Cyquins Logo

Client User Guide

Your guide to completing security assessments and understanding your cyber risk score

1

Access Your Dashboard

Use the credentials from your broker's invitation email to log in

2

Start Security Assessment

Click 'Start Security Assessment' and follow the step-by-step instructions

3

Complete Questionnaire

After scan completes, fill out organizational questionnaire for complete HDI score

Security Assessments

  • Scan AWS, Azure, GCP, and Microsoft 365 environments
  • Automated security checks powered by Prowler
  • View detailed compliance and security findings
  • Track scan history and progress
  • Review recommendations to fix each finding

Organizational Questionnaire

  • Answer security policy and practice questions
  • Contributes 30% to your final HDI score
  • Auto-saves progress as you complete

HDI Cyber Risk Score

  • Comprehensive cyber security rating (0-100)
  • Combines technical scans with organizational maturity
  • Track improvements over time
  • Both complete questionnaire answered and scans are needed to calculate it

Running Your First Security Scan

  1. 1.Click 'Start Security Assessment' from dashboard
  2. 2.Choose cloud provider (AWS, Azure, GCP, or M365)
  3. 3.Follow provider-specific setup instructions
  4. 4.Enter required credentials or access keys
  5. 5.Start scan and wait for completion (typically 5-15 minutes)

Completing the Questionnaire

  1. 1.Answer questions about security policies and practices
  2. 2.Progress saves automatically as you go
  3. 3.Submit when complete to calculate final HDI score

Viewing Your Results

  1. 1.Navigate to 'Previous Assessments' section
  2. 2.Click 'View Results' on completed scan
  3. 3.Review HDI score, compliance findings, and recommendations
AWS

Amazon Web Services (AWS)

Comprehensive security assessment for AWS infrastructure

Azure

Microsoft Azure

Azure cloud security scanning and compliance checks

GCP

Google Cloud Platform (GCP)

Google Cloud Platform security analysis

M365

Microsoft 365

Microsoft 365 security configuration review

This guide covers setting up authentication for AWS security scanning using IAM roles or access credentials.

This method grants permanent access and is the recommended setup for production environments.

CloudFormation Setup Steps:

  1. Alternative: Use the CloudFormation Quick Create link from the scan setup page

  2. Open the AWS Console and search for CloudFormation(AWS CloudFormation)
    CloudFormation Search
  3. Go to Stacks and click "Create stack" > "With new resources (standard)"
    Create Stack
  4. In Specify Template, choose "Upload a template file" and select the downloaded file
    Upload Template File
    Upload From Downloads
  5. Click "Next", provide a stack name and the External ID
    Fill Stack Data
  6. Acknowledge the IAM resource creation warning and proceed
    Stack Creation Second Step
  7. Click "Submit" to deploy the stack
    Submit Stack

Use AWS access keys for authentication. Prefer short-term credentials over long-term keys.

Short-term credentials (Recommended):

Temporary credentials automatically expire, providing enhanced security for one-time scans.

How to get temporary credentials:

  1. Go to the AWS Console and open CloudShell (AWS CloudShell)
    AWS CloudShell
  2. Run the following command to get temporary session credentials:
    # Get session token (valid for 1 hour)
    aws sts get-session-token --duration-seconds 3600

    This generates temporary credentials that expire after 1 hour (3600 seconds). You can adjust the duration up to 36 hours.

  3. The command returns three values you'll need:
    AccessKeyId: AKIAIOSFODNN7EXAMPLE
    SecretAccessKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    SessionToken: FwoGZXIvYXdzEBYaD...
  4. Copy all three values (AccessKeyId, SecretAccessKey, SessionToken) and paste them when scanning

Alternative:

If you're already in AWS CloudShell, you can use the existing session credentials:

env | grep AWS

Copy the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN values from the output.

Long-term/Static Credentials (Not Recommended)

Static credentials do not expire and pose a higher security risk. Use temporary credentials or IAM roles instead whenever possible.

