Compliance monitoring is a critical aspect of maintaining a secure and well-managed infrastructure. Prowler, an open-source tool written in Python, allows you to automate compliance scanning and monitoring for AWS environments. In this blog post, we'll explore how to use Prowler on AWS Lambda using Terraform, eliminating the need for an EC2 instance and simplifying the compliance monitoring process.
Setting up the Infrastructure
To get started, we'll use Terraform to provision the necessary infrastructure components on AWS. Here's an example of the Terraform code required:
region = "eu-west-2"
}
resource "aws_cloudwatch_event_rule" "prowler_schedule" {
name = "ProwlerSchedule"
description = "Scheduled rule for running Prowler"
schedule_expression = "rate(1 day)"
}
resource "aws_cloudwatch_event_target" "prowler_target" {
rule = aws_cloudwatch_event_rule.prowler_schedule.name
target_id = "ProwlerLambdaTarget"
arn = aws_lambda_function.prowler_lambda.arn
}
resource "aws_lambda_function" "prowler_lambda" {
filename = "prowler.zip"
function_name = "ProwlerLambda"
role = aws_iam_role.prowler_lambda_role.arn
handler = "lambda_function.lambda_handler"
runtime = "python3.8"
memory_size = 128
timeout = 300
source_code_hash = filebase64sha256("prowler.zip")
}
resource "aws_iam_role" "prowler_lambda_role" {
name = "ProwlerLambdaRole"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "prowler_lambda_policy_attachment" {
role = aws_iam_role.prowler_lambda_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}
Let's break down the Terraform code:
We define the AWS provider and specify the region.
The aws_cloudwatch_event_rule resource creates a CloudWatch Event Rule to schedule the Prowler scan. In this example, we set it to run once a day, but you can customise the schedule as needed.
The aws_cloudwatch_event_target resource associates the CloudWatch Event Rule with the Lambda function. This ensures that the Lambda function is triggered based on the defined schedule.
The aws_lambda_function resource creates the Lambda function. We provide the Python code for the Lambda function, as well as the necessary configuration such as the runtime, memory size, and timeout.
The aws_iam_role resource creates an IAM role for the Lambda function, allowing it to access the required AWS services.
Finally, the aws_iam_role_policy_attachment resource attaches the necessary IAM policies to the IAM role. In this example, we attach the "AmazonEC2ReadOnlyAccess" policy to allow the Lambda function to start the Prowler scan on EC2 instances.
Once you have the Terraform code ready, run terraform init, terraform plan, and terraform apply to provision the infrastructure on AWS. Make sure you have the AWS CLI configured with the appropriate credentials.
Writing the Lambda Function
The next step is to write the Python code for the Lambda function. Here's an example code snippet:
import prowlerlib
# Define the Prowler configuration
config = prowlerlib.Config(config_file='my_config_file.yml', no_color=True)
try:
# Run Prowler with the specified configuration
prowlerlib.run_prowler(config)
except Exception as e:
# Handle any errors that occur during the execution of Prowler
print(f"Error executing Prowler: {e}")
Let's break down the Python code:
We import the boto3 library, which allows us to interact with AWS services.
The lambda_handler function is the entry point for the Lambda function. It receives an event and context object as parameters.
Inside the lambda_handler, we create an EC2 client using boto3.client('ec2').
We use the describe_instances method to retrieve the instances with the "Prowler" tag. You can customise this filter to match your specific requirements.
For each instance returned, we extract the instance ID and use the start_instances method to start the instance. This triggers the Prowler scan on the EC2 instance.
Finally, we print a message for each instance started, and return a success message.
You can customise this Python code to include additional functionality, such as sending scan results to an S3 bucket or notifying stakeholders via SNS.
Deploying and Running Prowler on Lambda
To deploy and run Prowler on AWS Lambda, follow these steps:
Package the Python code and any dependencies into a zip file. For example, create a file called prowler.zip and include the lambda_function.py file and any additional Python modules required by Prowler.
Run terraform init, terraform plan, and terraform apply to provision the infrastructure and deploy the Lambda function. Make sure to have the AWS CLI configured with appropriate credentials.
Once the infrastructure is provisioned and the Lambda function is deployed, the Prowler scan will be triggered based on the schedule defined in the CloudWatch Event Rule.
Monitor the CloudWatch Logs for the Lambda function to view the scan results and any logs generated by Prowler.
Remember to adjust the region, schedule, and other configurations as needed to match your requirements.
Note: This is a simplified example to demonstrate the concept. In production environments, consider adding error handling, logging, and security measures as necessary.
Wrap Up!
Automating compliance monitoring with Prowler on AWS Lambda can greatly simplify the process and help ensure the security and compliance of your AWS environment. By leveraging Terraform and Python, you can easily set up the infrastructure and deploy the Lambda function. This enables you to run Prowler scans on a regular schedule without the need for an EC2 instance.
You should experiment with different schedules, customise the Python code, and extend the solution to meet your specific compliance monitoring needs.
Happy compliance monitoring!