Strengthening Amazon EKS Security with Prowler: A Comprehensive Guide

4 minute read
Content level: Advanced

This post focuses on securing Amazon Elastic Kubernetes Service (EKS) clusters using Prowler, an open-source multi-cloud security tool.

How to Install and Use Prowler for EKS Security

Securing cloud environments, especially Kubernetes clusters on Amazon Elastic Kubernetes Service (EKS), is a critical task for administrators. Prowler, an open-source multi-cloud security tool, simplifies this process by automating compliance checks and identifying vulnerabilities. This article provides a detailed guide on installing, using, and leveraging Prowler to enhance your security posture.

What is Prowler?

Prowler is an open-source security tool designed for multi-cloud environments like AWS, Azure, GCP, and Kubernetes. It supports compliance frameworks such as:

  • CIS Benchmarks
  • NIST
  • GDPR
  • HIPAA
  • PCI-DSS
  • And many more, including custom compliance frameworks

For Kubernetes, Prowler automates compliance checks against benchmarks like the CIS Kubernetes Benchmark, making it an essential tool for securing EKS clusters.

Key Features of Prowler

  • Multi-Cloud Security: Supports AWS, Azure, GCP, and Kubernetes.
  • Compliance Frameworks: Automates checks for CIS Benchmarks, NIST, GDPR, HIPAA, PCI-DSS, and more.
  • Kubernetes-Specific Checks: Ensures compliance with benchmarks like the CIS Kubernetes Benchmark.

Why Use Prowler for EKS?

Prowler offers several benefits:

  • Automated Security Checks: Simplifies the process of securing EKS clusters by automating critical checks.
  • Compliance Assurance: Ensures adherence to Kubernetes-specific standards like CIS Benchmarks.
  • Customizable Outputs: Generates reports in various formats (HTML, CSV, JSON-ASFF) for easy integration into dashboards or security tools.
  • Shodan Integration: Identifies exposed public IPs indexed by Shodan to mitigate risks.

Installation Steps

Prowler can be installed using multiple methods depending on your environment. Here’s how:

1) Prowler App Method

Download the Docker Compose file:

*Note: containers are built for linux/amd64. If your workstation's architecture differs, set DOCKER_DEFAULT_PLATFORM=linux/amd64 in your environment or pass the --platform linux/amd64 flag to the docker command.

 `curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml`
 `curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env`

Start the Prowler App by running the command:
 `docker compose up -d`

Register in the Prowler App at http://localhost:3000 by signing up with your email and password.

2) Using Homebrew, pip, or AWS CloudShell

  • For macOS/Linux users with Homebrew:
    brew install prowler

  • For Python users:
    pip install prowler

  • Verify the installation:
    After installation, confirm the version:
    prowler -v

How Does Prowler Work?

Prowler scans cloud resources and Kubernetes configurations to generate compliance reports based on predefined benchmarks. The process includes:

  1. Identifying vulnerabilities and misconfigurations.
  2. Categorizing findings by severity (Critical, High, Medium, Low).
  3. Generating outputs in customizable formats for further analysis or integration.

Running Prowler Commands

Here’s how you can use Prowler effectively:

  1. Scanning EKS Clusters
     Run a scan of your EKS cluster using the kubeconfig file:
     prowler kubernetes --kubeconfig-file ~/.kube/config

  2. Customizing Outputs
     You can use different formats for various integrations (for example, json-asff for the AWS Security Finding Format and json-ocsf for the Open Cybersecurity Schema Framework format):
     prowler kubernetes -M html csv json-asff json-ocsf
     The json-asff output can be used to integrate the results with AWS Security Hub.

  3. Checking Compliance Requirements
     List the requirements of one or more compliance frameworks for a provider:
     prowler <provider> --list-compliance-requirements <compliance_framework(s)>

  4. Excluding Specific Checks
     Exclude specific services or checks during a scan (here the rbac service is skipped and the scan is limited to the demo namespace):
     prowler kubernetes --excluded-service rbac --namespace demo
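Once a scan has written json-ocsf output, the findings can be triaged by the severity buckets described above. The following Python script is an added example, not part of the original post or of the Prowler project: it reads the json-ocsf array, counts FAIL findings per severity, lists the Critical and High ones worst first, and exits non-zero so it can gate a CI pipeline. The field names, the constructed sample findings and the check identifiers in them are assumptions modelled on Prowler's OCSF output; verify them against a real output file.

```python
import json
import sys
from collections import Counter

# Field names follow the OCSF Detection Finding layout Prowler writes with
# `-M json-ocsf` (an assumption; verify against your own output file).
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

# Constructed sample findings for a Kubernetes scan; not real scan output.
SAMPLE_FINDINGS = [
    {"metadata": {"event_code": "apiserver_anonymous_requests"}, "severity": "High",
     "status_code": "FAIL", "status_detail": "Anonymous requests are enabled.",
     "resources": [{"name": "kube-apiserver-node-1", "type": "Pod"}]},
    {"metadata": {"event_code": "rbac_cluster_admin_usage"}, "severity": "Critical",
     "status_code": "FAIL", "status_detail": "cluster-admin is bound to a non-system subject.",
     "resources": [{"name": "demo-admin-binding", "type": "ClusterRoleBinding"}]},
    {"metadata": {"event_code": "etcd_client_cert_auth"}, "severity": "High",
     "status_code": "PASS", "status_detail": "Client certificate authentication is on.",
     "resources": [{"name": "etcd-node-1", "type": "Pod"}]},
    {"metadata": {"event_code": "core_minimize_privileged_containers"}, "severity": "Medium",
     "status_code": "FAIL", "status_detail": "Pod runs a privileged container.",
     "resources": [{"name": "demo/debug-shell", "type": "Pod"}]},
]

def load_ocsf(path):
    """Read a Prowler json-ocsf output file (a JSON array of findings)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def failed_by_severity(findings):
    """Count FAIL findings per severity bucket, e.g. {'Critical': 1, 'High': 1}."""
    return Counter(f["severity"] for f in findings if f["status_code"] == "FAIL")

def failed_checks(findings, max_rank=1):
    """FAIL findings at or above a severity rank (default Critical and High), worst
    first, as (severity, check id, resource name, detail) tuples."""
    rows = [(f["severity"], f["metadata"]["event_code"], f["resources"][0]["name"],
             f["status_detail"])
            for f in findings
            if f["status_code"] == "FAIL" and SEVERITY_ORDER.get(f["severity"], 99) <= max_rank]
    return sorted(rows, key=lambda r: SEVERITY_ORDER[r[0]])

if __name__ == "__main__":
    # Usage: python triage.py [prowler-output.ocsf.json]; exits 1 on Critical/High FAILs.
    data = load_ocsf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    for sev, check, name, detail in failed_checks(data):
        print(f"{sev:9}{check:40}{name}: {detail}")
    sys.exit(1 if failed_checks(data) else 0)
```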

Viewing Results:

  • Prowler provides detailed reports categorized by severity and stores them in files for review or integration into dashboards.

  • Here is an example of the HTML output file:

    [Image: sample HTML output file]

Launching the Dashboard:

  • To visualize scan results:
    prowler dashboard

    [Image: Prowler dashboard]

The dashboard displays metrics such as total clusters scanned, top findings by severity, and compliance adherence.

Here is an example dashboard:

    [Image: sample dashboard]