BLACKSHIELD


Deploy the Cloud Scanner on AWS

Scan your AWS environment for misconfigurations with Prowler, deployed as a Lambda container image that EventBridge Scheduler invokes on a schedule; there is no EC2 instance and no always-on compute. Audience: cloud engineers, security engineers, platform teams. Average setup time: 5 minutes.

Before you begin

  • Install AWS CDK v2: npm install -g aws-cdk@latest
  • Ensure AWS CLI is configured with credentials for the target account.
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Steps

Step 1

Prerequisites and API key

Install the CDK, store your API key in Secrets Manager, and bootstrap the target account.

  • Install AWS CDK v2: npm install -g aws-cdk@latest
  • Create an Ingestion API key in Settings → API Keys.
  • Store it: aws secretsmanager create-secret --name secplatform/cloud-scanner/api-key --secret-string sp_xxxx (sp_xxxx stands for your key; to keep it out of shell history, write it to a file with mode 0600 and pass --secret-string file://path instead).
  • Bootstrap the account+region: cdk bootstrap (once per account/region).

Step 2

Deploy the CDK stack

Three commands deploy Lambda + EventBridge + IAM + CloudWatch logging.

  • Write the source bundle locally first (see Get the source bundle below), then run cd deploy/aws-cloud-scanner && pip install -r requirements.txt
  • Set the SECPLATFORM_API_URL and SCANNER_IMAGE_URI environment variables (the platform API base URL and the scanner container image reference).
  • Run: cdk deploy --require-approval never. The flag skips the interactive approval of IAM changes; run cdk diff first if you want to review them.
  • The stack creates a Lambda function with 3 GB of memory, an execution role with the AWS managed SecurityAudit and ViewOnlyAccess (read-only) policies, and an EventBridge schedule.

Step 3

Verify and scale to multiple accounts

Trigger a manual run, confirm findings, then roll out to the entire AWS Organization.

  • Trigger manually: aws lambda invoke --function-name SecPlatformCloudScanner --invocation-type Event /tmp/out.json. Event invocations are asynchronous, so the command returns as soon as the request is accepted; /tmp/out.json holds no scan result, and the logs are where the run is confirmed.
  • Tail logs: aws logs tail /aws/lambda/SecPlatformCloudScanner --follow
  • Confirm findings appear in the platform with scanner=cloud.
  • For multi-account: use CloudFormation StackSets targeting your OU — see the Developer Guide.

Get the source bundle

Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps. The installer is a script fetched over the network and executed directly; if you prefer to read it first, download it with curl -fsSL URL -o aws-cloud-scanner.sh, review it, and then run bash aws-cloud-scanner.sh.

AWS cloud scanner source

Creates the AWS CDK project under `deploy/aws-cloud-scanner/` so the Lambda deployment commands on this page work unchanged.

```bash
bash <(curl -fsSL https://stg-blackshield.chaplau.com/source-bundles/aws-cloud-scanner.sh)
cd deploy/aws-cloud-scanner
```

Run

Store API key + deploy (three commands)

```bash
# Write the source bundle locally first (replace app.yourdomain.com with your platform host)
bash <(curl -fsSL https://app.yourdomain.com/source-bundles/aws-cloud-scanner.sh)

cd deploy/aws-cloud-scanner
pip install -r requirements.txt

# 1. Store API key (once per account); sp_xxxx is a placeholder for your Ingestion key
aws secretsmanager create-secret \
  --name "secplatform/cloud-scanner/api-key" \
  --secret-string "sp_xxxx"

# 2. Bootstrap CDK (once per account+region)
cdk bootstrap

# 3. Deploy: the Lambda runs Prowler every 6 hours
SECPLATFORM_API_URL=https://api.yourdomain.com \
SCANNER_IMAGE_URI=ghcr.io/your-org/secplatform-cloud-scanner:1.0.0 \
cdk deploy --require-approval never
```

Trigger manual scan + tail logs

```bash
# Invoke Lambda manually (asynchronous: the CLI returns StatusCode 202 once the request is accepted)
aws lambda invoke \
  --function-name SecPlatformCloudScanner \
  --invocation-type Event \
  /tmp/response.json

# Follow execution logs in real time
aws logs tail /aws/lambda/SecPlatformCloudScanner --follow

# Check findings arrived (sp_xxxx is a placeholder for your Ingestion key)
curl -sf \
  -H "X-API-Key: sp_xxxx" \
  "https://api.yourdomain.com/api/v1/findings?scanner=cloud&limit=5" \
  | python3 -m json.tool
```
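The three deployment commands and the verification steps above, folded into one wrapper script, as an added example that is not part of the BlackShield source bundle. It reads the Ingestion key from stdin so the key never appears on a command line or in shell history, refuses a scanner image that is not pinned to a version tag or digest, and, because an Event invocation returns before Prowler runs, reads completion from the function's CloudWatch REPORT line and fails if the run logged "Task timed out". The secret name, function name, log group and findings URL are the ones this page uses; the image-pinning rule and the 16-minute wait are this example's own choices.

```bash
#!/usr/bin/env bash
# deploy-and-verify.sh: added wrapper for the three-command deployment on this page.
# Not part of the BlackShield source bundle. Assumes the secret name, function name and
# environment variables the page already uses; the completion and timeout checks rely only
# on the REPORT and "Task timed out" lines that every Lambda invocation writes to its logs.
set -eu

SECRET_NAME="secplatform/cloud-scanner/api-key"
FUNCTION_NAME="SecPlatformCloudScanner"
LOG_GROUP="/aws/lambda/${FUNCTION_NAME}"

# Return 1 on the first required variable that is unset or empty.
require_env() {
  name=""; value=""
  for name in "$@"; do
    eval "value=\${${name}:-}"
    if [ -z "$value" ]; then
      echo "missing required environment variable: ${name}" >&2
      return 1
    fi
  done
  return 0
}

# Accept only image references that name a fixed build: a sha256 digest or a version tag.
# A floating tag (:latest, :main, or no tag at all) lets the scanner change under the stack.
image_is_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *:latest|*:main|*:dev) return 1 ;;
    */*:[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Store the key without placing it on a command line: read it from stdin into a 0600 temp
# file and hand the CLI that file. On re-runs, update the existing secret instead.
store_api_key() {
  tmp="$(mktemp)"
  chmod 600 "$tmp"
  IFS= read -r api_key || [ -n "$api_key" ]
  printf '%s' "$api_key" > "$tmp"
  if aws secretsmanager describe-secret --secret-id "$SECRET_NAME" >/dev/null 2>&1; then
    aws secretsmanager put-secret-value --secret-id "$SECRET_NAME" --secret-string "file://$tmp"
  else
    aws secretsmanager create-secret --name "$SECRET_NAME" --secret-string "file://$tmp"
  fi
  rm -f "$tmp"
}

# Refuse to deploy an unpinned scanner image; otherwise run the page's three commands.
deploy_stack() {
  require_env SECPLATFORM_API_URL SCANNER_IMAGE_URI
  if ! image_is_pinned "$SCANNER_IMAGE_URI"; then
    echo "refusing to deploy unpinned image: ${SCANNER_IMAGE_URI}" >&2
    return 1
  fi
  pip install -r requirements.txt
  cdk bootstrap
  cdk deploy --require-approval never
}

# Number of log events since $1 (epoch ms) matching the CloudWatch Logs filter pattern $2.
log_matches() {
  aws logs filter-log-events --log-group-name "$LOG_GROUP" --start-time "$1" \
    --filter-pattern "$2" --query 'length(events)' --output text
}

# An Event invocation is accepted (202) before Prowler runs, so completion has to be read
# from the logs: wait for the REPORT line, then fail if the run hit Lambda's time limit.
verify_run() {
  start_ms=$(( $(date +%s) * 1000 ))
  aws lambda invoke --function-name "$FUNCTION_NAME" --invocation-type Event /tmp/out.json >/dev/null
  i=0
  while [ "$(log_matches "$start_ms" REPORT)" = "0" ]; do
    i=$((i + 1))
    if [ "$i" -gt 64 ]; then   # 64 x 15 s: past the 15-minute maximum Lambda timeout
      echo "no REPORT line within 16 minutes; the invocation did not finish" >&2
      return 1
    fi
    sleep 15
  done
  if [ "$(log_matches "$start_ms" '"Task timed out"')" != "0" ]; then
    echo "scan exceeded the Lambda execution limit; reduce its scope or split by account" >&2
    return 1
  fi
  api_key="$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME" \
               --query SecretString --output text)"
  curl -sf -H "X-API-Key: ${api_key}" \
    "${SECPLATFORM_API_URL}/api/v1/findings?scanner=cloud&limit=5" | python3 -m json.tool
}

# Usage: printf '%s' "$API_KEY" | ./deploy-and-verify.sh store
#        SECPLATFORM_API_URL=... SCANNER_IMAGE_URI=... ./deploy-and-verify.sh deploy
#        SECPLATFORM_API_URL=... ./deploy-and-verify.sh verify
case "${1:-}" in
  store)  store_api_key ;;
  deploy) deploy_stack ;;
  verify) verify_run ;;
esac
```

Pipe the key in (printf '%s' "$API_KEY" | ./deploy-and-verify.sh store) rather than passing it as an argument. The verify step still has to hand the key to curl in a header, where it is briefly visible in the process list, so run it from a host you control.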

Success checks

  • cdk deploy completes without errors and outputs the Lambda function ARN.
  • Manual Lambda invocation succeeds: aws lambda invoke --function-name SecPlatformCloudScanner --invocation-type Event /tmp/out.json (the command output shows StatusCode 202).
  • Cloud posture findings appear in the platform Findings view within 15 minutes. A single Lambda invocation cannot run longer than 15 minutes; if the logs show "Task timed out", the scan needs a narrower scope or must be split across accounts before findings will arrive.