0
# Provider Framework
1
2
Multi-cloud provider abstraction supporting AWS, Azure, GCP, Kubernetes, GitHub, and Microsoft 365 with standardized authentication, session management, and credential handling. The provider framework enables consistent security assessments across different cloud platforms while maintaining platform-specific optimizations and capabilities.
3
4
## Capabilities
5
6
### Base Provider Interface
7
8
Abstract base class defining the common interface for all cloud providers.
9
10
```python { .api }
11
from abc import ABC, abstractmethod
12
13
class Provider(ABC):
14
"""
15
Abstract base class for all cloud providers.
16
17
Defines the standard interface that all provider implementations
18
must follow, ensuring consistent behavior across different cloud platforms.
19
20
Properties:
21
- type: str - Provider type identifier (aws, azure, gcp, etc.)
22
- identity: dict - Provider identity and account information
23
- session: object - Provider-specific session object
24
- audit_config: dict - Configuration for audit and compliance settings
25
"""
26
27
@property
28
@abstractmethod
29
def type(self) -> str:
30
"""
31
Provider type identifier.
32
33
Returns:
34
String identifier for the provider (e.g., 'aws', 'azure', 'gcp')
35
"""
36
37
@property
38
@abstractmethod
39
def identity(self) -> dict:
40
"""
41
Provider identity information.
42
43
Returns:
44
Dictionary containing account/subscription details and identity info
45
"""
46
47
@property
48
@abstractmethod
49
def session(self) -> object:
50
"""
51
Provider session object.
52
53
Returns:
54
Provider-specific session object for API interactions
55
"""
56
57
@property
58
@abstractmethod
59
def audit_config(self) -> dict:
60
"""
61
Audit configuration settings.
62
63
Returns:
64
Dictionary containing audit and compliance configuration
65
"""
66
67
@abstractmethod
68
def setup_session(self, **kwargs):
69
"""
70
Setup provider session with authentication.
71
72
Abstract method that each provider implements to establish
73
authenticated sessions using provider-specific methods.
74
75
Parameters:
76
**kwargs: Provider-specific authentication parameters
77
78
Raises:
79
ProwlerException: On authentication or session setup errors
80
"""
81
82
@abstractmethod
83
def print_credentials(self):
84
"""
85
Print provider credential information.
86
87
Abstract method for displaying current authentication
88
and authorization details in a standardized format.
89
90
Returns:
91
None (prints to stdout)
92
"""
93
94
@abstractmethod
95
def validate_arguments(self, **kwargs) -> bool:
96
"""
97
Validate provider-specific arguments.
98
99
Abstract method for validating configuration parameters
100
and ensuring provider requirements are met.
101
102
Parameters:
103
**kwargs: Provider-specific configuration parameters
104
105
Returns:
106
True if arguments are valid, False otherwise
107
108
Raises:
109
ProwlerException: On validation errors
110
"""
111
112
@staticmethod
113
def init_global_provider(provider_name: str, **kwargs):
114
"""
115
Initialize global provider instance.
116
117
Static method for creating and configuring the global
118
provider instance used throughout Prowler execution.
119
120
Parameters:
121
- provider_name: Name of provider to initialize
122
**kwargs: Provider-specific initialization parameters
123
124
Returns:
125
None (sets global provider instance)
126
127
Raises:
128
ProwlerException: On provider initialization errors
129
"""
130
131
@staticmethod
132
def get_global_provider():
133
"""
134
Get the current global provider instance.
135
136
Returns:
137
Current global Provider instance or None if not initialized
138
"""
139
```
140
141
### AWS Provider
142
143
Amazon Web Services provider implementation with support for multiple authentication methods and AWS Organizations.
144
145
```python { .api }
146
class AWSProvider(Provider):
147
"""
148
AWS provider implementation with comprehensive authentication and scanning capabilities.
149
150
Provides AWS security assessment capabilities with support for multiple
151
authentication methods, cross-account access, AWS Organizations integration,
152
resource filtering, and regional scanning.
