prowler aws -help
prowler aws -help
usage: prowler aws [-h] [-q] [-M {csv,json,json-asff,html,json-ocsf} [{csv,json,json-asff,html,json-ocsf} ...]]
                   [-F [OUTPUT_FILENAME]] [-o [OUTPUT_DIRECTORY]] [--verbose] [-z] [-b] [--slack] [--unix-timestamp]
                   [--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--log-file [LOG_FILE]] [--only-logs]
                   [-c CHECKS [CHECKS ...]] [-C [CHECKS_FILE]] [-s SERVICES [SERVICES ...]]
                   [--severity {critical,high,medium,low,informational} [{critical,high,medium,low,informational} ...]]
                   [--compliance {cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} [{cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} ...]]
                   [--categories CATEGORIES [CATEGORIES ...]] [-x [CHECKS_FOLDER]] [-e EXCLUDED_CHECKS [EXCLUDED_CHECKS ...]]
                   [--excluded-services EXCLUDED_SERVICES [EXCLUDED_SERVICES ...]]
                   [-l | --list-checks-json | --list-services | --list-compliance
                    | --list-compliance-requirements {cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} [{cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} ...]
                    | --list-categories]
                   [--config-file [CONFIG_FILE]] [--custom-checks-metadata-file [CUSTOM_CHECKS_METADATA_FILE]]
                   [-p [PROFILE]] [-R [ROLE]] [--role-session-name [ROLE_SESSION_NAME]]
                   [--sts-endpoint-region [STS_ENDPOINT_REGION]] [--mfa] [-T [SESSION_DURATION]] [-I [EXTERNAL_ID]]
                   [-f {cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} [{cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} ...]]
                   [-O [ORGANIZATIONS_ROLE]] [-S] [--skip-sh-update] [--send-sh-only-fails] [-i]
                   [-B [OUTPUT_BUCKET] | -D [OUTPUT_BUCKET_NO_ASSUME]] [-N [SHODAN]] [-w [ALLOWLIST_FILE]]
                   [--resource-tags RESOURCE_TAGS [RESOURCE_TAGS ...] | --resource-arn RESOURCE_ARN [RESOURCE_ARN ...]]
                   [--aws-retries-max-attempts [AWS_RETRIES_MAX_ATTEMPTS]] [--ignore-unused-services]

optional arguments:
  -h, --help            show this help message and exit
  -c CHECKS [CHECKS ...], --checks CHECKS [CHECKS ...]
                        List of checks to be executed.
  -C [CHECKS_FILE], --checks-file [CHECKS_FILE]
                        JSON file containing the checks to be executed. See config/checklist_example.json
  -s SERVICES [SERVICES ...], --services SERVICES [SERVICES ...]
                        List of services to be executed.
  --compliance {cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} [{cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} ...]
                        Compliance Framework to check against for. The format should be the following:
                        framework_version_provider (e.g.: ens_rd2022_aws)
  --categories CATEGORIES [CATEGORIES ...]
                        List of categories to be executed.
  -l, --list-checks     List checks
  --list-checks-json    Output a list of checks in json for use with --checks-file
  --list-services       List services
  --list-compliance     List compliance frameworks
  --list-compliance-requirements {cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} [{cisa_aws,soc2_aws,cis_1.4_aws,cis_1.5_aws,mitre_attack_aws,gdpr_aws,aws_foundational_security_best_practices_aws,iso27001_2013_aws,hipaa_aws,cis_2.0_aws,gxp_21_cfr_part_11_aws,aws_well_architected_framework_security_pillar_aws,gxp_eu_annex_11_aws,nist_800_171_revision_2_aws,nist_800_53_revision_4_aws,nist_800_53_revision_5_aws,aws_account_security_onboarding_aws,cis_3.0_aws,ens_rd2022_aws,aws_foundational_technical_review_aws,nist_csf_1.1_aws,aws_well_architected_framework_reliability_pillar_aws,aws_audit_manager_control_tower_guardrails_aws,rbi_cyber_security_framework_aws,ffiec_aws,pci_3.2.1_aws,fedramp_moderate_revision_4_aws,fedramp_low_revision_4_aws,cis_2.0_gcp} ...]
                        List compliance requirements for a given compliance framework
  --list-categories     List the available check's categories

Outputs:
  -q, --quiet           Store or send only Prowler failed findings
  -M {csv,json,json-asff,html,json-ocsf} [{csv,json,json-asff,html,json-ocsf} ...], --output-modes {csv,json,json-asff,html,json-ocsf} [{csv,json,json-asff,html,json-ocsf} ...]
                        Output modes, by default csv, html and json
  -F [OUTPUT_FILENAME], --output-filename [OUTPUT_FILENAME]
                        Custom output report name without the file extension, if not specified will use default
                        output/prowler-output-ACCOUNT_NUM-OUTPUT_DATE.format
  -o [OUTPUT_DIRECTORY], --output-directory [OUTPUT_DIRECTORY]
                        Custom output directory, by default the folder where Prowler is stored
  --verbose             Display detailed information about findings
  -z, --ignore-exit-code-3
                        Failed checks do not trigger exit code 3
  -b, --no-banner       Hide Prowler banner
  --slack               Send a summary of the execution with a Slack APP in your channel. Environment variables
                        SLACK_API_TOKEN and SLACK_CHANNEL_ID are required (see more in
                        https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack).
  --unix-timestamp      Set the output timestamp format as unix timestamps instead of iso format timestamps
                        (default mode).

