Skip to content

Prowler 3.11.0 - Rime Of The Ancient Mariner 👻🎃
Compare
Choose a tag to compare
@jfagoagas jfagoagas released this 31 Oct 13:24
· 2312 commits to master since this release
3.11.0
ab7ead2

Sailing on and on and north across the sea
Sailing on and on and north 'til all is calm

Dare to delve into this spectral realm, where the frightful protection of Prowler awaits you.
Happy haunting and secure coding this Halloween! 🧛‍♂️🕸️🌙

New features to highlight in this version:

🔎 Ignore Findings from services not in actual use

  • Prowler now allows you to ignore unused services findings, so you can reduce the number of findings in Prowler's reports.
    prowler <provider> --ignore-unused-services

See more in https://docs.prowler.cloud/en/latest/tutorials/ignore-unused-services/

⚙️ New AWS Allowlist including AWS Control Tower resources

  • New allowlist file that ensures that applies to all resources created by AWS Control Tower when setting up a landing zone:
    prowler aws --allowlist prowler/config/aws_allowlist.yaml

See more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/#default-aws-allowlist

🏷️ STS V2 Tokens

  • Now Prowler will call Regional AWS STS endpoints to get session tokens valid in all AWS Regions.

See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#sts-endpoint-region

New 9 checks for AWS!

  • New Account check account_maintain_different_contact_details_to_security_billing_and_operations
  • New CloudTrail check cloudtrail_multi_region_enabled_logging_management_events
  • New EC2 DataLifecycle Manager service and check dlm_ebs_snapshot_lifecycle_policy_exists
  • New EC2 EBS check ec2_ebs_volume_snapshots_exists
  • New DocumentDB service and check documentdb_instance_storage_encrypted
  • New Support check trustedadvisor_premium_support_plan_subscribed
  • New Neptune service and check neptune_cluster_uses_public_subnet
  • New Elasticache service and check elasticache_cluster_uses_public_subnet
  • New IAM check iam_user_with_temporary_credentials

Thanks to Jit @jit-contrib for their help on this checks.

Try them with prowler aws and improve your security posture now! 🔒

📝 Check Aliases are now supported

  • Now, Prowler allows you to use aliases for the checks. You only have to add the CheckAliases key to the check's metadata with a list of the aliases and then, you can execute it with: prowler <provider> -c/--checks <check_alias_1>

See more in https://docs.prowler.cloud/en/latest/tutorials/check-aliases/

What's Changed

Features

  • feat(alias): add check alias functionality by @sergargar in #2971
  • feat(allowlist): allowlist non-default regions configuration by @sergargar in #2974
  • feat(aws): New CloudTrail, DLM, DocumentDB, EC2, Account and Support checks by @jit-contrib in #2675
  • feat(aws): New Neptune, ElastiCache, APIGW and IAM checks by @jit-contrib in #2862
  • feat(controltower): add AWS Control Tower resources to default Allowlist configuration file by @sergargar in #2953
  • feat(ignore unused services): add --ignore-unused-services argument to ignore findings from services not in actual use by @sergargar in #2936
  • feat(report interface): add reporting interface call after report by @n4ch04 in #2948
  • feat(vpc): add vpc, nacl or subnet names in findings by @sergargar in #2928

Fixes

  • fix(allowlist): verify if allowlist file exists by @sergargar in #2988
  • fix(APIGateway): Improve check naming by @sergargar in #2952
  • fix(cis): remove new lines in CIS csv by @sergargar #2989
  • fix(cloudtrail service): typo in logging info by @n4ch04 in #2976
  • fix(ec2_instance_imdsv2_enabled ): verify if metadata service is disabled by @therealtoastycat in #2978
  • fix(ec2_securitygroup_not_used): Mock Lambda service by @jfagoagas in #2947
  • fix(elbv2_desync_mitigation_mode): improve logic by @sergargar in #2986
  • fix(gcp): set always location to lowercase by @sergargar in #2970
  • fix(GuardDuty): Add enabled_in_account parameter by @jfagoagas in #2979
  • fix(outputs): remove empty outputs by @sergargar #2990
  • fix(resource filters): add missing resource filters by @sergargar in #2951
  • fix(security group): check if security groups are used by Lambda by @sergargar in #2944
  • fix(sqs): Handle AWS.SimpleQueueService.NonExistentQueue in list_queue_tags by @jfagoagas in #2939
  • fix(sts): force v2 STS tokens by @sergargar in #2956
  • fix(vpc): ignore com.amazonaws.vpce endpoints by @sergargar in #2929
  • fix(vpc_endpoint_services_allowed_principals_trust_boundaries): Principal by @jfagoagas #2991
  • fix(tests): remove tests folder after execution by @jfagoagas in #2962

Documentation

  • chore(docs): Add report.region criteria by @jfagoagas in #2930
  • docs(config): add missing configurable variables by @kagahd in #2941
  • chore(docs): add STS Endpoint and Allowlist updates by @sergargar in #2964
  • chore(docs): allowlist non-default regions by @sergargar in #2980
  • docs(v2_v3_mapping): document prowler v3.10.0 changes by @kagahd in #2955

Chores

  • chore(regions_update): Changes in regions for AWS services. by @sergargar in #2927, #2937, #2942, #2945, #2954, #2961
  • chore(allowlist): Extract allowlist from report by @jfagoagas in #2975
  • chore(allowlist): prettify allowlist names by @sergargar in #2963
  • chore(APIGatewayV2): improve check naming by @sergargar in #2966
  • chore(create_role_to_assume_cfn.yaml): Add DLM permissions by @sergargar in #2949
  • chore(gcp): print inactive GCP APIs by @sergargar in #2987
  • chore(github): ignore permissions path in GitHub actions by @sergargar in #2950
  • chore(permissions): add DLM permissions by @sergargar in #2946

Dependencies

New Contributors

Full Changelog: 3.10.0...3.11.0

Contributors

jfagoagas, kagahd, and 5 other contributors
Assets 2
Loading