153
"""
154
155
def __init__(
156
self,
157
retries_max_attempts: int = 3,
158
role_arn: str = None,
159
session_duration: int = 3600,
160
external_id: str = None,
161
role_session_name: str = None,
162
mfa: bool = False,
163
profile: str = None,
164
regions: set = set(),
165
organizations_role_arn: str = None,
166
scan_unused_services: bool = False,
167
resource_tags: list[str] = [],
168
resource_arn: list[str] = [],
169
config_path: str = None,
170
config_content: dict = None,
171
fixer_config: dict = {},
172
mutelist_path: str = None,
173
mutelist_content: dict = None,
174
aws_access_key_id: str = None,
175
aws_secret_access_key: str = None,
176
aws_session_token: str = None,
177
):
178
"""
179
Initialize AWS provider with comprehensive authentication and configuration options.
180
181
Parameters:
182
- retries_max_attempts: int = 3 - Maximum retry attempts for API calls
183
- role_arn: str = None - IAM role ARN to assume for cross-account access
184
- session_duration: int = 3600 - Session duration in seconds for assumed roles
185
- external_id: str = None - External ID for secure cross-account role assumption
186
- role_session_name: str = None - Custom session name for assumed role sessions
187
- mfa: bool = False - Whether to prompt for MFA token during authentication
188
- profile: str = None - AWS profile name from credentials/config files
189
- regions: set = set() - Set of AWS regions to include in scanning
190
- organizations_role_arn: str = None - Role ARN for AWS Organizations access
191
- scan_unused_services: bool = False - Whether to scan services not in use
192
- resource_tags: list[str] = [] - Resource tag filters for targeted scanning
193
- resource_arn: list[str] = [] - Specific resource ARNs to audit
194
- config_path: str = None - Path to custom configuration file
195
- config_content: dict = None - Configuration dictionary for inline config
196
- fixer_config: dict = {} - Configuration for automatic remediation
197
- mutelist_path: str = None - Path to mutelist (allowlist) file
198
- mutelist_content: dict = None - Mutelist dictionary for inline config
199
- aws_access_key_id: str = None - AWS access key ID for direct authentication
200
- aws_secret_access_key: str = None - AWS secret access key
201
- aws_session_token: str = None - AWS session token for temporary credentials
202
"""
203
204
# Properties
205
@property
206
def identity(self) -> 'AWSIdentityInfo':
207
"""AWS account and user identity information."""
208
209
@property
210
def type(self) -> str:
211
"""Returns 'aws'."""
212
213
@property
214
def session(self) -> 'AWSSession':
215
"""AWS session object for API interactions."""
216
217
@property
218
def organizations_metadata(self) -> 'AWSOrganizationsInfo':
219
"""AWS Organizations metadata and account information."""
220
221
@property
222
def audit_resources(self) -> list:
223
"""List of specific resources to audit."""
224
225
@property
226
def scan_unused_services(self) -> bool:
227
"""Whether unused services should be scanned."""
228
229
@property
230
def audit_config(self) -> dict:
231
"""Audit configuration settings."""
232
233
@property
234
def fixer_config(self) -> dict:
235
"""Automatic remediation configuration."""
236
237
@property
238
def mutelist(self) -> 'AWSMutelist':
239
"""AWS-specific mutelist configuration."""
240
241
# Instance Methods
242
def print_credentials(self) -> None:
243
"""Print current AWS authentication and identity information."""
244
245
def generate_regional_clients(self, service: str) -> dict:
246
"""
247
Generate boto3 clients for all enabled regions for a service.
248
249
Parameters:
250
- service: str - AWS service name (e.g., 'ec2', 's3', 'iam')
251
252
Returns:
253
dict: Dictionary mapping region names to boto3 service clients
254
"""
255
256
def get_checks_from_input_arn(self) -> set:
257
"""
258
Determine which checks to run based on input resource ARNs.
259
260
Returns:
261
set[str]: Set of check names that apply to the specified resources
262
"""
263
264
def get_regions_from_audit_resources(self, audit_resources: list) -> set:
265
"""
266
Extract AWS regions from resource ARNs.
267
268
Parameters:
269
- audit_resources: list - List of AWS resource ARNs
270
271
Returns:
272
set[str]: Set of AWS region names extracted from ARNs
273
"""
274
275
def get_tagged_resources(self, resource_tags: list[str]) -> list[str]:
276
"""
277
Find resources matching specified tag filters.
