The information security landscape has witnessed remarkable advancements in security tools and technologies over the past decade. Notable innovations include agent-less cloud security posture management systems such as Wiz, Prowler, and ORCA, which have transformed how organizations approach security in the cloud. Additionally, Application Security Orchestration and Correlation (ASOC) tools like SEMplicity and Aikido have emerged, further enhancing the ability to integrate and automate security processes across various applications and ecosystems. However, despite these advancements, security tooling is not immune to vulnerabilities, particularly concerning improper authentication mechanisms. For instance, the use of long-lived and overly scoped credentials remains a significant risk that organizations must address.
In this article, we will provide a detailed exploration of how you can effectively utilize the Doppler Secrets platform in conjunction with the industry-leading, open-source cloud security posture management tool, Prowler. We will guide you through the process of applying these technologies to secure your AWS environment, whether you are managing a single AWS account or an entire AWS organizational hierarchy. By leveraging Doppler's AWS dynamic secrets feature, you can enhance your security posture and mitigate risks associated with credential management.
A Cloud Security Posture Management (CSPM) system is an essential tool designed to help organizations manage their cloud security effectively. This system plays a crucial role in assessing, monitoring, and improving the security posture of cloud environments. By continuously analyzing configurations, identifying vulnerabilities, and ensuring compliance with security best practices, a CSPM system empowers businesses to protect their sensitive data and applications hosted in the cloud.
One notable example of a CSPM solution is Prowler, an open-source tool that enhances cloud security by providing a comprehensive framework for auditing and monitoring cloud environments, particularly those hosted on Amazon Web Services (AWS). Prowler allows organizations to assess their security configurations against industry standards and best practices, offering valuable insights into potential weaknesses. By integrating Prowler into their security strategy, businesses can gain visibility into their cloud infrastructure, enabling proactive risk management and the ability to respond swiftly to potential threats. This combination of features makes Prowler a vital component of any organization's cloud security posture management efforts.
The conventional installation process for Prowler requires users to set specific predefined environment variables to authenticate the scanner. This authentication step is crucial, as it ensures that only authorized users can engage with the scanner. Additionally, the credentials employed in this process must be linked to a pre-defined read-only policy established within AWS. This setup provides a layer of security, as it restricts any operational capabilities that could lead to unauthorized changes or deployments within our account. However, it is important to note that even if leaked credentials do not grant a malicious actor the ability to deploy resources into our account, they would still possess sufficient access to gather significant intelligence. This intelligence could include detailed information about various service configurations, as well as any existing misconfigurations that may pose security risks.
A conventional run of the Prowler scanner follows the pattern shown in the snapshot below. The goal here is to generate a temporary AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY so that Prowler can run its scans in an ephemeral manner.
In order for Doppler to be able to generate credentials in the targeted account, it is going to need a specific role and policy to be created. At the time of writing, you will need to create a role with the following policy attached to it. Please refer to the official Doppler documentation for any future alterations to this policy. After the role and policy have been created, note the role ARN as it will be used later in this walkthrough.
To effectively mitigate the risk associated with long-lived credentials, it's essential to implement the Doppler AWS Dynamic Secrets feature within a new project. My preferred approach for managing Doppler projects is through Terraform, which provides a robust framework for infrastructure as code. Once you have successfully created a new Doppler project, the next step is to select an environment that corresponds to the specific account you are targeting. In this particular instance, I am focusing on a lab account, so my configuration details will be situated in the ‘dev’ environment.
From this point, you can proceed to configure a dynamic AWS credential within the settings of your project. This involves referencing the IAM role ARN that was established in the instructional video mentioned earlier. Furthermore, it is crucial to input the comprehensive AWS IAM Policy that you intend to assign to the user upon credential generation. For the purpose of this configuration, it is important to note that Prowler requires a role that includes the following policies:
arn:aws:iam::aws:policy/SecurityAudit and arn:aws:iam::aws:policy/job-function/ViewOnlyAccess.
The maintainers of the Prowler source code have their permissions model available here. You can reference this as new AWS service offerings are created.
Now that we have successfully configured our AWS account with the essential AWS Identity and Access Management (IAM) policies and roles, and we have also installed Prowler on our local machine, we are ready to proceed with the next steps. To obtain temporary AWS credentials tailored specifically for the requirements of the Prowler scanner, you can execute the command:
doppler secrets download --no-file --project <project_name> --config <config_name>
This command will generate credentials that are scoped directly to meet the needs of the Prowler scans. After acquiring these credentials, you have the flexibility to set up your Prowler scans and designate report directories according to your organization's specific requirements and preferences. This customization is crucial for ensuring that the scanning process aligns with your operational standards and facilitates efficient reporting.
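The workflow above, from fetching the dynamic credential to running the scan, as an added shell example that is not part of the original article and is not Doppler's or Prowler's own code. It uses the Doppler CLI's --no-file, --format env, --project and --config flags and Prowler's `prowler aws -o <dir>` invocation; the project name, config name, report directory, and the embedded SAMPLE_ENV text are placeholders constructed for this example. It treats AWS_SESSION_TOKEN as optional, since the article only names the two keys Prowler needs.

```shell
#!/bin/sh
# Added example: load a Doppler dynamic AWS credential into the current shell
# only (never written to disk), confirm the identity, then run Prowler.
# Placeholders (assumptions, not from the article): project, config, report dir.
DOPPLER_PROJECT="${DOPPLER_PROJECT:-prowler-scanner}"
DOPPLER_CONFIG="${DOPPLER_CONFIG:-dev}"
REPORT_DIR="${REPORT_DIR:-./prowler-output}"

# Constructed sample of `doppler secrets download --no-file --format env` output,
# used only to exercise the parser below; the values are not real keys.
SAMPLE_ENV='AWS_ACCESS_KEY_ID="AKIA_CONSTRUCTED_EXAMPLE"
AWS_SECRET_ACCESS_KEY="constructed-secret-value"
PROWLER_REGION="us-east-1"'

# env_value KEY TEXT: print the value for KEY from KEY=VALUE lines,
# stripping the double quotes the env format puts around values.
env_value() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# has_aws_creds TEXT: succeed only if both keys Prowler needs are present.
has_aws_creds() {
  [ -n "$(env_value AWS_ACCESS_KEY_ID "$1")" ] || return 1
  [ -n "$(env_value AWS_SECRET_ACCESS_KEY "$1")" ] || return 1
  return 0
}

# Fetch the credential from Doppler and export it for this process tree.
load_doppler_creds() {
  env_text=$(doppler secrets download --no-file --format env \
    --project "$DOPPLER_PROJECT" --config "$DOPPLER_CONFIG") || return 1
  has_aws_creds "$env_text" || {
    echo "Doppler config has no AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY" >&2
    return 1
  }
  AWS_ACCESS_KEY_ID=$(env_value AWS_ACCESS_KEY_ID "$env_text")
  AWS_SECRET_ACCESS_KEY=$(env_value AWS_SECRET_ACCESS_KEY "$env_text")
  AWS_SESSION_TOKEN=$(env_value AWS_SESSION_TOKEN "$env_text")
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
  if [ -n "$AWS_SESSION_TOKEN" ]; then export AWS_SESSION_TOKEN; fi
  return 0
}

# Live path: verify the temporary identity first so a bad or expired
# credential fails before a long scan starts, then write reports to REPORT_DIR.
run_scan() {
  load_doppler_creds || return 1
  aws sts get-caller-identity >/dev/null || return 1
  mkdir -p "$REPORT_DIR"
  prowler aws -o "$REPORT_DIR"
}

# Only run the live path when explicitly asked: sh scan.sh --run
if [ "${1:-}" = "--run" ]; then
  run_scan
fi
```

Because the credential is obtained per run and exported only into the scanner's process environment, a leaked shell history or a stray .env file no longer carries a long-lived key; rotating the scan identity is a matter of letting the dynamic credential expire.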