
This feature is currently available only for the AWS provider.
By default, Prowler scans only actively used cloud services (services with resources deployed). This reduces unnecessary findings in reports. To include unused services in the scan, use the following command:

prowler <provider> --scan-unused-services

Services Ignored

AWS

ACM (AWS Certificate Manager)

Certificates stored in ACM without active usage in AWS resources are excluded. By default, Prowler only scans actively used certificates. Unused certificates are not evaluated for expiration, transparency logging, or weak key algorithms.
  • acm_certificates_expiration_check
  • acm_certificates_transparency_logs_enabled
  • acm_certificates_with_secure_key_algorithms

Athena

Upon AWS account creation, Athena provisions a default primary workgroup for the user. Prowler verifies whether this workgroup is enabled and in use by checking for queries run within the last 45 days. If Athena is unused, findings related to its checks will not appear.
  • athena_workgroup_encryption
  • athena_workgroup_enforce_configuration
  • athena_workgroup_logging_enabled

Amazon Bedrock

Generative AI workloads benefit from private VPC endpoint connectivity to keep prompt and model traffic off the public internet. Prowler only evaluates this configuration for VPCs in use (with active ENIs).
  • bedrock_vpc_endpoints_configured

AWS CloudTrail

AWS CloudTrail should have at least one trail with a data event to record all S3 object-level API operations. Before flagging this issue, Prowler verifies if S3 buckets exist in the account.
  • cloudtrail_s3_dataevents_read_enabled
  • cloudtrail_s3_dataevents_write_enabled

AWS Elastic Compute Cloud (EC2)

If Amazon Elastic Block Store (EBS) default encryption is not enabled, sensitive data at rest remains unprotected in EC2. Prowler only generates a finding if EBS volumes exist where default encryption could be enforced.
  • ec2_ebs_default_encryption
EBS Snapshot Public Access: Public EBS snapshots can leak data. Prowler only evaluates the account-level block setting if EBS snapshots exist in the account.
  • ec2_ebs_snapshot_account_block_public_access
EC2 Instance Metadata Service (IMDS): Enforcing IMDSv2 at the account level mitigates SSRF-based credential theft. Prowler only evaluates the account-level setting if EC2 instances exist in the account.
  • ec2_instance_account_imdsv2_enabled
Security Groups: Misconfigured security groups increase the attack surface. Prowler scans only attached security groups to report vulnerabilities in actively used configurations. Applies to:
  • 20 security group-related checks, including open ports and ingress/egress traffic rules.
    • ec2_securitygroup_allow_ingress_from_internet_to_port_X
    • ec2_securitygroup_default_restrict_traffic
    • ec2_securitygroup_allow_wide_open_public_ipv4
  • 3 network ACL-related checks, ensuring only active ACLs with open ports are flagged.
    • ec2_networkacl_allow_ingress_X_port

AWS Glue

AWS Glue best practices recommend encrypting metadata and connection passwords in Data Catalogs. Prowler verifies service usage by checking for existing Data Catalog tables before applying findings.
  • glue_data_catalogs_connection_passwords_encryption_enabled
  • glue_data_catalogs_metadata_encryption_enabled

Amazon Inspector

Amazon Inspector is a vulnerability discovery service that automates continuous security scans for Amazon EC2, Amazon ECR, and AWS Lambda environments. Prowler recommends enabling Amazon Inspector and addressing all findings. By default, Prowler only triggers alerts if there are Lambda functions, EC2 instances, or ECR repositories in the region where Amazon Inspector should be enabled.
  • inspector2_is_enabled

AWS Key Management Service (KMS)

Customer managed Customer Master Keys (CMKs) in the Disabled state cannot be used for cryptographic operations, so Prowler skips the unintentional-deletion check on them by default. Enable the flag to evaluate disabled CMKs as well.
  • kms_cmk_not_deleted_unintentionally

Amazon Macie

Amazon Macie leverages machine learning to automatically discover, classify, and protect sensitive data in S3 buckets. Prowler only generates findings if Macie is disabled and there are S3 buckets in the AWS account.
  • macie_is_enabled

Network Firewall

A network firewall is essential for monitoring and controlling traffic within a Virtual Private Cloud (VPC). Prowler only alerts for VPCs in use, specifically those containing ENIs (Elastic Network Interfaces).
  • networkfirewall_in_all_vpc

Amazon Relational Database Service (RDS)

RDS event subscriptions notify operators of critical database events. Prowler only evaluates these subscription checks when RDS clusters or instances exist in the account.
  • rds_cluster_critical_event_subscription
  • rds_instance_critical_event_subscription
  • rds_instance_event_subscription_parameter_groups
  • rds_instance_event_subscription_security_groups

Amazon S3

To prevent unintended data exposure, Public Access Block should be enabled at the account level. Prowler only checks this setting if S3 buckets exist in the account.
  • s3_account_level_public_access_blocks

Virtual Private Cloud (VPC)

VPC settings directly impact network security and availability.
  • VPC Flow Logs: Provide visibility into network traffic for security monitoring. Prowler only checks if Flow Logs are enabled for VPCs in use, i.e., those with active ENIs.
    • vpc_flow_logs_enabled
  • VPC Endpoint for EC2: Routes EC2 API calls through a private VPC endpoint to keep traffic off the public internet. Prowler only evaluates this configuration for VPCs in use, i.e., those with active ENIs.
    • vpc_endpoint_for_ec2_enabled
  • VPC Subnet Public IP Restrictions: Prevent unintended exposure of resources to the internet. Prowler only checks this configuration for VPCs in use, i.e., those with active ENIs.
    • vpc_subnet_no_public_ip_by_default
  • Separate Private and Public Subnets: Best practice to avoid exposure risks. Prowler only checks this configuration for VPCs in use, i.e., those with active ENIs.
    • vpc_subnet_separate_private_public
  • Multi-AZ Subnet Distribution: VPCs should have subnets in different availability zones to prevent a single point of failure. Prowler only checks this configuration for VPCs in use, i.e., those with active ENIs.
    • vpc_subnet_different_az
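The following is an added example, not Prowler's own code, that models the gating rules described on this page (the --scan-unused-services flag at the top and the per-service "in use" tests for VPCs, security groups, Athena workgroups, ACM certificates and the account-level S3 and EC2 settings). The inventory it runs against is constructed sample data; the check identifiers are the ones listed above, and the helper names and the data layout are assumptions made for the illustration.

```python
# Added example: a small model of the "scan only used services" gating this page
# describes. It is not Prowler's code; the rules are taken from the page text and
# the inventory below is constructed sample data.
from datetime import datetime, timedelta, timezone

ATHENA_USAGE_WINDOW_DAYS = 45  # page: a workgroup counts as used if it ran queries in the last 45 days


def vpc_in_use(vpc_id, enis):
    """A VPC is 'in use' when at least one ENI lives in it (VPC, Network Firewall, Bedrock checks)."""
    return any(eni["VpcId"] == vpc_id for eni in enis)


def security_group_attached(sg_id, enis):
    """A security group is 'attached' when some ENI references it."""
    return any(sg_id in eni["Groups"] for eni in enis)


def athena_workgroup_used(query_times, now, window_days=ATHENA_USAGE_WINDOW_DAYS):
    """A workgroup is 'used' when any query ran inside the usage window."""
    cutoff = now - timedelta(days=window_days)
    return any(t >= cutoff for t in query_times)


def certificate_in_use(cert):
    """An ACM certificate is 'in use' when ACM reports resources using it (InUseBy field)."""
    return bool(cert.get("InUseBy"))


def plan_checks(inv, now, scan_unused_services=False):
    """Return {check_id: [resources that would be evaluated]} for a handful of the
    checks listed on this page, applying the page's gating rules unless
    --scan-unused-services was given (keep_all)."""
    keep_all = scan_unused_services
    plan = {}
    plan["vpc_flow_logs_enabled"] = [
        v for v in inv["vpcs"] if keep_all or vpc_in_use(v, inv["enis"])]
    plan["ec2_securitygroup_default_restrict_traffic"] = [
        sg for sg in inv["security_groups"] if keep_all or security_group_attached(sg, inv["enis"])]
    plan["athena_workgroup_encryption"] = [
        wg for wg, times in inv["athena_workgroups"].items()
        if keep_all or athena_workgroup_used(times, now)]
    plan["acm_certificates_expiration_check"] = [
        c["CertificateArn"] for c in inv["certificates"] if keep_all or certificate_in_use(c)]
    # Account-level settings are gated on whether any resource of that kind exists at all.
    plan["s3_account_level_public_access_blocks"] = (
        ["account"] if keep_all or inv["s3_bucket_count"] > 0 else [])
    plan["ec2_instance_account_imdsv2_enabled"] = (
        ["account"] if keep_all or inv["ec2_instance_count"] > 0 else [])
    return plan


def suppressed_by_default(inv, now):
    """Resources that are only evaluated when --scan-unused-services is set."""
    default = plan_checks(inv, now)
    full = plan_checks(inv, now, scan_unused_services=True)
    return {check: sorted(set(full[check]) - set(default[check]))
            for check in full if set(full[check]) - set(default[check])}


# Constructed sample inventory (not real account data; 123456789012 is a placeholder account id).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "enis": [{"NetworkInterfaceId": "eni-0aaa", "VpcId": "vpc-0app", "Groups": ["sg-0web"]}],
    "vpcs": ["vpc-0app", "vpc-0idle"],
    "security_groups": ["sg-0web", "sg-0orphan"],
    "athena_workgroups": {"primary": [NOW - timedelta(days=10)],
                          "legacy": [NOW - timedelta(days=200)]},
    "certificates": [
        {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/used-0001",
         "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/abc"]},
        {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/idle-0002",
         "InUseBy": []},
    ],
    "s3_bucket_count": 0,
    "ec2_instance_count": 2,
}

if __name__ == "__main__":
    for check, resources in plan_checks(SAMPLE_INVENTORY, NOW).items():
        print(f"{check:48} default -> {resources}")
    for check, resources in suppressed_by_default(SAMPLE_INVENTORY, NOW).items():
        print(f"{check:48} needs --scan-unused-services for {resources}")
```

With the sample inventory the default plan evaluates only vpc-0app, sg-0web, the primary workgroup and the in-use certificate, and skips the S3 account-level check entirely because no buckets exist; suppressed_by_default lists exactly the idle resources that reappear once the flag is set, which is the set of findings a report gains or loses when toggling it.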