Releases: prowler-cloud/prowler
Prowler 3.13.1 - El Dorado [YANKED]
Fixes
- fix(backup): handle if `last_attempted_execution_date` is None by @sergargar in #3394
- fix(inspector2): Report must have status field by @jfagoagas in #3419
Full Changelog: 3.13.0...3.13.1
Prowler 3.13.0 - El Dorado
El Dorado, come and play
El Dorado, step this way
Take a ticket for the ride
El Dorado streets of gold
See my ship is oversold
You got one last chance to try
Iron Maiden's song El Dorado is part of The Final Frontier album, and it won a Grammy Award as the best metal song, not bad, huh? The song talks about the economic situation back in 2010. With companies all over the place laying off people, I wanted to give virtual hugs to all those people from the Prowler Team and remind you: Open Source is always rewarding, for you to learn and for others!
Prowler 3.13 is probably the last release of the 3.x series (v4 looks promising!). As you can see, we are working hard on Azure and many other features.
Enjoy it! 🤘🏽🔥
New features to highlight in this version:
💪🏼 21 New Azure checks
- Prowler is improving its Azure coverage by including 21 new checks that appear in the CIS Benchmark v2.0.0.
(Thanks @pedrooot and @puchy22 for their contributions and performance!)
See all the new available checks with
prowler azure -l
✅ New CIS AWS Foundations Benchmark v3.0.0 Compliance
- On Jan 31st, CIS released the new v3.0.0 of the Amazon Web Services Foundations Benchmark, and it is now available in Prowler. You can execute the new CIS version with
prowler aws --compliance cis_3.0_aws
📊 New AWS Account Security Onboarding Compliance
- It is based on a post by Artem Marusov; you can execute this checklist when onboarding new AWS Accounts into an existing AWS Organization with
prowler aws --compliance aws_account_security_onboarding_aws
🥳 Python 3.12 is now supported!
- Now you can execute Prowler using Python 3.12. Install Prowler with
pip install prowler
and that's all!
📝 Custom Output File in Quick Inventory
- Support for the existing -F (output file) option when using the quick inventory feature (-i) on AWS. You can test it with
prowler aws -i -F custom-output-file.csv
Features
- feat(azure): Add 4 new checks related to SQLServer and Vulnerability Assessment by @pedrooot in #3372
- feat(azure): Add check `defender_auto_provisioning_log_analytics_agent_vms_on` by @puchy22 in #3322
- feat(azure): Add check `defender_ensure_system_updates_are_applied` and `defender_auto_provisioning_vulnerabilty_assessments_machines_on` by @puchy22 in #3327
- feat(azure): Add new Azure check "iam_custom_role_permits_administering_resource_locks" by @pedrooot in #3317
- feat(azure): Add new check `storage_ensure_private_endpoints_in_storage_accounts` by @pedrooot in #3326
- feat(azure): Add new check `storage_key_rotation_90_days` by @pedrooot in #3323
- feat(azure): Defender checks related to defender settings by @puchy22 in #3347
- feat(azure): Defender checks related to security contacts and notifications by @puchy22 in #3344
- feat(azure): Defender check `defender_ensure_iot_hub_defender_is_on` by @puchy22 in #3367
- feat(azure): New Azure SQLServer related check `sqlserver_auditing_retention_90_days` by @pedrooot in #3345
- feat(azure): New check related to vulnerability assessment `sqlserver_vulnerability_assessment_enabled` by @pedrooot in #3349
- feat(azure): New check `storage_ensure_soft_delete_is_enabled` by @pedrooot in #3334
- feat(azure): SQLServer checks related to TDE encryption by @pedrooot in #3343
- feat(compliance): account security onboarding compliance framework by @pedrooot in #3286
- feat(defender): New Terraform URL for metadata checks by @puchy22 in #3374
- feat(python): support Python 3.12 by @sergargar in #3371
- feat(quick-inventory): custom output file in quick inventory by @Mohsen51 in #3306
- feat(cis): add new CIS AWS v3.0.0 by @sergargar in #3379
Fixes
- fix(acm): adding more details on remaining expiration days by @estemendoza in #3293
- fix(azure): Fix check `sqlserver_auditing_retention_90_days` by @pedrooot in #3365
- fix(BadRequest): add BadRequest exception to WellArchitected by @sergargar in #3300
- fix(defender): Manage 404 exception for "default" security contacts by @puchy22 in #3373
- fix(GuardDuty): fix class name by @puchy22 in #3337
- fix(NoSuchEntity): add NoSuchEntity exception to IAM by @sergargar in #3299
- fix(organizations): Handle non existent policy by @jfagoagas in #3319
- fix(rds): verify SGs in `rds_instance_no_public_access` by @sergargar in #3341
- fix(s3): add `s3:Get*` case to `s3_bucket_policy_public_write_access` by @sergargar in #3364
- fix(storage): Manage None type for key_expiration_period_in_days by @puchy22 in #3351
- fix(azure): Change class names from azure services and fix typing error by @pedrooot in #3350
- fix(allowlist): Handle tags and resources by @jfagoagas in #3376
- fix(cis): update CIS AWS v2.0 Section 2.1 refs by @strawp in #3375
- fix(alias): allow multiple check aliases by @sergargar in #3378
Chores
- chore(actions): Add AWS tag to the update regions bot by @jfagoagas in #3321
- chore(azure): Remove all unnecessary init methods in @DataClass by @pedrooot in #3324
- chore(compliance): make SocType attribute general by @sergargar in #3287
- chore(dependabot): Run for GHA by @jfagoagas in #3274
- chore(docs): update CODE_OF_CONDUCT.md by @toniblyx in #3352
- chore(docs): update documentation by @sergargar in #3297
- chore(docs): Update README.md by @toniblyx in #3353
- chore(inspector): refactor `inspector2_findings_exist` check into two by @sergargar in #3338
- chore(pre-commit): remove pytest from pre-commit by @sergargar in #3363
- chore(README): update syntax of supported Python versions by @sergargar in #3271
- chore(readme): Update readme with new numbers for Prowler checks by @pedrooot in #3354
- chore(regions_update): Changes in regions for AWS services. by @sergargar in #3273, #3298, #3303, #3316, #3318, #3320, #3325, #3333, #3339, #3342, #3348, #3377
- docs(README): Update Kubernetes development status and Python supported versions by @toniblyx in #3270
- docs(security-hub): Add integration steps and images by @jfagoagas in #3304
- docs(security-hub): improve documentation and clarify steps by @jfagoagas in #3301
Dependencies
- build(deps): bump actions/checkout from 3 to 4 by @dependabot in #3284
- build(deps): bump actions/setup-python from 2 to 5 by @dependabot in #3277
- build(deps): bump aiohttp from 3.9.1 to 3.9.2 by @dependabot in #3366
- build(deps): bump aws-actions/configure-aws-credentials from 1 to 4 by @dependabot in #3278
- build(deps): bump azure-mgmt-security from 5.0.0 to 6.0.0 by @dependabot in #3312
- build(deps): bump codecov/codecov-action from 3 to 4 by @dependabot in #3360
- build(deps): bump cryptography from 41.0.6 to 42.0.0 by @dependabot in #3362
- build(deps): bump docker/build-push-action from 2 to 5 by @dependabot in #3281
- build(deps): bump docker/login-action from 2 to 3 by @dependabot in https://github...
Prowler 3.12.1 - Running Free
Fixes
- fix(rds): handle api call error response by @n4ch04 in #3258
- fix(apigatewayv2_api_access_logging_enabled): Finding ID should be unique by @jfagoagas in #3263
- fix(allowlist): Handle empty exceptions by @jfagoagas in #3266
- fix(fms): handle list compliance status error by @n4ch04 in #3259
Chores
- chore(release): update Prowler Version to 3.12.0 by @sergargar in #3242
- chore(regions_update): Changes in regions for AWS services. by @sergargar in #3249, #3256, #3268
- chore(s3): Update log not to duplicate it by @jfagoagas in #3255
- chore(readme): remove deprecated library name by @sergargar in #3251
- chore(precommit): set trufflehog as command by @n4ch04 in #3262
Docs
- docs: Add Codecov badge by @jfagoagas in #3248
Dependencies
- build(deps-dev): bump moto from 4.2.12 to 4.2.13 by @dependabot in #3244
- build(deps): bump google-api-python-client from 2.111.0 to 2.113.0 by @dependabot in #3245
- build(deps-dev): bump flake8 from 6.1.0 to 7.0.0 by @dependabot in #3246
- build(deps-dev): bump gitpython from 3.1.37 to 3.1.41 by @dependabot in #3257
- build(deps): bump jinja2 from 3.1.2 to 3.1.3 by @dependabot in #3267
Full Changelog: 3.12.0...3.12.1
Prowler 3.12.0 - Running Free
Just sixteen, a pickup truck, out of money, out of luck
I've got nowhere to call my own, hit the gas, and here I go
I'm running free yeah, I'm running free
I'm running free yeah, oh I'm running free
Iron Maiden's song Running Free was released as a single from their first album back in 1980. This song is all about running wild and running free, as we do at Prowler, making cloud security open and transparent, easy to use and easy to customize, for you and thousands of organizations around the world.
Hit the gas, and here I go! This version is full of new features and important improvements requested by our vibrant community. Go ahead, smash your electric guitar and use Prowler straight away, by yourself or through our service at prowler.com.
Enjoy it! 🤘🏽🔥
New features to highlight in this version:
✍️ Custom Checks Metadata
- Now you can override the Severity of a check using `--custom-checks-metadata-file custom_checks_metadata.yaml`. (Thanks @venkyvajrala for the feature!)
See more in https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/
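An added example of what such a file looks like, not part of the original release notes or the Prowler repository. The structure follows the custom-checks-metadata tutorial linked above as I recall it, so treat the layout as an assumption and verify it against the tutorial; the two check names and the severities chosen for them are illustrative.

```yaml
# Added example of custom_checks_metadata.yaml (assumed layout, not from the Prowler repo).
# Pass it with: prowler aws --custom-checks-metadata-file custom_checks_metadata.yaml
CustomChecksMetadata:
  aws:
    Checks:
      s3_bucket_level_public_access_block:
        Severity: high            # raise the built-in severity for this environment
      ec2_instance_detailed_monitoring_enabled:
        Severity: informational   # lower it: monitoring is handled by another tool here
```

Only the severity is overridden; the check logic, its ID and its compliance mappings stay as shipped, so the override shows up in outputs (CSV, JSON, Security Hub) but does not change what is evaluated.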
👷 Custom AWS Role Session name
- Now you can customize the Role Session name that Prowler uses when assuming an AWS Role with `--role-session-name <role_session_name>`.
See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#custom-role-session-name
🔧 Scan only AWS enabled regions
- Prowler now only scans AWS regions that are enabled in the account, making the scan faster by not reviewing services in regions that are not enabled.
🧵 Improved threading using ThreadPoolExecutor
- For the AWS service Prowler now uses a `ThreadPoolExecutor` to improve concurrency management, allowing parallelisation per resource and not only per region. Thanks to @Fennerr for the improvement!
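An added example (not Prowler's code) of the per-resource submission pattern this bullet describes, run over a constructed inventory with a stand-in API call. `INVENTORY`, `describe_resource` and the PASS/FAIL rule are assumptions for illustration. It also shows the property a scanner needs from this design: one throttled resource surfaces as an ERROR result instead of aborting the rest of the region.

```python
"""Per-resource concurrency with ThreadPoolExecutor (added example, not Prowler code)."""
from concurrent.futures import ThreadPoolExecutor, as_completed
from dataclasses import dataclass
import time

# Constructed inventory, region -> resource identifiers (not real AWS data).
INVENTORY = {
    "us-east-1": ["i-0001", "i-0002", "i-0003"],
    "eu-west-1": ["i-0004"],
    "ap-south-1": ["i-0005", "i-0006"],
}


@dataclass(frozen=True)
class Result:
    region: str
    resource_id: str
    status: str   # "PASS", "FAIL" or "ERROR"
    detail: str


def describe_resource(region: str, resource_id: str) -> dict:
    """Stand-in for an AWS API call: simulates latency and one throttled resource."""
    time.sleep(0.01)
    if resource_id == "i-0005":
        raise RuntimeError("ThrottlingException: Rate exceeded")
    # Assumed rule for the example: resources whose id ends in "2" have a public IP.
    return {"Id": resource_id, "Region": region, "PublicIp": resource_id.endswith("2")}


def evaluate(region: str, resource_id: str) -> Result:
    """One unit of work: fetch and evaluate a single resource; errors stay local."""
    try:
        data = describe_resource(region, resource_id)
    except Exception as exc:  # a failing resource must not abort the scan
        return Result(region, resource_id, "ERROR", str(exc))
    status = "FAIL" if data["PublicIp"] else "PASS"
    return Result(region, resource_id, status, f"public_ip={data['PublicIp']}")


def scan(inventory: dict[str, list[str]], max_workers: int = 8) -> list[Result]:
    """Submit one task per (region, resource) instead of one task per region."""
    results = []
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = [
            pool.submit(evaluate, region, rid)
            for region, ids in inventory.items()
            for rid in ids
        ]
        for fut in as_completed(futures):
            results.append(fut.result())
    # Deterministic order for reporting, independent of completion order.
    return sorted(results, key=lambda r: (r.region, r.resource_id))


if __name__ == "__main__":
    for r in scan(INVENTORY):
        print(f"{r.region:12} {r.resource_id:8} {r.status:5} {r.detail}")
```

With one task per region, the single slowest resource in `us-east-1` would hold up that whole region; with one task per resource the pool stays busy, and `max_workers` becomes the knob that keeps the scan under the API's throttling limits.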
🐛 Bug fixing
- Now the AWS Lambda service scans each Lambda function for secrets without persisting the code in memory, drastically reducing memory usage.
- Tons of bug fixes in services, outputs, checks and some other core functions.
Features
- feat(cognito): add Amazon Cognito service by @sergargar in #3060
- feat(custom_checks_metadata): Add checks metadata override for severity by @venkyvajrala in #3038
- feat(aws): Added AWS role session name parameter by @Fennerr in #3234
- feat(securityhub): Send only FAILs but storing all in the output files by @jfagoagas in #3195
Fixes
- fix(access-analyzer): Handle ValidationException by @jfagoagas in #3165
- fix(allowlist): Analyse single and multi account allowlist if present by @jfagoagas in #3210
- fix(apigw_restapi_auth check): add method auth testing by @n4ch04 in #3183
- fix(aws_regions): Get enabled regions by @jfagoagas in #3095
- fix(clean local output dirs): change function description by @n4ch04 in #3068
- fix(cloudtrail): Handle UnsupportedOperationException by @jfagoagas in #3166
- fix(codeartifact): solve dependency confusion check by @congon4tor in #2999
- fix(deps): Add missing jsonschema by @jfagoagas in #3052
- fix(docs): csv fields by @n4ch04 in #3092
- fix(docs): typo in reporting/csv by @n4ch04 in #3094
- fix(elasticache): Handle CacheClusterNotFound by @jfagoagas in #3174
- fix(fms): Handle PolicyComplianceStatusList key error by @jfagoagas in #3230
- fix(gcp): fix UnknownApiNameOrVersion error by @sergargar in #3202
- fix(gcp): improve logging messages by @sergargar in #3185
- fix(gcp provider): move generate_client for consistency by @n4ch04 in #3064
- fix(generate_regional_clients): Global is not needed anymore by @jfagoagas in #3162
- fix(iam): Handle NoSuchEntity in list_group_policies by @jfagoagas in #3197
- fix(json-ocsf): add profile only for AWS provider by @sergargar in #3051
- fix(lambda): memory leakage with lambda function code by @Fennerr in #3167
- fix(organizations_scp_check_deny_regions): enhance check logic by @sergargar in #3239
- fix(outputs): initialize_file_descriptor is called dynamically by @n4ch04 in #3050
- fix(s3): Handle NoSuchBucket in the service by @jfagoagas in #3173
- fix(s3): handle NoSuchBucketPolicy error by @sergargar in #3217
- fix(send_to_s3_bucket): don't kill exec when fail by @n4ch04 in #3088
- fix(set_azure_audit_info): assign correct logging when no auth by @n4ch04 in #3063
- fix(threading): Improved threading for the AWS Service by @Fennerr in #3175
- fix(trustedadvisor): handle missing dict key by @n4ch04 in #3075
- fix(trustedadvisor): solve trustedadvisor check metadata by @sergargar in #3216
- fix(vpc_different_regions): Handle if there are no VPC by @williambrady in #3081
- revert(clean local dirs): delete clean local dirs output feature by @n4ch04 in #3087
Chores
- chore(actions): not launch linters for mkdocs.yml by @n4ch04 in #3093
- chore(actions prowler4): add prowler 4.0 branch to actions by @n4ch04 in #3184
- chore(elb): Improve status in elbv2_insecure_ssl_ciphers by @Fennerr in #3169
- chore(ens): do not apply recommendation type to score by @sergargar in #3058
- chore(moto): install all moto dependencies by @sergargar in #3048
- chore(python): update python version constraint <3.12 by @sergargar in #3047
- chore(s3 bucket input validation): validates input bucket by @n4ch04 in #3198
- chore(sqs_...not_publicly_accessible): less restrictive condition test by @n4ch04 in #3211
- chore: changed concatenation of strings to f-strings to improve readability by @eukub in #3227
- chore(exception): handle error in describing regions by @sergargar in #3241
- chore(role arguments): enhance role arguments validation by @sergargar in #3240
- chore(regions_update): Changes in regions for AWS services. by @sergargar in #3045, #3168, #3059, #3079, #3065, #3074, #3182, #3189, #3196
- refactor(cloudwatch): simplify logic by @jfagoagas in #3172
- refactor(load_checks_to_execute): Refactor function and add tests by @jfagoagas in #3066
- refactor(severities): Define it in one place by @jfagoagas in #3086
Docs
- docs(aws): Added debug information to inspect retries in API calls by @Fennerr in #3186
- docs(cloudshell): Add missing steps to workaround by @AlexGidarakos in #3191
- docs(cloudshell): Add workaround to clone from github by @jfagoagas in #3190
- docs(cloudshell): Update AWS CloudShell installation steps by @AlexGidarakos in #3192
- docs(parallel-execution): Combining the output files by @Fennerr in #3096
- docs(parallel-execution): How to execute it in parallel by @Fennerr in #3091
Dependencies
- build(deps): bump cryptography from 41.0.4 to 41.0.6 by @dependabot in #3078
- build(deps): bump google-api-python-client from 2.110.0 to 2.111.0 by @dependabot in #3224
- build(deps): bump google-auth-httplib2 from 0.1.1 to 0.2.0 by @dependabot in #3207
- build(deps): bump jsonschema from 4.18.0 to 4.20.0 by @dependabot in ...
Prowler 3.11.3 - Rime Of The Ancient Mariner
What's Changed
Fixes
- fix(securityhub): findings not being imported or archived in non-aws partitions by @johnny2lu in #3040
- fix(json): check if profile is None by @sergargar in #3043
Chores
- chore(release): update Prowler Version to 3.11.2 by @sergargar in #3037
- chore(regions_update): Changes in regions for AWS services. by @sergargar in #3042
New Contributors
- @johnny2lu made their first contribution in #3040
Full Changelog: 3.11.2...3.11.3
Prowler 3.11.2 - Rime Of The Ancient Mariner
What's Changed
Fixes
- fix(ec2_securitygroup_not_used): check if security group is associated by @sergargar in #3026
- fix(GuardDuty): only execute checks if GuardDuty enabled by @sergargar in #3028
- fix(securityhub): Use enabled_regions instead of audited_regions by @jfagoagas in #3029
Chores
- chore(accessanalyzer): include service in allowlist_non_default_regions by @sergargar in #3025
- chore(args): make compatible severity and services arguments by @sergargar in #3024
- chore(regions_update): Changes in regions for AWS services. by @sergargar in #3035
- chore(release): update Prowler Version to 3.11.1 by @sergargar in #3021
- chore: modify latest version msg by @R3DRUN3 in #3036
- chore(azure regions): support non default azure region by @n4ch04 in #3013
Builds
- build(deps): bump alive-progress from 3.1.4 to 3.1.5 by @dependabot in #3033
- build(deps): bump azure-storage-blob from 12.18.3 to 12.19.0 by @dependabot in #3034
- build(deps): bump google-api-python-client from 2.106.0 to 2.107.0 by @dependabot in #3032
- build(deps-dev): bump moto from 4.2.7 to 4.2.8 by @dependabot in #3030
- build(deps-dev): bump pytest-xdist from 3.3.1 to 3.4.0 by @dependabot in #3031
Full Changelog: 3.11.1...3.11.2
Prowler 3.11.1 - Rime Of The Ancient Mariner
What's Changed
Fixes
- fix(aws): check all conditions in IAM policy parser by @mtronrd in #3006
- fix(clean local output dirs): clean dirs when output to S3 by @n4ch04 in #2997
- fix(cloudtrail): handle HasInsightSelectors key by @sergargar in #2996
- fix(docs): improve allowlist examples by @sergargar in #2995
- fix(iam): do not list tags for inline policies by @sergargar in #3014
- fix(iam-sqs): handle exceptions for non-existent resources by @jfagoagas in #3010
- fix(rds): check if engines exist in region by @sergargar in #3012
- fix(s3 race condition): catch error if a bucket does not exist any longer by @kagahd in #3000
- fix(SQS): fix invalid SQS ARNs by @mtronrd in #3016
- refactor(allowlist): simplify and handle corner cases with exceptions empty and * by @jfagoagas in #3019
Chores
- chore(brew): remove brew action by @sergargar in #2994
- chore(regions_update): Changes in regions for AWS services. by @sergargar in #2993, #2998, #3001, #3007, #3011, #3020, #2992, #3008 and #3019
- docs(gcp): update GCP permissions by @sergargar in #3008
Builds
- build(deps): bump google-api-python-client from 2.105.0 to 2.106.0 by @dependabot in #3005
- build(deps): bump mkdocs-material from 9.4.7 to 9.4.8 by @dependabot in #3004
Full Changelog: 3.11.0...3.11.1
Prowler 3.11.0 - Rime Of The Ancient Mariner 👻🎃
Sailing on and on and north across the sea
Sailing on and on and north 'til all is calm
Dare to delve into this spectral realm, where the frightful protection of Prowler awaits you.
Happy haunting and secure coding this Halloween! 🧛♂️🕸️🌙
New features to highlight in this version:
🔎 Ignore Findings from services not in actual use
- Prowler now allows you to ignore unused services findings, so you can reduce the number of findings in Prowler's reports.
prowler <provider> --ignore-unused-services
See more in https://docs.prowler.cloud/en/latest/tutorials/ignore-unused-services/
⚙️ New AWS Allowlist including AWS Control Tower resources
- A new default allowlist file that covers all the resources created by AWS Control Tower when setting up a landing zone:
prowler aws --allowlist prowler/config/aws_allowlist.yaml
See more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/#default-aws-allowlist
🏷️ STS V2 Tokens
- Now Prowler will call Regional AWS STS endpoints to get session tokens valid in all AWS Regions. Tokens issued by the global STS endpoint are version 1 by default and are not valid in opt-in regions, so a scan that covers those regions needs the regional (version 2) tokens.
See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#sts-endpoint-region
✅ 9 new checks for AWS!
- New Account check `account_maintain_different_contact_details_to_security_billing_and_operations`
- New CloudTrail check `cloudtrail_multi_region_enabled_logging_management_events`
- New EC2 Data Lifecycle Manager service and check `dlm_ebs_snapshot_lifecycle_policy_exists`
- New EC2 EBS check `ec2_ebs_volume_snapshots_exists`
- New DocumentDB service and check `documentdb_instance_storage_encrypted`
- New Support check `trustedadvisor_premium_support_plan_subscribed`
- New Neptune service and check `neptune_cluster_uses_public_subnet`
- New ElastiCache service and check `elasticache_cluster_uses_public_subnet`
- New IAM check `iam_user_with_temporary_credentials`
Thanks to Jit @jit-contrib for their help on these checks.
Try them with `prowler aws` and improve your security posture now! 🔒
📝 Check Aliases are now supported
- Prowler now supports aliases for checks. Add the CheckAliases key to the check's metadata with a list of aliases, and you can execute the check with:
prowler <provider> -c/--checks <check_alias_1>
See more in https://docs.prowler.cloud/en/latest/tutorials/check-aliases/
What's Changed
Features
- feat(alias): add check alias functionality by @sergargar in #2971
- feat(allowlist): allowlist non-default regions configuration by @sergargar in #2974
- feat(aws): New CloudTrail, DLM, DocumentDB, EC2, Account and Support checks by @jit-contrib in #2675
- feat(aws): New Neptune, ElastiCache, APIGW and IAM checks by @jit-contrib in #2862
- feat(controltower): add AWS Control Tower resources to default Allowlist configuration file by @sergargar in #2953
- feat(ignore unused services): add `--ignore-unused-services` argument to ignore findings from services not in actual use by @sergargar in #2936
- feat(report interface): add reporting interface call after report by @n4ch04 in #2948
- feat(vpc): add vpc, nacl or subnet names in findings by @sergargar in #2928
Fixes
- fix(allowlist): verify if allowlist file exists by @sergargar in #2988
- fix(APIGateway): Improve check naming by @sergargar in #2952
- fix(cis): remove new lines in CIS csv by @sergargar #2989
- fix(cloudtrail service): typo in logging info by @n4ch04 in #2976
- fix(ec2_instance_imdsv2_enabled): verify if metadata service is disabled by @therealtoastycat in #2978
- fix(ec2_securitygroup_not_used): Mock Lambda service by @jfagoagas in #2947
- fix(elbv2_desync_mitigation_mode): improve logic by @sergargar in #2986
- fix(gcp): set always location to lowercase by @sergargar in #2970
- fix(GuardDuty): Add `enabled_in_account` parameter by @jfagoagas in #2979
- fix(outputs): remove empty outputs by @sergargar #2990
- fix(resource filters): add missing resource filters by @sergargar in #2951
- fix(security group): check if security groups are used by Lambda by @sergargar in #2944
- fix(sqs): Handle AWS.SimpleQueueService.NonExistentQueue in list_queue_tags by @jfagoagas in #2939
- fix(sts): force v2 STS tokens by @sergargar in #2956
- fix(vpc): ignore com.amazonaws.vpce endpoints by @sergargar in #2929
- fix(vpc_endpoint_services_allowed_principals_trust_boundaries): Principal by @jfagoagas #2991
- fix(tests): remove tests folder after execution by @jfagoagas in #2962
Documentation
- chore(docs): Add report.region criteria by @jfagoagas in #2930
- docs(config): add missing configurable variables by @kagahd in #2941
- chore(docs): add STS Endpoint and Allowlist updates by @sergargar in #2964
- chore(docs): allowlist non-default regions by @sergargar in #2980
- docs(v2_v3_mapping): document prowler v3.10.0 changes by @kagahd in #2955
Chores
- chore(regions_update): Changes in regions for AWS services. by @sergargar in #2927, #2937, #2942, #2945, #2954, #2961
- chore(allowlist): Extract allowlist from report by @jfagoagas in #2975
- chore(allowlist): prettify allowlist names by @sergargar in #2963
- chore(APIGatewayV2): improve check naming by @sergargar in #2966
- chore(create_role_to_assume_cfn.yaml): Add DLM permissions by @sergargar in #2949
- chore(gcp): print inactive GCP APIs by @sergargar in #2987
- chore(github): ignore permissions path in GitHub actions by @sergargar in #2950
- chore(permissions): add DLM permissions by @sergargar in #2946
Dependencies
- build(deps): bump azure-identity from 1.14.1 to 1.15.0 by @dependabot in #2982
- build(deps): bump azure-storage-blob from 12.18.2 to 12.18.3 by @dependabot in #2931
- build(deps): bump google-api-python-client from 2.104.0 to 2.105.0 by @dependabot in #2985
- build(deps): bump mkdocs-material from 9.4.6 to 9.4.7 by @dependabot in #2983
- build(deps): bump shodan from 1.30.0 to 1.30.1 by @dependabot in #2935
- build(deps): bump urllib3 from 1.26.17 to 1.26.18 by @dependabot in #2940
- build(deps-dev): bump moto from 4.2.6 to 4.2.7 by @dependabot in #2984
- build(deps-dev): bump openapi-spec-validator from 0.6.0 to 0.7.1 by @dependabot in #2958
- build(deps-dev): bump pylint from 3.0.1 to 3.0.2 by @dependabot in #2957
- build(deps-dev): bump pytest from 7.4.2 to 7.4.3 by @dependabot in #2981
- build(deps-dev): bump vulture from 2.9.1 to 2.10 by @dependabot in #2960
- build(deps-dev): bump werkzeug from 2.3.4 to 3.0.1 by @dependabot in #2968
New Contributors
- @therealtoastycat made their first contribution in #2978
Full Changelog: 3.10.0...3.11.0
Prowler 3.10.0 - Dance of Death
Then they summoned me over to join in with them
At the dance of the dead
Into the circle of fire I followed them
Into the middle I was led
Dance of Death is an Iron Maiden song, released on their 2003 album of the same name. The song combines the band's signature heavy metal sound with progressive elements. Lyrically, it tells the story of a medieval dance of death, a symbolic representation of mortality and the inevitability of death. The lyrics are filled with vivid, dark imagery, and the song features intricate guitar work and powerful vocals from Bruce Dickinson. Enjoy this great song (https://www.youtube.com/watch?v=3659fTXvFts) while reading what's new! 🎸
New features to highlight in this version:
⚙️ New checks for AWS!
- New AWS IAM check `iam_role_administratoraccess_policy`.
- New AWS WAFv2 check `wafv2_webacl_logging_enabled`.
- The AWS IAM credential checks (`iam_disable_90_days_credentials`, `iam_disable_45_days_credentials` and `iam_disable_30_days_credentials`) have been replaced by two generic checks, `iam_user_accesskey_unused` and `iam_user_console_access_unused`. By default they fail when the credentials have been unused for 45 days; you can configure this value with the `max_unused_access_keys_days` and `max_console_access_days` configuration values. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/
Try them with `prowler aws` and improve your security posture now! 🔒
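An added example (not Prowler's code) of the logic the two generic credential checks describe, run over a constructed credential report with both thresholds taken from a config dict. The record layout, helper names and the rule that a never-used key counts from its creation date are assumptions for illustration; the 45-day default mirrors the release notes.

```python
"""Unused IAM credential checks with configurable thresholds (added example, not Prowler code)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed defaults, mirroring the 45-day value described in the release notes.
DEFAULT_CONFIG = {"max_unused_access_keys_days": 45, "max_console_access_days": 45}

# Fixed "now" so the constructed report evaluates the same way every run.
NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)


def days_since(last_used: Optional[datetime], created: datetime, now: datetime = NOW) -> int:
    """Days since last use; a credential never used counts from its creation date (assumption)."""
    return (now - (last_used or created)).days


def check_access_keys(user: dict, config: dict = DEFAULT_CONFIG, now: datetime = NOW) -> list[dict]:
    """One finding per active access key: FAIL if idle longer than the configured limit."""
    limit = config["max_unused_access_keys_days"]
    findings = []
    for key in user.get("access_keys", []):
        if not key["active"]:
            continue  # an inactive key cannot be used, so it is out of scope
        idle = days_since(key.get("last_used"), key["created"], now)
        findings.append({
            "user": user["name"], "key": key["id"],
            "status": "FAIL" if idle > limit else "PASS", "idle_days": idle,
        })
    return findings


def check_console_access(user: dict, config: dict = DEFAULT_CONFIG, now: datetime = NOW) -> Optional[dict]:
    """FAIL if the console password is enabled but idle longer than the limit;
    users without a console password produce no finding."""
    if not user.get("password_enabled"):
        return None
    limit = config["max_console_access_days"]
    idle = days_since(user.get("password_last_used"), user["password_created"], now)
    return {"user": user["name"], "status": "FAIL" if idle > limit else "PASS", "idle_days": idle}


# Constructed credential report (not real data; key ids are placeholders).
USERS = [
    {"name": "alice", "password_enabled": True,
     "password_created": NOW - timedelta(days=400),
     "password_last_used": NOW - timedelta(days=10),
     "access_keys": [
         {"id": "AKIA0000EXAMPLE001", "active": True,
          "created": NOW - timedelta(days=200), "last_used": NOW - timedelta(days=90)},
     ]},
    {"name": "svc-deploy", "password_enabled": False,
     "access_keys": [
         {"id": "AKIA0000EXAMPLE002", "active": True,          # never used since creation
          "created": NOW - timedelta(days=60), "last_used": None},
         {"id": "AKIA0000EXAMPLE003", "active": False,         # inactive, skipped
          "created": NOW - timedelta(days=500), "last_used": None},
     ]},
]


def run(users: list[dict] = USERS, config: dict = DEFAULT_CONFIG) -> dict:
    """Evaluate every user and group findings by check."""
    report = {"access_keys": [], "console": []}
    for user in users:
        report["access_keys"].extend(check_access_keys(user, config))
        console = check_console_access(user, config)
        if console:
            report["console"].append(console)
    return report


if __name__ == "__main__":
    for check, findings in run().items():
        for f in findings:
            print(check, f)
```

The never-used case is the one worth a second look: an access key created 60 days ago and never used has no `last_used` timestamp at all, and a check that only compares `last_used` against the threshold would silently pass it.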
🏷️ Security Hub Tagging
- Now Prowler will add AWS Resource Tags to every Security Hub finding and to json-asff outputs!
🧑🤝🧑 Five new Prowler contributors!
- Many thanks to @CameronTStark, @sbldevnet, @JackStuart, @devopspacellp and @taylerhaviland for including more checks and keep improving Prowler!
What's Changed
Features
- feat(Dockerfile): add curl package to docker image by @n4ch04 in #2812
- feat(iam): add new check iam_role_administratoraccess_policy by @kagahd in #2822
- feat(iam): improve disable credentials checks by @sergargar in #2909
- feat(json-asff): adds AWS resource tags in json-asff and SecurityHub findings by @sbldevnet in #2786
- feat(unix timestamp): add the --unix-timestamp flag to docs by @n4ch04 in #2816
- feat(unix timestamp): add unix timestamp to outputs by @n4ch04 in #2813
- feat(wafv2): Add check wafv2_webacl_logging_enabled by @devopspacellp in #2898
Fixes
- fix(acm): add certificate id by @sergargar in #2903
- fix(apigw): KeyError name by @jfagoagas in #2858
- fix(apikeys_..._90_days): fix key creation time with dynamic date by @n4ch04 in #2798
- fix(autoscaling_find_secrets_ec2_launch_configuration): Fix UnicodeDecodeError by @jfagoagas in #2870
- fix(aws): Include missing ARNs by @jfagoagas in #2880
- fix(azure): Typo in SQL check by @JackStuart in #2881
- fix(cloudtrail_s3_dataevents_read/write_enabled): Handle S3 ARN by @jfagoagas in #2844
- fix(cloudwatch): ignore new lines in filters by @sergargar in #2912
- fix(custom checks): fix import from s3 by @n4ch04 in #2901
- fix(dockerfile): Use latest curl by @jfagoagas in #2897
- fix(Dockerfile): update alpine version by @n4ch04 in #2925
- fix(ds): GetSnapshotLimits for MicrosoftAD by @jfagoagas in #2859
- fix(ebs): improve snapshot encryption logic and typos by @taylerhaviland in #2836
- fix(ec2 ebs/instance checks): unify checks logic by @n4ch04 in #2795
- fix(ec2 nacl checks): unify logic by @n4ch04 in #2799
- fix(ec2 tests): add region and delete search sg checks by @n4ch04 in #2788
- fix(ec2 tests): add tags and region non sg checks by @n4ch04 in #2781
- fix(ec2_elastic_ip_unassigned): rename check by @n4ch04 in #2882
- fix(ec2_instance_..._ssm): mock ssm service and client in all the tests by @n4ch04 in #2804
- fix(eks_control_plane_endpoint_access_restricted): handle endpoint private access by @Fennerr in #2824
- fix(eks_endpoints_not_publicly_accessible): handle endpoint private access by @Fennerr in #2825
- fix(elb): add resource ARN to checks by @sergargar in #2906
- fix(elbv2): Handle LoadBalancerNotFound by @jfagoagas in #2860
- fix(findingID): remove duplicate finding IDs by @sergargar in #2890
- fix(html): unroll regions set prior concat by @n4ch04 in #2790
- fix(iam): findings of some checks may have been lost by @kagahd in #2847
- fix(iam): Handle NoSuchEntityException in ListRolePolicies by @jfagoagas in #2857
- fix(iam): Handle NoSuchEntity when calling list_role_policies by @jfagoagas in #2872
- fix(iam credentials checks): unify logic by @n4ch04 in #2883
- fix(iam creds checks): add missing tests and fix current ones by @n4ch04 in #2888
- fix(iam creds tests): don't use search and negative indexes by @n4ch04 in #2899
- fix(iam_inline_policy_no_administrative_privileges): set resource id as the entity name by @sergargar in #2820
- fix(iam_policy_no_administrative_privileges): check does not exist and maps not to check122 by @kagahd in #2797
- fix(is_valid_arn): include . into resource name by @n4ch04 in #2789
- fix(outputs_unix_timestamp): Remove subsecond by @jfagoagas in #2861
- fix(pipeline): launch linters with file changes by @n4ch04 in #2911
- fix(policy_condition_parser): add StringEquals aws:SourceArn condition by @n4ch04 in #2793
- fix(pre-commit): add file filter to python linters by @n4ch04 in #2818
- fix(remove_custom_checks_module): delete service folder if empty by @n4ch04 in #2885
- fix(s3_bucket_policy_public_write_access): Handle S3 Policy without Principal by @jfagoagas in #2871
- fix(securityhub): archive SecurityHub findings in empty regions by @sergargar in #2908
- fix(sqs_queues_not_publicly_accessible): Improve status extended by @Fennerr in #2848
- fix(storage_ensure_minimum_tls_version_12): misspelling in metadata by @CameronTStark in #2835
- fix(testing docs): fix testing docs typos and syntax by @n4ch04 in #2803
- fix(version): add timeout and check HTTP errors by @sergargar in #2886
- fix(vpc): solves CidrBlock KeyError by @sergargar in #2817
- fix(vpc_peering_routing_tables_with_least_privilege): check only peering routes by @sergargar in #2887
- fix(pull-request.yml): launch linters when source code modified by @n4ch04 in #2922
- fix(build-lint-push pipeline): pass pipeline when ignored files by @n4ch04 in #2915
Chores
Prowler 3.9.0 - Flash of the Blade
As a young boy chasing dragons
With your wooden sword so mighty
You're St. George or you're David and you always killed the beast
Times change very quickly and you had to grow up early
A house in smoking ruins and the bodies at your feet
Sometimes chasing dragons and sometimes walking on the edge of the blade. This Iron Maiden song, Flash of the Blade, tells a good story about what comes to the table these days. Enjoy this great song written by Bruce Dickinson back in 1984 (https://www.youtube.com/watch?v=Qx0s8OqgBIw) while reading what's new!
New features to highlight in this version:
⚙️ New checks for AWS!
- New AWS Athena service with two new checks: athena_workgroup_encryption and athena_workgroup_enforce_configuration.
- New AWS S3 check: s3_bucket_kms_encryption.
- New AWS EC2 check: ec2_instance_detailed_monitoring_enabled.
- New AWS IAM check: iam_inline_policy_no_administrative_privileges, together with a new feature in the IAM service, which is now capable of retrieving the inline policies of Users, Roles and Groups.
- In the AWS ECR check ecr_repositories_scan_vulnerabilities_in_latest_image you can now configure the minimum severity at which the check raises a FAIL finding, using the ecr_repository_vulnerability_minimum_severity configuration value. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/
Try them with prowler aws and improve your security posture now! 🔒
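The new inline-policy check flags policies that hand a principal administrative privileges. As an added illustration (not Prowler's own implementation), the following Python evaluates a principal's inline policy documents against the usual definition of an administrative statement, which is an assumption here: Effect "Allow", an Action covering every API call ("*" or "*:*") and Resource "*".

```python
import json
from typing import Any

# Added illustration, not Prowler's own code. Assumes the usual definition of
# an administrative statement: Effect "Allow", an Action that covers every API
# call ("*" or "*:*") and Resource "*".


def _as_list(value: Any) -> list:
    """IAM lets Statement/Action/Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_admin(stmt: dict) -> bool:
    """True when one statement allows every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = [str(a).lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    return any(a in ("*", "*:*") for a in actions) and "*" in resources


def policy_grants_admin(policy_document: Any) -> bool:
    """Evaluate a whole policy document given as a dict or a JSON string."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    return any(statement_is_admin(s) for s in _as_list(policy_document.get("Statement")))


def find_admin_inline_policies(inline_policies: dict) -> list:
    """Return the names of a principal's inline policies that grant admin
    privileges, i.e. the ones that would make the check produce a FAIL."""
    return sorted(n for n, doc in inline_policies.items() if policy_grants_admin(doc))


# Constructed sample: three inline policies attached to one IAM user.
SAMPLE_INLINE_POLICIES = {
    "ReadOnlyBuckets": {"Statement": {"Effect": "Allow",
                                      "Action": ["s3:GetObject", "s3:ListBucket"],
                                      "Resource": "*"}},
    "FullAdmin": '{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}',
    "DenyAll": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

if __name__ == "__main__":
    print(find_admin_inline_policies(SAMPLE_INLINE_POLICIES))  # ['FullAdmin']
```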
🖌️ New CLI flag
- List all the checks in JSON format, ready to be consumed by the --checks-file flag. Try it with prowler aws --list-checks-json.
📖 Developer Guide
- We keep improving the Prowler documentation, especially the Developer Guide, to help our contributors. Check it at the following link: https://docs.prowler.cloud/en/latest/developer-guide/introduction/.
🧑‍🤝‍🧑 Two new Prowler contributors!
- Many thanks to @vysakh-devopspace and @gerardocampo for adding more checks and helping to keep Prowler improving!
What's Changed
Features
- feat(s3): Add S3 KMS encryption check by @singergs in #2757
- feat(ec2): New check ec2_instance_detailed_monitoring_enabled by @vysakh-devopspace in #2735
- feat(checks): dump all checks as a json file by @jchrisfarris in #2683
- feat(ecr_repositories_scan_vulnerabilities_in_latest_image): Minimum severity is configurable by @jfagoagas in #2736
- feat(iam): Check inline policies in IAM Users, Groups & Roles for admin priv's by @gerardocampo in #2750
- feat(compliance): Update AWS compliance frameworks after PR 2750 by @gerardocampo in #2771
- feat(athena): New AWS Athena service + 2 workgroup checks by @jfagoagas in #2696
Fixes
- fix(azure): Status extended ends with a dot by @jfagoagas in #2725
- fix(is_account_only_allowed_in_condition): Context name on conditions are case-insensitive by @christiandavilakoobin in #2726
- fix(gcp): Status extended ends with a dot by @jfagoagas in #2734
- fix(get_checks_from_input_arn): fix function and add tests by @n4ch04 in #2749
- fix(get_checks_from_input_arn): fix logic and add tests by @n4ch04 in #2764
- fix(get_regions_from_audit_resources): fix logic and add tests by @n4ch04 in #2766
- fix(nacls): Tests by @jfagoagas in #2760
- fix(iam_policy_allows_privilege_escalation): Handle admin permission so * by @jfagoagas in #2763
- fix(checks_to_execute): --checks and --resource_arn working together by @jfagoagas in #2743
- fix(ec2_securitygroup_default_restrict_traffic): fix check only allow empty rules by @n4ch04 in #2777
Chores
- chore(regions_update): Changes in regions for AWS services by @sergargar in #2733, #2737, #2741, #2744, #2748, #2759, #2767, #2773 and #2776
- chore(parser): Move provider logic to their folder by @jfagoagas in #2746
- chore(s3): Move lib to the AWS provider and include tests by @jfagoagas in #2664
Security
- fix(security): GitPython issue by @jfagoagas in #2720
Documentation
- docs(style): Add more details by @jfagoagas in #2724
- docs(testing): Mocking the service and the service client at the service client level by @jfagoagas in #2747
- docs(audit_config): How to use it by @jfagoagas in #2739
- docs: explain output formats by @jfagoagas in #2774
- docs: Include new config ecr_repository_vulnerability_minimum_severity by @jfagoagas in #2775
Dependencies
- build(deps-dev): bump vulture from 2.7 to 2.8 by @dependabot in #2727
- build(deps): bump mkdocs-material from 9.1.20 to 9.1.21 by @dependabot in #2728
- build(deps): bump google-api-python-client from 2.95.0 to 2.96.0 by @dependabot in #2729
- build(deps-dev): bump coverage from 7.2.7 to 7.3.0 by @dependabot in #2730
- build(deps): bump azure-identity from 1.13.0 to 1.14.0 by @dependabot in #2731
- build(deps): bump mkdocs-material from 9.1.21 to 9.2.1 by @dependabot in #2752
- build(deps): bump google-api-python-client from 2.96.0 to 2.97.0 by @dependabot in #2753
- build(deps-dev): bump pytest-randomly from 3.13.0 to 3.15.0 by @dependabot in #2755
- build(deps): bump azure-mgmt-storage from 21.0.0 to 21.1.0 by @dependabot in #2756
- build(deps): bump shodan from 1.29.1 to 1.30.0 by @dependabot in #2754
Tests
- test(python): Test with 3.9, 3.10, 3.11 by @jfagoagas in #2718
- test(coverage): Add Codecov by @jfagoagas in #2719
- test(s3): Mock S3Control when used by @jfagoagas in #2722
- fix(test-vpc): use the right import paths by @jfagoagas in #2732
- tests(check_security_group) by @jfagoagas in #2740
- chore(tests): Replace sure with standard assert by @jfagoagas in #2738
- test(vpc_endpoint_services_allowed_principals_trust_boundaries) by @jfagoagas in #2768
- fix(test): Update moto to 4.1.15 and update tests by @jfagoagas in #2769
New Contributors
- @vysakh-devopspace made their first contribution in #2735
- @gerardocampo made their first contribution in #2750
Full Changelog: 3.8.2...3.9.0