ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bfd148b41a06a91289d19d01bcab14bdca61c695
prowler/README.md
Alex McCormack bfd148b41a Update README.md for spelling and clarity
2016-09-13 16:30:21 -05:00

101 lines
3.1 KiB
Markdown
Raw Blame History

# Prowler: AWS CIS Benchmark Tool
## Description
Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the [CIS Amazon Web Services Foundations Benchmark](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
It covers hardening and security best practices for all regions related to:
- Identity and Access Management (15 checks)
- Logging (8 checks)
- Monitoring (16 checks)
- Networking (4 checks)
For a comprehesive list and resolution look at the guide on the link above.
## Requirements
This script has been written in bash using AWS-CLI and it works in Linux and OSX.
- Make sure your AWS-CLI is installed on your workstation, with Python pip already installed:
```
pip install awscli
```
Or install it using "brew", "apt", "yum" or manually from https://aws.amazon.com/cli/
- Previous steps, from your workstation:
```
git clone https://github.com/Alfresco/aws-cis-security-benchmark
cd aws-cis-security-benchmark
```
- Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
```
aws configure
```
- Make sure your Secret and Access Keys are associated to a user with proper permissions to do all checks. To make sure add SecurityAuditor default policy to your user. Policy ARN is
```
arn:aws:iam::aws:policy/SecurityAudit
```
## How to create a report
1 - Run the prowler.sh command without options (it will use your default credentials and run checks over all regions when needed):
```
./prowler
```
2 - For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
```
./prowler -p custom-profile -r us-east-1
```
3 - For a single check use option -c:
```
./prowler -c check310
```
or for custom profile and region
```
./prowler -p custom-profile -r us-east-1 -c check11
```
Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
4 - If you want to save your report for later analysis:
```
./prowler > prowler-report.txt
```
5 - For help use:
```
./prowler -h
USAGE:
prowler -p <profile> -r <region> [ -v ] [ -h ]
Options:
-p <profile> specify your AWS profile to use (i.e.: default)
-r <region> specify a desired AWS region to use (i.e.: us-east-1)
-c <checknum> specify a check number from the AWS CIS benchmark (i.e.: check11 for check 1.1)
-h this help
```
## How to fix all warnings:
Check your report and fix the issues following all specific guidelines per check in https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
## Screenshot
<img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
## Troubleshooting
If you are using an STS token for AWS-CLI and your session is expired you probably get this error:
```
A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
```
To fix it, please renew your token by authenticating again to the AWS API.
Reference in New Issue View Git Blame Copy Permalink