This page contains detailed information about ProwlerPro's security.
ProwlerPro IAM Role
ProwlerPro uses a read-only IAM Role to scan your AWS account for vulnerable configurations.
This role, named ProwlerProScanRole, is assumed by the ProwlerPro Scanner, which runs Prowler Open Source to produce security findings for your account.
An External ID is required when assuming the ProwlerProScanRole, in line with AWS guidance for preventing the confused deputy problem.
The ProwlerProScanRole has the following read-only permissions:
- Two IAM managed policies:
- And the following actions:
  - account:Get*
  - apigateway:GET
  - appstream:Describe*
  - appstream:List*
  - codeartifact:List*
  - codebuild:BatchGet*
  - ds:Get*
  - ds:Describe*
  - ds:List*
  - ec2:GetEbsEncryptionByDefault
  - ecr:Describe*
  - elasticfilesystem:DescribeBackupPolicy
  - glue:GetConnections
  - glue:GetSecurityConfiguration*
  - glue:SearchTables
  - lambda:GetFunction*
  - macie2:GetMacieSession
  - s3:GetAccountPublicAccessBlock
  - s3:GetPublicAccessBlock
  - shield:DescribeProtection
  - shield:GetSubscriptionState
  - securityhub:BatchImportFindings
  - securityhub:GetFindings
  - ssm:GetDocument
  - support:Describe*
  - tag:GetTagKeys
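As an added example (not ProwlerPro's own template or code), the following Python builds the kind of trust policy the ProwlerProScanRole needs, trusting the scanner account only when the agreed External ID is presented, and checks an existing trust policy for the two weaknesses a reviewer would look for before deploying the role: a wildcard principal or a missing sts:ExternalId condition. The scanner account ID is a placeholder, since this page does not state it.

```python
import json

# Placeholder: the ProwlerPro scanner account ID is not given on this page.
SCANNER_ACCOUNT_ID = "<PROWLERPRO_SCANNER_ACCOUNT_ID>"
ROLE_NAME = "ProwlerProScanRole"


def build_trust_policy(scanner_account_id: str, external_id: str) -> dict:
    """Trust policy that lets the scanner account assume the role only when
    it presents the agreed External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Report Allow statements for sts:AssumeRole that trust any principal
    or do not require an External ID. An empty list means no problems."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        if "*" in aws:
            findings.append(f"statement {i}: trusts any AWS principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    # Constructed External ID for illustration; use the one agreed with the scanner.
    policy = build_trust_policy(SCANNER_ACCOUNT_ID, "example-external-id")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```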
The required template to deploy the ProwlerProScanRole can be found here:
We use encryption everywhere possible. The data and communications used by ProwlerPro are encrypted at-rest and in-transit.
Data Retention Policy
ProwlerPro is GDPR compliant with regard to personal data and the “right to be forgotten”. When a User submits a Request to Erase to help.prowler.pro, their User information will be deleted from ProwlerPro’s online and backup systems within 10 calendar days of receiving the request.
As an AWS Partner, we have passed the AWS Foundation Technical Review (FTR), and we use the following tools and automation to make sure our code is secure and our dependencies are up to date:
- bandit for code security review.
- dockle for our container security.
- snyk in Docker Hub and
- quay/clair in Amazon ECR.
- pylint for formatting and best practices.
If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or the ProwlerPro service, please submit the information by contacting [email protected]
The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability.
We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.