Prowler 3.9.0 - Flash of the Blade

@jfagoagas jfagoagas released this 25 Aug 10:43

As a young boy chasing dragons
With your wooden sword so mighty
You're St. George or you're David and you always killed the beast
Times change very quickly and you had to grow up early
A house in smoking ruins and the bodies at your feet

Sometimes chasing dragons and sometimes walking on the edge of the blade. Iron Maiden's song Flash of the Blade tells a good story about what comes to the table these days. Enjoy this great song written by Bruce Dickinson back in 1984 (https://www.youtube.com/watch?v=Qx0s8OqgBIw) while reading what's new!

New features to highlight in this version:

⚙️ New checks for AWS!

  • New AWS Athena service with two new checks athena_workgroup_encryption and athena_workgroup_enforce_configuration.
  • New AWS S3 check s3_bucket_kms_encryption.
  • New AWS EC2 check ec2_instance_detailed_monitoring_enabled.
  • New AWS IAM check iam_inline_policy_no_administrative_privileges, backed by a new feature in the IAM service, which can now retrieve the inline policies of Users, Roles and Groups.
  • The AWS ECR check ecr_repositories_scan_vulnerabilities_in_latest_image now lets you configure the minimum severity at which it raises a FAIL finding, using the ecr_repository_vulnerability_minimum_severity configuration value. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/

Try them with prowler aws and improve your security posture now! 🔒
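
How a minimum-severity threshold such as ecr_repository_vulnerability_minimum_severity changes the outcome for one scan summary, as an added example that is not Prowler's own code. The function name, the MEDIUM default, the ranking tuple and the handling of unscanned images are assumptions of this sketch; the input is shaped like the findingSeverityCounts map that ECR returns for an image.

```python
# Added illustration, not Prowler's implementation.
# Severity labels as ECR reports them in findingSeverityCounts, lowest first.
SEVERITY_ORDER = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def evaluate_latest_image(severity_counts, minimum_severity="MEDIUM"):
    """Return (status, detail) for the latest image of one repository.

    severity_counts: dict shaped like ECR's findingSeverityCounts,
    or None when the image has no scan results.
    minimum_severity: stands in for ecr_repository_vulnerability_minimum_severity.
    """
    threshold = minimum_severity.upper()
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown minimum severity: {minimum_severity!r}")
    if severity_counts is None:
        # Assumption of this sketch: an unscanned image is not a clean image.
        return "FAIL", "no scan results for the latest image"

    floor = SEVERITY_ORDER.index(threshold)
    # Keep only findings at or above the threshold; labels outside the
    # ranking (for example UNDEFINED) are not counted here.
    relevant = {
        sev: count
        for sev, count in severity_counts.items()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= floor and count > 0
    }
    if not relevant:
        return "PASS", f"no findings at {threshold} or above"
    summary = ", ".join(
        f"{sev}: {relevant[sev]}" for sev in reversed(SEVERITY_ORDER) if sev in relevant
    )
    return "FAIL", f"findings at {threshold} or above ({summary})"


# Constructed sample input: one scan summary judged under three thresholds.
SAMPLE_COUNTS = {"HIGH": 2, "MEDIUM": 7, "LOW": 12, "UNDEFINED": 1}

if __name__ == "__main__":
    for level in ("CRITICAL", "HIGH", "MEDIUM"):
        print(level, evaluate_latest_image(SAMPLE_COUNTS, level))
```

The same image passes with the threshold at CRITICAL and fails at HIGH or MEDIUM, so raising the threshold hides findings rather than removing them.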

🖌️ New CLI flag

  • List all the checks in JSON format, ready to be consumed by the --checks-file flag. Try it with prowler aws --list-checks-json.

📖 Developer Guide

🧑‍🤝‍🧑 Two new Prowler contributors!

What's Changed

Features

  • feat(s3): Add S3 KMS encryption check by @singergs in #2757
  • feat(ec2): New check ec2_instance_detailed_monitoring_enabled by @vysakh-devopspace in #2735
  • feat(checks): dump all checks as a json file by @jchrisfarris in #2683
  • feat(ecr_repositories_scan_vulnerabilities_in_latest_image): Minimum severity is configurable by @jfagoagas in #2736
  • feat(iam): Check inline policies in IAM Users, Groups & Roles for admin priv's by @gerardocampo in #2750
  • feat(compliance): Update AWS compliance frameworks after PR 2750 by @gerardocampo in #2771
  • feat(athena): New AWS Athena service + 2 workgroup checks by @jfagoagas in #2696

Fixes

  • fix(azure): Status extended ends with a dot by @jfagoagas in #2725
  • fix(is_account_only_allowed_in_condition): Context name on conditions are case-insensitive by @christiandavilakoobin in #2726
  • fix(gcp): Status extended ends with a dot by @jfagoagas in #2734
  • fix(get_checks_from_input_arn): fix function and add tests by @n4ch04 in #2749
  • fix(get_checks_from_input_arn): fix logic and add tests by @n4ch04 in #2764
  • fix(get_regions_from_audit_resources): fix logic and add tests by @n4ch04 in #2766
  • fix(nacls): Tests by @jfagoagas in #2760
  • fix(iam_policy_allows_privilege_escalation): Handle admin permission so * by @jfagoagas in #2763
  • fix(checks_to_execute): --checks and --resource_arn working together by @jfagoagas in #2743
  • fix(ec2_securitygroup_default_restrict_traffic): fix check only allow empty rules by @n4ch04 in #2777

Chores

Security

Documentation

Dependencies

  • build(deps-dev): bump vulture from 2.7 to 2.8 by @dependabot in #2727
  • build(deps): bump mkdocs-material from 9.1.20 to 9.1.21 by @dependabot in #2728
  • build(deps): bump google-api-python-client from 2.95.0 to 2.96.0 by @dependabot in #2729
  • build(deps-dev): bump coverage from 7.2.7 to 7.3.0 by @dependabot in #2730
  • build(deps): bump azure-identity from 1.13.0 to 1.14.0 by @dependabot in #2731
  • build(deps): bump mkdocs-material from 9.1.21 to 9.2.1 by @dependabot in #2752
  • build(deps): bump google-api-python-client from 2.96.0 to 2.97.0 by @dependabot in #2753
  • build(deps-dev): bump pytest-randomly from 3.13.0 to 3.15.0 by @dependabot in #2755
  • build(deps): bump azure-mgmt-storage from 21.0.0 to 21.1.0 by @dependabot in #2756
  • build(deps): bump shodan from 1.29.1 to 1.30.0 by @dependabot in #2754

Tests

New Contributors

Full Changelog: 3.8.2...3.9.0