278
279
Parameters:
280
- resource_tags: list[str] - List of tag filters in key=value format
281
282
Returns:
283
list[str]: List of resource ARNs matching the tag criteria
284
"""
285
286
def get_default_region(self, service: str) -> str:
287
"""
288
Get the default region for an AWS service.
289
290
Parameters:
291
- service: str - AWS service name
292
293
Returns:
294
str: Default region name for the service
295
"""
296
297
def get_global_region(self) -> str:
298
"""
299
Get the global region identifier based on AWS partition.
300
301
Returns:
302
str: Global region (us-east-1 for aws, us-gov-east-1 for aws-us-gov, etc.)
303
"""
304
305
def get_aws_enabled_regions(self, current_session: 'Session') -> set:
306
"""
307
Get all regions enabled for the AWS account.
308
309
Parameters:
310
- current_session: boto3.Session - Authenticated boto3 session
311
312
Returns:
313
set[str]: Set of enabled AWS region names
314
"""
315
316
def get_checks_to_execute_by_audit_resources(self) -> set[str]:
317
"""
318
Filter checks based on audit resources and configuration.
319
320
Returns:
321
set[str]: Set of check names to execute based on resource filters
322
"""
323
324
# Static Methods
325
@staticmethod
326
def setup_session(
327
profile: str = None,
328
aws_access_key_id: str = None,
329
aws_secret_access_key: str = None,
330
aws_session_token: str = None,
331
region: str = None,
332
retries_max_attempts: int = 3,
333
) -> 'Session':
334
"""
335
Create and configure a boto3 session.
336
337
Parameters:
338
- profile: str = None - AWS profile name
339
- aws_access_key_id: str = None - AWS access key ID
340
- aws_secret_access_key: str = None - AWS secret access key
341
- aws_session_token: str = None - AWS session token
342
- region: str = None - Default AWS region
343
- retries_max_attempts: int = 3 - Retry configuration
344
345
Returns:
346
boto3.Session: Configured boto3 session object
347
"""
348
349
@staticmethod
350
def test_connection(
351
provider_id: str,
352
credentials: dict = None,
353
) -> 'Connection':
354
"""
355
Test connectivity and permissions for AWS.
356
357
Parameters:
358
- provider_id: str - Provider identifier for testing
359
- credentials: dict = None - AWS credential parameters
360
361
Returns:
362
Connection: Connection test result with success/failure status
363
"""
364
365
@staticmethod
366
def assume_role(
367
session: 'Session',
368
assumed_role_info: 'AWSAssumeRoleInfo'
369
) -> 'AWSCredentials':
370
"""
371
Assume an IAM role and return temporary credentials.
372
373
Parameters:
374
- session: boto3.Session - Base session for role assumption
375
- assumed_role_info: AWSAssumeRoleInfo - Role assumption parameters
376
377
Returns:
378
AWSCredentials: Temporary credentials for the assumed role
379
"""
380
381
@staticmethod
382
def validate_credentials(
383
session: 'Session',
384
aws_region: str
385
) -> 'AWSCallerIdentity':
386
"""
387
Validate AWS credentials and return caller identity.
388
389
Parameters:
390
- session: boto3.Session - Session to validate
391
- aws_region: str - AWS region for STS calls
392
393
Returns:
394
AWSCallerIdentity: Caller identity information
395
"""
396
397
@staticmethod
398
def get_regions(partition: 'Partition' = None) -> set:
399
"""
400
Get all available AWS regions for a partition.
401
402
Parameters:
403
- partition: Partition = None - AWS partition (aws, aws-cn, aws-us-gov)
404
405
Returns:
406
set[str]: Set of available region names
407
"""
408
409
@staticmethod
410
def get_available_aws_service_regions(
411
service: str,
412
partition: str,
413
audited_regions: set
414
) -> set:
415
"""
416
Get available regions for a specific AWS service.
417
418
Parameters:
419
- service: str - AWS service name
420
- partition: str - AWS partition
421
- audited_regions: set - Regions being audited
422
423
Returns:
424
set[str]: Set of regions where the service is available
425
"""
426
```
427
428
### Azure Provider
429
430
Microsoft Azure provider implementation with support for service principals, managed identities, and multiple authentication methods.
431
432
```python { .api }
433
class AzureProvider(Provider):
434
"""
435
Azure provider implementation with multiple authentication methods.
