Prowler 4.4.0 - Alexander the Great

Alexander the Great
His name struck fear into hearts of men
Alexander the Great
Became a legend 'mongst mortal men

Prowler 4.4.0 - Alexander the Great 🚀 is here, bringing a ton of new AWS checks and fixes! We also invite you to enjoy this Iron Maiden song.

A big shout-out to our engineers @danibarranqueroo, @MarioRgzLpz and @HugoPBrito for their fantastic work in developing new checks and to our new external contributors @abant07, @LefterisXefteris, @h4r5h1t, @Jude-Bae and @johannes-engler-mw for their PRs 🥳

New features to highlight in this version

AWS

🔐 Cover IAM non existing AWS actions/resources

Prowler now covers IAM scenarios where policies could have a non existing AWS actions in the NotAction statement allowing ALL actions in resources (same as non existing resources in NotResource) like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "NotAction": "prowler:action",
            "NotResource": "arn:aws:s3:::calculator"
        }
    ]
}

More info in LinkedIn post by @Chan9390 here.

🤔 How to Prevent AWS AI From Using Your Data

Recently, AWS may be using your data to train its AI models, and you may have unwittingly consented to it.
The new check organizations_opt_out_ai_services_policy ensure that you stop feeding AWS’s AI with your data.
You can see @QuinnyPig's helpful post about how to opt out here or using the AWS documentation.

🚀 More checks!

Prowler has expanded its AWS coverage with 74 new checks for ACM, CloudFront, CodeBuild, DMS, DocumentDB, DynamoDB, EC2, ECS, EKS, Elasticache, ELB, ELBv2, EKS, GuardDuty, IAM, KMS, Lambda, Neptune, Network Firewall, Organizations, RDS, S3, SageMaker and VPC.

See all the new available checks with prowler aws --list-checks

1. acm_certificates_with_secure_key_algorithms
2. awslambda_function_inside_vpc
3. awslambda_function_vpc_multi_az
4. cloudfront_distributions_custom_ssl_certificate
5. cloudfront_distributions_default_root_object
6. cloudfront_distributions_https_sni_enabled
7. cloudfront_distributions_multiple_origin_failover_configured
8. cloudfront_distributions_origin_traffic_encrypted
9. cloudfront_distributions_s3_origin_access_control
10. cloudfront_distributions_s3_origin_non_existent_bucket
11. codebuild_project_no_secrets_in_variables
12. codebuild_project_source_repo_url_no_sensitive_credentials
13. dms_endpoint_ssl_enabled
14. documentdb_cluster_public_snapshot
15. dynamodb_accelerator_cluster_in_transit_encryption_enabled
16. dynamodb_table_deletion_protection_enabled
17. dynamodb_table_protected_by_backup_plan
18. ec2_client_vpn_endpoint_connection_logging_enabled
19. ec2_ebs_volume_protected_by_backup_plan
20. ec2_instance_paravirtual_type
21. ec2_instance_uses_single_eni
22. ec2_launch_template_no_public_ip
23. ec2_networkacl_unused
24. ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
25. ec2_transitgateway_auto_accept_vpc_attachments
26. ecr_repositories_tag_immutability
27. ecs_service_no_assign_public_ip
28. ecs_task_definitions_containers_readonly_access
29. ecs_task_definitions_host_namespace_not_shared
30. ecs_task_definitions_host_networking_mode_users
31. ecs_task_definitions_logging_enabled
32. ecs_task_definitions_no_privileged_containers
33. eks_cluster_uses_a_supported_version
34. elasticache_redis_cluster_automatic_failover_enabled
35. elasticache_redis_cluster_auto_minor_version_upgrades
36. elasticache_redis_replication_group_auth_enabled
37. elbv2_is_in_multiple_az
38. elb_connection_draining_enabled
39. elb_cross_zone_load_balancing_enabled
40. elb_is_in_multiple_az
41. guardduty_rds_protection_enabled
42. guardduty_s3_protection_enabled
43. iam_group_administrator_access_policy
44. iam_user_administrator_access_policy
45. kms_cmk_not_deleted_unintentionally
46. neptune_cluster_copy_tags_to_snapshots
47. neptune_cluster_integration_cloudwatch_logs
48. neptune_cluster_public_snapshot
49. neptune_cluster_snapshot_encrypted
50. networkfirewall_policy_rule_group_associated
51. organizations_opt_out_ai_services_policy
52. rds_cluster_copy_tags_to_snapshots
53. rds_cluster_critical_event_subscription
54. rds_cluster_default_admin
55. rds_cluster_deletion_protection
56. rds_cluster_iam_authentication_enabled
57. rds_cluster_integration_cloudwatch_logs
58. rds_cluster_minor_version_upgrade_enabled
59. rds_cluster_multi_az
60. rds_cluster_non_default_port
61. rds_cluster_storage_encrypted
62. rds_instance_copy_tags_to_snapshots
63. rds_instance_critical_event_subscription
64. rds_instance_event_subscription_parameter_groups
65. rds_instance_inside_vpc
66. rds_instance_non_default_port
67. rds_instance_protected_by_backup_plan
68. s3_access_point_public_access_block
69. s3_bucket_cross_account_access
70. s3_bucket_cross_region_replication
71. s3_bucket_lifecycle_enabled
72. sagemaker_endpoint_config_prod_variant_instances
73. vpc_endpoint_for_ec2_enabled
74. vpc_vpn_connection_tunnels_up

