Prowler

A big part of the open cloud security movement is Transparency, so with that, lets tackle Prowler’s ability to use existing “Breadcrumbs” left by our cloud deployments to find it’s […]

TL;DR: Prowler 5 is now available. Sign up today to use Prowler to secure every cloud, in the SaaS or the CLI.

ProwlerPro Joins AWS Marketplace to Enhance Cloud Security Offerings

ProwlerPro has joined the AWS Marketplace. This collaboration aims to provide businesses with improved options for securing their cloud environments. ProwlerPro offers comprehensive features, including vulnerability management, compliance monitoring, and configuration auditing, tailored specifically for AWS deployments.

By joining the AWS Marketplace, ProwlerPro aims to simplify the process of discovering, purchasing, and deploying ProwlerPro. Customers can now access ProwlerPro seamlessly through the AWS Marketplace’s trusted platform. This integration showcases the ongoing efforts of ProwlerPro’s engineering team and highlights the collaborative work between ProwlerPro and AWS.

Toni de la Fuente, the lead engineer behind ProwlerPro, expressed enthusiasm for the collaboration, stating, “Prowler is already the top tool for securing the AWS cloud, we are thrilled to share ProwlerPro to help businesses secure their cloud environments effectively.”

ProwlerPro offers an array of features designed to enhance cloud security. Real-time vulnerability assessments, compliance monitoring based on industry standards, and comprehensive configuration auditing are just a few of the key capabilities. The tool’s user-friendly interface and robust reporting features enable businesses to identify and mitigate potential security risks efficiently.

We’re looking forward to a bright future where organizations of all sizes trust ProwlerPro to fortify their AWS cloud environments and navigate the evolving threat landscape effectively.

We’re hosting our first meetup in Madrid

Join us next week in Madrid!

🇪🇸 El día 22 de Junio en Madrid hacemos nuestro primer evento presencial para la comunidad de Seguridad en la Nube y DevSecOps. Aprenderás sobre Prowler Open Source y ProwlerPro, además nos acompañarán nuestros amigos de Jit.io con Aviram Shmueli para enseñarnos como implementar buenas prácticas en DevSecOps. Apúntate aquí! https://lnkd.in/dKsJWnW9

🇬🇧 This June 22nd in Madrid we celebrate our first in-person event for the Cloud Security and DevSecOps community. You will learn about Prowler Open Source and ProwlerPro, additionally we will have Jit.io with Aviram Shmueli that will teach us how to implement DevSecOps best practices.

Agenda:

10 AM: Bienvenida y Desayuno (café, infusiones, zumo, fruta y dulces).

10.30 AM: Prowler y ProwlerPro: Securiza tu infraestructura en la nube en minutos.

11 AM: Jit.io: Buenas prácticas de DevSecOps y cómo integrar Prowler en producción.

11.30 AM to 13.30: Workshops:

  • Uso avanzado y personalizaciĂłn de Prowler.
  • – CĂłmo comenzar a usar Jit.io y mejorar tu seguridad en CI/CD en minutos.

13.30: Comida: tapas variadas y networking

Register free for the meetup.

ProwlerPro Dashboards II

Join us on Slack

Hello again. This is Sergio, one of the engineers of ProwlerPro and Prowler Open Source. In the previous video, we saw all the features of the Home dashboard, such as the Global Security Status per Region, which shows you another status per AWS region, or the Security Posture Evolution panel, which contains an AWS service graph with a history of the past and failed findings over the scans.

This time we will cover the Simple Status per AWS Service dashboard, which shows you the security status of each AWS service that ProwlerPro scans. So let’s see how can we get to this dashboard in ProwlerPro.

Let’s log in to your ProwlerPro account in prowler.pro. In our case, we are going to log in to our demo account. Okay, so right now we are on the ProwlerPro overview page. To go to the dashboards, we have to click either on the dashboard button or in the results. As we show in the previous video, the very first dashboard that you’ll see is the home dashboard.

To access the rest of the dashboards, you will have to click in the List of Dashboards drop down menu. In this case, I’m selecting the Simplest Status by AWS Services dashboard. As we already mentioned, this dashboard shows the security status per AWS service that ProwlerPro scans. Green indicates that all checks were passed in that service and red indicates that one or more checks in that service failed.

