
AWS Cloud Audit with Prowler (Auth + AccessDenied Triage)

Stop permissions and credential errors from killing cloud assessments

Prowler scans fail or produce noisy logs because of missing read-only permissions, expired session tokens, or credentials not mounted into containers. This recipe standardizes authentication, documents required policies, and provides a repeatable triage flow for AccessDenied and InvalidClientTokenId.

House Recipe | Work | 15 min

INGREDIENTS

PROMPT

Create a skill called "Prowler AWS Scan Doctor".

Inputs I will provide:
  • How I'm authenticating (profile keys / SSO / assume role)
  • Any error logs (AccessDenied, InvalidClientTokenId, NoCredentialsError)
  • Targeted AWS services (if the engagement is scoped)

Task:
  1. Produce a minimal, scoped Prowler command that should work with my auth method.
  2. If errors occur, classify them into: credential invalid/expired, missing allow, explicit deny (SCP/boundary), or container credential visibility.
  3. Provide next-step commands to prove which case it is (aws sts get-caller-identity, policy simulator pointers, etc.).
  4. Output should include a "run manifest" template for my engagement notes.

What this fixes

Common symptoms:

  • `AccessDeniedException` / `UnauthorizedOperation` during checks
  • `InvalidClientTokenId` / "security token included in the request is invalid"
  • Dockerized scans: `NoCredentialsError: Unable to locate credentials`

Prerequisites

  • Authorization to assess the AWS account(s)
  • AWS CLI configured OR an explicit role-arn and credentials source
  • Prowler installed (pipx/venv) or run via container
  • A secure place to store outputs (JSON/CSV/HTML)

Steps and commands

  1. Verify credentials and region:

`aws configure list`

`aws sts get-caller-identity`

  2. Ensure baseline read-only permissions (recommended by Prowler). Attach these AWS-managed policies to the scanning role/user:
     • `SecurityAudit`
     • `ViewOnlyAccess`
  3. Run a scoped scan first (reduce noise). Prowler takes service names separated by spaces, and the JSON output format in Prowler v4 is `json-ocsf`:

`prowler aws --services iam s3 ec2 --output-formats csv json-ocsf`

  4. If you see AccessDenied for specific APIs:
     • Determine whether the cause is a missing identity-policy permission or an explicit deny from an SCP or permission boundary (the two need different fixes).
     • Add read-only permissions only when justified; record the diff for audit.
  5. If running in Docker and credentials aren't found:
     • Mount AWS config into the container (read-only). The Prowler image runs as the non-root `prowler` user, so mount under its home directory rather than `/root`:

`docker run --rm -it -v "$HOME/.aws:/home/prowler/.aws:ro" prowler/prowler aws --output-formats json-ocsf`

     • Or pass environment variables (least preferred; avoid shell history exposure).
  6. Export and store artifacts. Keep the raw outputs plus a run manifest: account ID, role ARN, regions, start/end time, Prowler version.

Expected outputs

  • JSON/CSV findings per service and a summary
  • A clean `aws sts get-caller-identity` result proving the scan identity
  • Reduced AccessDenied noise after least-privilege adjustments

Common errors and troubleshooting

  • InvalidClientTokenId / invalid security token
     • Cause: session token expired or wrong credentials source.
     • Fix: re-authenticate (SSO/MFA) and re-run `aws sts get-caller-identity`.
  • AccessDenied / UnauthorizedOperation
     • Cause: missing allow in the identity policy OR blocked by an SCP/permission boundary.
     • Fix: use the AWS IAM "access denied" troubleshooting flow.
  • Docker: Unable to locate credentials
     • Cause: the container can't access `~/.aws` or IMDS.
     • Fix: bind-mount credentials into the container (read-only).
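The error classification the prompt asks for (task 2) and the troubleshooting list above, as an added example that is not part of this recipe or of Prowler itself: a small Python classifier that sorts error lines into the four cases and names the next check for each. The regexes, category labels and sample log lines are constructed assumptions, shaped like botocore/Prowler error messages.

```python
import re
from collections import Counter

# Ordered rules: first match wins. The explicit-deny rule must come before the generic
# AccessDenied rule, because AWS explicit-deny messages also contain "not authorized".
RULES = [
    (r"InvalidClientTokenId|security token included in the request is invalid|ExpiredToken",
     "credential invalid/expired",
     "re-authenticate (SSO/MFA), then re-run: aws sts get-caller-identity"),
    (r"NoCredentialsError|Unable to locate credentials",
     "container credential visibility",
     "bind-mount $HOME/.aws read-only into the container, or confirm IMDS is reachable"),
    (r"explicit deny in a (service control policy|permissions boundary)",
     "explicit deny (SCP/boundary)",
     "review the SCP/permission boundary; an identity-policy allow will not help"),
    (r"AccessDenied|UnauthorizedOperation|not authorized to perform",
     "missing allow",
     "confirm with the IAM policy simulator; add a read-only allow only if justified"),
]
# Pulls the IAM action (service:Action) out of "... is not authorized to perform: s3:ListAllMyBuckets ..."
ACTION_RE = re.compile(r"not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)")

def classify(line):
    """Return (category, next_step) for one log line, or None if it is not an auth/permission error."""
    for pattern, category, next_step in RULES:
        if re.search(pattern, line):
            return category, next_step
    return None

def triage(lines):
    """Count lines per category and map each denied IAM action to its category."""
    counts, actions = Counter(), {}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
            match = ACTION_RE.search(line)
            if match:
                actions[match.group(1)] = hit[0]
    return counts, actions

# Constructed sample lines shaped like botocore/Prowler error messages (not real scan output).
SAMPLE = [
    "ERROR s3 -- An error occurred (AccessDenied) when calling the ListBuckets operation: User: arn:aws:iam::111111111111:role/ProwlerScan is not authorized to perform: s3:ListAllMyBuckets with an explicit deny in a service control policy",
    "ERROR secretsmanager -- An error occurred (AccessDeniedException) when calling the ListSecrets operation: User: arn:aws:iam::111111111111:role/ProwlerScan is not authorized to perform: secretsmanager:ListSecrets because no identity-based policy allows the secretsmanager:ListSecrets action",
    "ERROR ec2 -- An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.",
    "ERROR sts -- An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.",
    "CRITICAL -- botocore.exceptions.NoCredentialsError: Unable to locate credentials",
    "INFO -- Scanning iam: 35 checks",
]
```

Run `triage(SAMPLE)` on a real Prowler log (one line per entry) to get the per-category counts for the run manifest and the list of actions that still need a decision.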

References

  • https://docs.prowler.com/user-guide/providers/aws/authentication
  • https://docs.prowler.com/troubleshooting
  • https://github.com/prowler-cloud/prowler/issues/4576
  • https://github.com/prowler-cloud/prowler/issues/5952
  • https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-troubleshooting.html
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html

Example inputs

  • AWS profile: pentest-audit
  • Role ARN: arn:aws:iam:::role/ProwlerScan
  • Output formats: json,csv

Tags: #pentesting #cloud #aws #prowler #iam #troubleshooting #reporting