📜 KISA ISMS-P AWS compliance framework added

Prowler now supports one of Korea’s key security compliance frameworks, the Personal Information & Information Security Management System (ISMS-P) from the Korea Internet & Security Agency (KISA) thanks to @Jude-Bae !

Azure

🆕 Azure Container Registries now supported!

@johannes-engler-mw added a new check containerregistry_admin_user_disabled for verifying if the admin user is disabled for Azure Container Registries.

You can try it with prowler azure -c containerregistry_admin_user_disabled

🔧 Other issues and bug fixes solved for all the cloud providers

Features

• feat(acm): Add new check for insecure algorithms in certificates by @MarioRgzLpz in #4551
• feat(aws): Add a test_connection method by @jfagoagas in #4563
• feat(aws): add custom exceptions class by @pedrooot in #4847
• feat(aws): Add new check to ensure Aurora MySQL DB Clusters publish audit logs to CloudWatch logs by @danibarranqueroo in #4916
• feat(aws): Add new check to ensure RDS DB clusters are encrypted at rest by @danibarranqueroo in #4931
• feat(aws): Add new check to ensure RDS db clusters copy tags to snapshots by @danibarranqueroo in #4846
• feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical cluster events by @danibarranqueroo in #4887
• feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database instance events by @danibarranqueroo in #4891
• feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database parameter group events by @danibarranqueroo in #4907
• feat(aws): Add new check to ensure RDS instances are not using default database engine ports by @danibarranqueroo in #4973
• feat(aws): Add new check opensearch_service_domains_access_control_enabled by @abant07 in #5203
• feat(aws): add new check organizations_opt_out_ai_services_policy by @sergargar in #5152
• feat(aws): Add new CodeBuild check to validate environment variables by @danibarranqueroo in #4632
• feat(aws): Add new KMS check to prevent unintentional key deletion by @danibarranqueroo in #4595
• feat(aws): Add new Neptune check for cluster snapshot visibility by @danibarranqueroo in #4709
• feat(aws): Add new RDS check for deletion protection enabled on clusters by @danibarranqueroo in #4738
• feat(aws): Add new RDS check to ensure db clusters are configured for multiple availability zones by @danibarranqueroo in #4781
• feat(aws): Add new RDS check to ensure db instances are protected by a backup plan by @danibarranqueroo in #4879
• feat(aws): Add new RDS check to verify that cluster minor version upgrade is enabled by @danibarranqueroo in #4725
• feat(aws): Add new RDS check to verify that db instances copy tags to snapshots by @danibarranqueroo in #4806
• feat(aws): Add new S3 check for public access block configuration in access points by @HugoPBrito in #4608
• feat(aws): add tags to Global Accelerator by @puchy22 in #5233
• feat(aws): Split the checks that mix RDS Instances and Clusters by @danibarranqueroo in #4730
• feat(aws) Add check to make sure EKS clusters have a supported version by @abant07 in https://github.com/prowler-cloud/prow...