You can also play with the filters in this dashboard. For example, the AWS account filter lets you choose the accounts that you’d like to see the findings of, which is going to be useful when we release the multi-account feature. The assessment date lets you choose the date for which you want to see the services’ status and the AWS region lets you choose all the available AWS regions where you’re going to see the status of the services.

This filter can have one, more, or all regions. As you can see, the filters are applied automatically and the dashboard changes. Remember that all the panels are clickable. You can click in any service and see the details of the failed findings for each of them. For example, let’s click on the EC2 service.

We can see the failed findings that caused the EC2 service panel to be in red. These are four default BBC security groups that allow all types of traffic in four different regions. And for regions that doesn’t have the EBS default encryption activated. You can also play with the filters in this panel, for example, by selecting the severity you want to see.

Moreover, this panel allows you to export the results into a CSV or Excel format, so you can share these failed findings to a member of your team. To do this, click on the table title and select inspect data on the drill down menu that will appear. Now the CSV can be downloaded by clicking on Download CSV. The option download for Excel can be activated for using this CSV in Excel.

And that is all in this video. If you have any questions, please join our Slack group and post it in the Ask-a-Question channel. You can find the link below or at prowler.pro. It was a pleasure having you in this video. See you soon.

Sergio Garcia

Engineer at ProwlerPro

I’m a Cloud Security Engineer with experience in AWS. Among my roles, I completed an internship at Amazon and supported a digital bank to secure its assets in the cloud. I’m passionate about cloud automation, even more if it helps to ease security management.

    ProwlerPro Dashboards I

    Join us on Slack

    Hello everyone. My name is Sergio, one of the engineers of ProwlerPro, the most comprehensive AWS security tool trusted by teams and organizations at any scale. ProwlerPro gives you a holistic view of the security status in your cloud infrastructure with detailed dashboard that you can drill down into. This is the first of a series of videos where we will show you the ProwlerPro dashboards as well as some other great features.

    When you get started with ProwlerPro, one of the first things you will see is the home dashboard, which we are covering this video. So let’s go through an example of accessing your results in your very first scan.

    Okay, so right now we are on the ProwlerPro overview page. To go to the dashboards, we have to click either in the dashboard folder or in the results. The first dashboard that you’ll see is the home dashboard, which is the one we cover in this video. In a single glance, this dashboard shows general indicators regarding the security posture of your cloud account.

    But first of all, let’s take a look at the filters. This contains dynamic variables, and there are three of them. The AWS account filter lets you choose the counts that you’d like to see the findings, which is going to be useful when we release the multi-account feature. The assessment date, lets you choose the date for which you want to see the result, and the AWS region lets you choose all the valuable AWS regions where you want to see the results.

    This filter can have one, more, or all regions. As you can see, the filters are ultimately applied and the dashboard changes. Now let’s repeat the panels. We can see some numerical indicators such as the cloud accounts. In this case, there is only one cloud account since the free tier only allows one AWS account per user. We can also see the total findings, the text executed, and the services that were outdated.

    The total findings are broken down based on its status, which can either fail, pass, or allowlisted. This allowlisted status appears because the allowlisted functionality will be available soon in Prowlerpro. This breakdown can also be seen in the overall status by result, by chart, or in the security post revolution time series panel which represents an historic security status.

    The time range of this graph can be changed in the top right corner. Let’s change it to seven days. Now you can see that this graph has changed to a seven days period. The failed findings are also broken down based on its severity, which can be either critical, high, medium, low, or informational. This information is also presented in the count of failed findings by severity pie chart.

    Remember that all the panels are clickable. For example, you can click on the critical failed findings and see details of those findings. For instance, there is a critical finding since a hardware MFA is not enabled for the root account, and you can see all the information here such as the result extended and the remediation.

    This panel allows you to export the results into a CSV or Excel format. To do this, click on the table title and select inspect data on the drill down menu that will appear. Now, the CSV can be downloaded by clicking on the download CSV button. Optionally, the option download for Excel can be activated for using this CSV in Excel.

    Okay, so let’s go back to the home dashboard. We can do this by either selecting it on the list of dashboards drill down menu, or clicking on the ProwlerPro logo. The global security status per region panel, shows a dot per AWS region, and gives you an overview of the findings when the mouse hovers over the regions. The color for its AWS region depends on how many failed findings there are.