If you must use static credentials:

  1. Sign in to the AWS Management Console
  2. Navigate to IAM > Users (IAM Users)
  3. Select your user or create a new IAM user with SecurityAudit and ViewOnlyAccess policies
  4. Go to Security credentials tab
  5. Click "Create access key" and select "Third-party service" or "Other" as the use case
  6. Copy the Access Key ID and Secret Access Key (Session Token is not provided for static credentials)

Security Warning: Remember to delete these static credentials within 7 days after your scan is complete. Go to IAM > Users > Security credentials and delete the access key.

Deploy Prowler scanning role across all accounts in your AWS Organization using CloudFormation StackSets.

Step 1: Account Discovery Phase

Before scanning, you need to discover all accounts in your AWS Organization. This is a temporary step that requires management account credentials.

Required Permissions for Discovery

The user or role used for discovery must have these AWS Organizations permissions:

organizations:ListAccounts
organizations:DescribeOrganization

How to set up a discovery role in your management account:

  1. Sign in to your AWS management account
  2. Go to IAM > Roles and click "Create role"
  3. Select "AWS account" as trusted entity type, and choose "Another AWS account"
  4. Enter your management account ID (to allow assuming from the same account)
  5. Attach a policy with organizations:ListAccounts and organizations:DescribeOrganization permissions
  6. Name the role (e.g., "ProwlerDiscoveryRole") and copy the role ARN to use for discovery

Using the discovery role:

  1. Create temporary credentials that can assume the discovery role (use aws sts assume-role or CloudShell)
  2. Toggle "Scan Entire Organization" and provide the temporary access keys
  3. Click "Discover Accounts" to fetch all accounts from AWS Organizations API
  4. Review discovered accounts and uncheck any you want to exclude from scanning
  5. Switch to IAM Role authentication for secure scanning across all selected accounts

Important: The access keys provided must have permission to assume the discovery role with Organizations permissions. These credentials are only used temporarily for discovery and are NOT stored. After discovery, you must use IAM Role for secure organization-wide scanning.

CloudFormation StackSets Deployment Steps:

  1. Log in to your AWS management account
  2. Navigate to CloudFormation > StackSets (CloudFormation StackSets)
  3. Click "Create StackSet" and choose "Service-managed permissions"
  4. For template source, choose "Amazon S3 URL" and paste the template URL
  5. Provide the External ID parameter (shown in the scan setup page)
  6. Deploy to your entire organization or specific OUs, then wait for completion across all accounts

StackSet Template S3 URL:

https://prowler-cyquins-scan-templates-951042686288.s3.us-east-1.amazonaws.com/templates/v1/prowler-scan-role-cyquins.yml

Important: The External ID must match the one shown in your scan setup page. Use the same External ID for all accounts in the organization.

GCP supports two authentication methods. Choose the one that best fits your needs.

This method uses a service account with a downloaded JSON key file for authentication.

Steps to create a Service Account:

  1. Go to the Service Accounts page in the GCP Console
  2. Click "Create Service Account"
  3. Fill in the service account details and click "Create and Continue"
  4. Grant the service account the "Reader" role
  5. Click "Done"
  6. Find your service account in the list and click on it
  7. Go to the "Keys" tab
  8. Click "Add Key" → "Create new key"
  9. Select "JSON" and click "Create"
  10. Save the downloaded key file securely and paste its contents when scanning

This method uses the Google Cloud CLI to authenticate and is suitable for development and testing environments.