Prowler 4.3.7 - The Alchemist

What's Changed

Fixes

• fix(action): solve pypi-release action by @sergargar in #5134
• fix(regions): show all for empty regions by @pedrooot in #5143
• fix(iam): fill resource id with inline policy entity by @prowler-bot in #5147

Full Changelog: 4.3.6...4.3.7

Prowler 4.3.6 - The Alchemist

What's Changed

Fixes

• fix(asff): include status extended in ASFF output by @prowler-bot in #5116
• fix(audit): solve resources audit by @prowler-bot in #4988
• fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4950
• fix(aws): enchance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4862
• fix(aws): handle AWS key-only tags by @github-actions in #4854
• fix(aws): make intersection to retrieve checks to execute by @prowler-bot in #4974
• fix(gcp): solve errors in GCP services by @prowler-bot in #5124
• fix(gcp): add default project for org level checks by @prowler-bot in #5132
• fix(iam-gcp): add getters in iam_service for gcp by @prowler-bot in #5001
• fix(lightsail): Remove second call to is_resource_filtered by @prowler-bot in #5125
• fix(main): logic for resource_tag and resource_arn usage by @prowler-bot in #4982
• fix(metadata): change description from documentdb_cluster_deletion_protection by @prowler-bot in #4913
• fix(rds): Modify RDS Event Notification Subscriptions for Security Groups Events check by @prowler-bot in #4977
• fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4953
• fix(vpc): check all routes tables in subnet by @prowler-bot in #5122

Chores

• chore(aws): Remove token from log line by @prowler-bot in #4905
• chore(aws_mutelist): Add more Control Tower resources and tests by @prowler-bot in #4902
• chore(ssm): add trusted accounts variable to ssm check by @prowler-bot in #5118

Full Changelog: 4.3.5...4.3.6

Prowler 3.16.17 - Back in the Village

What's Changed

Fixes

• fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4949
• fix(aws): enchance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4861
• fix(ec2): Manage UnicodeDecodeError when reading user data by @github-actions in #4788
• fix(gcp): solve errors in GCP services by @prowler-bot in #5123
• fix(inspector2): Ensure Inspector2 is enabled for ECR, EC2, Lambda and Lambda Code by @prowler-bot in #5066
• fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4952
• fix(v3): remove not supported checks by @sergargar in #5126
• fix(vpc): check all routes tables in subnet by @prowler-bot in #5121

Chores

• chore(aws): match all AWS resource types with SecurityHub supported types in metadata by @prowler-bot in #5064
• chore(aws): Remove token from log line by @jfagoagas in #4904
• chore(awslambda): Enhance function public access check called from other resource by @github-actions in #4793
• chore(azure): Fix CIS 2.1 mapping by @github-actions in #4780
• chore(docs): change ResourceType link of Security Hub by @prowler-bot in #5096
• chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5083
• chore(ssm): add trusted accounts variable to ssm check by @prowler-bot in #5117
• chore(test): improve iam_root_hardware_mfa_enabled tests by @github-actions in #4834
• chore(version): update version logic in Prowler by @github-actions in #4776