436
437
Provides Azure security assessment capabilities with support for Azure CLI
438
authentication, service principals, browser-based authentication, and
439
managed identity authentication across multiple subscriptions.
440
"""
441
442
def __init__(
443
self,
444
az_cli_auth: bool = False,
445
sp_env_auth: bool = False,
446
browser_auth: bool = False,
447
managed_identity_auth: bool = False,
448
tenant_id: str = None,
449
region: str = "AzureCloud",
450
subscription_ids: list = [],
451
config_path: str = None,
452
config_content: dict = None,
453
fixer_config: dict = {},
454
mutelist_path: str = None,
455
mutelist_content: dict = None,
456
client_id: str = None,
457
client_secret: str = None,
458
):
459
"""
460
Initialize Azure provider with comprehensive authentication options.
461
462
Parameters:
463
- az_cli_auth: bool = False - Use Azure CLI authentication
464
- sp_env_auth: bool = False - Use service principal from environment variables
465
- browser_auth: bool = False - Use interactive browser-based authentication
466
- managed_identity_auth: bool = False - Use managed identity authentication
467
- tenant_id: str = None - Azure Active Directory tenant ID
468
- region: str = "AzureCloud" - Azure cloud environment (AzureCloud, AzureChinaCloud, etc.)
469
- subscription_ids: list = [] - List of subscription IDs to audit
470
- config_path: str = None - Path to custom configuration file
471
- config_content: dict = None - Configuration dictionary for inline config
472
- fixer_config: dict = {} - Configuration for automatic remediation
473
- mutelist_path: str = None - Path to mutelist (allowlist) file
474
- mutelist_content: dict = None - Mutelist dictionary for inline config
475
- client_id: str = None - Service principal client ID
476
- client_secret: str = None - Service principal client secret
477
"""
478
479
# Properties
480
@property
481
def identity(self) -> 'AzureIdentityInfo':
482
"""Azure tenant and subscription identity information."""
483
484
@property
485
def type(self) -> str:
486
"""Returns 'azure'."""
487
488
@property
489
def session(self) -> 'DefaultAzureCredential':
490
"""Azure credential object for API authentication."""
491
492
@property
493
def region_config(self) -> 'AzureRegionConfig':
494
"""Azure cloud region configuration."""
495
496
@property
497
def locations(self) -> dict:
498
"""Available Azure locations by subscription."""
499
500
@property
501
def audit_config(self) -> dict:
502
"""Audit configuration settings."""
503
504
@property
505
def fixer_config(self) -> dict:
506
"""Automatic remediation configuration."""
507
508
@property
509
def mutelist(self) -> 'AzureMutelist':
510
"""Azure-specific mutelist configuration."""
511
512
# Instance Methods
513
def print_credentials(self) -> None:
514
"""Print current Azure authentication and identity information."""
515
516
def get_locations(self) -> dict[str, list[str]]:
517
"""
518
Retrieve available locations for each subscription.
519
520
Returns:
521
dict[str, list[str]]: Dictionary mapping subscription IDs to lists of available location names
522
"""
523
524
def get_regions(self, subscription_ids: list[str] = None) -> set:
525
"""
526
Get all available regions across specified subscriptions.
527
528
Parameters:
529
- subscription_ids: list[str] = None - Optional list of subscription IDs to check
530
531
Returns:
532
set[str]: Set of available Azure region names
533
"""
534
535
def setup_identity(self, **kwargs) -> 'AzureIdentityInfo':
536
"""
537
Setup Azure identity information from authentication context.
538
539
Parameters:
540
**kwargs: Authentication-specific parameters
541
542
Returns:
543
AzureIdentityInfo: Populated identity information object
544
"""
545
546
# Static Methods
547
@staticmethod
548
def validate_arguments(**kwargs) -> None:
549
"""
550
Validate Azure authentication arguments and configuration.
551
552
Parameters:
553
**kwargs: Authentication and configuration parameters
554
555
Raises:
556
ProwlerException: On validation errors or conflicting authentication methods
557
"""
558
559
@staticmethod
560
def setup_region_config(region: str) -> 'AzureRegionConfig':
561
"""
562
Setup Azure cloud region configuration.
