
Prowler 5 Full Setup in 2026 (CLI + Prowler Cloud)

2026-06-09

Search "Prowler setup" and most of what ranks predates Prowler 5 — the jump to a unified multi-cloud platform. Some guides are actively broken (the old CloudShell walkthrough stopped working after storage changes and the v3 HTML-output deprecation). Here's a clean setup for 2026, current to the 5.x line, covering both the CLI and the hosted Prowler Cloud.

CLI install

Prowler is a Python package. Use a virtual environment — don't pollute system Python:

python3 -m venv prowler-env
source prowler-env/bin/activate
pip install prowler
prowler --version   # confirm you're on 5.x

Containers work too, and are cleaner for CI:

docker run -t toniblyx/prowler:latest aws --version

Give it credentials (read-only)

Prowler only needs read access. Don't hand it admin. The cleanest path is a dedicated role with the AWS-managed SecurityAudit and ViewOnlyAccess policies attached. With a profile configured:

prowler aws --profile security-audit

For an Organization, run against a role you can assume into each member account rather than wiring credentials per account.

Your first scan — but filtered

A raw scan against a real account returns hundreds of findings. Filter from the very first run so you're looking at signal:

prowler aws \
  --profile security-audit \
  --status FAIL \
  --severity critical high \
  --output-formats json-ocsf csv html

  • --status FAIL — hide the passes; you want what's wrong.
  • --severity critical high — start at the top of the risk stack.
  • json-ocsf — the modern, tool-friendly output (OCSF is the open security schema); html for a human-readable report; csv for a spreadsheet.

Scope it to what matters

Two flags save enormous time:

# Only run the checks for a specific compliance framework
prowler aws --compliance cis_3.0_aws

# Only scan specific services
prowler aws --services s3 iam ec2

Running every check across every service on the first pass is how you get 1,000 findings and give up. Scope, triage, expand.

Prowler Cloud (the hosted UI)

The CLI is perfect for engineers and CI. For sharing results with a team or a CISO, Prowler Cloud (the hosted app) is the better surface — a web UI over the same engine, with history, trends, and the ThreatScore view. Connect an account read-only via a CloudFormation role, and scans run on a schedule without you babysitting a terminal.

The decision is simple: CLI for automation and CI gates; Prowler Cloud for visibility and trend-sharing. Most teams end up using both.

CI gate (the high-value move)

The real payoff is failing a pipeline on new critical findings:

prowler aws --status FAIL --severity critical \
  --output-formats json-ocsf || exit 1

Drop that in your deployment pipeline and misconfigurations get caught before they ship, not in next quarter's audit.
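The one-liner above fails the pipeline on any FAIL finding. To fail only on findings that are new relative to an accepted baseline, a small gate script over the json-ocsf report works. This is an added example, not Prowler's own tooling; it assumes the report is a JSON list of findings carrying status_code, severity, finding_info.uid and metadata.event_code, and the sample findings and account ids below are constructed.

```python
"""Gate a CI pipeline on NEW FAIL findings from a Prowler json-ocsf report."""
import json
import sys

# Constructed sample in the shape assumed for Prowler's json-ocsf output
# (status_code, severity, finding_info.uid, metadata.event_code, resources).
SAMPLE_REPORT = json.dumps([
    {"status_code": "FAIL", "severity": "Critical",
     "metadata": {"event_code": "s3_bucket_public_access"},
     "finding_info": {"uid": "prowler-aws-s3_bucket_public_access-111122223333-us-east-1-logs"},
     "resources": [{"uid": "arn:aws:s3:::logs"}]},
    {"status_code": "FAIL", "severity": "High",
     "metadata": {"event_code": "iam_root_mfa_enabled"},
     "finding_info": {"uid": "prowler-aws-iam_root_mfa_enabled-111122223333-global-root"},
     "resources": [{"uid": "arn:aws:iam::111122223333:root"}]},
    {"status_code": "PASS", "severity": "Critical",
     "metadata": {"event_code": "ec2_instance_public_ip"},
     "finding_info": {"uid": "prowler-aws-ec2_instance_public_ip-111122223333-us-east-1-i-0abc"},
     "resources": [{"uid": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"}]},
])

GATE_SEVERITIES = {"critical", "high"}  # mirrors --severity critical high

def load_findings(report_text):
    """Accept the report as a JSON list or as newline-delimited JSON objects."""
    text = report_text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def failing_uids(findings, severities=GATE_SEVERITIES):
    """Finding uids that are FAIL at a gated severity (uid is per check+resource)."""
    return {f["finding_info"]["uid"] for f in findings
            if f.get("status_code") == "FAIL"
            and str(f.get("severity", "")).lower() in severities}

def new_failures(findings, baseline_uids, severities=GATE_SEVERITIES):
    """Failures not already accepted in the baseline; these block the deploy."""
    return sorted(failing_uids(findings, severities) - set(baseline_uids))

def main(report_path, baseline_path):
    with open(report_path) as fh:
        findings = load_findings(fh.read())
    try:
        with open(baseline_path) as fh:  # JSON list of accepted finding uids
            baseline = set(json.load(fh))
    except FileNotFoundError:
        baseline = set()  # no baseline yet: every gated FAIL is new
    fresh = new_failures(findings, baseline)
    for uid in fresh:
        print("NEW FAIL:", uid)
    return 1 if fresh else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it as `python gate.py output/*.ocsf.json baseline.json` after the scan; commit the baseline once the existing findings are triaged so only regressions fail the build.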

Next: what to do with the findings

Setup is the easy 20%. The 80% is triage — turning the scan into a plan. That's covered in From 500 Prowler findings to a plan, and the risk-ranking framework behind it is ThreatScore.

If your scans tie back to APRA obligations, the CPS 234 → AWS Controls cheatsheet maps the findings to the clauses they satisfy.


Primary sources: Prowler (GitHub) · Prowler 5.6 release
