Prowler 4.3.0 - The Alchemist

I will return to this land
Rebuild where the ruins did stand
Chain of the demons set free
Strange alchemy

Prowler 4.3.0 - The Alchemist 🚀 brings a whole bunch of new checks, new features and fixes, also we offer you to listen to this Iron Maiden song.

Special thanks to our new engineers' contributions, @danibarranqueroo and @HugoPBrito, and to our new community contributors @sejimhp, @lshw54, @andoniaf, @shot4free, @jacky9813, @chaipot and @JOSHUAJEBARAJ 🥳

New features to highlight in this version

AWS

Prowler is improving its AWS coverage by including 24 new checks for DMS, DocumentDB, Elasticache, IAM, Neptune, NetworkFirewall and RDS. Special thanks to our external contributor @sansns for doing new checks 🙌

See all the new available checks with prowler aws --list-checks

• dms_instance_minor_version_upgrade_enabled
• dms_instance_multi_az_enabled
• dms_instance_no_public_access
• documentdb_cluster_backup_enabled
• documentdb_cluster_cloudwatch_log_export
• documentdb_cluster_deletion_protection
• elasticache_redis_cluster_backup_enabled
• elasticache_redis_cluster_in_transit_encryption_enabled
• elasticache_redis_cluster_multi_az_enabled
• elasticache_redis_cluster_rest_encryption_enabled
• iam_inline_policy_allows_privilege_escalation
• iam_inline_policy_no_full_access_to_cloudtrail
• iam_inline_policy_no_full_access_to_kms
• neptune_cluster_backup_enabled
• neptune_cluster_deletion_protection
• neptune_cluster_iam_authentication_enabled
• neptune_cluster_multi_az
• neptune_cluster_storage_encrypted
• networkfirewall_deletion_protection
• rds_cluster_backtrack_enabled
• rds_instance_default_admin
• rds_instance_event_subscription_security_groups
• rds_instance_iam_authentication_enabled
• rds_snapshots_encrypted

Also for AWS now you can make check eks_control_plane_logging_all_types_enabled configurable by @kagahd.

Azure

This release includes 8 new checks of security best practices for Azure App Functions thanks to the great work of @puchy22 🥇

See new available checks with prowler azure --list-checks --service app

• app_function_access_keys_configured
• app_function_app_insights_is_configured
• app_function_identity_without_admin_privileges
• app_function_identity_is_configured
• app_function_not_publicly_accessible
• app_function_runtime_is_the_latest
• app_function_vnet_integration_enabled
• app_function_ftps_deployment_disabled

GCP

• Service Account Impersonation supported!
  Instead of saving a credentials file or running Prowler inside a GCP workload, now you have the ability of impersonate a GCP Service Account using the argument --impersonate-service-account <service-account-email> and follow security best practices. See more information in our docs here.

🔧 Other issues and bug fixes solved for all the cloud providers

Features

• feat(app): Add new Azure functions checks by @puchy22 in #4189
• feat(AWS): make check eks_control_plane_logging_all_types_enabled configurable by @kagahd in #4553
• feat(DMS): Add Database Migration Service (DMS) by @sansns in #4249
• feat(DocumentDB): New DocumentDB checks by @sansns in #4247
• feat(Elasticache): Additional Elasticache checks by @sansns in #4317
• feat(GCP): add service account impersonation by @sergargar in #4291
• feat(IAM): Add inline policies checks and improve custom policy checks by @puchy22 in #4255
• feat(Neptune): Additional Neptune checks by @sansns in #4243
• feat(NetworkFirewall): Add Deletion Protection Check by @sansns in #4318
• feat(output): Add a setter for the file descriptor and include extension by @jfagoagas in #4468
• feat(RDS): Additional RDS checks by @sansns in #4233
• feat(RDS): Add security group event subscription check by @sansns in #4130

