
wearetechnative/terraform-aws-module-prowler-frontend


Terraform AWS [Prowler]

This module implements ...

How does it work

First use after you clone this repository, or whenever `.pre-commit-config.yaml` is updated:

Run `pre-commit install` to install the guardrails implemented with pre-commit.

See the pre-commit installation docs on how to install `pre-commit` itself.

...

Usage

1. Prepare a Prowler-ready AMI

The EC2 dashboard instance bootstraps significantly faster when Prowler and its dependencies are already available on the image. When using an Ubuntu base AMI, install the tools shown below and register the resulting AMI in the account in which you run this module.

```bash
sudo apt update -y
sudo apt install pipx unzip -y
# AWS CLI v2 (Prowler uses it to assume the scan role in each account)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Prowler itself, installed in an isolated pipx environment
pipx install prowler
pipx ensurepath   # adds ~/.local/bin to PATH; open a new shell before using prowler
```

2. Deploy the module

Reference this repository from your Terraform configuration and provide the required inputs for both the scan backend and the Cognito-protected frontend (VPC, Route53 zone, bucket name, scan definitions, etc.).

```hcl
module "prowler_stack" {
  source = "git::https://github.com/wearetechnative/terraform-aws-module-prowler-frontend.git?ref=<release>"

  region = "eu-west-1"
  vpc_id = "vpc-0123456789abcdef0"

  # Cognito-protected dashboard frontend (all values are placeholders)
  domain                   = "example.com"
  dashboard_frontend_url   = "https://prowler.example.com"
  cognito_id_provider_arns = ["arn:aws:cognito-idp:eu-west-1:123456789012:userpool/<pool-id>"]
  allowed_ips              = ["203.0.113.10/32"]
  prowler_ami              = "ami-0abc123def4567890"
  dashboard_uptime         = "1h" # the dashboard EC2 instance self-terminates after this

  # Scan backend
  ecs_cluster_name             = "prowler"
  container_name               = "prowler"
  prowler_container_subnet     = "subnet-0123456789abcdef0"
  prowler_report_bucket_name   = "prowler-reports-example"
  report_retention             = 90
  prowler_rolename_in_accounts = "ProwlerExecutionRole"
  kms_key_arn                  = "arn:aws:kms:eu-west-1:123456789012:key/<key-id>"
  dlq_arn                      = "arn:aws:sqs:eu-west-1:123456789012:<dlq-name>"

  prowler_scans = {
    nightly = {
      prowler_schedule_timer       = "cron(0 1 * * ? *)"
      prowler_schedule_timezone    = "UTC"
      prowler_scan_regions         = ["eu-west-1"]
      prowler_report_output_format = "csv"
      task_definition_name         = "prowler-nightly"
      fargate_task_cpu             = "1024"
      fargate_memory               = "2048"
      ecr_image_uri                = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/prowler:latest"
      prowler_account_list         = ["111122223333"]
      compliance_checks            = ["cis_aws"]
      severity                     = ["HIGH", "MEDIUM"]
    }
  }

  # Optional inputs (mutelist, prowler_dashboard_subnet) are documented in variables.tf
  # and in the Inputs section below.
}
```

Run `terraform init`, `terraform plan`, and `terraform apply` to provision the scan pipeline, API Gateway, Cognito authorizer, CloudFront distribution, and the dashboard infrastructure.

3. Create a Cognito user for the dashboard

Only authenticated Cognito users can open the dashboard or trigger scans. After the infrastructure is deployed, create at least one user in the Cognito user pool that the module created (its name is derived from var.prowlersite_name). This can be done through the AWS Console or the CLI:

```bash
aws cognito-idp admin-create-user \
  --user-pool-id <cognito_user_pool_id> \
  --username security@example.com \
  --user-attributes Name=email,Value=security@example.com \
  --temporary-password 'Prowler#2024'
```

Replace `<cognito_user_pool_id>` with the ID of the Cognito pool shown in the Amazon Cognito console (or obtained from Terraform state via `terraform output -raw cognito_user_pool_id`). Note that neither `var.prowlersite_name` nor the `cognito_user_pool_id` output appears in the Inputs and Outputs sections below; if your version of the module lacks them, take the pool ID from the console. Share the temporary password with the intended operator so they can change it at first login.

4. Subscribe to the SNS topic for scan notifications

The module creates an SNS topic named prowler_security_check_fail_notifier that receives events whenever a scan finishes with failing checks. Subscribe your operations mailbox (or another notification target) so you receive those alerts:

```bash
aws sns subscribe \
  --topic-arn <topic_arn> \
  --protocol email \
  --notification-endpoint secops@example.com
```

The topic ARN is visible in the Amazon SNS console or through the Terraform state using `terraform output -raw sns_topic_arn` (this output is not listed in the Outputs section below; if it is absent from your version, copy the ARN from the console). Confirm the subscription from the email that AWS sends: until it is confirmed the subscription stays in the `PendingConfirmation` state and you will not receive alerts about failed scans.
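Steps 3 and 4 as one post-deployment bootstrap script. This is an added example, not code from the module: it replaces the fixed temporary password from the command above with a random one that Cognito mails to the operator itself (the real `--desired-delivery-mediums EMAIL` flag of `admin-create-user`), validates the e-mail address and topic ARN before calling the AWS CLI, and checks after subscribing whether the subscription is still awaiting confirmation. The account IDs, addresses and the sample `PendingConfirmation` rows are constructed; the live branch needs AWS credentials.

```shell
#!/bin/sh
# Added example (not part of the module): bootstrap the dashboard user and the
# failure-notification subscription after `terraform apply`.
set -eu

# Accept a plausible e-mail address (used as Cognito username and SNS endpoint).
valid_email() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Accept only the ARN of the notifier topic the module creates; anything else
# is most likely a copy/paste mistake and would subscribe the wrong topic.
valid_topic_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:sns:[a-z0-9-]+:[0-9]{12}:prowler_security_check_fail_notifier$'
}

# 20 random base64 characters plus a suffix that satisfies Cognito's default
# password policy (upper, lower, digit, symbol) whatever the random part holds.
gen_temp_password() {
  rnd=$(head -c 24 /dev/urandom | base64 | tr -d '/+=\n' | head -c 20)
  printf '%sAa1!' "$rnd"
}

# Filter for the tab-separated output of
#   aws sns list-subscriptions-by-topic --topic-arn <arn> \
#       --query 'Subscriptions[].[Endpoint,Protocol,SubscriptionArn]' --output text
# Prints "endpoint protocol" for every subscription still awaiting confirmation.
pending_subscriptions() {
  awk -F'\t' '$3 == "PendingConfirmation" { print $1, $2 }'
}

# Step 3: create the dashboard operator. Cognito delivers the temporary
# password by e-mail, so it never has to be shared by hand.
create_dashboard_user() {
  pool_id="$1"; email="$2"
  valid_email "$email" || { echo "invalid e-mail: $email" >&2; return 1; }
  aws cognito-idp admin-create-user \
    --user-pool-id "$pool_id" \
    --username "$email" \
    --user-attributes Name=email,Value="$email" \
    --temporary-password "$(gen_temp_password)" \
    --desired-delivery-mediums EMAIL
}

# Step 4: subscribe the mailbox, then report subscriptions that are still pending.
subscribe_and_check() {
  topic_arn="$1"; email="$2"
  valid_topic_arn "$topic_arn" || { echo "unexpected topic ARN: $topic_arn" >&2; return 1; }
  valid_email "$email" || { echo "invalid e-mail: $email" >&2; return 1; }
  aws sns subscribe --topic-arn "$topic_arn" --protocol email --notification-endpoint "$email"
  pending=$(aws sns list-subscriptions-by-topic --topic-arn "$topic_arn" \
      --query 'Subscriptions[].[Endpoint,Protocol,SubscriptionArn]' --output text \
    | pending_subscriptions)
  if [ -n "$pending" ]; then
    printf 'still pending confirmation (check the mailbox):\n%s\n' "$pending"
    return 1
  fi
}

# Live usage (needs AWS credentials):
#   sh bootstrap.sh <cognito_user_pool_id> <topic_arn> security@example.com
# Without arguments the script runs the pending-subscription filter over a
# constructed sample (one pending, one confirmed row) instead of calling AWS.
if [ "$#" -eq 3 ]; then
  create_dashboard_user "$1" "$3"
  subscribe_and_check "$2" "$3"
else
  SAMPLE=$(printf 'secops@example.com\temail\tPendingConfirmation\nsoc@example.com\temail\tarn:aws:sns:eu-west-1:123456789012:prowler_security_check_fail_notifier:11111111-2222-3333-4444-555555555555')
  printf '%s\n' "$SAMPLE" | pending_subscriptions
fi
```

Run the script once with the pool ID, the topic ARN and the operator's address; if it reports a pending subscription, confirm it from the mailbox and rerun only the check before relying on the alerts.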

Providers

| Name | Version |
|------|---------|
| aws  | 5.96.0  |
| null | n/a     |

Modules

| Name | Source | Version |
|------|--------|---------|
| api_endpoints | ./modules/api_gateway | n/a |
| ec2_instance_role | git@github.com:wearetechnative/terraform-aws-iam-role | 0fe916c27097706237692122e09f323f55e8237e |
| iam_role_lambda_prowler | git@github.com:wearetechnative/terraform-aws-iam-role.git | 9229bbd0280807cbc49f194ff6d2741265dc108a |
| iam_role_lambda_prowler_failed_task | git@github.com:wearetechnative/terraform-aws-iam-role.git | 9229bbd0280807cbc49f194ff6d2741265dc108a |
| iam_role_lambda_terminate_dashboard | git@github.com:wearetechnative/terraform-aws-iam-role.git | 9229bbd0280807cbc49f194ff6d2741265dc108a |
| key_pair | terraform-aws-modules/key-pair/aws | 2.0.2 |
| lambda_prowler | git@github.com:wearetechnative/terraform-aws-lambda.git | 13eda5f9e8ae40e51f66a45837cd41a6b35af988 |
| lambda_prowler_failed_task | git@github.com:wearetechnative/terraform-aws-lambda.git | 13eda5f9e8ae40e51f66a45837cd41a6b35af988 |
| lambda_terminate_dashboard | git@github.com:wearetechnative/terraform-aws-lambda.git | 13eda5f9e8ae40e51f66a45837cd41a6b35af988 |
| prowler | ./modules/scan | n/a |

Resources

| Name | Type |
|------|------|
| aws_api_gateway_authorizer.prowler | resource |
| aws_api_gateway_deployment.prowler | resource |
| aws_api_gateway_rest_api.prowler | resource |
| aws_api_gateway_stage.prod | resource |
| aws_cloudwatch_event_rule.failed_task | resource |
| aws_cloudwatch_event_rule.terminate_schedule | resource |
| aws_cloudwatch_event_target.failed_task | resource |
| aws_cloudwatch_event_target.lambda_target | resource |
| aws_cloudwatch_log_group.prowler_cw_log_group | resource |
| aws_ecs_cluster.prowler_ecs_cluster | resource |
| aws_iam_instance_profile.ec2_profile | resource |
| aws_iam_policy.dashboard_ec2 | resource |
| aws_iam_role.executionrole | resource |
| aws_iam_role.schedulerole | resource |
| aws_iam_role.taskrole | resource |
| aws_iam_role_policy.allow_bucket | resource |
| aws_iam_role_policy.allow_passrole_schedule | resource |
| aws_iam_role_policy.update_trust_relationship | resource |
| aws_iam_role_policy_attachment.dashboard_ec2 | resource |
| aws_iam_role_policy_attachment.ecr-policy | resource |
| aws_iam_role_policy_attachment.task-execution-policy | resource |
| aws_lambda_permission.allow_all_apigateway_calls | resource |
| aws_lambda_permission.allow_eventbridge | resource |
| aws_lambda_permission.failed_task | resource |
| aws_launch_template.compute | resource |
| aws_lb.dashboard | resource |
| aws_lb_listener.dashboard_http | resource |
| aws_lb_target_group.dashboard | resource |
| aws_route53_record.dashboard | resource |
| aws_s3_bucket.prowler_bucket | resource |
| aws_s3_bucket_lifecycle_configuration.reports | resource |
| aws_s3_bucket_policy.allow_access_from_another_account | resource |
| aws_s3_bucket_public_access_block.public_access_block | resource |
| aws_s3_bucket_versioning.bucket_versioning | resource |
| aws_s3_object.mutelist | resource |
| aws_security_group.alb_sg | resource |
| aws_security_group.dashboard_sg | resource |
| aws_security_group.prowler | resource |
| aws_security_group_rule.alb_to_dashboard | resource |
| aws_security_group_rule.dashboard_cloudfront | resource |
| aws_security_group_rule.inbound_dashboard_ec2 | resource |
| aws_security_group_rule.inbound_ssh_ec2 | resource |
| aws_security_group_rule.outbound_dashboard_ec2 | resource |
| aws_security_group_rule.prowler_out | resource |
| aws_sns_topic.check_fail | resource |
| aws_sns_topic_policy.check_fail | resource |
| null_resource.stage_blocker | resource |
| aws_iam_policy_document.allow_getobject_from_other_accounts | data source |
| aws_iam_policy_document.dashboard_ec2 | data source |
| aws_iam_policy_document.lambda_list_tasks | data source |
| aws_iam_policy_document.lambda_pass_role | data source |
| aws_iam_policy_document.lambda_run_task | data source |
| aws_iam_policy_document.launch_dashboard | data source |
| aws_iam_policy_document.publish_failed_task | data source |
| aws_iam_policy_document.s3_access | data source |
| aws_iam_policy_document.sns_topic_policy | data source |
| aws_iam_policy_document.terminate_dashboard | data source |
| aws_iam_policy_document.update_trust_relationship | data source |
| aws_route53_zone.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_ips | IP addresses allowed to reach the Prowler dashboard, in CIDR notation (append /32 for single hosts) | `list(string)` | n/a | yes |
| cognito_id_provider_arns | ARNs of the Cognito identity providers that are allowed to run Prowler scans | `list(any)` | n/a | yes |
| container_name | Name of the container within AWS Fargate | `string` | n/a | yes |
| dashboard_frontend_url | Frontend page from which the dashboard is launched | `string` | n/a | yes |
| dashboard_uptime | Running time of the Prowler dashboard EC2 instance; it self-terminates after this period (e.g. 1d, 1h, 2h, 15m) | `string` | `"1h"` | no |
| dlq_arn | ARN of the dead-letter queue for the Lambda functions | `string` | n/a | yes |
| domain | Domain for the dashboard DNS record | `string` | n/a | yes |
| ecs_cluster_name | Name of the ECS cluster | `string` | n/a | yes |
| kms_key_arn | ARN of the KMS key used by the Lambda functions | `string` | n/a | yes |
| mutelist | Contents of the Prowler mutelist YAML file | `string` | `"Mutelist: []"` | no |
| prowler_ami | ID of an AMI with Prowler pre-installed (fast boot time) | `string` | n/a | yes |
| prowler_container_subnet | Subnet ID in which the Prowler container is launched | `string` | n/a | yes |
| prowler_dashboard_subnet | Subnet ID in which the Prowler dashboard is launched | `string` | `""` | no |
| prowler_report_bucket_name | Name of the bucket where output reports are saved | `string` | n/a | yes |
| prowler_rolename_in_accounts | Name of the role that Prowler assumes in each scanned account | `string` | n/a | yes |
| prowler_scans | Prowler scan configuration, one entry per scheduled scan | `map(object({ prowler_schedule_timer = string, prowler_schedule_timezone = string, prowler_scan_regions = list(string), prowler_report_output_format = string, task_definition_name = string, fargate_task_cpu = string, fargate_memory = string, ecr_image_uri = string, prowler_account_list = list(string), compliance_checks = list(string), severity = list(string) }))` | n/a | yes |
| region | Region in which to deploy the resources | `string` | n/a | yes |
| report_retention | Number of days to retain Prowler reports in the bucket | `number` | n/a | yes |
| vpc_id | ID of the VPC in which prowler_container_subnet resides | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| api_gateway_stage_invoke_url | n/a |
| bucket_arn | n/a |
| eip_allocation_id | n/a |

About

A complete module for Prowler and a frontend for launching scans and dashboard
