
Security

This page contains detailed information about ProwlerPro's security.

ProwlerPro IAM Role

ProwlerPro uses a read-only IAM Role to scan your AWS account security status in search of vulnerable configurations. This role, named ProwlerProScanRole, will be assumed by ProwlerPro Scanner which runs Prowler Open Source to find security findings in your account.

An External ID is required when assuming the ProwlerProScanRole to comply with AWS confused deputy prevention.

Read-only Permissions

The ProwlerProScanRole has the following read-only permissions:

  • Two IAM managed policies:
      policy/SecurityAudit
      policy/job-function/ViewOnlyAccess
  • And the following actions:
      account:Get*
      appstream:Describe*
      codeartifact:List*
      codebuild:Batch*
      ds:Get*
      ds:Describe*
      ds:List*
      ec2:GetEbsEncryptionByDefault
      ecr:Describe*
      elasticfilesystem:DescribeBackupPolicy
      eks:List*
      glue:GetConnections
      glue:GetSecurityConfiguration
      glue:SearchTables
      lambda:GetFunction
      macie2:GetMacieSession
      s3:GetAccountPublicAccessBlock
      s3:GetEncryptionConfiguration
      s3:GetPublicAccessBlock
      shield:DescribeProtection
      shield:GetSubscriptionState
      securityhub:BatchImportFindings
      ssm:GetDocument
      support:Describe*
      tag:GetTagKeys
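As an added example (not ProwlerPro's template or code), the following Python check lets an account owner review a deployed ProwlerProScanRole: it confirms that every sts:AssumeRole grant in the trust policy is gated on an External ID, as the confused-deputy note above requires, and lists which granted actions fall outside AWS's read-only verb prefixes so they can be reviewed explicitly. The scanner account ID and External ID in the sample trust policy are placeholders.

```python
import json
import re

# Constructed sample trust policy for ProwlerProScanRole. The scanner account
# ID and the External ID are placeholders, not ProwlerPro's real values.
TRUST_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})

# Verb prefixes AWS uses for read-only API actions; anything else is reported.
READ_ONLY_VERBS = re.compile(r"^(Get|List|Describe|Search|BatchGet|View)")


def as_list(value):
    """IAM accepts a single string/object or a list in Statement and Action."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def external_id_required(trust_policy_json):
    """True only if every Allow statement granting sts:AssumeRole pins a
    non-empty sts:ExternalId with StringEquals (confused-deputy mitigation)."""
    policy = json.loads(trust_policy_json)
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return True


def non_read_only(actions):
    """Return the granted actions whose verb is not a read-only prefix, so a
    reviewer sees which grants may go beyond reading (a wildcard such as
    Batch* is reported because it can expand to write actions)."""
    return [a for a in actions if not READ_ONLY_VERBS.match(a.split(":", 1)[1])]
```

Run it against the live trust policy returned by `aws iam get-role` and the action list above; the flagged actions are the ones to check against your own change-control requirements.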

Templates

The required template to deploy the ProwlerProScanRole can be found here:

Encryption

We use encryption everywhere possible. The data and communications used by ProwlerPro are encrypted at rest and in transit.

Data Retention Policy

ProwlerPro is GDPR-compliant with regard to personal data and the “right to be forgotten”. When a User submits a Request to Erase to help.prowler.pro, their User information will be deleted from ProwlerPro’s online and backup systems within 10 calendar days of receiving the request.