Fixes

• fix(autoscaling): Add exception manage while decoding UserData by @puchy22 in #4562
• fix(aws): Assume role for Gov Cloud by @jfagoagas in #4254
• fix(aws): aws check and metadata fixes by @mtronrd in #4251
• fix(aws): parallelize functions per resource by @sergargar in #4323
• fix(checks): ensure CheckID is correct in check's metadata by @sergargar in #4522
• fix(cis): add missing fields and reorder by @sergargar in #4424
• fix(codebuild): enhance service functions by @sergargar in #4319
• fix(compliance): check if custom check has compliance metadata by @sergargar in #4208
• fix(config/html): handle encoding issues and improve error handling in config and HTML file loading functions by @lshw54 in #4203
• fix(csv-outputs): compliance outputs not showing consistents values by @pedrooot in #4287
• fix(custom): execute custom checks by @sejimhp in #4202
• fix(custom_checks): workaround to fix execution by @jfagoagas in #4256
• fix(dashboard): fix styles in overview page by @pedrooot in #4204
• fix(docs): Rewrite dashboard docs by @pedrooot in #4327
• fix(docs): update deprecated command by @sergargar in #4401
• fix(entra): Change to correct service in entra_user_with_vm_access_has_mfa metadata by @puchy22 in #4454
• fix(gcp): false positive for iam_sa_no_administrative_privilege check by @JOSHUAJEBARAJ in #4500
• fix(gcp): Not all gcp projects have name by @jacky9813 in #4387
• fix(glue): add getters for connection attributes by @pedrooot in #4445
• fix(html): fix status from HTML outputs by @pedrooot in #4206
• fix(html): handle muted status to html outputs by @pedrooot in #4195
• fix(html): resolve html changing finding status by @pedrooot in #4199
• fix(iam_avoid_root_usage): change timestamp format by @pedrooot in #4446
• fix(inspector2): add more efficient way to check if any active findings by @sergargar in #4505
• fix(main): change module name by @pedrooot in #4477
• fix(organizations): Fix types errors related to policies and json.loads function by @puchy22 in #4554
• fix(rds): handle not existing endpoint by @sergargar in #4285
• fix(readme): update note syntax by @sergargar in #4250
• fix(s3): enhance threading in s3 service by @sergargar in #4530
• fix(s3): handle empty Action in bucket policy by @sergargar in #4328
• fix(s3): Send HTML also by @jfagoagas in #4240
• fix(ssm): add missing ResourceArn to SSM check by @sergargar in #4482
• fix(templates): solve broken GitHub issues templates by @sergargar in #4423
• fix(test-csv): fix test using tempfile by @pedrooot in #4356
• fix: Some minor fixes in several parts by @jfagoagas in #4237

