Prowler Cloud (Pay per use)
Automated checks have cut audit effort and ensure our cloud stays compliant and misconfigurations visible
What is our primary use case?
We are currently building a SaaS platform, and in production, we have integrated Prowler. When a CISO audit came for that SaaS platform, we downloaded the report from Prowler and sent it to that CISO. Through this approach, we have achieved compliance without logging into cloud accounts. At one time, we discovered that our public S3 buckets were publicly open; using Prowler, we found out that our public buckets were open, and after that, we disabled them to secure our cloud environment.
We are not using Prowler day-to-day, but we use it when creating a new cloud account or a new environment. After that, we integrate Prowler, check the configuration, and any time an audit comes, we go to Prowler, download any compliance report we need, and send it to the auditors.
What is most valuable?
The agent setup is very smooth; you don't have to do anything complicated. We got CloudFront and CloudStack script; we just have to deploy that and create the policies and roles by itself. After creating that, we just give the external ID for Prowler to access our cloud environment. It is very smooth and easy to set up. After checking all the configurations, Prowler builds the attack map, which shows how hackers might attack our resources using that map, making it very useful for us.
Before using Prowler, we were spending hours of our engineers' efforts on compliance and misconfiguration checks, saving that configuration in Excel sheets. After switching to Prowler, these processes are super smooth and easy, and we are currently saving our engineers' time. We can also do audits on time, ensuring we don't miss deadlines on audits.
Prowler definitely results in faster audits and eliminates human errors, with our engineers saving fifty to sixty percent of the time they previously spent on misconfiguration checks.
What needs improvement?
One feature Prowler can improve is providing PDFs for all the compliances, which would be very useful for users. Also, after identifying misconfigurations, Prowler should have a remediate button so that when using Prowler, we can apply those fixes automatically without going to the cloud and fixing them manually.
What other advice do I have?
The output from Prowler's AI is eighty to ninety percent accurate, and I find it to be ninety-five percent reliable.
My advice for those looking into using Prowler is that small teams or big teams dealing with compliance, or even teams spending hours of engineers' efforts or millions of dollars on compliance, can use Prowler and make their cloud compliant. Everyone can benefit from Prowler, whether you are a small team or a big team, especially if you are investing significant effort and resources in compliance. Prowler is a super useful open-source product to have. I rate this product a nine out of ten.
Continuous security scans have reduced vulnerabilities and improved compliance in our cloud workloads
What is our primary use case?
My main use case for Prowler is identifying the vulnerabilities in an infrastructure hosted on AWS.
A quick specific example of how I used Prowler to identify vulnerabilities is that in our code build hosted on AWS, we had secrets in plain text that should have been in Secrets Manager, so it helped us identify the vulnerability that could have caused major problems.
What is most valuable?
The best features Prowler offers include its ability to help us identify vulnerabilities first, which in turn helps us fix them frequently.
When it comes to identifying vulnerabilities, the specific scanning capabilities and reporting features in Prowler that stand out for me are that the findings are presented in a well-documented report.
Prowler has positively impacted my organization by helping us on the security front by improving compliance.
What needs improvement?
Some of the findings in Prowler are not that critical but come in the critical category, so that could be improved. The categorization of vulnerabilities could be improved.
For how long have I used the solution?
I have used Prowler for an extended period.
What do I think about the stability of the solution?
Prowler is stable.
What do I think about the scalability of the solution?
Prowler's scalability is good.
How are customer service and support?
Prowler's customer support is good.
What was our ROI?
I have seen a return on investment as compliance has been improved.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is positive.
What other advice do I have?
Prowler is good software; I recommend it. It helps reduce vulnerabilities. On a scale of one to ten, I would rate Prowler an eight because of the features and limitations mentioned above. I give it this rating because it is good software that helps reduce vulnerabilities.