prowler/docs/tutorials/aws/role-assumption.md

AWS Assume Role

Prowler uses the AWS SDK (Boto3) underneath so it uses the same authentication methods.

However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on each use case:

1. You can just set up your custom profile inside ~/.aws/config with all needed information about the role to assume then call it with prowler aws -p/--profile your-custom-profile.

2. You can use -R/--role <role_arn> and Prowler will get those temporary credentials using aws sts assume-role, set them up as environment variables and run against that given account.

prowler aws -R arn:aws:iam::<account_id>:role/<role_name>

• Optionally, the session duration (in seconds, by deafult 3600) and the external ID of this role assumption can be defined:

prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R arn:aws:iam::<account_id>:role/<role_name>

To create a role to assume in multiple accounts easier either as CFN Stack or StackSet, look at this CloudFormation template and adapt it.

NOTE 1 about Session Duration: Depending on the mount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option -T <seconds> to allow up to 12h (43200 seconds). To allow more than 1h you need to modify "Maximum CLI/API session duration" for that particular role, read more here.

NOTE 2 about Session Duration: Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table here.