Chores

• chore(acm): Improve near-expiration certificates check by @puchy22 in #4207
• chore(aws): add AWS Well-Architected output class by @sergargar in #4439
• chore(aws): handle new permissions by @pedrooot in #4289
• chore(cis): add CIS output class by @sergargar in #4400
• chore(cloudsql): Change default cases for CloudSQL checks and remaining tests by @puchy22 in #4537
• chore(CODEOWNERS): protect unauthorized changes by @jfagoagas in #4493
• chore(CODEOWNERS): update for sdk and checks by @jfagoagas in #4480
• chore(CODEOWNERS): update team by @jfagoagas in #4527
• chore(compliance): add manual requirements to compliance output by @sergargar in #4449
• chore(compliance): change compliance model names by @sergargar in #4466
• chore(compliance): simplify ComplianceOutput class by @sergargar in #4467
• chore(csv): add CSVOutput class by @pedrooot in #4315
• chore(csv): remove old CSV functions by @sergargar in #4469
• chore(dependabot): Run daily by @jfagoagas in #4334
• chore(dms): Change checks IDs to match with metadata by @puchy22 in #4520
• chore(docs): update checks reference link by @andoniaf in #4258
• chore(docs): update remediation of custom checks metadata by @chaipot in #4470
• chore(elasticache): enhance service and checks by @sergargar in #4329
• chore(ens): add ENS output class by @sergargar in #4435
• chore(GenericCompliance): add Generic Compliance class by @pedrooot in #4447
• chore(html): add HTML class by @sergargar in #4360
• chore(iam): improve iam user console access check by @puchy22 in #4211
• chore(iam): Improve status extended adding the resource type by @puchy22 in #4378
• chore(iam): Remove unnecesary attached policy in a inline policy by @puchy22 in #4359
• chore(iso27001): add ISO27001 output class by @sergargar in #4441
• chore(k8s): Add helm-chart by @shot4free in #4370
• chore(labeler): add outputs and integrations by @jfagoagas in #4422
• chore(mitre): add MITRE ATT&CK output class by @sergargar in #4425
• chore(mutelist): create new class to encapsulate the logic by @jfagoagas in #4413
• chore(network): Reduce network watchers azure check findings by @puchy22 in #4242
• chore(ocsf): add OCSF class for outputs by @pedrooot in #4355
• chore(output): review report function by @pedrooot in #4465
• chore(python): update vulnerable anyio library by @sergargar in #4322
• chore(readme): update checks number by @sergargar in #4290
• chore(s3): create class and refactor by @jfagoagas in #4457
• chore(s3): reduce false positive in s3 public check by @puchy22 in #4281
• chore(safety): update vulnerable library version by @sergargar in #4284
• chore(templates): update to remove titles by @jfagoagas in #4421
• chore(version): update Prowler version by @sergargar in #4201
• chore: rename test function in the HTML test class by @jfagoagas in #4395
• refactor(ASFF): create class by @jfagoagas in #4368
• refactor(SecurityHub): create class to handle integration by @jfagoagas in #4397

Docs

• docs(debugging): Improve actual VSCode debugging file by @puchy22 in #4279
• docs(requirements): Add management group for multiple subscriptions by @puchy22 in #4282
• docs(azure): Review actual roles necessary to execute Prowler by @puchy22 in #4501
• docs(developer): improve developers docs with Trufflehog and --no-verify by @pedrooot in #4502
• docs(developer-guide): How to fork the repo by @jfagoagas in #4238
• docs(gcp): Fix typo in title by @jfagoagas in #4434
• docs(kubernetes): add docs about kubernetes in tutorials page by @pedrooot in #4288
• docs(readme): add Prowler animation gif to README by @pedrooot in #4492
• docs(readme): update check number on readme by @pedrooot in #4377
• docs(readme): Update checks number by @pedrooot in #4197
• docs(readme): update dashboard screenshot in README by @pedrooot in #4479
• docs(readme): update README.md by @eltociear in #4483
• docs(services): Fixed changed links by @HugoPBrito in #4536

Tests

• chore(test): add missing acm imported certificate test by @sergargar in #4485
• chore(test): enhance OCSF tests by @pedrooot in #4386
• chore(tests): add for empty findings and little renamings by @jfagoagas in #4388
• chore(tests): Improve CloudTrail tests checking for multiregional trails by @jfagoagas in #4177
• test(cloudstorage): Add remaining GCP tests for CloudStorage checks by @danibarranqueroo in #4464
• test(compute): Add remaining tests for Compute service in GCP provider by @puchy22 in #4458
• test(gcp): Add bigquery and half of cloudsql check tests by @puchy22 in #4462
• test(gcp): Add remaining CloudSQL tests by @puchy22 in #4380
• test(gcp): Test GCP provider new auth and print credentials by @puchy22 in #4331
• test(iam): Add remaining GCP tests for IAM checks by @danibarranqueroo in #4519
• test(logging): Add remaining tests for Logging checks by @puchy22 in #4481

