Prowler Cheat Sheet

AWS (and multi-cloud) security assessment tool with hundreds of checks mapped to CIS, PCI, and custom compliance frameworks.

Cloud & ContainersawsciscomplianceUpdated 2026-06-02

Overview

Prowler runs automated security checks against cloud accounts (primarily AWS). Outputs CSV/JSON/HTML for auditors and pentesters validating IAM, logging, encryption, and network exposure.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

pip install prowler

docker pull prowler/prowler:latest

prowler -v

Essential commands

AWS — all checks (can take long)

prowler aws

Quick CIS level 1

prowler aws --compliance cis_aws_framework_level_1

Single check

prowler aws --check s3_bucket_public_access

Common workflows

Standard AWS audit —

export AWS_PROFILE=audit-readonly

prowler aws -M json html csv -o ./prowler-out/

Filter failed only

prowler aws --status FAIL

By service / severity —

prowler aws --service s3

prowler aws --severity critical high

prowler aws --category secrets

Assume role (cross-account) —

prowler aws --role arn:aws:iam::123456789012:role/ProwlerScan --external-id prowler

Azure / GCP (Prowler 4+) —

prowler azure --az-cli-auth

prowler gcp --credentials-file sa-key.json

Fix info / muting —

prowler aws --list-checks | grep iam

prowler aws --check-list-file my-checks.txt

Flags reference

`-M FORMAT`	Output modes (json, html, csv)
`-o DIR`	Output directory
`--compliance FRAMEWORK`	Run mapped check set
`--status FAIL`	Filter results
`--region REGION`	Limit region
`--role ARN`	Assume role
`--profile NAME`	AWS profile

Tips

Requires broad SecurityAudit-style read permissions for full coverage.
Re-run after remediation — compare HTML reports between runs.
CloudTrail logs Describe* storms — schedule off-peak for prod.
Use ScoutSuite for interactive HTML exploration; Prowler for compliance mapping.