Cheat sheet — Posture auditing with Prowler & ScoutSuite¶
Companion to Module 05 — Posture & Misconfiguration Auditing · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Prowler — run the scan (the linter for your account)¶
prowler aws # scan the current AWS creds against all checks
prowler aws --profile audit # use a named profile
prowler aws --region us-east-1 eu-west-1 # limit regions (faster, cheaper)
prowler gcp | prowler azure | prowler kubernetes # other providers, same tool
Prowler — filter 400 findings into a triage queue¶
prowler aws --severity critical high # only the ones worth looking at first
prowler aws --status FAIL # hide the PASSes — see only violations
prowler aws --service s3 iam # scope to services (public-bucket hunt)
prowler aws --check s3_bucket_public_access # one specific check by id
prowler aws --compliance cis_3.0_aws # run a named benchmark (CIS L1/L2)
prowler aws --list-checks # every check id available
prowler aws --list-compliance # every compliance framework available
Prowler — machine-readable output for the pipeline¶
prowler aws --output-formats json-ocsf csv html # -M is the old alias
# artifacts land in ./output/ ; parse the JSON to build the triage queue:
prowler aws --status FAIL --output-formats json-ocsf
jq '.[] | select(.severity=="Critical") | {check:.metadata.event_code, res:.resources[0].uid}' \
output/*.ocsf.json
Triage — the actual job (not running the tool)¶
priority = severity × exploitability × blast radius (with asset context the tool CAN'T have)
public S3 bucket + regulated data + internet-reachable → the 2017 wave, whatever label it got
MEDIUM finding on a throwaway sandbox → noise
"stale" IAM key → is it stale, or serving a live service?
- Map each finding to its CIS control id (rationale + fix) and to ATT&CK (a public bucket → T1530 Data from Cloud Storage; a valid-account finding → T1078).
Suppress consciously — never as the default clear¶
# a mutelist/allowlist is a DOCUMENTED decision with a rationale, not a way to hide the noise
prowler aws --mutelist-file mutelist.yaml
# mutelist.yaml — suppress a known-accepted sandbox finding, with a reason in the comment
Mutelist:
Accounts:
"111122223333":
Checks:
"s3_bucket_public_access":
Regions: ["us-east-1"]
Resources: ["sandbox-demo-bucket"] # accepted: public demo assets, no PII — reviewed 2026-07
ScoutSuite — the second opinion (different blind spots)¶
scout aws # collect + render an HTML report
scout aws --profile audit
scout aws --report-dir ./scout-report # open scoutsuite-results/*.html in a browser
scout gcp --user-account | scout azure --cli # other providers
- Two linters, different coverage: note where ScoutSuite surfaces something Prowler missed and vice versa — neither is complete on its own.
Verify — remediation isn't done until FAIL → PASS¶
# 1. apply the fix (Terraform apply, or an awslocal one-liner for the seeded account)
# 2. RE-SCAN the single check and watch it flip:
prowler aws --check s3_bucket_public_access --status FAIL # should now return nothing
# 3. freeze it: the verified check is the guardrail that fails the moment the fix regresses
Gotchas worth remembering¶
- Running the scanner is one command; the value is entirely in triage. A 400-line report you treat line-by-line drowns the one finding that matters under 380 that don't.
- The tool's severity stamp is a guess. A MEDIUM on regulated, internet-reachable data outranks a HIGH on a sandbox — only you know which resource holds what and who can reach it.
- Closing all 400 and suppressing the noisy rule are both wrong. Suppression is a conscious, documented decision with a written rationale — never the default way to make a finding disappear.
- Triage without verification is a wish. "I'll fix the public bucket" is not done until the re-scan flips FAIL→PASS on that exact check. That flip is the seed of the CI guardrail (Module 06).
- Run two scanners. Prowler and ScoutSuite have different blind spots; the finding one misses is often the one that matters, and cross-checking is cheap.
Only scan accounts you own or have explicit written permission to assess.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).