Dependencies

• chore(deps): bump azure-identity from 1.16.1 to 1.17.1 by @dependabot in #4300
• chore(deps): bump azure-mgmt-compute from 31.0.0 to 32.0.0 by @dependabot in #4541
• chore(deps): bump azure-mgmt-containerservice from 30.0.0 to 31.0.0 by @dependabot in #4513
• chore(deps): bump azure-mgmt-cosmosdb from 9.5.0 to 9.5.1 by @dependabot in #4298
• chore(deps): bump azure-mgmt-keyvault from 10.3.0 to 10.3.1 by @dependabot in #4474
• chore(deps): bump azure-mgmt-network from 25.4.0 to 26.0.0 by @dependabot in #4543
• chore(deps): bump azure-mgmt-storage from 21.1.0 to 21.2.0 by @dependabot in #4297
• chore(deps): bump azure-mgmt-storage from 21.2.0 to 21.2.1 by @dependabot in #4339
• chore(deps): bump azure-mgmt-web from 7.2.0 to 7.3.0 by @dependabot in #4301
• chore(deps): bump azure-storage-blob from 12.20.0 to 12.21.0 by @dependabot in #4490
• chore(deps): bump boto3 from 1.34.148 to 1.34.149 by @dependabot in #4556
• chore(deps): bump botocore from 1.34.148 to 1.34.149 by @dependabot in #4539
• chore(deps): bump certifi from 2024.2.2 to 2024.7.4 by @dependabot in #4392
• chore(deps): bump cryptography from 42.0.6 to 43.0.0 by @dependabot in #4512
• chore(deps): bump dash from 2.17.0 to 2.17.1 by @dependabot in #4272
• chore(deps): bump docker/build-push-action from 5 to 6 by @dependabot in #4260
• chore(deps): bump google-api-python-client from 2.137.0 to 2.138.0 by @dependabot in #4542
• chore(deps): bump jsonschema from 4.22.0 to 4.23.0 by @dependabot in #4402
• chore(deps): bump kubernetes from 29.0.0 to 30.1.0 by @dependabot in #4226
• chore(deps): bump msgraph-sdk from 1.4.0 to 1.5.2 by @dependabot in #4426
• chore(deps): bump msgraph-sdk from 1.5.2 to 1.5.3 by @dependabot in #4475
• chore(deps): bump numpy from 1.26.4 to 2.0.0 by @dependabot in #4275
• chore(deps): bump numpy from 2.0.0 to 2.0.1 by @dependabot in #4510
• chore(deps): bump setuptools from 69.5.1 to 70.0.0 by @dependabot in #4450
• chore(deps): bump slack-sdk from 3.30.0 to 3.31.0 by @dependabot in #4384
• chore(deps): bump trufflesecurity/trufflehog from 3.80.1 to 3.80.2 by @dependabot in #4557
• chore(deps): bump urllib3 from 1.26.18 to 1.26.19 by @dependabot in #4276
• chore(deps): bump zipp from 3.18.1 to 3.19.1 by @dependabot in #4414
• chore(deps): update cryptography to 42.0.6 by @pedrooot in #4499
• chore(deps-dev): bump authlib from 1.3.0 to 1.3.1 by @dependabot in #4213
• chore(deps-dev): bump bandit from 1.7.8 to 1.7.9 by @dependabot in #4271
• chore(deps-dev): bump coverage from 7.5.4 to 7.6.0 by @dependabot in #4438
• chore(deps-dev): bump flake8 from 7.0.0 to 7.1.0 by @dependabot in #4269
• chore(deps-dev): bump moto from 5.0.10 to 5.0.11 by @dependabot in #4404
• chore(deps-dev): bump pylint from 3.2.5 to 3.2.6 by @dependabot in #4509
• chore(deps-dev): bump pytest from 8.3.1 to 8.3.2 by @dependabot in #4540
• chore(deps-dev): bump safety from 3.2.0 to 3.2.3 by @dependabot in #4232
• chore(deps-dev): bump safety from 3.2.3 to 3.2.4 by @dependabot in #4385

New Contributors

• @sejimhp made their first contribution in #4202
• @lshw54 made their first contribution in #4203
• @andoniaf made their first contribution in #4258
• @shot4free made their first contribution in #4370
• @jacky9813 made their first contribution in #4387
• @chaipot made their first contribution in #4470
• @danibarranqueroo made their first contribution in #4464
• @HugoPBrito made their first contribution in #4536
• @JOSHUAJEBARAJ made their first contribution in #4500

Full Changelog: 4.2.4...4.3.0