Dependencies

• chore(dependencies): update boto3 and botocore packages by @prowler-bot in #4986
• chore(deps): bump azure-identity from 1.17.1 to 1.18.0 by @dependabot in #5105
• chore(deps): bump azure-mgmt-compute from 32.0.0 to 33.0.0 by @dependabot in #4858
• chore(deps): bump azure-mgmt-containerservice from 31.0.0 to 32.0.0 by @dependabot in #5040
• chore(deps): bump azure-mgmt-cosmosdb from 9.5.1 to 9.6.0 by @dependabot in #5103
• chore(deps): bump azure-mgmt-web from 7.3.0 to 7.3.1 by @dependabot in #4810
• chore(deps): bump azure-storage-blob from 12.22.0 to 12.23.0 by @dependabot in #5078
• chore(deps): bump boto3 from 1.35.21 to 1.35.23 by @dependabot in #5114
• chore(deps): bump botocore from 1.35.22 to 1.35.23 by @dependabot in #5101
• chore(deps): bump google-api-python-client from 2.145.0 to 2.146.0 by @dependabot in #5079
• chore(deps): bump msgraph-sdk from 1.7.0 to 1.8.0 by @dependabot in #5102
• chore(deps): bump peter-evans/create-pull-request from 6 to 7 by @dependabot in #4924
• chore(deps): bump pydantic from 1.10.17 to 1.10.18 by @dependabot in #4857
• chore(deps): bump pytz from 2024.1 to 2024.2 by @dependabot in #5006
• chore(deps): bump setuptools from 74.1.2 to 75.1.0 by @dependabot in #5054
• chore(deps): bump slack-sdk from 3.33.0 to 3.33.1 by @dependabot in #5104
• chore(deps): bump tj-actions/changed-files from 44 to 45 by @dependabot in #4823
• chore(deps): bump trufflesecurity/trufflehog from 3.82.1 to 3.82.2 by @dependabot in #5051
• chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.8 to 1.2.9 by @dependabot in #5020
• chore(deps-dev): bump moto from 5.0.13 to 5.0.14 by @dependabot in #4963
• chore(deps-dev): bump pylint from 3.2.6 to 3.2.7 by @dependabot in #4919
• chore(deps-dev): bump pytest-env from 1.1.4 to 1.1.5 by @dependabot in #5092
• chore(deps-dev): bump pytest from 8.3.2 to 8.3.3 by @dependabot in #4994
• chore(deps-dev): bump safety from 3.2.6 to 3.2.7 by @dependabot in #4897
• chore(deps-dev): bump vulture from 2.11 to 2.12 by @dependabot in #5075

Full Changelog: 3.16.16...3.16.17

Prowler 4.3.5 - The Alchemist [HOTFIX]

What's Changed

Hotfix

• fix: handle empty input regions by @github-actions in #4842

Full Changelog: 4.3.4...4.3.5

Prowler 4.3.4 - The Alchemist [YANKED]

What's Changed

Fixes

• fix(aws): enhance resource arn filtering by @github-actions in #4837
• fix(aws): run Prowler as IAM Root or Federated User by @github-actions in #4773
• fix(ec2): Manage UnicodeDecodeError when reading user data by @github-actions in #4789
• fix(ecr): change log level of non-scanned images by @github-actions in #4769
• fix(ecr): handle non-existing findingSeverityCounts key by @github-actions in #4767
• fix(iam): handle no arn serial numbers for MFA devices by @github-actions in #4711
• fix(iam): update logic of Root Hardware MFA check by @github-actions in #4775
• fix(mutelist): change logic for tags in aws mutelist by @github-actions in #4803
• fix(outputs): refactor unroll_tags to use str as tags by @github-actions in #4819
• fix(version): update version flag logic by @github-actions in #4771

Chores

• chore(awslambda): Enhance function public access check called from other resource by @github-actions in #4794
• chore(azure): fix CIS 2.1 mapping by @github-actions in #4792
• chore(test): improve iam_root_hardware_mfa_enabled tests by @github-actions in #4835