563
564
Parameters:
565
- region: str - Azure cloud environment name
566
567
Returns:
568
AzureRegionConfig: Region configuration object
569
"""
570
571
@staticmethod
572
def setup_session(**kwargs) -> 'DefaultAzureCredential':
573
"""
574
Setup Azure authentication session with specified method.
575
576
Parameters:
577
**kwargs: Authentication parameters for the chosen method
578
579
Returns:
580
DefaultAzureCredential: Azure credential object for API calls
581
"""
582
583
@staticmethod
584
def test_connection(
585
provider_id: str,
586
credentials: dict = None,
587
) -> 'Connection':
588
"""
589
Test connectivity and permissions for Azure.
590
591
Parameters:
592
- provider_id: str - Provider identifier for testing
593
- credentials: dict = None - Azure credential parameters
594
595
Returns:
596
Connection: Connection test result with success/failure status
597
"""
598
599
@staticmethod
600
def check_service_principal_creds_env_vars() -> None:
601
"""
602
Check for service principal credentials in environment variables.
603
604
Validates presence of AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID
605
environment variables when using service principal authentication.
606
607
Raises:
608
ProwlerException: If required environment variables are missing
609
"""
610
611
@staticmethod
612
def validate_static_credentials(**kwargs) -> dict:
613
"""
614
Validate static credential parameters for service principal authentication.
615
616
Parameters:
617
**kwargs: Credential parameters to validate
618
619
Returns:
620
dict: Validated credential information
621
622
Raises:
623
ProwlerException: On credential validation errors
624
"""
625
626
@staticmethod
627
def verify_client(tenant_id: str, client_id: str, client_secret: str) -> None:
628
"""
629
Verify service principal client credentials.
630
631
Parameters:
632
- tenant_id: str - Azure AD tenant ID
633
- client_id: str - Service principal client ID
634
- client_secret: str - Service principal client secret
635
636
Raises:
637
ProwlerException: On authentication failure or invalid credentials
638
"""
639
```
640
641
### GCP Provider
642
643
Google Cloud Platform provider implementation with support for service accounts and Application Default Credentials.
644
645
```python { .api }
646
class GCPProvider(Provider):
647
"""
648
GCP provider implementation with comprehensive project and authentication management.
649
650
Provides Google Cloud Platform security assessment capabilities with support for
651
service account authentication, Application Default Credentials, service account
652
impersonation, and organization-wide project discovery.
653
"""
654
655
def __init__(
656
self,
657
retries_max_attempts: int = None,
658
organization_id: str = None,
659
project_ids: list = None,
660
excluded_project_ids: list = None,
661
credentials_file: str = None,
662
impersonate_service_account: str = None,
663
list_project_ids: bool = False,
664
config_path: str = None,
665
config_content: dict = None,
666
fixer_config: dict = {},
667
mutelist_path: str = None,
668
mutelist_content: dict = None,
669
client_id: str = None,
670
client_secret: str = None,
671
refresh_token: str = None,
672
service_account_key: dict = None,
673
):
674
"""
675
Initialize GCP provider with comprehensive authentication and project management.
676
677
Parameters:
678
- retries_max_attempts: int = None - Maximum retry attempts for API calls
679
- organization_id: str = None - GCP organization ID for organization-wide scanning
680
- project_ids: list = None - List of specific project IDs to audit
681
- excluded_project_ids: list = None - List of project IDs to exclude from auditing
682
- credentials_file: str = None - Path to service account JSON key file
683
- impersonate_service_account: str = None - Service account email for impersonation
684
- list_project_ids: bool = False - Whether to list available project IDs and exit
685
- config_path: str = None - Path to custom configuration file
686
- config_content: dict = None - Configuration dictionary for inline config
687
- fixer_config: dict = {} - Configuration for automatic remediation
688
- mutelist_path: str = None - Path to mutelist (allowlist) file
689
- mutelist_content: dict = None - Mutelist dictionary for inline config
690
- client_id: str = None - OAuth 2.0 client ID
691
- client_secret: str = None - OAuth 2.0 client secret
692
- refresh_token: str = None - OAuth 2.0 refresh token
693
- service_account_key: dict = None - Service account key as dictionary
694
"""
695
696
# Properties
697
@property
698
def identity(self) -> 'GCPIdentityInfo':
699
"""GCP authentication and user identity information."""
