@modular-intelligence/prowler (v1.0.2)
MCP server wrapping Prowler for AWS, Azure, and GCP security posture assessment
Prowler MCP Server
Model Context Protocol (MCP) server for cloud security posture management using Prowler. Provides security scanning capabilities for AWS, Azure, and GCP environments.
Features
- Multi-Cloud Support: Scan AWS, Azure, and GCP environments
- Comprehensive Scanning: Run security checks across all cloud services
- Compliance Frameworks: Generate reports for CIS, PCI, HIPAA, GDPR, SOC2, NIST, and ISO27001
- Detailed Findings: Get severity levels, remediation guidance, and resource details
- Dashboard Analytics: Aggregate security metrics by severity and service
- Read-Only: All operations are read-only security assessments
Prerequisites
1. Install Prowler CLI

```bash
# Using pip
pip install prowler

# Verify installation
prowler --version
```

2. Configure Cloud Credentials
Prowler uses standard cloud provider credential mechanisms:
AWS

```bash
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_SESSION_TOKEN="your-session-token" # If using temporary credentials
```

Or use AWS CLI configuration:

```bash
aws configure
```

Azure

```bash
# Service Principal authentication
export AZURE_CLIENT_ID="your-client-id"
export AZURE_CLIENT_SECRET="your-client-secret"
export AZURE_TENANT_ID="your-tenant-id"
```

Or use Azure CLI:

```bash
az login
```

GCP

```bash
# Service account key file
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
# Or specify project
export GCP_PROJECT_ID="your-project-id"
```

Or use gcloud CLI:

```bash
gcloud auth application-default login
```

Installation

```bash
cd prowler
bun install
bun run build
```

Usage
Running the Server

```bash
bun run start
```

The server communicates over stdio and is designed to be used with MCP clients.
Available Tools
1. prowler_aws_scan
Scan AWS environment for security issues.
Parameters:
- `services` (optional): Array of services to scan (e.g., `["s3", "iam", "ec2"]`)
- `severity` (optional): Minimum severity level (`critical`, `high`, `medium`, `low`, `informational`)
- `region` (optional): AWS region to scan (e.g., `us-east-1`)
- `compliance` (optional): Compliance framework to check against
- `checks` (optional): Specific check IDs to run
- `timeout` (optional): Scan timeout in seconds (60-1800, default: 600)
Example Response:

```json
{
  "provider": "aws",
  "region": "us-east-1",
  "results": [
    {
      "check_id": "aws_s3_bucket_public",
      "check_title": "Check if S3 buckets are publicly accessible",
      "status": "FAIL",
      "severity": "high",
      "service": "s3",
      "resource_id": "my-public-bucket",
      "resource_arn": "arn:aws:s3:::my-public-bucket",
      "region": "us-east-1",
      "status_extended": "Bucket allows public access",
      "risk": "Data exposure risk",
      "remediation": "Disable public access in bucket settings"
    }
  ],
  "summary": {
    "pass": 150,
    "fail": 12,
    "manual": 3,
    "total": 165
  }
}
```

2. prowler_azure_scan
Scan Azure environment for security issues.
Parameters:
- `services` (optional): Array of services to scan
- `severity` (optional): Minimum severity level
- `subscription` (optional): Azure subscription ID
- `compliance` (optional): Compliance framework
- `timeout` (optional): Scan timeout in seconds
3. prowler_gcp_scan
Scan GCP environment for security issues.
Parameters:
- `services` (optional): Array of services to scan
- `severity` (optional): Minimum severity level
- `project` (optional): GCP project ID
- `compliance` (optional): Compliance framework
- `timeout` (optional): Scan timeout in seconds
4. prowler_check_detail
Get detailed information about a specific security check.
Parameters:
- `check_id` (required): Prowler check ID (e.g., `aws_iam_1`)
Example Response:

```json
{
  "check_id": "aws_iam_1",
  "title": "Avoid the use of the root account",
  "description": "The root account has unrestricted access to all resources",
  "severity": "critical",
  "service": "iam",
  "provider": "aws",
  "remediation": "Create IAM users and assign least privilege permissions",
  "risk": "Compromise of root account credentials leads to full account takeover",
  "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
  "compliance_frameworks": ["cis", "pci", "hipaa"]
}
```

5. prowler_list_checks
List all available security checks for a cloud provider.
Parameters:
- `provider` (required): Cloud provider (`aws`, `azure`, `gcp`)
- `service` (optional): Filter by service name
- `severity` (optional): Filter by severity level
Example Response:

```json
{
  "checks": [
    {
      "id": "aws_iam_1",
      "title": "Avoid the use of the root account",
      "severity": "critical",
      "service": "iam"
    }
  ],
  "total": 234
}
```

6. prowler_compliance_report
Generate a compliance report for a specific framework.
Parameters:
- `provider` (required): Cloud provider
- `framework` (required): Compliance framework (`cis`, `pci`, `hipaa`, `gdpr`, `soc2`, `nist_800_53`, `nist_csf`, `iso27001`, `aws_well_architected`)
- `region` (optional): Specific region to scan
- `timeout` (optional): Scan timeout in seconds
Example Response:

```json
{
  "framework": "cis",
  "provider": "aws",
  "requirements": [
    {
      "id": "1.1",
      "description": "Maintain current contact details",
      "status": "PASS",
      "checks_pass": 3,
      "checks_fail": 0
    },
    {
      "id": "1.2",
      "description": "Ensure security contact information is registered",
      "status": "FAIL",
      "checks_pass": 0,
      "checks_fail": 2
    }
  ],
  "compliance_score": 85,
  "total_pass": 42,
  "total_fail": 8
}
```

7. prowler_dashboard_data
Get aggregated security metrics for dashboard visualization.
Parameters:
- `provider` (required): Cloud provider
- `timeout` (optional): Scan timeout in seconds
Example Response:

```json
{
  "provider": "aws",
  "scan_time": "2024-01-15T10:30:00Z",
  "total_checks": 234,
  "by_severity": {
    "critical": { "pass": 45, "fail": 2 },
    "high": { "pass": 89, "fail": 5 },
    "medium": { "pass": 78, "fail": 8 },
    "low": { "pass": 42, "fail": 3 },
    "informational": { "pass": 12, "fail": 0 }
  },
  "by_service": {
    "s3": { "pass": 25, "fail": 3 },
    "iam": { "pass": 18, "fail": 4 },
    "ec2": { "pass": 42, "fail": 2 }
  },
  "top_failing_checks": [
    {
      "id": "aws_s3_bucket_public",
      "title": "Check if S3 buckets are publicly accessible",
      "fail_count": 12
    }
  ],
  "overall_score": 92
}
```

Security
Read-Only Operations
All Prowler scans are read-only and do not modify cloud resources.
Blocked Flags
The following Prowler flags are blocked for security:
- `--role` - Prevents role assumption
- `--session-duration` - Prevents session manipulation
- `--send-sh-only` - Blocks external notifications
- `--mutelist-file` / `--allowlist-file` - Prevents filter bypass
- `--slack` / `--security-hub` - Blocks external integrations
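A deny list only helps if it is applied before tool arguments reach the command line, including values hidden inside arrays such as `services` or `checks`. The following is an added example, not the package's own code, of validating tool arguments against this README's rules (the blocked-flag list, the severity values, and the 60-1800 second timeout range); the Prowler flag names it emits (`--severity`, `--service`, `--check`, `--filter-region`, `--compliance`) are assumed from Prowler's CLI and should be checked against `prowler aws --help`.

```typescript
// Added example: build a Prowler argv from MCP tool arguments, rejecting
// anything this README blocks. Flag names are assumed from Prowler's CLI.
const BLOCKED_FLAGS = new Set([
  "--role", "--session-duration", "--send-sh-only",
  "--mutelist-file", "--allowlist-file", "--slack", "--security-hub",
]);
const SEVERITIES = ["critical", "high", "medium", "low", "informational"];
// Prowler identifiers are word-like. Rejecting everything else (a leading "-",
// spaces, shell metacharacters) means an array item can never become a flag,
// so the explicit deny list above is defence in depth, not the only barrier.
const SAFE_TOKEN = /^[a-z0-9][a-z0-9_.-]*$/i;

interface ScanArgs {
  services?: string[];
  severity?: string;
  region?: string;
  compliance?: string;
  checks?: string[];
  timeout?: number;   // seconds, 60-1800, default 600
}

function safeTokens(label: string, values: string[]): string[] {
  for (const v of values) {
    if (BLOCKED_FLAGS.has(v) || !SAFE_TOKEN.test(v)) {
      throw new Error(`rejected ${label} value: ${JSON.stringify(v)}`);
    }
  }
  return values;
}

// Returns argv as an array (to be passed to spawn, never joined into a shell
// string) plus the validated timeout in milliseconds.
function buildProwlerArgs(provider: "aws" | "azure" | "gcp", a: ScanArgs) {
  const argv: string[] = [provider];
  if (a.severity !== undefined) {
    if (!SEVERITIES.includes(a.severity)) throw new Error(`bad severity: ${a.severity}`);
    argv.push("--severity", a.severity);
  }
  if (a.services?.length) argv.push("--service", ...safeTokens("services", a.services));
  if (a.checks?.length) argv.push("--check", ...safeTokens("checks", a.checks));
  if (a.region !== undefined) argv.push("--filter-region", ...safeTokens("region", [a.region]));
  if (a.compliance !== undefined) argv.push("--compliance", ...safeTokens("compliance", [a.compliance]));
  const timeout = a.timeout ?? 600;
  if (!Number.isInteger(timeout) || timeout < 60 || timeout > 1800) {
    throw new Error(`timeout must be 60-1800 seconds, got ${timeout}`);
  }
  return { argv, timeoutMs: timeout * 1000 };
}
```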
Credential Management
- Credentials are provided via environment variables only
- No credentials are stored or logged by the MCP server
- Follow cloud provider security best practices for credential management
Timeouts and Limits
- Maximum scan timeout: 1800 seconds (30 minutes)
- Maximum output buffer: 50 MB (cloud scans can be large)
- Commands are killed with SIGKILL on timeout
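All three limits can be enforced by the process launcher itself rather than by watching the scan from outside. Added example (not the package's own code) of running the scanner with a SIGKILL-backed timeout and a capped output buffer via Node's `spawnSync`; the `command` and `maxBytes` parameters are assumptions introduced so the function can be exercised with a harmless substitute, and what a non-zero exit status means for Prowler's own exit-code conventions is left to the caller.

```typescript
import { spawnSync } from "node:child_process";

// Limits stated in this README: hard cap on scan time and on captured output.
const MAX_TIMEOUT_MS = 1800 * 1000;          // 30 minutes
const MAX_OUTPUT_BYTES = 50 * 1024 * 1024;   // 50 MB

interface RunResult {
  ok: boolean;
  stdout: string;            // whatever was captured, possibly truncated
  exitCode: number | null;   // null when the child was killed by a signal
  reason?: "timeout" | "output-too-large" | "spawn-failed" | "non-zero-exit";
}

// Runs `command argv...` with no shell in between: argv is an array, so tool
// arguments can never be re-parsed into extra flags. `command` and `maxBytes`
// are parameters (an assumption of this example) so the limits can be
// exercised with a harmless substitute such as `sh`.
function runWithLimits(
  argv: string[],
  timeoutMs: number,
  command = "prowler",
  maxBytes = MAX_OUTPUT_BYTES,
): RunResult {
  const r = spawnSync(command, argv, {
    timeout: Math.min(timeoutMs, MAX_TIMEOUT_MS),
    killSignal: "SIGKILL",              // no grace period: the scan is read-only, nothing to flush
    maxBuffer: maxBytes,                // exceeding it aborts the child instead of growing memory
    encoding: "utf8",
    stdio: ["ignore", "pipe", "pipe"],  // never hand the MCP client's stdin to the scanner
  });
  const stdout = typeof r.stdout === "string" ? r.stdout : "";
  if (r.error) {
    // spawnSync reports a timeout as ETIMEDOUT and a maxBuffer overrun as ENOBUFS.
    const code = (r.error as { code?: string }).code;
    const reason =
      code === "ETIMEDOUT" ? "timeout" :
      code === "ENOBUFS" ? "output-too-large" : "spawn-failed";
    return { ok: false, stdout, exitCode: r.status, reason };
  }
  if (r.status !== 0) return { ok: false, stdout, exitCode: r.status, reason: "non-zero-exit" };
  return { ok: true, stdout, exitCode: 0 };
}
```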
Common Use Cases
Quick Security Assessment
```javascript
// Scan AWS with high severity issues only
prowler_aws_scan({
  severity: "high",
  timeout: 300
})
```

Compliance Audit

```javascript
// Generate PCI compliance report for AWS
prowler_compliance_report({
  provider: "aws",
  framework: "pci",
  timeout: 900
})
```

Service-Specific Scan

```javascript
// Check only S3 and IAM in specific region
prowler_aws_scan({
  services: ["s3", "iam"],
  region: "us-east-1",
  timeout: 600
})
```

Security Dashboard

```javascript
// Get aggregated metrics for dashboard
prowler_dashboard_data({
  provider: "aws",
  timeout: 1200
})
```

Troubleshooting
Prowler Not Found
```bash
# Verify Prowler is installed and in PATH
which prowler
prowler --version

# If not found, install it
pip install prowler
```

Authentication Errors

```bash
# Test AWS credentials
aws sts get-caller-identity
# Test Azure credentials
az account show
# Test GCP credentials
gcloud auth list
```

Timeout Issues
For large environments, increase the timeout parameter:
```javascript
prowler_aws_scan({
  timeout: 1800 // 30 minutes
})
```

Large Output Handling
The server supports up to 50MB of JSON output. For very large environments, use filters:
```javascript
prowler_aws_scan({
  services: ["s3"], // Scan one service at a time
  region: "us-east-1" // Scan one region at a time
})
```

Development
Building
```bash
bun run build
```

Testing

```bash
# Test AWS scan (requires AWS credentials)
echo '{"method":"tools/call","params":{"name":"prowler_aws_scan","arguments":{"severity":"critical"}}}' | bun run start

# Test check listing
echo '{"method":"tools/call","params":{"name":"prowler_list_checks","arguments":{"provider":"aws"}}}' | bun run start
```

License
MIT