Full Changelog: 4.3.3...4.3.4

Prowler 3.16.16 - Back in the Village

What's Changed

Fixes

• fix(ecr): handle non-existing findingSeverityCounts key by @github-actions in #4766
• fix(ecr): change log level of non-scanned images by @github-actions in #4768
• fix(aws): run Prowler as IAM Root or Federated User by @github-actions in #4772
• fix(iam): update logic of Root Hardware MFA check by @github-actions in #4774

Chores

• chore(deps): bump google-api-python-client from 2.140.0 to 2.141.0 by @dependabot in #4749
• chore(deps): bump trufflesecurity/trufflehog from 3.81.8 to 3.81.9 by @dependabot in #4755
• chore(deps): bump botocore from 1.34.160 to 1.34.162 by @dependabot in #4757
• chore(regions_update): Changes in regions for AWS services. by @github-actions in #4770

Full Changelog: 3.16.15...3.16.16

Prowler 3.16.15 - Back in the Village

What's Changed

Fixes

• fix(autoscaling): Add exception manage while decoding UserData by @github-actions in #4675
• fix(aws): only check artifacts that can be scanned for vulnerabilities by ecr_repositories_scan_vulnerabilities_in_latest_image by @github-actions in #4677
• fix(ecs): use threads for describing task definitions by @sergargar in #4733
• fix(iam): handle no arn serial numbers for MFA devices by @github-actions in #4710
• fix(sns): add condition to sns topics (#4498) backport for v3 by @github-actions
• fix(test): solve VPC import in tests by @github-actions in #4674

Dependencies

• chore(deps): bump azure-storage-blob from 12.21.0 to 12.22.0 by @dependabot in #4660
• chore(deps): bump boto3 from 1.34.158 to 1.34.160 by @dependabot in #4743
• chore(deps): bump botocore from 1.34.159 to 1.34.160 by @dependabot in #4736
• chore(deps): bump google-api-python-client from 2.139.0 to 2.140.0 by @dependabot in #4658
• chore(deps): bump msgraph-sdk from 1.5.3 to 1.5.4 by @dependabot in #4623
• chore(deps): bump trufflesecurity/trufflehog from 3.81.7 to 3.81.8 by @dependabot in #4718
• chore(deps): Update certifi version by @pedrooot in #4708
• chore(deps-dev): bump black from 24.4.2 to 24.8.0 by @dependabot in #4624
• chore(deps-dev): bump coverage from 7.6.0 to 7.6.1 by @dependabot in #4646
• chore(deps-dev): bump flake8 from 7.1.0 to 7.1.1 by @dependabot in #4649
• chore(deps-dev): bump moto from 5.0.11 to 5.0.12 by @dependabot in #4648
• chore(deps-dev): bump safety from 3.2.4 to 3.2.5 by @dependabot in #4716

Full Changelog: 3.16.14...3.16.15

Prowler 4.3.3 - The Alchemist

What's Changed

Fixes

• fix(tags): handle AWS dictionary type tags by @github-actions in #4685

Chores

• chore(actions): Run for v4.* branch by @github-actions in #4683
• chore(version): update Prowler version by @sergargar in #4639
• chore(version): update version logic in Prowler for v4.3 by @sergargar in #4680
• chore(version): update version logic in Prowler by @github-actions in #4689

Full Changelog: 4.3.2...4.3.3

Prowler 4.3.2 - The Alchemist

What's Changed

Fixes

• fix(mutelist): Fix tags match by @jfagoagas in #4606
• fix(sns): add condition to sns topics by @pedrooot in #4498
• fix(gcp): use KMS key id in checks by @sergargar in #4610
• fix(gcp): check next rotation time in KMS keys by @pedrooot in #4633
• fix(gcp): check cloudsql sslMode by @pedrooot in #4635

Refactor

• refactor(tags): convert tags to a dictionary by @sergargar in #4598
• refactor(mutelist): Remove re.match and improve docs by @jfagoagas in #4637

Full Changelog: 4.3.1...4.3.2