    The color will be green if there are zero failed findings in the corresponding region. This regional occupation is also represented in the count of past and failed findings per region bar chart panel where we can see the total findings per region. The last three panels are bar charts too. First, we have the services with more failed resources, which represents the AWS services with the most failed findings, then the count of any result by service name, which shows the total findings for its AWS service.

    And finally, the affected resources by check ID bar chart, which displays the number of failed findings per Prowler check. And that was all. If you have any questions about this task board, please join our Slack group and post it in the Ask a Question channel. Find the link below or at prowler.pro. It was a pleasure having you in this video.

    See you soon.

    Sergio Garcia

    Engineer at ProwlerPro

    I’m a Cloud Security Engineer with experience in AWS. Among my roles, I completed an internship at Amazon and supported a digital bank to secure its assets in the cloud. I’m passionate about cloud automation, even more if it helps to ease security management.

      Preventing AWS Ransomware Attacks With Prowler Open Source

      It’s criminally easy to roll out a fear-mongering list of industries, victims, and financial penalties related to ransomware. Gas pipelines, healthcare systems, local governments, all have been hit. Nearly every headline is some form of: “And it’s only getting worse—are Ransomware attacks the new digital pandemic?”  It can seem inevitable, but when it comes to your AWS environment, there’s a few things you can do to protect yourself by reducing your attack surface, and then use Prowler to keep an eye on it all continuously. 

      AWS Ransomware Best Practices

      Ransomware attacks are only successful when you don’t have backups of your data so the attacker can hold your data hostage. Reducing your attack surface and putting consistent data backup/recovery processes in place will help you thwart malicious activity (and recover from application failures as well).

      Implement IAM Best Practices 

      These include setting least privilege policies, preventing IAM key leakage, applying policies only at the group level, and more. See our previous post on IAM checks in Prowler for all the details on this.

      Enable S3 Object Versioning 

      Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures. 

      Replicate S3 Buckets 

      AWS offers a built-in mechanism for replicating buckets to different S3 buckets for backup purposes, including mitigating malicious delete operations.

      Prevent Deletion with S3 Object Lock 

      Per AWS, Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. You can use S3 Object Lock to meet regulatory requirements that require WORM storage, or add an extra layer of protection against object changes and deletion.

      Use GuardDuty S3 Findings 

      GuardDuty monitors and generates findings for suspicious access to data stored in your S3 buckets.

      Prowler Ransomware Checks

      Running a Prowler check is quick and easy. The basic command is prowler, and if you run it without options it will use your environment variable credentials (if they exist) or will default to using the ~/.aws/credentials file and run checks over all regions when needed. To install prowler just make sure you have Python 3.9 or newer and PIP then pip install prowler.

      To run a single check, use option -c and the check ID:

      prowler aws -c cloudtrail_logs_s3_bucket_is_not_publicly_accessible

      For multiple checks, separate them with a comma: 

      prowler aws -c cloudtrail_logs_s3_bucket_is_not_publicly_accessible \
           ec2_ebs_public_snapshot \
           s3_bucket_public_access

      Check out the Prowler docs for the full usage details and tutorials. 

      Check for open common ports

      • SSH access via EC2 Security Group (Server-level control)
      • RDP access via EC2 Security Group (Server-level control)
      • SSH access via Network ACL (Subnet-level control)
      • Microsoft RDP via Network ACL
      • FTP ports 20 or 21
      • Kafka port 9092
      • Telnet port 23
      • Windows SQL Server ports 1433 or 1434
      • Network ACLs ingress from 0.0.0.0/0 to any port
      • Security groups ingress from 0.0.0.0/0 or ::/0 to any port
      • Oracle ports 1521 or 2483
      • MySQL port 3306
      • Postgres port 5432
      • Redis port 6379
      • MongoDB ports 27017 and 27018
      • Cassandra ports 7199 or 9160 or 8888
      • Memcached port 11211
      • Elasticsearch/Kibana ports

      Check now if you have any of those ports open to the internet with:

      prowler aws -c ec2_networkacl_allow_ingress_any_port \
ec2_networkacl_allow_ingress_tcp_port_22 \
ec2_networkacl_allow_ingress_tcp_port_3389 \
ec2_securitygroup_allow_ingress_from_internet_to_any_port \
ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434 \
ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23

      Internet-exposed Resources

      The list of things you don’t want exposed to the internet is pretty significant. Thankfully, Prowler has you covered with these checks for resources that could be set as public:

