Prowler Cheat Sheet
AWS (and multi-cloud) security assessment tool with hundreds of checks mapped to CIS, PCI, and custom compliance frameworks.
Overview
Prowler runs automated security checks against cloud accounts (primarily AWS). Outputs CSV/JSON/HTML for auditors and pentesters validating IAM, logging, encryption, and network exposure.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```bash
pip install prowler
```
or
```bash
docker pull prowler/prowler:latest
```
Verify the install:
```bash
prowler -v
```
Essential commands
AWS — all checks (can take long)
```bash
prowler aws
```
Quick CIS level 1
```bash
prowler aws --compliance cis_aws_framework_level_1
```
Single check
```bash
prowler aws --check s3_bucket_public_access
```
Common workflows
Standard AWS audit —
```bash
export AWS_PROFILE=audit-readonly
prowler aws -M json html csv -o ./prowler-out/
```
Filter failed only
```bash
prowler aws --status FAIL
```
By service / severity —
```bash
prowler aws --service s3
prowler aws --severity critical high
prowler aws --category secrets
```
Assume role (cross-account) —
```bash
prowler aws --role arn:aws:iam::123456789012:role/ProwlerScan --external-id prowler
```
Azure / GCP (Prowler 4+) —
```bash
prowler azure --az-cli-auth
prowler gcp --credentials-file sa-key.json
```
Fix info / muting —
```bash
prowler aws --list-checks | grep iam
prowler aws --check-list-file my-checks.txt
```
Flags reference
| Flag | Purpose |
|---|---|
| -M FORMAT | Output modes (json, html, csv) |
| -o DIR | Output directory |
| --compliance FRAMEWORK | Run mapped check set |
| --status FAIL | Filter results |
| --region REGION | Limit region |
| --role ARN | Assume role |
| --profile NAME | AWS profile |
Tips
- Requires broad SecurityAudit-style read permissions for full coverage.
- Re-run after remediation — compare HTML reports between runs.
- CloudTrail logs Describe* storms — schedule off-peak for prod.
- Use ScoutSuite for interactive HTML exploration; Prowler for compliance mapping.
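The "filter failed only" workflow and the "compare reports between runs" tip are easier to apply to the JSON output than to the HTML report. The script below is an added example, not part of Prowler or this cheat sheet: it diffs two JSON runs keyed by (CheckID, ResourceId, Region) so you can see which findings were fixed, which are new, and which are still failing, plus a FAIL count by severity. The field names (CheckID, Status, Severity, ServiceName, ResourceId, Region) are an assumption about the per-finding record layout; the two reports are constructed sample data, and every check ID other than s3_bucket_public_access is a sample name.

```python
"""Diff two Prowler JSON reports (constructed samples) and summarise what changed."""
import json
from collections import Counter

# Constructed sample reports. Field names are assumed to match Prowler's
# per-finding JSON records; adjust them if your version lays records out differently.
# Check IDs other than s3_bucket_public_access are sample names, not taken from the tool.
BASELINE_JSON = json.dumps([
    {"CheckID": "s3_bucket_public_access", "Status": "FAIL", "Severity": "critical",
     "ServiceName": "s3", "ResourceId": "public-assets", "Region": "us-east-1"},
    {"CheckID": "s3_bucket_public_access", "Status": "PASS", "Severity": "critical",
     "ServiceName": "s3", "ResourceId": "private-logs", "Region": "us-east-1"},
    {"CheckID": "iam_root_mfa_enabled", "Status": "FAIL", "Severity": "high",
     "ServiceName": "iam", "ResourceId": "root", "Region": "us-east-1"},
    {"CheckID": "cloudtrail_multi_region_enabled", "Status": "FAIL", "Severity": "high",
     "ServiceName": "cloudtrail", "ResourceId": "123456789012", "Region": "us-east-1"},
])

# Re-run after remediation: the public bucket and CloudTrail were fixed,
# root MFA is still missing, and a new open security group appeared in eu-west-1.
RERUN_JSON = json.dumps([
    {"CheckID": "s3_bucket_public_access", "Status": "PASS", "Severity": "critical",
     "ServiceName": "s3", "ResourceId": "public-assets", "Region": "us-east-1"},
    {"CheckID": "s3_bucket_public_access", "Status": "PASS", "Severity": "critical",
     "ServiceName": "s3", "ResourceId": "private-logs", "Region": "us-east-1"},
    {"CheckID": "iam_root_mfa_enabled", "Status": "FAIL", "Severity": "high",
     "ServiceName": "iam", "ResourceId": "root", "Region": "us-east-1"},
    {"CheckID": "cloudtrail_multi_region_enabled", "Status": "PASS", "Severity": "high",
     "ServiceName": "cloudtrail", "ResourceId": "123456789012", "Region": "us-east-1"},
    {"CheckID": "ec2_securitygroup_open_to_internet", "Status": "FAIL", "Severity": "high",
     "ServiceName": "ec2", "ResourceId": "sg-0123abcd", "Region": "eu-west-1"},
])


def load_findings(report_text):
    """Parse a report (the JSON text of a Prowler run) into a list of finding dicts."""
    return json.loads(report_text)


def failed_keys(findings):
    """Identity of every FAIL result: (CheckID, ResourceId, Region)."""
    return {
        (f["CheckID"], f["ResourceId"], f["Region"])
        for f in findings
        if f["Status"] == "FAIL"
    }


def diff_runs(baseline_text, rerun_text):
    """Compare two runs and report fixed, new and still-failing findings."""
    base = failed_keys(load_findings(baseline_text))
    rerun = failed_keys(load_findings(rerun_text))
    return {
        "fixed": sorted(base - rerun),
        "new": sorted(rerun - base),
        "still_failing": sorted(base & rerun),
    }


def severity_breakdown(report_text):
    """Count FAIL results per severity, the numbers you would put in a status update."""
    return Counter(
        f["Severity"] for f in load_findings(report_text) if f["Status"] == "FAIL"
    )


def service_breakdown(report_text):
    """Count FAIL results per service, to see where remediation effort belongs."""
    return Counter(
        f["ServiceName"] for f in load_findings(report_text) if f["Status"] == "FAIL"
    )


if __name__ == "__main__":
    # With real runs: diff_runs(open("run1.json").read(), open("run2.json").read())
    result = diff_runs(BASELINE_JSON, RERUN_JSON)
    for bucket, keys in result.items():
        print(f"{bucket}: {len(keys)}")
        for check_id, resource, region in keys:
            print(f"  {check_id}  {resource}  {region}")
    print("baseline FAIL by severity:", dict(severity_breakdown(BASELINE_JSON)))
    print("re-run FAIL by severity:  ", dict(severity_breakdown(RERUN_JSON)))
    print("re-run FAIL by service:   ", dict(service_breakdown(RERUN_JSON)))
```

Keying on resource and region rather than on CheckID alone matters: a check that passes on one bucket and fails on another is two findings, and a fix in one region should not hide a regression in another.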