Introduction

This page contains detailed information about Prowler security.

AWS Scanner IAM Role

Prowler SaaS uses a read-only IAM role to scan your AWS account for vulnerable configurations. This role, named ProwlerProScanRole, is assumed by the Prowler SaaS Scanner, which runs Prowler Open Source to produce security findings for your account.

An External ID is required when assuming the ProwlerProScanRole, in line with the AWS guidance for preventing the confused deputy problem in cross-account role access.
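The page does not show the trust policy itself. As an added example (not Prowler's own code), the block below builds a trust policy for the ProwlerProScanRole that pins sts:ExternalId, the same policy with that condition left out, and a check that a defender can run over any role's trust policy document before deploying it. The scanner account ID and the External ID are constructed placeholders; the real values come from Prowler SaaS.

```python
"""Added example, not Prowler's own code: a trust policy for the
ProwlerProScanRole that pins sts:ExternalId, the same policy without
that condition, and a check that tells the two apart before the role
is deployed. Account ID and External ID below are constructed placeholders."""
import json
from typing import Any, Dict, List, Optional

# Constructed placeholders; the real scanner account and External ID
# are issued by Prowler SaaS, not taken from this example.
SCANNER_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-0000"


def build_trust_policy(scanner_account_id: str, external_id: Optional[str]) -> Dict[str, Any]:
    """Trust policy that lets the scanner account assume the role.

    With an external_id the statement carries a StringEquals condition on
    sts:ExternalId, so a party that knows the role ARN but not the External
    ID cannot get the scanner to assume the role on its behalf (the confused
    deputy case). With None the condition is left out, which is the weak form."""
    statement: Dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def render_trust_policy(scanner_account_id: str, external_id: Optional[str]) -> str:
    """The JSON document you would hand to CreateRole / UpdateAssumeRolePolicy."""
    return json.dumps(build_trust_policy(scanner_account_id, external_id), indent=2)


def _as_list(value: Any) -> List[Any]:
    # IAM accepts a single string or a list for Statement, Action and condition values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements_missing_external_id(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every Allow statement granting sts:AssumeRole that lacks a
    non-empty StringEquals condition on sts:ExternalId. Condition operator
    and key names are compared case-insensitively, as IAM treats them.
    An empty result means every AssumeRole grant is bound to an External ID."""
    missing: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        pinned = False
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() != "stringequals":
                continue
            for key, values in keys.items():
                vals = _as_list(values)
                if key.lower() == "sts:externalid" and vals and all(vals):
                    pinned = True
        if not pinned:
            missing.append(stmt)
    return missing


def trust_policy_requires_external_id(policy_json: str) -> bool:
    """True when the trust policy document pins an External ID on every AssumeRole grant."""
    return not statements_missing_external_id(json.loads(policy_json))


if __name__ == "__main__":
    hardened = render_trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)
    weak = render_trust_policy(SCANNER_ACCOUNT_ID, None)
    print(hardened)
    print("hardened policy pins External ID:", trust_policy_requires_external_id(hardened))
    print("weak policy pins External ID:", trust_policy_requires_external_id(weak))
```

The check only inspects the trust policy; the External ID must also be supplied by the caller at AssumeRole time, and AWS rejects the assumption when the value does not match the condition. Running `statements_missing_external_id` over the trust policies of all cross-account roles in an account is a cheap way to catch roles that were created without the condition.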

Read-only Permissions

The ProwlerProScanRole has the following read-only permissions:

  • Two IAM managed policies:
    policy/SecurityAudit
    policy/job-function/ViewOnlyAccess

  • And the following actions:
    account:Get*
    apigateway:GET
    appstream:Describe*
    appstream:List*
    backup:List*
    cloudtrail:GetInsightSelectors
    codeartifact:List*
    codebuild:BatchGet*
    dlm:Get*
    drs:Describe*
    ds:Get*
    ds:Describe*
    ds:List*
    ec2:GetEbsEncryptionByDefault
    ecr:Describe*
    ecr:GetRegistryScanningConfiguration
    elasticfilesystem:DescribeBackupPolicy
    glue:GetConnections
    glue:GetSecurityConfiguration*
    glue:SearchTables
    lambda:GetFunction*
    logs:FilterLogEvents
    macie2:GetMacieSession
    s3:GetAccountPublicAccessBlock
    s3:GetPublicAccessBlock
    shield:DescribeProtection
    shield:GetSubscriptionState
    securityhub:BatchImportFindings
    securityhub:GetFindings
    ssm:GetDocument
    ssm-incidents:List*
    support:Describe*
    tag:GetTagKeys
    wellarchitected:List*

Templates

The required template to deploy the ProwlerProScanRole can be found here:

Encryption

We use encryption everywhere possible. The data and communications used by Prowler SaaS are encrypted at rest and in transit.

Data Retention Policy

Prowler SaaS is GDPR compliant with regard to personal data and the right to be forgotten. Upon cancellation of their account, users can be assured that their personal information will be permanently removed from both our online and backup systems within 10 calendar days of submitting the request.

Software Security

As an AWS Partner, we have passed the AWS Foundational Technical Review (FTR), and we use the following tools and automation to make sure our code is secure and our dependencies are up to date:

  • bandit for code security review.
  • safety and dependabot for dependencies.
  • hadolint and dockle for our containers security.
  • snyk in Docker Hub and quay/clair in Amazon ECR.
  • vulture, flake8, black and pylint for formatting and best practices.

Reporting Vulnerabilities

If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or the Prowler SaaS service, please submit the information by contacting support.prowler.com.

The information you share with Prowler SaaS as part of this process is kept confidential within Prowler SaaS. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.

We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.

You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability.

We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.