OpenClaw recipe

AWS Prowler Cloud Security Scan Fixer

aka “AWS Cloud Audit with Prowler (Auth + AccessDenied Triage)”

Stop permissions and credential errors from killing cloud assessments

Prowler scans fail or produce noisy logs because of missing read-only permissions, expired session tokens, or credentials not mounted into containers. This recipe standardizes authentication, documents required policies, and provides a repeatable triage flow for AccessDenied and InvalidClientTokenId.

House Recipe · Work · 15 min

PROMPT

Create a skill called "Prowler AWS Scan Doctor".

Inputs I will provide:
  • How I'm authenticating (profile keys / SSO / assume role)
  • Any error logs (AccessDenied, InvalidClientTokenId, NoCredentialsError)
  • Targeted AWS services (if the engagement is scoped)

Task:
  1. Produce a minimal, scoped Prowler command that should work with my auth method.
  2. If errors occur, classify them into: credential invalid/expired, missing allow, explicit deny (SCP/boundary), or container credential visibility.
  3. Provide next-step commands to prove which case it is (aws sts get-caller-identity, policy simulator pointers, etc.).
  4. Output should include a "run manifest" template for my engagement notes.

What this fixes

Common symptoms:

  • `AccessDeniedException` / `UnauthorizedOperation` during checks
  • `InvalidClientTokenId` / "security token included in the request is invalid"
  • Dockerized scans: `NoCredentialsError: Unable to locate credentials`

Prerequisites

  • Authorization to assess the AWS account(s)
  • AWS CLI configured OR an explicit role-arn and credentials source
  • Prowler installed (pipx/venv) or run via container
  • A secure place to store outputs (JSON/CSV/HTML)

Steps and commands

  1. Verify credentials and region:

`aws configure list`

`aws sts get-caller-identity`

  2. Ensure baseline read-only permissions (recommended by Prowler). Attach these AWS-managed policies to the scanning role/user:
     • `SecurityAudit`
     • `ViewOnlyAccess`
  3. Run a scoped scan first (reduce noise); Prowler takes service names as a space-separated list:

`prowler aws --services iam s3 ec2 --output-formats json csv`

  4. If you see AccessDenied for specific APIs:
     • Determine whether the cause is a missing allow in the identity policy or an explicit deny from an SCP/permissions boundary.
     • Add read-only permissions only when justified; record the diff for audit.
  5. If running in Docker and credentials aren't found:
     • Mount AWS config into the container (read-only):

`docker run --rm -it -v "$HOME/.aws:/root/.aws:ro" prowler/prowler aws --output-formats json`

     • Or pass environment variables (least preferred; avoid shell history exposure).
  6. Export and store artifacts. Keep raw outputs plus a run manifest recording:
     • account ID, role ARN, regions, start/end time, Prowler version

Expected outputs

  • JSON/CSV findings per service and a summary
  • A clean `aws sts get-caller-identity` result proving the scan identity
  • Reduced AccessDenied noise after least-privilege adjustments

Common errors and troubleshooting

  • InvalidClientTokenId / invalid security token
     • Session token expired or wrong credentials source.
     • Re-authenticate (SSO/MFA) and re-run `aws sts get-caller-identity`.
  • AccessDenied / UnauthorizedOperation
     • Missing allow in the identity policy, or blocked by an SCP/permissions boundary.
     • Use the AWS IAM "access denied" troubleshooting flow.
  • Docker: Unable to locate credentials
     • The container can't access `~/.aws` or IMDS.
     • Bind-mount credentials into the container (read-only).
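The classification that steps 4 and 5 and the troubleshooting list above describe, as an added example (not code from the recipe or from Prowler): it sorts botocore/CLI error lines into the four classes the prompt asks for and attaches the recipe's next step to each. The sample log is constructed, the account ID is a placeholder, and the message phrases matched for explicit denies are the ones AWS uses in its enhanced access-denied errors.

```python
import re

# Error codes that mean the credentials themselves are bad, not the permissions.
CREDENTIAL_CODES = {"InvalidClientTokenId", "ExpiredToken", "ExpiredTokenException",
                    "RequestExpired", "SignatureDoesNotMatch"}
DENIAL_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}
# AWS's enhanced access-denied messages name an explicit deny in an SCP or permissions boundary.
EXPLICIT_DENY = re.compile(r"explicit deny in an? (service control policy|permissions boundary)")
CALL = re.compile(r"\((\w+)\) when calling the (\w+) operation")
NEXT_STEP = {  # the recipe's next step per class
    "credential-invalid-or-expired": "re-authenticate (SSO/MFA) and re-run `aws sts get-caller-identity`",
    "missing-allow": "add a justified read-only allow (SecurityAudit/ViewOnlyAccess baseline) and record the diff",
    "explicit-deny-scp-or-boundary": "review the SCP/permissions boundary; an identity-policy allow will not help",
    "container-credential-visibility": "bind-mount ~/.aws read-only or give the container a reachable credentials source",
}

def classify(line):
    """Return the triage class for one log line, or None if it is not an auth/permission error."""
    if "NoCredentialsError" in line or "Unable to locate credentials" in line:
        return "container-credential-visibility"
    m = CALL.search(line)
    code = m.group(1) if m else None
    if code in CREDENTIAL_CODES:
        return "credential-invalid-or-expired"
    if code in DENIAL_CODES or "is not authorized to perform" in line:
        return "explicit-deny-scp-or-boundary" if EXPLICIT_DENY.search(line) else "missing-allow"
    return None

def triage(log_text):
    """Group (error code, API operation) pairs by class and attach the recipe's next step."""
    buckets = {}
    for line in log_text.splitlines():
        cls = classify(line)
        if cls is None:
            continue
        m = CALL.search(line)
        buckets.setdefault(cls, []).append((m.group(1), m.group(2)) if m else ("NoCredentialsError", "-"))
    return {cls: {"calls": calls, "next_step": NEXT_STEP[cls]} for cls, calls in buckets.items()}

# Constructed sample log (not from a real scan); the account ID is a placeholder.
SAMPLE_LOG = """\
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
An error occurred (AccessDenied) when calling the GetBucketPolicy operation: User: arn:aws:sts::123456789012:assumed-role/ProwlerScan/prowler is not authorized to perform: s3:GetBucketPolicy on resource: "arn:aws:s3:::example-bucket" because no identity-based policy allows the s3:GetBucketPolicy action
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. User: arn:aws:sts::123456789012:assumed-role/ProwlerScan/prowler is not authorized to perform: ec2:DescribeInstances on resource: "*" with an explicit deny in a service control policy
botocore.exceptions.NoCredentialsError: Unable to locate credentials
Check s3_bucket_default_encryption: PASS
"""

if __name__ == "__main__":
    for cls, info in triage(SAMPLE_LOG).items():
        print(f"{cls}: {info['calls']} -> next: {info['next_step']}")
```

Feed it the captured stderr of a failed run instead of SAMPLE_LOG; lines that are not auth or permission errors are ignored.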

References

  • https://docs.prowler.com/user-guide/providers/aws/authentication
  • https://docs.prowler.com/troubleshooting
  • https://github.com/prowler-cloud/prowler/issues/4576
  • https://github.com/prowler-cloud/prowler/issues/5952
  • https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-troubleshooting.html
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html

Example inputs

  • AWS profile: pentest-audit
  • Role ARN: arn:aws:iam:::role/ProwlerScan
  • Output formats: json,csv
Tags: #pentesting #cloud #aws #prowler #iam #troubleshooting #reporting
