --output-formats html json csv --output-directory ./prowler-results

The HTML report is particularly good — it gives a summary dashboard with pass/fail counts, filterable by severity and service, and is easy to hand over to a stakeholder who doesn’t want to read raw JSON.

Prowler also integrates with AWS Security Hub, allowing you to push findings directly into your Security Hub console for centralised management:

prowler aws --security-hub
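As an added example (not Prowler's own code), a small triage script that reads the JSON report, counts failed checks by severity and service, and exits non-zero when anything at or above a chosen severity failed, which is the shape you want in a CI job. The field names it reads (Status, Severity, CheckID, ServiceName, Region, ResourceId, AccountId) and the sample findings embedded in it are assumptions modelled on Prowler's native JSON format; adjust the keys if your version writes different ones.

```python
"""Triage Prowler JSON output: count failed checks by severity and service and
return a non-zero status when anything at or above a chosen severity failed.

Added example, not part of Prowler. Field names are assumed to match Prowler's
native JSON format; adjust them if your version writes different keys.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed sample findings in the shape of a Prowler JSON report (illustrative only)
SAMPLE_FINDINGS = json.dumps([
    {"CheckID": "s3_bucket_public_access", "Status": "FAIL", "Severity": "critical",
     "ServiceName": "s3", "Region": "eu-west-1", "ResourceId": "public-logs-bucket",
     "AccountId": "123456789012"},
    {"CheckID": "iam_user_mfa_enabled_console_access", "Status": "FAIL", "Severity": "high",
     "ServiceName": "iam", "Region": "us-east-1", "ResourceId": "alice",
     "AccountId": "123456789012"},
    {"CheckID": "cloudtrail_multi_region_enabled", "Status": "PASS", "Severity": "high",
     "ServiceName": "cloudtrail", "Region": "us-east-1", "ResourceId": "management-trail",
     "AccountId": "123456789012"},
    {"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_any_port", "Status": "FAIL",
     "Severity": "high", "ServiceName": "ec2", "Region": "eu-west-1", "ResourceId": "sg-0abc",
     "AccountId": "123456789012"},
    {"CheckID": "ec2_ebs_volume_encryption", "Status": "FAIL", "Severity": "medium",
     "ServiceName": "ec2", "Region": "eu-west-1", "ResourceId": "vol-0def",
     "AccountId": "123456789012"},
])


def load_findings(text):
    """Parse a Prowler JSON report (a JSON array of finding objects)."""
    findings = json.loads(text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def failed(findings):
    """Only the findings whose check did not pass."""
    return [f for f in findings if f.get("Status") == "FAIL"]


def summarize(findings):
    """Return (by_severity, by_service) counters over the FAIL findings."""
    fails = failed(findings)
    by_severity = Counter(f.get("Severity", "unknown").lower() for f in fails)
    by_service = Counter(f.get("ServiceName", "unknown") for f in fails)
    return by_severity, by_service


def gate(findings, threshold="high"):
    """Return 1 if any FAIL finding is at or above `threshold`, else 0.

    Usable as a CI exit status: fail the pipeline on high/critical findings
    while letting lower-severity ones through for later review.
    """
    min_rank = SEVERITY_ORDER.index(threshold)
    for f in failed(findings):
        sev = f.get("Severity", "").lower()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= min_rank:
            return 1
    return 0


def report(findings):
    """Human-readable summary: totals, failures per severity, per service, then each FAIL."""
    by_severity, by_service = summarize(findings)
    lines = [f"{len(failed(findings))} of {len(findings)} findings FAILED"]
    for sev in reversed(SEVERITY_ORDER):  # most severe first
        if by_severity[sev]:
            lines.append(f"  {sev:<13} {by_severity[sev]}")
    for svc, n in by_service.most_common():
        lines.append(f"  service {svc:<12} {n}")
    for f in failed(findings):
        lines.append(f"  FAIL {f.get('Severity', '?'):<8} {f.get('CheckID', '?')} "
                     f"[{f.get('Region', '?')}] {f.get('ResourceId', '?')}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py prowler-results/<report>.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FINDINGS
    findings = load_findings(text)
    print(report(findings))
    sys.exit(gate(findings, threshold="high"))
```

Point it at the JSON file Prowler wrote into --output-directory; the threshold is deliberately a parameter so a pipeline can block on critical findings only while a nightly job reports everything.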

Scanning Multiple Accounts

In an AWS Organisation, you’ll often want to scan all member accounts rather than just one. Prowler supports cross-account role assumption for this. If you have a role named ProwlerAuditRole in each member account, and each role’s trust policy allows the principal you run Prowler as to assume it, you can scan them by specifying the role to assume:

prowler aws --role arn:aws:iam::123456789012:role/ProwlerAuditRole

This makes Prowler genuinely useful at enterprise scale, not just for single-account assessments.
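The loop a practitioner ends up writing for this, as an added example rather than Prowler’s own code: it builds one prowler invocation per member account using the role ARN pattern above and keeps each account’s report in its own directory. The account IDs are constructed, and it assumes ProwlerAuditRole trusts the principal running the script and that prowler is on PATH.

```python
"""Scan every member account of an AWS Organisation with Prowler by assuming
the same audit role in each, keeping one output directory per account.

Added example, not Prowler's own code. It assumes a role named
ProwlerAuditRole exists in every member account, that its trust policy allows
the principal running this script to assume it, and that `prowler` is on PATH.
"""
import subprocess
from pathlib import Path

ROLE_NAME = "ProwlerAuditRole"
OUTPUT_ROOT = Path("./prowler-results")

# Constructed sample account IDs; in practice list them from AWS Organizations
MEMBER_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]


def role_arn(account_id, role_name=ROLE_NAME):
    """Build the ARN Prowler's --role flag expects, rejecting malformed IDs."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def prowler_argv(account_id, output_root=OUTPUT_ROOT, compliance=None, regions=None):
    """Argument vector for one account's scan (list form, so no shell quoting)."""
    argv = [
        "prowler", "aws",
        "--role", role_arn(account_id),
        "--output-formats", "json", "html",
        "--output-directory", str(output_root / account_id),
    ]
    if compliance:
        argv += ["--compliance", compliance]
    if regions:
        argv += ["--region", *regions]
    return argv


def scan_all(accounts, dry_run=False, **scan_opts):
    """Run Prowler once per account; return {account_id: exit status}.

    Prowler exits with status 3 when any check FAILED, so a 3 here means
    "scan completed with findings", not that the run crashed. With dry_run
    the commands are only printed and the status is None.
    """
    output_root = scan_opts.get("output_root", OUTPUT_ROOT)
    results = {}
    for acct in accounts:
        argv = prowler_argv(acct, **scan_opts)
        if dry_run:
            print(" ".join(argv))
            results[acct] = None
            continue
        (output_root / acct).mkdir(parents=True, exist_ok=True)
        results[acct] = subprocess.run(argv, check=False).returncode
    return results


if __name__ == "__main__":
    # Set dry_run=False once the role and credentials are in place.
    status = scan_all(MEMBER_ACCOUNTS, dry_run=True, compliance="cis_1.5_aws")
    for acct, rc in status.items():
        print(f"{acct}: {'not run (dry run)' if rc is None else f'exit {rc}'}")
```

Passing the command as a list rather than a shell string keeps account IDs and ARNs out of any shell parsing, and the 12-digit check stops a typo in the account list from quietly producing an ARN for the wrong account.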

Prowler vs Manual Review

Prowler is excellent at finding low-hanging fruit quickly — misconfigured services, missing controls, and obvious policy violations that would take hours to check manually across hundreds of resources. What it won’t do is tell you whether your architecture makes business sense, identify logical access control flaws that require contextual understanding, or assess whether your incident response processes are effective. Use it as the starting point for a cloud security review, not the entirety of one.

For multi-cloud environments, pairing Prowler with ScoutSuite gives you good coverage — they overlap significantly but each surfaces things the other occasionally misses. Both are free, open-source, and read-only, making them low-risk to run against production environments.

You might also find the top penetration testing tools roundup useful for broader context on where cloud security tooling fits into a full security assessment.
