Releases: prowler-cloud/prowler

Prowler 3.1.4 - Revelations

07 Feb 16:55
8e8a490

Chores

  • chore(regions_update): Changes in regions for AWS services. by @github-actions in #1812
  • chore(issues): update bug_report.md by @toniblyx in #1844
  • chore(security hub): improve securityhub_enabled check logic by @sergargar in #1851
  • build(deps-dev): bump moto from 4.1.1 to 4.1.2 by @dependabot in #1845
  • build(deps-dev): bump sure from 2.0.0 to 2.0.1 by @dependabot in #1847
  • build(deps-dev): bump openapi-spec-validator from 0.5.4 to 0.5.5 by @dependabot in #1846
  • build(deps-dev): bump pylint from 2.16.0 to 2.16.1 by @dependabot in #1823

Fixes

  • fix(readme): correct PyPi download link by @sergargar in #1836
  • fix(lambda-runtime): Init value must be empty string by @jfagoagas in #1837
  • fix(errors): solve CloudWatch, KMS, EMR and OpenSearch service errors by @sergargar in #1843
  • fix(kms): call GetKeyRotationStatus only for Customer Keys by @sergargar in #1842
  • fix(checks): solve different errors in EFS, S3 and VPC by @sergargar in #1841
  • fix(exit_code): change sys exit code to 1 in Critical Errors by @sergargar in #1853
  • fix(iam): change prowler additional policy json due errors in creation by @theist in #1852

New Contributors

Full Changelog: 3.1.3...3.1.4

Prowler 3.1.3 - Revelations

03 Feb 14:13

Chores

  • chore(readme): add prowler PyPi stats by @sergargar in #1798
  • chore(regions): Change feat to chore by @jfagoagas in #1805
  • chore(regions_update): Changes in regions for AWS services. by @github-actions in #1812
  • chore(logs): improve check error logs by @sergargar in #1818
  • chore(audit metadata): retrieve audit metadata from execution by @n4ch04 in #1803
  • build(deps-dev): bump pylint from 2.15.10 to 2.16.0 by @dependabot in #1815
  • build(deps-dev): bump openapi-spec-validator from 0.5.2 to 0.5.4 by @dependabot in #1821

Fixes

  • fix(kms): add symmetric condition to kms_cmk_rotation_enabled check by @sergargar in #1788
  • fix(partition): add dynamic partition in CloudTrail S3 DataEvents checks by @sergargar in #1787
  • fix(metadata): use docs.aws.amazon.com like other aws checks, not docs.amazonaws.cn by @ifduyue in #1790
  • fix(allowlist): validate allowlist for any database format (file, dynamo, s3, etc) by @pplu in #1792
  • fix(accessanalyzer_enabled_without_findings): fixed status findings by @n4ch04 in #1799
  • fix(iam_policy_no_administrative_privileges): check only : permissions by @sergargar in #1802
  • fix(iam_avoid_root_usage): correct date logic by @sergargar in #1801
  • fix(ec2_securitygroup_not_used): ignore default security groups by @sergargar in #1800
  • fix(accessanalyzer): no analyzers using pydantic by @n4ch04 in #1806
  • fix(cloudtrail): improve cloudtrail_cloudwatch_logging_enabled status extended by @sergargar in #1813
  • fix(KeyError): handle service key errors by @sergargar in #1819
  • fix(metadata) fixed typo in title for awslambda_function_not_publicly… by @daftkid in #1826
  • fix(KeyError): handle service key errors by @sergargar in #1831
  • fix(cloudtrail): included advanced data events selectors by @n4ch04 in #1814
  • fix(shub): update link to Security Hub documentation by @sergargar in #1830
  • fix(awslambda_function_no_secrets_in_code): Retrieve Code if set by @jfagoagas in #1833
  • fix(action): Build from release branch by @jfagoagas in #1834
  • fix(errors): solve different errors in KMS, EFS and Lambda by @sergargar in #1835

New Contributors

Full Changelog: 3.1.2...3.1.3

Prowler 3.1.2 - Revelations

26 Jan 11:49
fc38ba3

Chores

  • chore(contrib): Enables a new CloudFormation of CodeBuild for v3 by @sergargar in #1764
  • chore(readme): Update pip package name, now prowler or prowler-cloud can be used to install Prowler by @sergargar in #1768

Fixes

  • fix(docs): Changed the azure subscription file text #HSFDPMUW by @Leon114m in #1749
  • fix(inventory): update resource type for SQS and SNS by @vabagaria in #1747
  • fix(metadata): solve metadata replace by @sergargar in #1755
  • fix(iam): IAM status messages switched fail and pass text and some grammar by @acknosyn in #1756
  • fix(iam): handle credential report errors by @sergargar in #1765
  • fix(json): close Json correctly when no findings by @sergargar in #1773
  • fix(apigatewayv2): correct apigatewayv2_access_logging_enabled check title by @sergargar in #1769
  • fix(IAM): remove duplicate list_policies function by @sergargar in #1763
  • fix(cloudtrail_multi_region_enabled): fixed region when no trails by @n4ch04 in #1774
  • fix(severity): update severities for Security Hub, GuardDuty and NACL related checks by @sergargar in #1775

Docs

  • docs(grammar): Improved grammar in the Documentation paragraph by @Ozan-Ekinci in #1776
  • docs(grammar): Improved grammar in the AZ CLI / Browser / Managed Identity authentication paragraph by @Ozan-Ekinci in #1745

New Contributors

Full Changelog: 3.1.1...3.1.2

Prowler 3.1.1 - Revelations

20 Jan 14:24
5ebdf66

Chores

  • chore(release): add PyPi GitHub Action by @sergargar in #1724
  • chore(regions_update): Changes in regions for AWS services. by @github-actions in #1730
  • chore(dispatch): dispatch triggered actions by @n4ch04 in #1739
  • chore(code-ql): Include security linter by @jfagoagas in #1703

Fixes

  • fix(arguments): improve quiet option by @sergargar in #1723
  • fix(allowlist): add yaml structure validator by @sergargar in #1735
  • fix(pipeline): fixed typo in main pipeline by @n4ch04 in #1740
  • fix(rds): remove DocumentDB from RDS by @sergargar in #1737
  • fix(actions): Exclude docs folder in action by @jfagoagas in #1743
  • fix(IAM): add missing permissions for Prowler by @sergargar in #1731
  • fix(allowlist): remove re.escape by @sergargar in #1734
  • fix(lambda): solve lambda errors by @sergargar in #1732
  • fix(pypi): replicate package to have Prowler in PyPi by @sergargar in #1727

Docs

  • docs(mapping): add mapping of v2 to v3 checks and update pip package name by @toniblyx in #1742

Full Changelog: 3.1.0...3.1.1

Prowler 3.1.0 - Revelations

17 Jan 12:15
70c6d6e

"The swords of scorn divide,
Take not thy thunder from us,
But take away our pride."

Revelations is the second song on Iron Maiden's Piece of Mind album and was written by Bruce Dickinson.

This last month has been a real revelation for us: we realized how big our community is and how well received version 3 has been. We have passed 2 million downloads 🚀 since the project started (not counting forks). As a reference, see the OSS Insight stats for the last month at https://ossinsight.io/collections/security-tool, where we became the top 1 tool thanks to all of you!

What's Changed:

New AWS check iam_role_cross_service_confused_deputy_prevention:

Ensure IAM service roles are protected against a cross-service confused deputy attack. Use the aws:SourceArn and aws:SourceAccount global condition context keys in trust relationship policies to limit the permissions that a service has to a specific resource. More information at https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention.
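As an added example (not Prowler's own check code), here is a minimal evaluator that inspects an IAM role trust policy for the aws:SourceArn / aws:SourceAccount conditions the check looks for, applied to a constructed vulnerable policy and its hardened counterpart. The account id, trail ARN and service principals in the sample policies are assumptions, and the treatment of negated, Null and ...IfExists operators as non-protective is this example's own reading of the documentation.

```python
import json

# Constructed sample trust policies (illustrative, not from Prowler's test suite).
# The vulnerable one trusts a service principal with no source restriction.
VULNERABLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# The hardened one pins both the calling account and the ARN of the calling resource.
HARDENED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "123456789012"},
      "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/*"}
    }
  }]
}""")

CONFUSED_DEPUTY_KEYS = {"aws:sourcearn", "aws:sourceaccount"}
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}

def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _service_principals(principal):
    """Service principals of a statement; "*" and account/user principals are ignored."""
    if isinstance(principal, dict):
        return _as_list(principal.get("Service", []))
    return []

def _has_confused_deputy_condition(statement):
    """True if the statement pins the caller with aws:SourceArn or aws:SourceAccount."""
    for operator, keys in statement.get("Condition", {}).items():
        op = operator.lower()
        # ...IfExists variants pass when the key is absent, so they do not pin the source.
        if op.endswith("ifexists"):
            continue
        # Only positive matching operators count; StringNotEquals or Null do not pin a value.
        if not op.startswith(("stringequals", "stringlike", "arnequals", "arnlike")):
            continue
        if any(key.lower() in CONFUSED_DEPUTY_KEYS for key in keys):
            return True
    return False

def unprotected_service_principals(trust_policy):
    """Service principals that may assume the role without a source-pinning condition.
    An empty result means the trust policy passes the confused-deputy prevention check."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ROLE_ACTIONS:
            continue
        services = _service_principals(stmt.get("Principal", {}))
        if services and not _has_confused_deputy_condition(stmt):
            findings.extend(services)
    return findings
```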

  • feat(check): add iam_role_cross_service_confused_deputy_prevention check by @Fennerr and @sergargar in #1710
  • feat(report): Support to custom report interface by @n4ch04 in #1702
  • feat(ecs_task_definitions_no_environment_secrets): Update resource_id by @Fennerr in #1665
  • feat(iam): Add IAM Role Class by @sergargar in #1709
  • feat(only_logs): New logging flag to only show execution logs by @jfagoagas in #1708
  • feat(regions_update): Changes in regions for AWS services by @github-actions

Fixes:

  • fix(trustedadvisor_errors_and_warnings): add region by @sergargar in #1662
  • fix(docs): Include a comma in the permissions paragraph #HSFDPMUW by @Leon114m in #1668
  • fix(s3): Add S3 ResourceArn by @gabrielsoltz in #1666
  • fix(shub): associate resource_arn as resourceId in Security Hub by @sergargar in #1672
  • fix(compliance): Security Hub working with compliance by @sergargar in #1673
  • fix(config): path error in Windows environment by @sergargar in #1684
  • docs: Edit troubleshooting page by @n4ch04 in #1685
  • fix: remove unnecessary print by @sergargar in #1686
  • fix(services): Handle KeyErrors from AWS by @sergargar in #1690
  • fix(path): aws_regions_by_service.json: FileNotFoundError[13] by @sergargar in #1689
  • fix: deleted test exclusion in name loading checks by @n4ch04 in #1694
  • fix(docs): Add security section and solve images location by @sergargar in #1696
  • fix(cloudwatch_service): set default region in CloudWatch by @sergargar in #1693
  • fix: VPC Key Error by @sergargar in #1695
  • fix: Solve IAM policy Errors by @sergargar in #1692
  • fix(quick_inventory): Prowler quick inventory for US GovCloud and China by @toniblyx in #1698
  • fix(docs): correct permissions links by @sergargar in #1701
  • fix(docs): Include a new comma in the Basic Usage paragraph #HSFDPMUW by @Leon114m in #1705
  • fix(docs): Include multiple commas in the troubleshooting file #HSFDPMUW by @Leon114m in #1706
  • fix(apigateway): Add ApiGateway ResourceArn and check fixes by @gabrielsoltz in #1707
  • fix(ec2_elastic_ip_unassgined): Incorrect ResourceType for check ec2_elastic_ip_unassgined by @gabrielsoltz in #1711
  • fix(action): add permissions to Github action by @sergargar in #1712
  • fix(fill_html_overview_statistics): Handle if file exists by @jfagoagas in #1718
  • fix(error): ecr_repositories_scan_vulnerabilities_in_latest_image report not found by @sergargar in #1719
  • build(deps-dev): bump pytest from 7.2.0 to 7.2.1 by @dependabot in #1715
  • build(deps-dev): bump pylint from 2.15.9 to 2.15.10 by @dependabot in #1676
  • build(deps-dev): bump moto from 4.0.13 to 4.1.0 by @dependabot in #1675
  • build(deps-dev): bump coverage from 7.0.3 to 7.0.4 by @dependabot in #1678
  • build(deps-dev): bump vulture from 2.6 to 2.7 by @dependabot in #1677
  • build(deps-dev): bump coverage from 7.0.4 to 7.0.5 by @dependabot in #1688
  • build(deps-dev): bump openapi-spec-validator from 0.5.1 to 0.5.2 by @dependabot in #1716
  • docs: Placed a comma in the Service Principal authentication paragraph by @Ozan-Ekinci in #1713
  • docs(SECURITY.md): Include Security Policy by @toniblyx in #1697

New Contributors:

Full Changelog: 3.0.2...3.1.0

Prowler 3.0.2 - Piece of Mind

05 Jan 13:01
efa83e0

Features

  • feat(regions_update): changes in regions for AWS services. by @github-actions in #1629 and #1646
  • feat(aws-regions): update refresh regions action by @sergargar in #1641
  • feat(ec2): add ResourceArn by @gabrielsoltz in #1649
  • feat(ecs_task_definitions_no_environment_secrets): update recommendation by @Fennerr in #1658
  • feat(ecs_task_definitions_no_environment_secrets): add ECS task revision number by @Fennerr in #1657

Fixes

  • fix(typo): Prowler for Azure by @cclauss in #1619
  • fix(output_filename): Use custom output filename when set by @jfagoagas in #1632
  • fix(iam_user_mfa_enabled_console_access): password enabled issues by @n4ch04 in #1634
  • fix(security-hub): apply -q to security hub by @sergargar in #1637
  • fix(security): update pipfile.lock by @sergargar in #1639
  • fix(dockerfile): Remove additional apk update in Dockerfile by @PeterDaveHello in #1617
  • fix(actions): add Github Action contents: write permission by @sergargar in #1643
  • fix(actions): add GH Action pull-requests: write permissions by @sergargar in #1644
  • fix(codeartifact): set Namespace attribute as optional by @sergargar in #1648
  • fix(assume-role): Refresh credentials when assuming role by @n4ch04 in #1636
  • fix(glacier): handle no vault policy error by @sergargar in #1650
  • fix(contrib): update contrib folder by @sergargar in #1635

Docs

New Contributors

Full Changelog: 3.0.1...3.0.2

Prowler 3.0.1 - Piece of Mind

23 Dec 13:12
f05cb28

Fixes

  • fix(logs): add check_name to logs by @sergargar in #1574
  • test(credential_report): Improve credential report tests by @jfagoagas in #1579
  • build(deps-dev): bump coverage from 6.5.0 to 7.0.0 by @dependabot in #1568
  • docs(links): Update broken links to permissions folder by @JonoB in #1584
  • build(deps-dev): bump moto from 4.0.11 to 4.0.12 by @dependabot in #1570
  • build(deps-dev): bump pylint from 2.15.8 to 2.15.9 by @dependabot in #1569
  • fix(errors): handle S3 errors by @sergargar in #1585
  • fix(ECR): handle ECR errors by @sergargar in #1586
  • fix(iam): handle NoSuchEntity error by @sergargar in #1589
  • fix(vpc): endpoint policy error by @sergargar in #1588
  • fix(list services): Solve list services issue by @n4ch04 in #1587
  • fix(shub): Handle Security Hub InvalidAccessException error by @sergargar in #1590
  • fix(efs): handle PolicyNotFound error by @sergargar in #1591
  • fix(aws-cn partition): solve aws-cn partition errors by @sergargar in #1576
  • feat(errors): prettify unknown service errors by @sergargar in #1592
  • fix(sqs): get sqs encryption by @sergargar in #1596
  • fix(refresh-aws-regions): Change branch by @jfagoagas in #1598
  • fix(check_report): Init status field and fix stats output by @jfagoagas in #1580
  • fix(send to s3): fixed send to s3 feature by @n4ch04 in #1599
  • docs: Include Azure requirements in README by @n4ch04 in #1600
  • fix(global_services): handle global regions correctly by @sergargar in #1594
  • fix(output-filename): Handle argument by @jfagoagas in #1604

New Contributors

Full Changelog: 3.0.0...3.0.1

Prowler 3.0.0 - Piece of Mind

21 Dec 16:08
bb5ba8c

Today we are releasing a new major version of Prowler 🎉🥳🎊🍾: version 3, aka Piece of Mind.

Take Prowler v3 as our 🎄Christmas gift 🎁 for the Cloud Security Community.

(Image: Piece of Mind album cover. Artwork property of Iron Maiden)

Piece of Mind was the fourth studio album of Iron Maiden. Its meaning fits perfectly with what we do with Prowler in both senses: being protected, and at the same time this is the software I would have wanted to write when I started Prowler back in 2016 (this is now, more than ever, a piece of my mind). This has been possible thanks to my awesome team at Verica.

No doubt 2022 has been a pretty interesting year for us: we launched ProwlerPro and released many minor versions of Prowler. Now enjoy Sun and Steel while you keep reading these release notes.

If you are an Iron Maiden fan like me, you have noticed that the latest minor release of Prowler (2.12) was a song from this very same album, just a clue of what was coming! In Piece of Mind you can find one of the most popular heavy metal songs of all time, The Trooper, which will be a Prowler version released during 2023.

Prowler v3 is more than a new version of Prowler; it is a whole new piece of software. We have fully rewritten it in Python and made it multi-cloud, adding Azure as our second supported cloud provider. Prowler v3 is also way faster, able to scan an entire AWS account across all regions 37 times faster than before. Yes, you read that correctly: what used to take hours now takes literally a few minutes or even seconds.

Toni de la Fuente.

New documentation site:

We are also releasing today our brand new documentation site for Prowler at https://docs.prowler.cloud and it is also stored in the docs folder in the repo.

What's Changed:

Here is a list of the most important changes in Prowler v3:

  • 🐍 Python: we got rid of all bash and it is now all in Python. pip install prowler, then run prowler, that’s all.
  • 🚀 Faster: huge performance improvements. Scanning the same account now takes 4 minutes instead of 2.5 hours.
  • 💻 Developers and Community: we have made it easier to contribute with new checks and new compliance frameworks. We also included unit tests and native logging features. And now the CLI supports long arguments and options.
  • ☁️ Multi-cloud: in addition to AWS, we have added Azure.
  • Checks and Groups: all checks are now more comprehensive and we provide resolution actions in most of them. Their IDs are no longer tied to CIS; they are self-explanatory. Groups are now dynamically generated based on check metadata such as services, categories, severity and more.
  • ⚖️ Compliance: we are including full support for CIS 1.4, CIS 1.5 and the new Spanish ENS in this release, more to come soon! Compliance also has its own output file with its own metadata, and creating your own framework is easier than ever before, making for more comprehensive reports.
  • 🧩 Compatibility with v2: most of the options are the same in this version in order to support backward compatibility; however, some options like assume role or AWS Organizations query are now different and easier to use.
  • 🔄 Consolidated output formats: now both CSV and JSON reports come with the same attributes and, compared to v2, they come with more than 40 values per finding. HTML, CSV and JSON are created every time you run prowler.
  • 📊 Quick Inventory: introduced in v2, we have fine-tuned the Quick Inventory feature and now you can get a list of all resources in your AWS accounts within seconds.

Prowler new default overview:

prowler-3-output

Prowler updated HTML report:

html-output

Prowler compliance overview:

compliance-cis-sample

Prowler list of Azure checks:

azure-checks

What is coming next?

  • More Cloud Providers and more checks: in addition to continuing to add new checks to AWS and Azure, we plan to include GCP and OCI soon; let us know if you want to contribute!
  • XML-JUNIT support: we didn’t add that to v3; if you miss it, let us know in https://github.com/prowler-cloud/prowler/discussions
  • Compliance: we will add more compliance frameworks to have as many as in Prowler v2, we appreciate help though!
  • Tag-based audit: you will be able to scan only those resources with specific tags.

New Contributors

In addition to the Prowler rock stars @jfagoagas @n4ch04 @sergargar we have a couple of new contributors in this release:

For more information and a detailed list of changes see below:

Full Changelog: 2.10.0...3.0.0

Prowler 2.12.1

19 Dec 16:59
e9b0979

Fixes

  • fix(extra7195): Update title by @Fennerr in #1440
  • fix(extra71): Modified wrong remediation by @n4ch04 in #1445
  • fix(README): include more details about db connector by @n4ch04 in #1507
  • fix(extra723): corrected some typos for check_extra723 by @kagahd in #1511
  • fix(CloudTrail): Fix CloudTrail trail S3 logging public bucket false positive result when trail bucket doesn't exist by @acknosyn in #1505

New Contributors

Full Changelog: 2.12.0...2.12.1

Prowler 2.12.0 - Where Eagles Dare

27 Oct 10:18
8818f47

It's snowing outside, the rumbling sound
Of engines roar in the night
The mission is near, the confident men
Are waiting to drop from the sky

Where Eagles Dare is the song that opens Iron Maiden's Piece of Mind album, released back in 1983, the first one with Nicko McBrain as drummer after Clive Burr left the band. Note his first seconds on this piece; it is like Nicko saying "here I go!". The song relates the adventure of a team of soldiers raiding a castle in Germany during WWII, the story told in the movie of the same name starring Clint Eastwood and Richard Burton.

For all of you that have contributed to this version (see list below), thank you ❤️!!! And reach out to me on Twitter (@toniblyx - DMs are open) if you want some laptop stickers.

🔥Important changes in this version (read this!)🔥:

New checks:

7.195 [check7195] Ensure CodeArtifact internal packages do not allow external public source publishing. - codeartifact [Critical]

Other changes:

  • CloudTrail checks check21, check22, check23, check24, check26, check27 now include shadow trails in the results (those trails used for multi-region and AWS organizations)
  • New group called cisig2 for CIS Critical Security Controls v8 by @artfulbodger
  • We have deprecated Discord and now we only use Slack, join us here!

New features:

  • feat(checks): Adding commands for checks 117 and 118 by @belialboy in #1289
  • feat(extra780): Check for Cognito or SAML authentication on OpenSearch by @kagahd in #1291
  • feat(extra7195): Added check for dependency confusion in codeartifact by @congon4tor in #1329
  • feat(group): CIS Critical Security Controls v8 by @artfulbodger in #1347
  • feat(audit_id): add optional audit_id field to postgres connector by @sergargar in #1362
  • feat(db-connector): Include UUID for findings ID by @n4ch04 in #1368
  • feat(slack): add Slack badge to README instead of deprecated Discord by @sergargar in #1401
  • feat(extra7111): Exception handling by @n4ch04 in #1408
  • feat(stable tag): Inclusion of stable tag point to last release by @n4ch04 in #1419
  • docs(spelling): Typo corrections by @olivier987654 in #1394

Enhancements:

  • chore(issues): Link Q&A by @jfagoagas in #1305
  • docs(outputs): added CVS and JSON details by @jfagoagas in #1313
  • docs(dockerfile): Dockerfile build instructions by @walkerab in #1370
  • chore(actions): Bump Trufflehog to v3.13.0 by @gliptak in #1382
  • delete(shortcut.sh): Remove ScoutSuite by @jfagoagas in #1388
  • fix(checks): CloudTrail checks 2.X now include shadow trails in the results (those trails used for multi-region and AWS organizations)

Fixes:

  • fix(check12): Improve remediation by @jfagoagas in #1281
  • fix(extra712): changed Macie service detection by @williambrady in #1286
  • fix(permissions): Include missing appstream:DescribeFleets permission by @jfagoagas in #1278
  • fix(appstream): Handle timeout errors by @jfagoagas in #1296
  • fix(security-groups): Include TCP as the IpProtocol by @jfagoagas in #1323
  • fix(credential_report): Do not generate for 117 and 118 by @jfagoagas in #1322
  • fix(inventory): Variable assigning syntax in inventory mode by @JArmandoG in #1283
  • fix(check120): correct AWS support policy name by @JArmandoG in #1328
  • fix(postgresql): Connector field by @jfagoagas in #1372
  • fix(postgresql): Missing space by @jfagoagas in #1374
  • fix(checks): Include missing output in checks by @n4ch04 in #1380
  • fix(checks): Handle checks not returning result by @n4ch04 in #1383
  • fix(inventory): quick inventory input fixed by @sergargar in #1397
  • fix(check_extra77): Add missing check_resource_id to the report by @kagahd in #1402
  • fix(missing permissions): add missing permissions of checks by @sergargar in #1403
  • fix(region_bugs): Remove duplicate outputs by @sergargar in #1390
  • fix(extra740): remove additional info and fix max_items by @sergargar in #1405
  • fix(extra77): Deleted resource id from exception results by @n4ch04 in #1409
  • fix(extra7183): Exception handling error UnsupportedOperationException by @n4ch04 in #1410
  • fix(extra7184): Error handling GetSnapshotLimits api call by @n4ch04 in #1411

New Contributors:

Full Changelog: 2.11.0...2.12.0