
Prowler 3.10.0 - Dance of Death

@MrCloudSec MrCloudSec released this 11 Oct 14:44

Then they summoned me over to join in with them
At the dance of the dead
Into the circle of fire I followed them
Into the middle I was led

Dance of Death is an Iron Maiden song, released on their 2003 album of the same name. The song combines the band's signature heavy metal sound with progressive elements. Lyrically, it tells the story of a medieval dance of death, a symbolic representation of mortality and the inevitability of death. The lyrics are filled with vivid, dark imagery, and the song features intricate guitar work and powerful vocals from Bruce Dickinson. Enjoy this great song (https://www.youtube.com/watch?v=3659fTXvFts) while reading what's new! 🎸

New features to highlight in this version:

⚙️ New checks for AWS!

  • New AWS IAM check iam_role_administratoraccess_policy.
  • New AWS WAFv2 check wafv2_webacl_logging_enabled.
  • The AWS IAM credentials checks (iam_disable_90_days_credentials, iam_disable_45_days_credentials and iam_disable_30_days_credentials) have been replaced by two generic checks, iam_user_accesskey_unused and iam_user_console_access_unused. By default they fail when the credential has been unused for 45 days; you can configure this threshold with the max_unused_access_keys_days and max_console_access_days configuration values. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/
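As an added illustration (not Prowler's own implementation), the Python below evaluates the logic these two generic checks describe over a constructed credential-report sample: the column names follow the AWS IAM credential report, the two threshold parameters mirror the documented configuration values with their 45-day default, and `NOW` is pinned so the result is reproducible.

```python
# Added example, not Prowler's code: unused-credential checks with configurable thresholds.
import csv
import io
from datetime import datetime, timezone

# Constructed sample shaped like a subset of the AWS IAM credential report columns.
SAMPLE_REPORT = """user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date
alice,true,2023-10-01T09:00:00+00:00,true,2023-10-10T09:00:00+00:00
bob,true,2023-05-01T09:00:00+00:00,false,N/A
carol,false,not_supported,true,2023-07-01T09:00:00+00:00
"""

# Fixed evaluation time (the release timestamp) so the day counts below are deterministic.
NOW = datetime(2023, 10, 11, 14, 44, tzinfo=timezone.utc)


def parse_ts(value):
    """Return a datetime for an ISO-8601 timestamp, or None for the report's 'no data' markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def unused_days(last_used, now=NOW):
    """Whole days elapsed since the credential was last used."""
    return (now - last_used).days


def evaluate(report_csv, max_unused_access_keys_days=45, max_console_access_days=45, now=NOW):
    """Map each user to {"accesskey": PASS/FAIL, "console": PASS/FAIL} for the credentials it has.

    Only active credentials with a recorded last use are evaluated; an active but never-used
    credential would need a creation-date based rule, which this sample deliberately omits.
    """
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        status = {}
        if row["access_key_1_active"] == "true":
            last = parse_ts(row["access_key_1_last_used_date"])
            if last is not None:
                over = unused_days(last, now) > max_unused_access_keys_days
                status["accesskey"] = "FAIL" if over else "PASS"
        if row["password_enabled"] == "true":
            last = parse_ts(row["password_last_used"])
            if last is not None:
                over = unused_days(last, now) > max_console_access_days
                status["console"] = "FAIL" if over else "PASS"
        results[row["user"]] = status
    return results
```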

Try them with prowler aws and improve your security posture now! 🔒

🏷️ Security Hub Tagging

  • Now Prowler will add AWS Resource Tags to every Security Hub finding and to json-asff outputs!

🧑‍🤝‍🧑 Five new Prowler contributors!

What's Changed

Features

  • feat(Dockerfile): add curl package to docker image by @n4ch04 in #2812
  • feat(iam): add new check iam_role_administratoraccess_policy by @kagahd in #2822
  • feat(iam): improve disable credentials checks by @sergargar in #2909
  • feat(json-asff): adds AWS resource tags in json-asff and SecurityHub findings by @sbldevnet in #2786
  • feat(unix timestamp): add the --unix-timestamp flag to docs by @n4ch04 in #2816
  • feat(unix timestamp): add unix timestamp to outputs by @n4ch04 in #2813
  • feat(wafv2): Add check wafv2_webacl_logging_enabled by @devopspacellp in #2898

Fixes

  • fix(acm): add certificate id by @sergargar in #2903
  • fix(apigw): KeyError name by @jfagoagas in #2858
  • fix(apikeys_..._90_days): fix key creation time with dynamic date by @n4ch04 in #2798
  • fix(autoscaling_find_secrets_ec2_launch_configuration): Fix UnicodeDecodeError by @jfagoagas in #2870
  • fix(aws): Include missing ARNs by @jfagoagas in #2880
  • fix(azure): Typo in SQL check by @JackStuart in #2881
  • fix(cloudtrail_s3_dataevents_read/write_enabled): Handle S3 ARN by @jfagoagas in #2844
  • fix(cloudwatch): ignore new lines in filters by @sergargar in #2912
  • fix(custom checks): fix import from s3 by @n4ch04 in #2901
  • fix(dockerfile): Use latest curl by @jfagoagas in #2897
  • fix(Dockerfile): update alpine version by @n4ch04 in #2925
  • fix(ds): GetSnapshotLimits for MicrosoftAD by @jfagoagas in #2859
  • fix(ebs): improve snapshot encryption logic and typos by @taylerhaviland in #2836
  • fix(ec2 ebs/instance checks): unify checks logic by @n4ch04 in #2795
  • fix(ec2 nacl checks): unify logic by @n4ch04 in #2799
  • fix(ec2 tests): add region and delete search sg checks by @n4ch04 in #2788
  • fix(ec2 tests): add tags and region non sg checks by @n4ch04 in #2781
  • fix(ec2_elastic_ip_unassigned): rename check by @n4ch04 in #2882
  • fix(ec2_instance_..._ssm): mock ssm service and client in all the tests by @n4ch04 in #2804
  • fix(eks_control_plane_endpoint_access_restricted): handle endpoint private access by @Fennerr in #2824
  • fix(eks_endpoints_not_publicly_accessible): handle endpoint private access by @Fennerr in #2825
  • fix(elb): add resource ARN to checks by @sergargar in #2906
  • fix(elbv2): Handle LoadBalancerNotFound by @jfagoagas in #2860
  • fix(findingID): remove duplicate finding IDs by @sergargar in #2890
  • fix(html): unroll regions set prior concat by @n4ch04 in #2790
  • fix(iam): findings of some checks may have been lost by @kagahd in #2847
  • fix(iam): Handle NoSuchEntityException in ListRolePolicies by @jfagoagas in #2857
  • fix(iam): Handle NoSuchEntity when calling list_role_policies by @jfagoagas in #2872
  • fix(iam credentials checks): unify logic by @n4ch04 in #2883
  • fix(iam creds checks): add missing tests and fix current ones by @n4ch04 in #2888
  • fix(iam creds tests): don't use search and negative indexes by @n4ch04 in #2899
  • fix(iam_inline_policy_no_administrative_privileges): set resource id as the entity name by @sergargar in #2820
  • fix(iam_policy_no_administrative_privileges): check does not exist and maps not to check122 by @kagahd in #2797
  • fix(is_valid_arn): include . into resource name by @n4ch04 in #2789
  • fix(outputs_unix_timestamp): Remove subsecond by @jfagoagas in #2861
  • fix(pipeline): launch linters with file changes by @n4ch04 in #2911
  • fix(policy_condition_parser): add StringEquals aws:SourceArn condition by @n4ch04 in #2793
  • fix(pre-commit): add file filter to python linters by @n4ch04 in #2818
  • fix(remove_custom_checks_module): delete service folder if empty by @n4ch04 in #2885
  • fix(s3_bucket_policy_public_write_access): Handle S3 Policy without Principal by @jfagoagas in #2871
  • fix(securityhub): archive SecurityHub findings in empty regions by @sergargar in #2908
  • fix(sqs_queues_not_publicly_accessible): Improve status extended by @Fennerr in #2848
  • fix(storage_ensure_minimum_tls_version_12): misspelling in metadata by @CameronTStark in #2835
  • fix(testing docs): fix testing docs typos and syntax by @n4ch04 in #2803
  • fix(version): add timeout and check HTTP errors by @sergargar in #2886
  • fix(vpc): solves CidrBlock KeyError by @sergargar in #2817
  • fix(vpc_peering_routing_tables_with_least_privilege): check only peering routes by @sergargar in #2887
  • fix(pull-request.yml): launch linters when source code modified by @n4ch04 in #2922
  • fix(build-lint-push pipeline): pass pipeline when ignored files by @n4ch04 in #2915

Full Changelog: 3.9.0...3.10.0