Prowler 4.3.1 - The Alchemist

Fixes

• fix(autoscaling): change unexpected exception to error severity logger by @puchy22 in #4569
• fix(aws): Pass backup retention check if retention period is equal to minimum by @cetteup in #4593
• fix(typo): fix typo on PR template by @pedrooot in #4596
• fix(aws): only check artifacts that can be scanned for vulnerabilities by ecr_repositories_scan_vulnerabilities_in_latest_image by @kagahd in #4507
• fix(status): Recover status filtering by @jfagoagas in #4572

Chores

• chore(pr-template): Add Checklist by @jfagoagas in #4586
• chore(permissions): add missing ec2 permission by @sergargar in #4577
• chore(regions_update): Changes in regions for AWS services. by @jfagoagas in #4592

Tests

• test(GCP): Add remaining GCP tests for KMS checks by @danibarranqueroo in #4550
• fix(test): solve VPC import in tests by @sergargar in #4574

Dependencies

• chore(deps): bump botocore from 1.34.149 to 1.34.150 by @dependabot in #4567
• chore(deps): bump botocore from 1.34.150 to 1.34.151 by @dependabot in #4578
• chore(deps): bump google-api-python-client from 2.138.0 to 2.139.0 by @dependabot in #4579
• chore(deps): bump trufflesecurity/trufflehog from 3.80.2 to 3.80.3 by @dependabot in #4581
• chore(deps): bump boto3 from 1.34.149 to 1.34.151 by @dependabot in #4587
• chore(deps): bump trufflesecurity/trufflehog from 3.80.3 to 3.80.4 by @dependabot in #4601

New Contributors

• @cetteup made their first contribution in #4593

Full Changelog: 4.3.0...4.3.1

Prowler 4.3.0 - The Alchemist

I will return to this land
Rebuild where the ruins did stand
Chain of the demons set free
Strange alchemy

Prowler 4.3.0 - The Alchemist 🚀 brings a whole bunch of new checks, new features and fixes, also we offer you to listen to this Iron Maiden song.

Special thanks to our new engineers' contributions, @danibarranqueroo and @HugoPBrito, and to our new community contributors @sejimhp, @lshw54, @andoniaf, @shot4free, @jacky9813, @chaipot and @JOSHUAJEBARAJ 🥳

New features to highlight in this version

AWS

Prowler is improving its AWS coverage by including 24 new checks for DMS, DocumentDB, Elasticache, IAM, Neptune, NetworkFirewall and RDS. Special thanks to our external contributor @sansns for doing new checks 🙌

See all the new available checks with prowler aws --list-checks

• dms_instance_minor_version_upgrade_enabled
• dms_instance_multi_az_enabled
• dms_instance_no_public_access
• documentdb_cluster_backup_enabled
• documentdb_cluster_cloudwatch_log_export
• documentdb_cluster_deletion_protection
• elasticache_redis_cluster_backup_enabled
• elasticache_redis_cluster_in_transit_encryption_enabled
• elasticache_redis_cluster_multi_az_enabled
• elasticache_redis_cluster_rest_encryption_enabled
• iam_inline_policy_allows_privilege_escalation
• iam_inline_policy_no_full_access_to_cloudtrail
• iam_inline_policy_no_full_access_to_kms
• neptune_cluster_backup_enabled
• neptune_cluster_deletion_protection
• neptune_cluster_iam_authentication_enabled
• neptune_cluster_multi_az
• neptune_cluster_storage_encrypted
• networkfirewall_deletion_protection
• rds_cluster_backtrack_enabled
• rds_instance_default_admin
• rds_instance_event_subscription_security_groups
• rds_instance_iam_authentication_enabled
• rds_snapshots_encrypted

Also for AWS now you can make check eks_control_plane_logging_all_types_enabled configurable by @kagahd.

Azure

This release includes 8 new checks of security best practices for Azure App Functions thanks to the great work of @puchy22 🥇

See new available checks with prowler azure --list-checks --service app

• app_function_access_keys_configured
• app_function_app_insights_is_configured
• app_function_identity_without_admin_privileges
• app_function_identity_is_configured
• app_function_not_publicly_accessible
• app_function_runtime_is_the_latest
• app_function_vnet_integration_enabled
• app_function_ftps_deployment_disabled

GCP

• Service Account Impersonation supported!
  Instead of saving a credentials file or running Prowler inside a GCP workload, now you have the ability of impersonate a GCP Service Account using the argument --impersonate-service-account <service-account-email> and follow security best practices. See more information in our docs here.