Logging:
  --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Select Log Level
  --log-file [LOG_FILE]
                        Set log file name
  --only-logs           Print only Prowler logs by the stdout. This option sets --no-banner.

Specify checks/services to run:
  --severity {critical,high,medium,low,informational} [{critical,high,medium,low,informational} ...]
                        List of severities to be executed ['critical', 'high', 'medium', 'low', 'informational']
  -x [CHECKS_FOLDER], --checks-folder [CHECKS_FOLDER]
                        Specify external directory with custom checks (each check must have a folder with the
                        required files, see more in https://docs.prowler.cloud/en/latest/tutorials/misc/#custom-checks).

Exclude checks/services to run:
  -e EXCLUDED_CHECKS [EXCLUDED_CHECKS ...], --excluded-checks EXCLUDED_CHECKS [EXCLUDED_CHECKS ...]
                        Checks to exclude
  --excluded-services EXCLUDED_SERVICES [EXCLUDED_SERVICES ...]
                        Services to exclude

Configuration:
  --config-file [CONFIG_FILE]
                        Set configuration file path

Custom Checks Metadata:
  --custom-checks-metadata-file [CUSTOM_CHECKS_METADATA_FILE]
                        Path for the custom checks metadata YAML file. See example
                        prowler/config/custom_checks_metadata_example.yaml for reference and format. See more in
                        https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/

Authentication Modes:
  -p [PROFILE], --profile [PROFILE]
                        AWS profile to launch prowler with
  -R [ROLE], --role [ROLE]
                        ARN of the role to be assumed
  --role-session-name [ROLE_SESSION_NAME]
                        An identifier for the assumed role session. Defaults to ProwlerAssessmentSession
  --sts-endpoint-region [STS_ENDPOINT_REGION]
                        Specify the AWS STS endpoint region to use. Read more at
                        https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
  --mfa                 IAM entity enforces MFA so you need to input the MFA ARN and the TOTP
  -T [SESSION_DURATION], --session-duration [SESSION_DURATION]
                        Assumed role session duration in seconds, must be between 900 and 43200. Default: 3600
  -I [EXTERNAL_ID], --external-id [EXTERNAL_ID]
                        External ID to be passed when assuming role

AWS Regions:
  -f {cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} [{cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} ...], --region {cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} [{cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} ...], --filter-region {cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} [{cn-north-1,us-east-1,us-west-1,ap-southeast-3,af-south-1,us-gov-east-1,ap-northeast-1,eu-central-2,eu-north-1,ap-south-1,ap-southeast-2,eu-central-1,sa-east-1,ap-northeast-3,me-central-1,eu-west-2,il-central-1,us-gov-west-1,eu-south-2,ap-northeast-2,ap-east-1,ca-central-1,eu-south-1,eu-west-1,us-west-2,ap-southeast-4,ca-west-1,me-south-1,us-east-2,eu-west-3,ap-southeast-1,ap-south-2,cn-northwest-1} ...]
                        AWS region names to run Prowler against

AWS Organizations:
  -O [ORGANIZATIONS_ROLE], --organizations-role [ORGANIZATIONS_ROLE]
                        Specify AWS Organizations management role ARN to be assumed, to get Organization metadata

AWS Security Hub:
  -S, --security-hub    Send check output to AWS Security Hub
  --skip-sh-update      Skip updating previous findings of Prowler in Security Hub
  --send-sh-only-fails  Send only Prowler failed findings to SecurityHub

Quick Inventory:
  -i, --quick-inventory
                        Run Prowler Quick Inventory. The inventory will be stored in an output csv by default

AWS Outputs to S3:
  -B [OUTPUT_BUCKET], --output-bucket [OUTPUT_BUCKET]
                        Custom output bucket, requires -M <mode> and it can work also with -o flag.
  -D [OUTPUT_BUCKET_NO_ASSUME], --output-bucket-no-assume [OUTPUT_BUCKET_NO_ASSUME]
                        Same as -B but do not use the assumed role credentials to put objects to the bucket,
                        instead uses the initial credentials.

3rd Party Integrations:
  -N [SHODAN], --shodan [SHODAN]
                        Shodan API key used by check ec2_elastic_ip_shodan.

Allowlist:
  -w [ALLOWLIST_FILE], --allowlist-file [ALLOWLIST_FILE]
                        Path for allowlist yaml file. See example prowler/config/aws_allowlist.yaml for reference
                        and format. It also accepts AWS DynamoDB Table or Lambda ARNs or S3 URIs, see more in
                        https://docs.prowler.cloud/en/latest/tutorials/allowlist/

AWS Based Scans:
  --resource-tags RESOURCE_TAGS [RESOURCE_TAGS ...]
                        Scan only resources with specific AWS Tags (Key=Value), e.g., Environment=dev
                        Project=prowler
  --resource-arn RESOURCE_ARN [RESOURCE_ARN ...]
                        Scan only resources with specific AWS Resource ARNs, e.g.,
                        arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678

Boto3 Config:
  --aws-retries-max-attempts [AWS_RETRIES_MAX_ATTEMPTS]
                        Set the maximum attemps for the Boto3 standard retrier config (Default: 3)

Ignore Unused Services:
  --ignore-unused-services
                        Ignore findings in unused services