Prowler: Building a Multi-Cloud Security Scanner That Maps Attack Paths

Hook

A single misconfigured S3 bucket can cascade into full AWS account compromise through IAM role assumptions and privilege escalations—and most security tools won't show you that path. Prowler does.

Context

Cloud security posture management has traditionally been a fragmented nightmare. AWS users rely on Security Hub, Azure teams use Defender for Cloud, and GCP shops depend on Security Command Center. Each tool speaks a different language, maps to different compliance frameworks, and leaves multi-cloud organizations stitching together disparate reports for auditors. Worse, these native tools treat security findings as isolated issues—they'll flag an overly permissive IAM role and a publicly accessible RDS instance as separate problems, missing that an attacker could chain them together.

Prowler emerged from this chaos as an open-source alternative that speaks every cloud provider's API. Started as an AWS-focused security assessment tool, it evolved into a comprehensive CSPM (Cloud Security Posture Management) platform covering nine cloud providers with over 1200 security checks. But what sets Prowler apart isn't just breadth—it's the Attack Paths feature that combines infrastructure topology graphs with security findings to automatically identify exploit chains. This transforms raw vulnerability data into actionable threat intelligence, showing exactly how an attacker could move laterally through your cloud environment.

Technical Insight

Prowler's architecture centers on a provider-plugin system where each cloud platform gets its own namespace of check modules. When you run a scan, Prowler instantiates provider-specific clients (boto3 for AWS, Azure SDK, Google Cloud Client Libraries), then iterates through enabled checks, executing them concurrently to minimize scan time. Each check module follows a consistent pattern: query the cloud API for resource configurations, evaluate against security controls, and return structured finding objects.

Here's what a simplified AWS S3 check looks like:

from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.s3.s3_client import s3_client

class s3_bucket_public_access(Check):
    def execute(self):
        findings = []
        # s3_client.buckets is the cached inventory built once per scan;
        # the check never calls the AWS API itself.
        for bucket in s3_client.buckets.values():
            report = Check_Report_AWS(self.metadata())
            report.region = bucket.region
            report.resource_id = bucket.name
            report.resource_arn = bucket.arn

            if bucket.public_access_block:
                # A Public Access Block exists; verify it actually blocks public ACLs.
                if not bucket.public_access_block.block_public_acls:
                    report.status = "FAIL"
                    report.status_extended = f"S3 Bucket {bucket.name} allows public ACLs"
                else:
                    report.status = "PASS"
                    report.status_extended = f"S3 Bucket {bucket.name} blocks public ACLs"
            else:
                # No Public Access Block configured at all: treat as a failure.
                report.status = "FAIL"
                report.status_extended = f"S3 Bucket {bucket.name} has no public access block configuration"

            findings.append(report)
        return findings

The s3_client is a singleton service object that caches API responses, preventing redundant calls when multiple checks examine the same resources. This caching layer is critical—scanning a large AWS organization with hundreds of accounts and thousands of resources would be impossibly slow without it.
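To make the check pattern and the caching layer concrete, here is an added, self-contained example (not Prowler's own code): a minimal service object that fetches the bucket inventory once and caches it, plus two checks that both read the cached inventory and return structured findings. The bucket data is constructed sample data, and the class and field names (S3Service, Finding, Bucket, api_calls) are assumptions made for the example.

```python
"""Added example (not Prowler's own code): a minimal check framework that
mirrors the pattern described above. A singleton service fetches resource
configuration once; several checks then evaluate the cached inventory and
return structured findings. The bucket inventory is constructed sample data
and the class/field names are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PublicAccessBlock:
    block_public_acls: bool
    block_public_policy: bool


@dataclass
class Bucket:
    name: str
    region: str
    public_access_block: Optional[PublicAccessBlock]
    encrypted: bool


@dataclass
class Finding:
    check_id: str
    resource_id: str
    region: str
    status: str          # "PASS" or "FAIL"
    status_extended: str


class S3Service:
    """Singleton-style service: the (simulated) cloud API is called at most
    once per process; every check reads the cached inventory."""
    _instance = None

    def __new__(cls):
        if cls._instance is None:
            cls._instance = super().__new__(cls)
            cls._instance.api_calls = 0
            cls._instance._buckets = None
        return cls._instance

    @property
    def buckets(self):
        if self._buckets is None:          # populate the cache on first use
            self._buckets = self._list_buckets()
        return self._buckets

    def _list_buckets(self):
        # Stand-in for the boto3 list_buckets / get_public_access_block calls.
        self.api_calls += 1
        return {
            "logs": Bucket("logs", "us-east-1", PublicAccessBlock(True, True), True),
            "assets": Bucket("assets", "eu-west-1", PublicAccessBlock(False, True), False),
            "backup": Bucket("backup", "us-east-1", None, True),
        }


class Check:
    check_id = "base"

    def execute(self):
        raise NotImplementedError


class s3_bucket_public_access(Check):
    check_id = "s3_bucket_public_access"

    def execute(self):
        findings = []
        for b in S3Service().buckets.values():
            pab = b.public_access_block
            if pab is None:
                status, msg = "FAIL", f"S3 Bucket {b.name} has no public access block configuration"
            elif not pab.block_public_acls:
                status, msg = "FAIL", f"S3 Bucket {b.name} allows public ACLs"
            else:
                status, msg = "PASS", f"S3 Bucket {b.name} blocks public ACLs"
            findings.append(Finding(self.check_id, b.name, b.region, status, msg))
        return findings


class s3_bucket_default_encryption(Check):
    check_id = "s3_bucket_default_encryption"

    def execute(self):
        findings = []
        for b in S3Service().buckets.values():   # same cached inventory, no new API call
            status = "PASS" if b.encrypted else "FAIL"
            msg = f"S3 Bucket {b.name} {'has' if b.encrypted else 'lacks'} default encryption"
            findings.append(Finding(self.check_id, b.name, b.region, status, msg))
        return findings


def run_checks(checks):
    """Execute every enabled check; return (findings, number of API calls made)."""
    findings = []
    for check in checks:
        findings.extend(check.execute())
    return findings, S3Service().api_calls


if __name__ == "__main__":
    results, calls = run_checks([s3_bucket_public_access(), s3_bucket_default_encryption()])
    for f in results:
        print(f.status, f.check_id, f.resource_id, "-", f.status_extended)
    print("API calls made:", calls)
```

Running it produces six findings from two checks but only one simulated API call, which is the property that keeps large-organization scans tractable: the cost of enumerating resources is paid once per service, not once per check.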

Compliance mapping happens through the metadata attached to each check. A check module declares which frameworks and controls it satisfies (shown here, simplified, as a metadata method):

class s3_bucket_public_access(Check):
    def metadata(self):
        return {
            "CheckID": "s3_bucket_public_access",
            "ServiceName": "s3",
            "Severity": "high",
            "Compliance": [
                {"Framework": "CIS-1.5", "Control": "2.1.5"},
                {"Framework": "PCI-DSS-v4.0", "Control": "1.2.1"},
                {"Framework": "GDPR", "Article": "32"}
            ]
        }

When you generate a compliance report, Prowler filters checks by framework and aggregates pass/fail rates per control. This turns an overwhelming list of 1200+ findings into a structured audit document that auditors actually understand.
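The filtering and aggregation step described above, as an added example that is not Prowler's own code: given check metadata in the shape shown and a list of findings, it builds a per-control pass/fail summary for one framework and a pass rate across controls. The metadata, findings, framework names and control identifiers are constructed sample data for illustration.

```python
"""Added example (not Prowler's own code): aggregate findings into a
per-framework, per-control pass/fail summary, the way the compliance
report described above turns raw findings into an audit view. All check
metadata and findings below are constructed sample data."""
from collections import defaultdict

# Constructed check metadata keyed by CheckID (same "Compliance" list shape as above).
CHECK_METADATA = {
    "s3_bucket_public_access": {
        "Severity": "high",
        "Compliance": [
            {"Framework": "CIS-1.5", "Control": "2.1.5"},
            {"Framework": "PCI-DSS-v4.0", "Control": "1.2.1"},
        ],
    },
    "s3_bucket_default_encryption": {
        "Severity": "medium",
        "Compliance": [
            {"Framework": "CIS-1.5", "Control": "2.1.1"},
            {"Framework": "PCI-DSS-v4.0", "Control": "3.5.1"},
        ],
    },
    "iam_root_mfa_enabled": {
        "Severity": "critical",
        "Compliance": [{"Framework": "CIS-1.5", "Control": "1.5"}],
    },
}

# Constructed findings: (CheckID, resource, status)
FINDINGS = [
    ("s3_bucket_public_access", "logs", "PASS"),
    ("s3_bucket_public_access", "assets", "FAIL"),
    ("s3_bucket_public_access", "backup", "FAIL"),
    ("s3_bucket_default_encryption", "logs", "PASS"),
    ("s3_bucket_default_encryption", "assets", "FAIL"),
    ("s3_bucket_default_encryption", "backup", "PASS"),
    ("iam_root_mfa_enabled", "root", "PASS"),
]


def compliance_report(findings, metadata, framework):
    """Return {control: {"pass": n, "fail": n, "status": ..., "checks": [...]}}
    for one framework. A control is FAIL if any finding mapped to it failed."""
    report = defaultdict(lambda: {"pass": 0, "fail": 0, "checks": set()})
    for check_id, _resource, status in findings:
        for entry in metadata.get(check_id, {}).get("Compliance", []):
            if entry["Framework"] != framework:
                continue                      # this mapping belongs to another framework
            control = report[entry["Control"]]
            control["checks"].add(check_id)
            control["pass" if status == "PASS" else "fail"] += 1
    for control in report.values():
        control["status"] = "FAIL" if control["fail"] else "PASS"
        control["checks"] = sorted(control["checks"])
    return dict(sorted(report.items()))


def pass_rate(report):
    """Fraction of controls in the framework with no failing findings."""
    if not report:
        return 0.0
    passed = sum(1 for c in report.values() if c["status"] == "PASS")
    return passed / len(report)


if __name__ == "__main__":
    for fw in ("CIS-1.5", "PCI-DSS-v4.0"):
        rep = compliance_report(FINDINGS, CHECK_METADATA, fw)
        print(f"{fw}: {pass_rate(rep):.0%} of controls passing")
        for control, data in rep.items():
            print(f"  {control}: {data['status']} ({data['pass']} pass / {data['fail']} fail) {data['checks']}")
```

The control-level verdict is deliberately strict (one failing resource fails the control), which is what an auditor expects; the raw pass/fail counts are kept alongside so remediation can still be sized per control.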

The real architectural innovation is Attack Paths. Prowler integrates with Cartography, a Netflix-created tool that builds Neo4j graphs of cloud infrastructure relationships. After a Prowler scan completes, it can push findings into Neo4j alongside Cartography's infrastructure graph. A Cypher query can then traverse the graph to find attack chains:

MATCH (s3:S3Bucket {public_access: true})-[:HAS_POLICY]->(policy)
WHERE policy.allows_sts_assume_role = true
MATCH (role:IAMRole)<-[:CAN_ASSUME]-(policy)
MATCH (role)-[:CAN_ACCESS]->(rds:RDSInstance)
WHERE rds.publicly_accessible = true
RETURN s3.name, role.name, rds.identifier

This query identifies S3 buckets with public access that have policies allowing role assumption, then traces which RDS instances those roles can access—a complete attack path from public internet to database. Prowler's dashboard visualizes these paths as interactive graphs, letting security teams prioritize remediation based on actual exploitability rather than isolated severity scores.
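The traversal that the Cypher query above performs, as an added example that is neither Prowler's nor Cartography's code: the same node labels, relationship types and properties are modelled in a small in-memory property graph so the chain (public S3 bucket, policy allowing role assumption, assumable role, publicly accessible RDS instance) can be searched without a Neo4j deployment. The inventory is constructed sample data, and the exact relationship names are taken from the query rather than from Cartography's real schema.

```python
"""Added example (not Prowler's or Cartography's own code): the chain that
the Cypher query above matches, run over a small in-memory property graph.
Node labels, relationship types and property names mirror the query:
  (S3Bucket)-[:HAS_POLICY]->(Policy)-[:CAN_ASSUME]->(IAMRole)-[:CAN_ACCESS]->(RDSInstance)
The inventory below is constructed sample data."""
from collections import defaultdict

# Constructed nodes: id -> (label, properties)
NODES = {
    "bkt-public": ("S3Bucket", {"name": "public-assets", "public_access": True}),
    "bkt-private": ("S3Bucket", {"name": "internal-logs", "public_access": False}),
    "pol-a": ("Policy", {"allows_sts_assume_role": True}),
    "pol-b": ("Policy", {"allows_sts_assume_role": False}),
    "role-data": ("IAMRole", {"name": "data-reader"}),
    "role-ops": ("IAMRole", {"name": "ops"}),
    "rds-prod": ("RDSInstance", {"identifier": "prod-db", "publicly_accessible": True}),
    "rds-priv": ("RDSInstance", {"identifier": "analytics-db", "publicly_accessible": False}),
}

# Constructed directed relationships: (source id, relationship type, target id)
EDGES = [
    ("bkt-public", "HAS_POLICY", "pol-a"),
    ("bkt-private", "HAS_POLICY", "pol-a"),
    ("bkt-public", "HAS_POLICY", "pol-b"),
    ("pol-a", "CAN_ASSUME", "role-data"),
    ("pol-b", "CAN_ASSUME", "role-ops"),
    ("role-data", "CAN_ACCESS", "rds-prod"),
    ("role-data", "CAN_ACCESS", "rds-priv"),
    ("role-ops", "CAN_ACCESS", "rds-prod"),
]


def build_adjacency(edges):
    """Index edges by (source, relationship type) for fast traversal."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[(src, rel)].append(dst)
    return adj


def neighbours(nodes, adj, node_id, rel, label):
    """Follow `rel` edges out of node_id to nodes carrying `label`."""
    return [n for n in adj[(node_id, rel)] if nodes[n][0] == label]


def find_attack_paths(nodes, edges):
    """Return (bucket name, role name, RDS identifier) for every chain
    public bucket -> policy allowing sts:AssumeRole -> role -> public RDS,
    i.e. the rows the Cypher RETURN clause above would produce."""
    adj = build_adjacency(edges)
    paths = []
    for bid, (label, props) in nodes.items():
        if label != "S3Bucket" or not props.get("public_access"):
            continue                                   # WHERE s3.public_access = true
        for pid in neighbours(nodes, adj, bid, "HAS_POLICY", "Policy"):
            if not nodes[pid][1].get("allows_sts_assume_role"):
                continue                               # WHERE policy.allows_sts_assume_role
            for rid in neighbours(nodes, adj, pid, "CAN_ASSUME", "IAMRole"):
                for did in neighbours(nodes, adj, rid, "CAN_ACCESS", "RDSInstance"):
                    if nodes[did][1].get("publicly_accessible"):   # WHERE rds.publicly_accessible
                        paths.append((props["name"], nodes[rid][1]["name"], nodes[did][1]["identifier"]))
    return paths


if __name__ == "__main__":
    for bucket, role, rds in find_attack_paths(NODES, EDGES):
        print(f"attack path: {bucket} -> {role} -> {rds}")
```

On the sample graph only one chain survives all three filters, which is the point of the approach: a public bucket, a permissive policy and a public database are three separate findings in a flat report, but only the combination that is actually connected becomes a prioritised path.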

The ThreatScore weighting system adds another prioritization layer. Rather than treating all HIGH severity findings equally, Prowler calculates a weighted score based on resource exposure (public vs. private), data sensitivity tags, and exploitability. A publicly exposed RDS instance with unencrypted PII gets a higher ThreatScore than an isolated EC2 instance with an outdated AMI, even if both are marked HIGH severity.

Gotcha

The AWS-first development history shows clearly in the check distribution. AWS has 595 security checks covering obscure services like Ground Station and RoboMaker, while Azure gets 167 checks and GCP only 102. If you're primarily an Azure or GCP shop, you'll find coverage gaps, especially for newer services or advanced configurations. The Prowler team is actively expanding coverage, but AWS will likely remain the most comprehensively supported platform for the foreseeable future.

Attack Paths sounds incredible in theory, but the operational overhead is substantial. You need to deploy and maintain Neo4j infrastructure, configure Cartography to continuously sync your cloud inventory, then set up Prowler to push findings into the graph database. For the full dashboard experience, you're running Django web servers, Celery workers for distributed scanning, and PostgreSQL for storing scan history. This isn't a "run one CLI command" tool anymore; it's a full application stack. Small teams or those wanting quick security assessments will find the standalone CLI sufficient, but they'll miss the attack path visualization that truly differentiates Prowler from its competitors.

Scan performance can also be frustrating. Running all 595 AWS checks across a multi-account organization with dozens of regions can take 30+ minutes even with concurrent execution. You'll want to tune which checks run in CI/CD pipelines versus comprehensive monthly audits.

Verdict

Use if: You're managing multi-cloud environments (especially AWS-heavy) and need a single tool for compliance reporting across CIS, PCI-DSS, HIPAA, or SOC2 frameworks. The open-source CLI is perfect for integrating security checks into CI/CD pipelines or running scheduled audits via cron/Lambda. If you have the infrastructure chops to deploy the full stack with Neo4j, the Attack Paths feature provides threat modeling capabilities that dedicated CSPM vendors charge enterprise prices for.

Skip if: You're on a single cloud platform and that provider's native security tools (Security Hub, Defender, SCC) already meet your needs; vendor lock-in concerns aside, they're more tightly integrated and faster. Also skip if you need runtime threat detection or workload protection; Prowler excels at configuration assessment, not at detecting active compromises or malware. For smaller teams wanting occasional security snapshots without infrastructure overhead, consider ScoutSuite's simpler architecture or Steampipe's SQL-based approach for custom analysis workflows.