Steps to obtain OAuth2 credentials:

  1. In the GCP Console, click on "Activate Cloud Shell"
    Activate Cloud Shell
  2. Click "Authorize Cloud Shell" when prompted
    Authorize Cloud Shell
  3. Run the following command:gcloud auth application-default login
    Run gcloud auth command
  4. Type Y when prompted
  5. Open the authentication URL provided in a browser and select your Google account
    Choose account
  6. Follow the steps to obtain the authentication code
    Copy auth code
  7. Paste the authentication code back in Cloud Shell
    Enter auth code
  8. Use cat ~/.config/gcloud/application_default_credentials.json to view the temporary credentials file
    View credentials file

Extract these values for scanning:

  • client_id
  • client_secret
  • refresh_token
Extract values

Required Permissions

  • Reader role must be granted at the project, folder, or organization level
  • IAM API must be enabled in at least one project
  • Service Usage Consumer role is required for resource scanning
  • A quota project must be configured

This guide covers Service Principal authentication, the recommended method for secure access to your Azure subscriptions.

Required Permissions

Microsoft Entra ID Permissions

These permissions allow Prowler to retrieve metadata and perform Entra checks. While not mandatory, they enhance functionality.

Steps to assign required API permissions:

  1. Go to your App Registration > "API permissions"
    API Permission Page
  2. Click "+ Add a permission" > "Microsoft Graph" > "Application permissions"
    Add API Permission
    Microsoft Graph Detail
  3. Search and select the following permissions:
    • Directory.Read.All
    • Policy.Read.All
    • UserAuthenticationMethod.Read.All
    Domain Permission
  4. Click "Add permissions", then grant admin consent
    Grant Admin Consent

Subscription Scope Permissions

These RBAC roles must be assigned per subscription to perform security checks:

  • ReaderGrants read-only access to Azure resources
  • ProwlerRoleCustom role with minimal permissions for specific checks

Assigning "Reader" Role at the Subscription Level:

  1. Navigate to the subscription you want to audit
  2. In the left menu, select "Access control (IAM)"
  3. Click "+ Add" and select "Add role assignment"
  4. Search for "Reader", select it and click "Next"
  5. In the "Members" tab, click "+ Select members", then add the accounts
  6. Click "Review + assign" to finalize the role assignment

Assigning "ProwlerRole" Permissions:

  1. Download the Prowler Azure Custom Role JSON file
    Download Prowler Role
  2. Modify "assignableScopes" to match your Subscription ID
  3. Go to your Azure Subscription > "Access control (IAM)"
    IAM Azure Page
  4. Click "+ Add" > "Add custom role", choose "Start from JSON" and upload the file
    Add Custom Role
  5. Click "Review + Create" to finish
    Review and Create
  6. Return to "Access control (IAM)" and assign both Reader and ProwlerRole to your service principal
    Add Role Assignment

Creating the Service Principal

For detailed instructions on creating a service principal with the required credentials, visit the official documentation.

View Creating Prowler Service Principal Guide

This guide covers setting up app registration and permissions for Microsoft 365 security scanning.

Create Application Registration

  1. Access Microsoft Entra ID (Microsoft Entra ID)
    Microsoft Entra ID
  2. Navigate to "Applications" > "App registrations" (App Registrations)
    App Registration Menu
  3. Click "+ New registration", complete the form, and click "Register"
    New Registration
  4. Go to "Certificates & secrets" > "Client secrets" > "+ New client secret"
    Certificates & Secrets
  5. Fill in the required fields and click "Add", then copy the generated value
    New Client Secret

Grant Microsoft Graph API Permissions

  1. Go to App Registration > Select your app > click on "API permissions"
    API Permissions Page
  2. Click "+ Add a permission" > "Microsoft Graph" > "Application permissions"
    Add API Permission
  3. Search and select the required permissions:
    • AuditLog.Read.All
    • Directory.Read.All
    • Policy.Read.All
    • SharePointTenantSettings.Read.All
    Directory Permission
    Application Permissions
  4. Click "Add permissions", then click "Grant admin consent"

Grant PowerShell Module Permissions

Add Exchange API:

  1. Search and select "Office 365 Exchange Online" API
    Exchange API
  2. Select "Exchange.ManageAsApp" permission and click "Add permissions"
    Exchange Permission
  3. Assign Global Reader role to the app via "Roles and administrators"
    Roles and Administrators
    Global Reader Role

Add Teams API:

  1. Search and select "Skype and Teams Tenant Admin API"
    Teams API
  2. Select "application_access" permission and click "Add permissions"
    Teams Permission

Click "Grant admin consent" to grant admin consent for all permissions

Grant Admin Consent
Final Permissions

Certificate-based authentication replaces the client secret with an X.509 certificate. This is the recommended approach for production environments.

