
CyberLab Part 3: Security Tooling in Action

Gabe Bidot · August 18, 2025 · 4 min read

Tags: security, aws, cyberlab, prowler, compliance, tooling

After building the S3 vault with Terraform, CyberLab finally had some of the core protections you'd expect in a cloud environment: versioning, immutability, encryption, and access control. But there was still a critical gap. How do I know if the environment I built is actually secure?

That's where security tooling comes into play. Without visibility, security is little more than good intentions.


Why Security Tooling Matters

Cloud environments fail not just because of advanced threats but because of everyday misconfigurations. An IAM role that is too permissive, an S3 bucket left without encryption, or a security group with an open port can all become an attacker's first foothold.

The problem is, you can't fix what you don't see. Reading policies or Terraform code line by line won't reliably catch issues, especially as the environment grows. I needed tooling that could surface risks automatically and show me where CyberLab was exposed.


Introducing Prowler

For this stage, I turned to Prowler, an open-source tool built for auditing AWS environments against best practices and compliance frameworks. Prowler stood out because it:

  • Runs directly against an AWS account, checking for misconfigurations and insecure defaults.
  • Maps findings to compliance standards like CIS benchmarks, which makes results easier to understand.
  • Produces reports in multiple formats, giving me flexibility in how I analyze the data.

Running it inside CyberLab was straightforward, but I wanted to make the process structured and repeatable. I decided to containerize the workflow using Docker, which meant every run was consistent and isolated from my local system. To keep track of results, I organized reports into timestamped directories and exported them in CSV, JSON, and HTML formats.

The CSV files were easy to filter and sort, the JSON outputs could be integrated into future automation, and the HTML reports gave me a clear, human-readable view of risks.


What I Found

The first Prowler scans were eye-opening.

  • Overly broad IAM permissions: One of my Terraform roles had permissions that were far too wide. In a real environment, that could have allowed privilege escalation. Fixing it required tightening policies to align with the principle of least privilege.
  • S3 bucket without strict access controls: Even though encryption and versioning were in place, one test bucket wasn't restricted enough. That's exactly the kind of oversight attackers look for when scanning environments.
  • Unused but active IAM keys: Prowler flagged an IAM access key that wasn't tied to any active use. That's the type of dormant credential that could become dangerous if exposed.

Each issue became a feedback loop: fix it in Terraform, redeploy, and rerun the scan. Seeing the red flags disappear from the HTML reports was a tangible sign of progress.
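To make that fix, redeploy, rescan loop measurable rather than eyeballing red flags in the HTML report, here is an added example (not from the original post and not part of Prowler) that diffs the CSV output of two consecutive runs and classifies each FAIL finding as remediated, persisting, or new. It assumes Prowler's semicolon-delimited CSV with upper-case headers CHECK_ID, STATUS, SEVERITY and RESOURCE_UID; the two sample reports, their check IDs and resource ARNs are constructed for illustration.

```python
"""Diff two Prowler CSV reports from consecutive runs of the fix/redeploy/rescan
loop: which FAIL findings were remediated, which persist, and which are new."""
import csv
import io

# Assumption: Prowler's CSV is semicolon-delimited with upper-case headers such
# as CHECK_ID, STATUS, SEVERITY and RESOURCE_UID; adjust if your version differs.
DELIMITER = ";"
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}

# Constructed sample reports (not real scan output), trimmed to the columns used
# here. The account ID is AWS's documentation placeholder; check IDs are illustrative.
BEFORE_CSV = """CHECK_ID;CHECK_TITLE;STATUS;SEVERITY;RESOURCE_UID
iam_policy_allows_privilege_escalation;IAM policy allows privilege escalation;FAIL;high;arn:aws:iam::123456789012:role/cyberlab-vault-role
s3_bucket_public_access;S3 bucket does not block public access;FAIL;high;arn:aws:s3:::cyberlab-test-bucket
iam_user_accesskey_unused;Unused IAM access key is still active;FAIL;medium;arn:aws:iam::123456789012:user/lab-user
s3_bucket_default_encryption;S3 bucket default encryption enabled;PASS;medium;arn:aws:s3:::cyberlab-test-bucket
"""
AFTER_CSV = """CHECK_ID;CHECK_TITLE;STATUS;SEVERITY;RESOURCE_UID
iam_policy_allows_privilege_escalation;IAM policy allows privilege escalation;PASS;high;arn:aws:iam::123456789012:role/cyberlab-vault-role
s3_bucket_public_access;S3 bucket does not block public access;PASS;high;arn:aws:s3:::cyberlab-test-bucket
iam_user_accesskey_unused;Unused IAM access key is still active;FAIL;medium;arn:aws:iam::123456789012:user/lab-user
cloudtrail_multi_region_enabled;CloudTrail is not enabled in all regions;FAIL;high;arn:aws:cloudtrail:us-east-1:123456789012:trail/cyberlab
"""


def load_failures(csv_text):
    """Map (CHECK_ID, RESOURCE_UID) -> row for every finding whose STATUS is FAIL."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=DELIMITER)
    return {(r["CHECK_ID"], r["RESOURCE_UID"]): r for r in reader if r["STATUS"] == "FAIL"}


def diff_reports(before_text, after_text):
    """Classify failures by key across the two runs, worst severity first in each bucket."""
    before, after = load_failures(before_text), load_failures(after_text)

    def rank(key, rows):
        # Unknown severities sort last; the key itself breaks ties deterministically.
        return (SEVERITY_RANK.get(rows[key]["SEVERITY"].lower(), 9), key)

    return {
        "remediated": sorted(set(before) - set(after), key=lambda k: rank(k, before)),
        "persisting": sorted(set(before) & set(after), key=lambda k: rank(k, after)),
        "new": sorted(set(after) - set(before), key=lambda k: rank(k, after)),
    }


if __name__ == "__main__":
    for bucket, keys in diff_reports(BEFORE_CSV, AFTER_CSV).items():
        print(f"{bucket} ({len(keys)}):")
        for check_id, resource in keys:
            print(f"  {check_id:45} {resource}")
```

Point it at the CSVs in two of the timestamped report directories and the "new" bucket catches regressions that a fix in one place introduced elsewhere, which a single HTML report does not show.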


Why This Stage Matters

This phase of CyberLab reinforced an important lesson: security isn't about the absence of incidents; it's about the presence of visibility. Without scanning, I would have assumed my Terraform setup was airtight. With Prowler, I had proof of where it wasn't.

The exercise also made something else clear. While tools like Prowler are powerful, they only get you so far. They tell you what's wrong, but they don't help you prioritize which issues matter most in your specific environment. That's where enterprises begin layering more advanced solutions like Cloud Security Posture Management (CSPM) or Cloud-Native Application Protection Platforms (CNAPP).


The Road Ahead

CyberLab was now at a stage where I could build, test, and validate. But the bigger question remained: how do organizations scale beyond individual misconfigurations into holistic protection? That's what the next phase is about, and why I started exploring tools that go beyond checks and into full lifecycle security.

Ready to explore? Check out CyberLab and see the hands-on security learning platform in action. Remember: it's for educational and research purposes only!