
ProwlerPro SaaS Scan Role

ProwlerPro SaaS runs Prowler Open Source to find security findings in your account. As Prowler adds more checks, the scan role may need additional IAM permissions to run them.

If you need to update the permission template, re-deploy the CloudFormation/Terraform template:

CloudFormation Update via AWS CLI

Execute the following AWS CLI command:

aws cloudformation update-stack \
  --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
  --stack-name "ProwlerProSaaSScanRole" \
  --template-url "https://s3.eu-west-1.amazonaws.com/prowler-pro-saas-pro-artifacts/templates/prowler-pro-scan-role.yaml" \
  --parameters "ParameterKey=ExternalId,UsePreviousValue=true"

CloudFormation Update via AWS Console

To update the ProwlerProScanRole using CloudFormation, follow these steps.

  1. Go to the CloudFormation service in the AWS region used to deploy the ProwlerProScanRole.

  2. Select the Stack Name, by default "ProwlerProSaaSScanRole", and click on "Update".

  3. Under "Prepare template", select "Replace current template" and "Upload a template file". Then, upload the new ProwlerProSaaSScanRole IAM Role template.

  4. On the next screen, "Specify stack details", leave everything as it is and click on "Next". The "ExternalID" value must stay as it is because it is required to scan your AWS account.

  5. Then, on the "Configure stack options" screen, again leave everything as it is and click on "Next".

  6. Finally, under "Review ProwlerProSaaSScanRole", click on "Update stack" at the bottom. Your ProwlerProSaaSScanRole will be updated to the new version.

Terraform Update

To update the ProwlerProScanRole using Terraform, follow these steps.

  1. Get the latest version of the Terraform files here

  2. Then, execute the following Terraform commands:

terraform init
terraform plan
terraform apply

During the terraform plan and terraform apply steps, you will be asked for your AWS External ID, which you can find here.

Note that Terraform will use the AWS credentials of your default profile.
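
After either update path, it is worth confirming that the role's trust policy still requires the External ID before anything can assume it. The check below is an added example, not part of the Prowler documentation or templates: it inspects a trust policy document of the kind returned by `aws iam get-role --query Role.AssumeRolePolicyDocument`, and the sample policies, account ID and External ID in it are constructed placeholders.

```python
import json

def _as_list(value):
    # IAM accepts either a single value or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def _allows_assume_role(stmt):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return stmt.get("Effect") == "Allow" and any(
        a in ("sts:assumerole", "sts:*", "*") for a in actions)

def _external_ids(stmt):
    # Condition key names are case-insensitive; only a non-empty exact match counts.
    pinned = stmt.get("Condition", {}).get("StringEquals", {})
    return [v for k, vals in pinned.items() if k.lower() == "sts:externalid"
            for v in _as_list(vals) if v]

def unguarded_statements(trust_policy):
    """Labels of Allow statements that let an AWS principal assume the role
    without an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        is_aws = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
        if is_aws and _allows_assume_role(stmt) and not _external_ids(stmt):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

# Constructed sample documents (account ID and External ID are placeholders).
GUARDED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")
UNGUARDED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "ScanAccess", "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}""")

if __name__ == "__main__":
    for name, doc in (("guarded", GUARDED), ("unguarded", UNGUARDED)):
        print(name, unguarded_statements(doc) or "ok")
```

An empty result means every cross-account `sts:AssumeRole` grant in the document is gated on an External ID; any label returned points at a statement to review before the next scan.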