Prowler 3.12.0 - Running Free

@jfagoagas jfagoagas released this 08 Jan 13:44
· 2172 commits to master since this release

Just sixteen, a pickup truck, out of money, out of luck
I've got nowhere to call my own, hit the gas, and here I go
I'm running free yeah, I'm running free
I'm running free yeah, oh I'm running free

Iron Maiden's Running Free was released as a single from their first album back in 1980. This song is all about running wild and running free, as we do at Prowler: making cloud security open and transparent, easy to use and easy to customize, for you and thousands of organizations around the world.

Hit the gas, and here I go! This version is full of new features and important improvements requested by our vibrant community. Go ahead and smash your electric guitar and use Prowler straightaway, either on your own or through our service at prowler.com.

Enjoy it! 🤘🏽🔥

New features to highlight in this version:

✍️ Custom Checks Metadata

  • Now you can override the severity of a check using --custom-checks-metadata-file custom_checks_metadata.yaml. (Thanks @venkyvajrala for the feature!)

See more in https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/

👷 Custom AWS Role Session name

  • Now you can customize the Role Session name that Prowler uses when assuming an AWS Role with --role-session-name <role_session_name>.

See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#custom-role-session-name
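Why a distinct session name matters in practice: CloudTrail records the session name as the last segment of the assumed-role ARN, so it can separate scheduled Prowler scans from other uses of the same role. The following is an added example, not Prowler code; the account ID, role name, session names and log records are constructed for illustration.

```python
from collections import Counter

ACCT = "123456789012"  # constructed account ID

def _ar(role, session):
    # Assumed-role ARN layout: arn:aws:sts::<account>:assumed-role/<role>/<session>
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCT}:assumed-role/{role}/{session}"}

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
     "userIdentity": _ar("ProwlerScanRole", "prowler-weekly-audit")},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": _ar("ProwlerScanRole", "prowler-weekly-audit")},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": _ar("ProwlerScanRole", "jdoe-manual")},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": _ar("OtherRole", "prowler-weekly-audit")},
]

def parse_assumed_role_arn(arn):
    """Return (account_id, role_name, session_name), or None for any other ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None
    resource = parts[5].split("/")
    if len(resource) != 3 or resource[0] != "assumed-role":
        return None
    return parts[4], resource[1], resource[2]

def calls_by_session(records, role_name):
    """Count API calls per (session name, event source) made through one role."""
    counts = Counter()
    for rec in records:
        identity = rec.get("userIdentity", {})
        if identity.get("type") != "AssumedRole":
            continue  # IAM users, root and service principals carry no session name
        parsed = parse_assumed_role_arn(identity.get("arn", ""))
        if parsed is None or parsed[1] != role_name:
            continue
        counts[(parsed[2], rec.get("eventSource", "unknown"))] += 1
    return counts

if __name__ == "__main__":
    for (session, source), n in sorted(calls_by_session(SAMPLE_RECORDS, "ProwlerScanRole").items()):
        print(f"{session:24} {source:22} {n}")
```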

🔧 Scan only AWS enabled regions

  • Prowler now scans only the AWS regions that are enabled, making the scan faster because services are no longer reviewed in regions that are not enabled.

🧵 Improved threading using ThreadPoolExecutor

  • The AWS service now uses a ThreadPoolExecutor to improve concurrency management, allowing work to be parallelised per resource and not only per region. Thanks to @Fennerr for the improvement!

🐛 Bug fixing

  • Now the AWS Lambda service scans each Lambda function for secrets without the need to persist the code in memory, which drastically reduces memory usage.
  • Tons of bug fixes in services, outputs, checks and some other core functions.

Features

  • feat(cognito): add Amazon Cognito service by @sergargar in #3060
  • feat(custom_checks_metadata): Add checks metadata override for severity by @venkyvajrala in #3038
  • feat(aws): Added AWS role session name parameter by @Fennerr in #3234
  • feat(securityhub): Send only FAILs but storing all in the output files by @jfagoagas in #3195

Fixes

  • fix(access-analyzer): Handle ValidationException by @jfagoagas in #3165
  • fix(allowlist): Analyse single and multi account allowlist if present by @jfagoagas in #3210
  • fix(apigw_restapi_auth check): add method auth testing by @n4ch04 in #3183
  • fix(aws_regions): Get enabled regions by @jfagoagas in #3095
  • fix(clean local output dirs): change function description by @n4ch04 in #3068
  • fix(cloudtrail): Handle UnsupportedOperationException by @jfagoagas in #3166
  • fix(codeartifact): solve dependency confusion check by @congon4tor in #2999
  • fix(deps): Add missing jsonschema by @jfagoagas in #3052
  • fix(docs): csv fields by @n4ch04 in #3092
  • fix(docs): typo in reporting/csv by @n4ch04 in #3094
  • fix(elasticache): Handle CacheClusterNotFound by @jfagoagas in #3174
  • fix(fms): Handle PolicyComplianceStatusList key error by @jfagoagas in #3230
  • fix(gcp): fix UnknownApiNameOrVersion error by @sergargar in #3202
  • fix(gcp): improve logging messages by @sergargar in #3185
  • fix(gcp provider): move generate_client for consistency by @n4ch04 in #3064
  • fix(generate_regional_clients): Global is not needed anymore by @jfagoagas in #3162
  • fix(iam): Handle NoSuchEntity in list_group_policies by @jfagoagas in #3197
  • fix(json-ocsf): add profile only for AWS provider by @sergargar in #3051
  • fix(lambda): memory leakage with lambda function code by @Fennerr in #3167
  • fix(organizations_scp_check_deny_regions): enhance check logic by @sergargar in #3239
  • fix(outputs): initialize_file_descriptor is called dynamically by @n4ch04 in #3050
  • fix(s3): Handle NoSuchBucket in the service by @jfagoagas in #3173
  • fix(s3): handle NoSuchBucketPolicy error by @sergargar in #3217
  • fix(send_to_s3_bucket): don't kill exec when fail by @n4ch04 in #3088
  • fix(set_azure_audit_info): assign correct logging when no auth by @n4ch04 in #3063
  • fix(threading): Improved threading for the AWS Service by @Fennerr in #3175
  • fix(trustedadvisor): handle missing dict key by @n4ch04 in #3075
  • fix(trustedadvisor): solve trustedadvisor check metadata by @sergargar in #3216
  • fix(vpc_different_regions): Handle if there are no VPC by @williambrady in #3081
  • revert(clean local dirs): delete clean local dirs output feature by @n4ch04 in #3087

Chores

  • chore(actions): not launch linters for mkdocs.yml by @n4ch04 in #3093
  • chore(actions prowler4): add prowler 4.0 branch to actions by @n4ch04 in #3184
  • chore(elb): Improve status in elbv2_insecure_ssl_ciphers by @Fennerr in #3169
  • chore(ens): do not apply recommendation type to score by @sergargar in #3058
  • chore(moto): install all moto dependencies by @sergargar in #3048
  • chore(python): update python version constraint <3.12 by @sergargar in #3047
  • chore(s3 bucket input validation): validates input bucket by @n4ch04 in #3198
  • chore(sqs_...not_publicly_accessible): less restrictive condition test by @n4ch04 in #3211
  • chore: changed concatenation of strings to f-strings to improve readability by @eukub in #3227
  • chore(exception): handle error in describing regions by @sergargar in #3241
  • chore(role arguments): enhance role arguments validation by @sergargar in #3240
  • chore(regions_update): Changes in regions for AWS services. by @sergargar in #3045, #3168, #3059, #3079, #3065, #3074, #3182, #3189, #3196
  • refactor(cloudwatch): simplify logic by @jfagoagas in #3172
  • refactor(load_checks_to_execute): Refactor function and add tests by @jfagoagas in #3066
  • refactor(severities): Define it in one place by @jfagoagas in #3086

Docs

  • docs(aws): Added debug information to inspect retries in API calls by @Fennerr in #3186
  • docs(cloudshell): Add missing steps to workaround by @AlexGidarakos in #3191
  • docs(cloudshell): Add workaround to clone from github by @jfagoagas in #3190
  • docs(cloudshell): Update AWS CloudShell installation steps by @AlexGidarakos in #3192
  • docs(parallel-execution): Combining the output files by @Fennerr in #3096
  • docs(parallel-execution): How to execute it in parallel by @Fennerr in #3091

Dependencies

Tests

New Contributors

Full Changelog: 3.11.3...3.12.0