      • EBS Snapshots
      • EC2 AMIs
      • ECR repositories
      • RDS instances
      • Elastic Load Balancers 
      • EC2 Instances
      • EC2 instances with Instance Profiles attached
      • Redshift Clusters
      • Elasticsearch Service (ES) domains (or if it has open policy access)
      • RDS and Cluster Snapshots
      • SQS queues policy 
      • SNS topics policy 
      • API Gateway endpoint
      • Exposed KMS keys
      • S3 bucket for CloudTrail logs: Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.
      • Lambda functions’ resource-based policies

      Check now if you have internet exposed resources with:

      prowler aws -c ec2_ebs_public_snapshot \
           ec2_ami_public \
           ecr_repositories_not_publicly_accessible \
           rds_instance_no_public_access \
           elb_internet_facing \
           elbv2_internet_facing \
           ec2_instance_public_ip \
           ec2_instance_internet_facing_with_instance_profile \
           redshift_cluster_public_access \
           opensearch_service_domains_not_publicly_accessible \
           rds_snapshots_public_access \
           sqs_queues_not_publicly_accessible \
           sns_topics_not_publicly_accessible \
           apigateway_endpoint_public \
           kms_key_not_publicly_accessible \
           cloudtrail_logs_s3_bucket_is_not_publicly_accessible \
           awslambda_function_not_publicly_accessible

      There’s a few other useful checks in this set: 

      • Are CloudFront distributions set to HTTPS
      • S3 buckets that are open to Everyone or Any AWS user
      • S3 buckets which allow WRITE access
      • Ensure a log metric filter and alarm exist for S3 bucket policy changes: Monitoring unauthorized API calls will help reveal application errors and detect malicious activity.
      • Do S3 buckets have Object-level logging enabled in CloudTrail: You can’t use logs for threat analysis if they don’t exist! 
      • Do S3 buckets have default encryption (SSE) enabled: Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. This will ensure data-at-rest is encrypted.
      • Check if EFS File systems have backup enabled
      • Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled
      • Find VPC security groups with wide-open public IPv4 CIDR ranges 
      • Restrict Access to the EKS Control Plane Endpoint
      • Check if any of the Elastic or Public IP are in Shodan 
      • Check connection and authentication for both:
        • Internet exposed Elasticsearch/Kibana ports 
        • Internet exposed Amazon Elasticsearch Service (ES) domains 

      Check all these with:

      prowler aws -c cloudfront_distributions_https_enabled \
           s3_bucket_public_access \
           s3_bucket_policy_public_write_access \
           cloudwatch_log_metric_filter_for_s3_bucket_policy_changes \
           cloudtrail_s3_dataevents_write_enabled \
           s3_bucket_default_encryption \
           cloudfront_distributions_logging_enabled \
           eks_endpoints_not_publicly_accessible \
           ec2_securitygroup_allow_wide_open_public_ipv4 \
           eks_control_plane_endpoint_access_restricted \
           ec2_instance_public_ip

      If you have a Shodan.io API key, add this at the end:

      --shodan <shodan_api_key>

      RDS Checks

      • Publicly accessible RDS instances: Publicly accessible databases could expose sensitive data to bad actors—check if they exist, and if so, confirm there is a legitimate business reason.
      • Are RDS Snapshots or Cluster Snapshots public: If your RDS snapshot is public then the data which is backed up in that snapshot is accessible to all other AWS accounts.
      • Is storage encrypted: Use a CMK where possible, which will provide additional management and privacy benefits.
      • Is automated backup enabled: Be sure you have automated backup established for production data, with a clearly defined retention period. 
      • Are RDS instances integrated with CloudWatch logs: These logs help you monitor how your services are being used and assist with threat analysis when needed.
      • Is deletion protection enabled: If not, you can set it up in your AWS management console for any of your production instances.
      • Is minor version upgrade enabled: Auto Minor Version Upgrade does pretty much what it says: it automatically upgrades when a new minor database engine version is available. Such minor version upgrades often patch security vulnerabilities and fix bugs.
      • Is enhanced monitoring enabled: First you need to create an IAM role and then you can enable Enhanced Monitoring, which uses a smaller monitoring interval for more frequent reporting of OS metrics.
      • Is multi-AZ enabled: With a single-AZ deployment configuration, Amazon RDS can’t automatically fail over to a standby availability zone.