Generate the Certificate

Use OpenSSL to create a private key and self-signed certificate (macOS/Linux):

# Create a private key (keep this file private)
openssl genrsa -out prowlerm365.key 2048
# Create a self-signed certificate valid for two years
openssl req -x509 -new -nodes -key prowlerm365.key -sha256 -days 730 -out prowlerm365.cer -subj "/CN=ProwlerM365Cert"
# Package into a passwordless PFX bundle
openssl pkcs12 -export \
-out prowlerm365.pfx \
-inkey prowlerm365.key \
-in prowlerm365.cer \
-passout pass:

Important: Guard prowlerm365.key and prowlerm365.pfx files. Only upload the .cer file to Entra ID portal.

Upload the Certificate to Microsoft Entra ID

  1. Open Microsoft Entra ID > App registrations > your application
  2. Go to Certificates & secrets > Certificates
  3. Select Upload certificate and choose prowlerm365.cer
  4. Confirm the certificate appears with the expected expiration date

Encode Certificate for Prowler

base64 -i prowlerm365.pfx -o prowlerm365.pfx.b64
cat prowlerm365.pfx.b64 | tr -d '\n'

Copy the resulting single-line Base64 string to use in your credentials.

Provide Certificate to Prowler

Paste the Base64-encoded PFX content in the certificate field when scanning.

This method uses a client secret for authentication. Suitable for initial setup, but certificate authentication is recommended for production.

Steps to use Client Secret Authentication:

  1. Complete the App Registration steps above to create your application
  2. In the "Certificates & secrets" section, create a new client secret and copy the value
  3. Use the following values when configuring the scan:
AZURE_CLIENT_ID: From App Registration overview
AZURE_TENANT_ID: From App Registration overview
AZURE_CLIENT_SECRET: The secret value you copied

Note: Client secrets are long-lived credentials. For better security, use Certificate Authentication instead.

Assessment Mode

Trial mode - unlimited scans available. You can test all cloud providers before insurance activation.

Monthly Reporting Mode

Active insurance - 1 scan per provider per calendar month. Your insurance is active with monthly reporting.

Expired

Insurance expired - no scans available. Contact your broker to renew insurance coverage.

Your HDI Cyber Risk Score is a comprehensive security rating that combines technical infrastructure scans with organizational security practices:

Technical Scan Results
70%
Organizational Assessment
30%

Score Ranges:

80-100: Advanced - Good security posture
60-79: Progressive - Solid overall security
30-59: Intermediate - Needs improvements
<30: Poor - Immediate action needed

Initial Security Assessment

Run scans for all your cloud providers during trial period, complete questionnaire, review results with broker.

Monthly Reporting Scan

Run monthly scan to track security improvements and identify new issues in your infrastructure.

Improving Your Score

Use scan findings and recommendations to fix security issues, re-scan to see improvements reflected in score.

  • Complete questionnaire immediately after scan for most accurate HDI score
  • Review detailed findings in scan results to understand specific security issues
  • In monthly reporting mode, use monthly scan allowance strategically after implementing fixes
  • Contact your broker if you need help understanding results or recommendations
  • Keep credentials secure - never share scan access keys or passwords

If you need assistance with your security assessments or have questions about your results:

Contact Your Broker

Your broker's contact information is displayed in the 'Your Insurance Broker' section on your dashboard.