Skip to main content
Prowler requires AWS credentials to function properly. Authentication is available through the following methods:
  • Static Credentials
  • Assumed Role

Required Permissions

To ensure full functionality, attach the following AWS managed policies to the designated user or role:
  • arn:aws:iam::aws:policy/SecurityAudit
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Additional Permissions

For certain checks, additional read-only permissions are required. Attach the following custom policy to your role: prowler-additions-policy.json This method grants permanent access and is the recommended setup for production environments.
  • CloudFormation
  • Terraform
  1. Download the Prowler Scan Role Template Prowler Scan Role Template Download Role Template
  2. Open the AWS Console, search for CloudFormation CloudFormation Search
  3. Go to Stacks and click “Create stack” > “With new resources (standard)” Create Stack
  4. In Specify Template, choose “Upload a template file” and select the downloaded file Upload a template file Upload file from downloads
  5. Click “Next”, provide a stack name and the External ID shown in the Prowler Cloud setup screen External ID Stack Data
    An External ID is required when assuming the ProwlerScan role to prevent the confused deputy problem.
  6. Acknowledge the IAM resource creation warning and proceed Stack Creation Second Step
  7. Click “Submit” to deploy the stack Click on submit

Credentials

  • Long term credentials
  1. Go to the AWS Console, open CloudShell AWS CloudShell
  2. Run: 
    aws iam create-access-key