      Check  RDS now with:

      prowler aws --service rds

      Stay tuned for the next post in this series!

      Sign up for Prowler Training

      This free course covers everything from the history of Prowler to advanced features.

      Toni de la Fuente

      Founder of Prowler Open Source & Lead of Prowler Pro

      I’m founder of Prowler Open Source, tool for AWS security best practices. I also worked for AWS as security engineer and security consultant. I’m passionate about FLOSS (Free Libre Open Source Software) in general and Information Security, Incident Response and Digital Forensics in particular. I like everything related to cloud computing and automation. I have done some things for security and the Open Source community like Prowler, phpRADmin, Nagios plugin for Alfresco, Alfresco BART (backup tool). I’ve also contributed in books and courses related to Linux, Monitoring and AWS Security for PacktPublishing.

        Continuous AWS IAM Security With Prowler

        Ensuring proper, consistent Identity and Access Management (IAM) in AWS is both a toil-heavy chore and a persistent risk. Often, engineers are expected to be responsible for this when they may or may not know what the specific access should look like for their application. In other cases, a lone (and typically overwhelmed) cloud security expert is saddled with an insurmountable amount of custom policy development, which can significantly slow down engineering and product release velocity. In the worst case scenario, overly permissive configurations can lead to an event like the Capital One hack in 2019.

        It doesn’t have to be this way. You can have development velocity and security working in lockstep with just a few easy Prowler IAM checks. (If you’re not familiar with Prowler, check out our first post in this series.) For each check we list below, you’ll also get remediation steps to help if your environment fails that check.

        The Prowler IAM checks fall into roughly 5 groupings that are based off the AWS IAM Security best practices:

        Root Account Protections

        AWS recommends that you treat your root user access key “like you would your credit card numbers or any other sensitive secrets.” You only want it to set up your admin account, and then you want to use roles and groups to delegate permissions. This set of checks helps you see if/when the root account has been accessed, ensure MFA is enabled, and control access keys for the root account, including:

        Key and Credential Rotation

        AWS recommends rotating access keys every 90 days, and disabling credentials that are unused for 90 days or greater. These checks confirm those timelines, plus an extra one for those that prefer a shorter window.

        Password Hygiene

        Policing passwords is no fun, and if you use SAML you don’t have to worry about this (but having these checks properly set up is still a good practice)! If you are using AWS IAM as a user and password database, these checks make it simple to see if something snuck through that shouldn’t have. This set checks for:

        Admin/Ops Details

        Keep your who, where, what details up to date in case something goes wrong. This set covers important details like:

        Users, Roles, and Groups

        By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. AWS recommends that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity may in turn reduce the opportunity for a user to inadvertently receive or retain excessive privileges. This set verifies that:

        Privilege Escalation

        We made a special category for this, because it’s something that can catch you off guard in really nasty ways. Essentially, users with some IAM permissions may be allowed to elevate their privileges up to administrator rights. It’s critical to know if you have any of those privileges lurking in your infrastructure that an attacker could potentially exploit, from things like creating a new version of an IAM policy, to making a new EC2 instance and gaining access to all the permissions that the associated instance profile/service role has, or creating a new user access key that could grant them full administrator access (and a bunch more bad things that stem from privilege escalation). 

        Logs and Alerts

        Root account logins, unauthorized API calls, and policy changes or auth failures could all be simple mistakes or signs of malicious activity. Either way, find out as soon as possible with this set of checks that makes sure log metric filters and alarms exist for:

        This is the tip of the Prowler iceberg, which has over 240 checks for comprehensive coverage of all your AWS use cases. Stay tuned for our next post in this series, which covers key Prowler checks for preventing ransomware attacks.

        Sign up for Prowler Training

        This free course covers everything from the history of Prowler to advanced features.

        Toni de la Fuente

        Founder of Prowler Open Source & Lead of Prowler Pro

        I’m founder of Prowler Open Source, tool for AWS security best practices. I also worked for AWS as security engineer and security consultant. I’m passionate about FLOSS (Free Libre Open Source Software) in general and Information Security, Incident Response and Digital Forensics in particular. I like everything related to cloud computing and automation. I have done some things for security and the Open Source community like Prowler, phpRADmin, Nagios plugin for Alfresco, Alfresco BART (backup tool). I’ve also contributed in books and courses related to Linux, Monitoring and AWS Security for PacktPublishing.