700
701
@property
702
def type(self) -> str:
703
"""Returns 'gcp'."""
704
705
@property
706
def session(self) -> 'Credentials':
707
"""GCP credentials object for API authentication."""
708
709
@property
710
def projects(self) -> dict:
711
"""Dictionary of accessible GCP projects keyed by project ID."""
712
713
@property
714
def default_project_id(self) -> str:
715
"""Default project ID for the current session."""
716
717
@property
718
def impersonated_service_account(self) -> str:
719
"""Service account being impersonated, if any."""
720
721
@property
722
def project_ids(self) -> list:
723
"""List of project IDs to be audited."""
724
725
@property
726
def excluded_project_ids(self) -> list:
727
"""List of project IDs excluded from auditing."""
728
729
@property
730
def audit_config(self) -> dict:
731
"""Audit configuration settings."""
732
733
@property
734
def fixer_config(self) -> dict:
735
"""Automatic remediation configuration."""
736
737
@property
738
def mutelist(self) -> 'GCPMutelist':
739
"""GCP-specific mutelist configuration."""
740
741
# Instance Methods
742
def print_credentials(self) -> None:
743
"""Print current GCP authentication and identity information."""
744
745
def update_projects_with_organizations(self) -> None:
746
"""
747
Update project information with organization metadata.
748
749
Enriches project objects with organizational context when organization_id
750
is specified and the authenticated principal has appropriate permissions.
751
"""
752
753
def is_project_matching(self, input_project: str, project_to_match: str) -> bool:
754
"""
755
Check if project identifiers match using flexible matching rules.
756
757
Parameters:
758
- input_project: str - Input project identifier (can be project ID or number)
759
- project_to_match: str - Project identifier to match against
760
761
Returns:
762
bool: True if projects match, False otherwise
763
"""
764
765
def get_regions(self) -> set:
766
"""
767
Get all available regions for the configured project IDs.
768
769
Returns:
770
set[str]: Set of available GCP region names
771
"""
772
773
# Static Methods
774
@staticmethod
775
def setup_session(**kwargs) -> tuple:
776
"""
777
Setup GCP authentication session and return credentials.
778
779
Parameters:
780
**kwargs: Authentication parameters (credentials_file, service_account_key, etc.)
781
782
Returns:
783
tuple: (credentials_object, default_project_id) for API authentication
784
"""
785
786
@staticmethod
787
def test_connection(
788
provider_id: str,
789
credentials: dict = None,
790
) -> 'Connection':
791
"""
792
Test connectivity and permissions for GCP.
793
794
Parameters:
795
- provider_id: str - Provider identifier for testing
796
- credentials: dict = None - GCP credential parameters
797
798
Returns:
799
Connection: Connection test result with success/failure status
800
"""
801
802
@staticmethod
803
def get_projects(**kwargs) -> dict[str, 'GCPProject']:
804
"""
805
Discover and retrieve accessible GCP projects.
806
807
Parameters:
808
**kwargs: Authentication and filtering parameters
809
810
Returns:
811
dict[str, GCPProject]: Dictionary mapping project IDs to project objects
812
"""
813
814
@staticmethod
815
def validate_static_arguments(**kwargs) -> dict:
816
"""
817
Validate static authentication arguments for GCP.
818
819
Parameters:
820
**kwargs: Authentication parameters to validate
821
822
Returns:
823
dict: Validated authentication information
824
825
Raises:
826
ProwlerException: On validation errors or missing required parameters
827
"""
828
829
@staticmethod
830
def validate_project_id(provider_id: str, credentials: str = None) -> None:
831
"""
832
Validate that a project ID exists and is accessible.
833
834
Parameters:
835
- provider_id: str - GCP project ID to validate
836
- credentials: str = None - Optional credentials for validation
837
838
Raises:
839
ProwlerException: If project ID is invalid or inaccessible
840
"""
841
```
842
843
### Additional Providers
844
845
Similar provider implementations for specialized platforms:
846
847
```python { .api }
848
class KubernetesProvider(Provider):
849
"""
850
Kubernetes provider for cluster security assessments.
851
852
Supports kubeconfig files, in-cluster authentication,
853
and service account tokens.
854
"""
855
856
class GitHubProvider(Provider):
857
"""
858
GitHub provider for repository and organization security.
