Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark
It covers hardening and security best practices for all regions related to:
- Identity and Access Management (15 checks)
- Logging (8 checks)
- Monitoring (16 checks)
- Networking (4 checks)
For a comprehesive list and resolution look at the guide on the link above.
This script has been written in bash using AWS-CLI and it works in Linux and OSX.
- Make sure your AWS-CLI is installed on your workstation, with Python pip already installed:
pip install awscli
Or install it using "brew", "apt", "yum" or manually from https://aws.amazon.com/cli/
- Previous steps, from your workstation:
git clone https://github.com/Alfresco/aws-cis-security-benchmark
cd aws-cis-security-benchmark
- Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
aws configure
- Make sure your Secret and Access Keys are associated to a user with proper permissions to do all checks. To make sure add SecurityAuditor default policy to your user. Policy ARN is
arn:aws:iam::aws:policy/SecurityAudit
1 - Run the prowler.sh command without options (it will use your default credentials and run checks over all regions when needed):
./prowler
2 - For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
./prowler -p custom-profile -r us-east-1
3 - For a single check use option -c:
./prowler -c check310
or for custom profile and region
./prowler -p custom-profile -r us-east-1 -c check11
Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
4 - If you want to save your report for later analysis:
./prowler > prowler-report.txt
5 - For help use:
./prowler -h
USAGE:
prowler -p <profile> -r <region> [ -v ] [ -h ]
Options:
-p <profile> specify your AWS profile to use (i.e.: default)
-r <region> specify a desired AWS region to use (i.e.: us-east-1)
-c <checknum> specify a check number from the AWS CIS benchmark (i.e.: check11 for check 1.1)
-h this help
Check your report and fix the issues following all specific guidelines per check in https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
If you are using an STS token for AWS-CLI and your session is expired you probably get this error:
A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
To fix it, please renew your token by authenticating again to the AWS API.