859
860
Supports GitHub tokens, GitHub Apps, and organization scanning.
861
"""
862
863
class M365Provider(Provider):
864
"""
865
Microsoft 365 provider for tenant security assessments.
866
867
Supports application authentication and delegated permissions.
868
"""
869
```
870
871
## Usage Examples
872
873
### AWS Provider Setup
874
875
```python
876
from prowler.providers.aws.aws_provider import AwsProvider
877
from prowler.providers.aws.models import AWSCredentials
878
879
# Initialize with access keys
880
aws_provider = AwsProvider(
881
aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
882
aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
883
region="us-east-1"
884
)
885
886
# Initialize with AWS profile
887
aws_provider = AwsProvider(
888
profile_name="production",
889
region="us-west-2"
890
)
891
892
# Initialize with role assumption
893
aws_provider = AwsProvider(
894
role_arn="arn:aws:iam::123456789012:role/ProwlerRole",
895
external_id="unique-external-id",
896
role_session_name="prowler-scan"
897
)
898
899
# Setup session and validate
900
aws_provider.setup_session()
901
aws_provider.print_credentials()
902
```
903
904
### Azure Provider Setup
905
906
```python
907
from prowler.providers.azure.azure_provider import AzureProvider
908
909
# Initialize with service principal
910
azure_provider = AzureProvider(
911
client_id="12345678-1234-1234-1234-123456789012",
912
client_secret="your-client-secret",
913
tenant_id="87654321-4321-4321-4321-210987654321",
914
subscription_id="abcdef12-3456-7890-abcd-ef1234567890"
915
)
916
917
# Initialize with managed identity
918
azure_provider = AzureProvider(
919
subscription_id="abcdef12-3456-7890-abcd-ef1234567890",
920
use_managed_identity=True
921
)
922
923
# Setup and validate
924
azure_provider.setup_session()
925
azure_provider.print_credentials()
926
```
927
928
### GCP Provider Setup
929
930
```python
931
from prowler.providers.gcp.gcp_provider import GCPProvider
932
933
# Initialize with service account file
934
gcp_provider = GcpProvider(
935
service_account_file="/path/to/service-account.json",
936
project_ids=["project-1", "project-2", "project-3"]
937
)
938
939
# Initialize with Application Default Credentials
940
gcp_provider = GcpProvider(
941
project_ids=["my-project"]
942
)
943
944
# Setup and validate
945
gcp_provider.setup_session()
946
gcp_provider.print_credentials()
947
```
948
949
### Multi-Provider Usage
950
951
```python
952
from prowler.providers.common.provider import Provider
953
954
# Initialize global provider
955
Provider.init_global_provider("aws", profile_name="default")
956
957
# Get current provider
958
current_provider = Provider.get_global_provider()
959
print(f"Current provider type: {current_provider.type}")
960
print(f"Provider identity: {current_provider.identity}")
961
962
# Switch to different provider
963
Provider.init_global_provider("azure",
964
subscription_id="sub-id",
965
use_managed_identity=True
966
)
967
```
968
969
### Provider Authentication Validation
970
971
```python
972
from prowler.providers.aws.aws_provider import AwsProvider
973
974
aws_provider = AwsProvider(profile_name="test")
975
976
# Validate configuration before scanning
977
if aws_provider.validate_arguments():
978
print("AWS configuration is valid")
979
aws_provider.setup_session()
980
981
# Check permissions
982
identity = aws_provider.identity
983
print(f"Authenticated as: {identity['arn']}")
984
print(f"Account ID: {identity['account_id']}")
985
else:
986
print("AWS configuration validation failed")
987
```
988
989
### Cross-Account Scanning
990
991
```python
992
from prowler.providers.aws.aws_provider import AwsProvider
993
994
# Setup cross-account role assumption
995
aws_provider = AwsProvider(
996
role_arn="arn:aws:iam::TARGET-ACCOUNT:role/OrganizationAccessRole",
997
external_id="shared-external-id",
998
role_session_name="prowler-cross-account-scan"
999
)
1000
1001
aws_provider.setup_session()
1002
1003
# Verify cross-account access
1004
identity = aws_provider.identity
1005
print(f"Scanning account: {identity['account_id']}")
1006
print(f"Using role: {identity['arn']}")
1007
```