🔧 Other issues and bug fixes solved for all the cloud providers

Features

• feat(app): Add new Azure functions checks by @puchy22 in #4189
• feat(AWS): make check eks_control_plane_logging_all_types_enabled configurable by @kagahd in #4553
• feat(DMS): Add Database Migration Service (DMS) by @sansns in #4249
• feat(DocumentDB): New DocumentDB checks by @sansns in #4247
• feat(Elasticache): Additional Elasticache checks by @sansns in #4317
• feat(GCP): add service account impersonation by @sergargar in #4291
• feat(IAM): Add inline policies checks and improve custom policy checks by @puchy22 in #4255
• feat(Neptune): Additional Neptune checks by @sansns in #4243
• feat(NetworkFirewall): Add Deletion Protection Check by @sansns in #4318
• feat(output): Add a setter for the file descriptor and include extension by @jfagoagas in #4468
• feat(RDS): Additional RDS checks by @sansns in #4233
• feat(RDS): Add security group event subscription check by @sansns in #4130

Fixes

• fix(autoscaling): Add exception manage while decoding UserData by @puchy22 in #4562
• fix(aws): Assume role for Gov Cloud by @jfagoagas in #4254
• fix(aws): aws check and metadata fixes by @mtronrd in #4251
• fix(aws): parallelize functions per resource by @sergargar in #4323
• fix(checks): ensure CheckID is correct in check's metadata by @sergargar in #4522
• fix(cis): add missing fields and reorder by @sergargar in #4424
• fix(codebuild): enhance service functions by @sergargar in #4319
• fix(compliance): check if custom check has compliance metadata by @sergargar in #4208
• fix(config/html): handle encoding issues and improve error handling in config and HTML file loading functions by @lshw54 in #4203
• fix(csv-outputs): compliance outputs not showing consistents values by @pedrooot in #4287
• fix(custom): execute custom checks by @sejimhp in #4202
• fix(custom_checks): workaround to fix execution by @jfagoagas in #4256
• fix(dashboard): fix styles in overview page by @pedrooot in #4204
• fix(docs): Rewrite dashboard docs by @pedrooot in #4327
• fix(docs): update deprecated command by @sergargar in #4401
• fix(entra): Change to correct service in entra_user_with_vm_access_has_mfa metadata by @puchy22 in #4454
• fix(gcp): false positive for iam_sa_no_administrative_privilege check by @JOSHUAJEBARAJ in #4500
• fix(gcp): Not all gcp projects have name by @jacky9813 in #4387
• fix(glue): add getters for connection attributes by @pedrooot in #4445
• fix(html): fix status from HTML outputs by @pedrooot in #4206
• fix(html): handle muted status to html outputs by @pedrooot in #4195
• fix(html): resolve html changing finding status by @pedrooot in #4199
• fix(iam_avoid_root_usage): change timestamp format by @pedrooot in #4446
• fix(inspector2): add more efficient way to check if any active findings by @sergargar in #4505
• fix(main): change module name by @pedrooot in #4477
• fix(organizations): Fix types errors related to policies and json.loads function by @puchy22 in #4554
• fix(rds): handle not existing endpoint by @sergargar in #4285
• fix(readme): update note syntax by @sergargar in #4250
• fix(s3): enhance threading in s3 service by @sergargar in #4530
• fix(s3): handle empty Action in bucket policy by @sergargar in #4328
• fix(s3): Send HTML also by @jfagoagas in #4240
• fix(ssm): add missing ResourceArn to SSM check by @sergargar in #4482
• fix(templates): solve broken GitHub issues templates by @sergargar in #4423
• fix(test-csv): fix test using tempfile by @pedrooot in #4356
• fix: Some minor fixes in several parts by @jfagoagas in #4237

Chores

• chore(acm): Improve near-expiration certificates check by @puchy22 in #4207
• chore(aws): add AWS Well-Architected output class by @sergargar in #4439
• chore(aws): handle new permissions by @pedrooot in #4289
• chore(cis): add CIS output class by @sergargar in #4400
• chore(cloudsql): Change default cases for CloudSQL checks and remaining tests by @puchy22 in #4537
• chore(CODEOWNERS): protect unauthorized changes by @jfagoagas in #4493
• chore(CODEOWNERS): update for sdk and checks by @jfagoagas in #4480
• chore(CODEOWNERS): update team by @jfagoagas in #4527
• chore(compliance): add manual requirements to compliance output by @sergargar in #4449
• chore(compliance): change compliance model names by @sergargar...

Prowler 3.16.14 - Back in the Village

What's Changed

Chores

• chore(CODEOWNERS): update team by @jfagoagas in #4528
• chore(backport): update v3 with latest changes by @sergargar in #4555
  • fix(s3): enhance threading in s3 service (#4530)
  • chore(regions_update): Changes in regions for AWS services. (#4552)
  • fix(organizations): Fix types errors related to policies and json.loads function (#4554)

Dependencies

• chore(deps-dev): bump pylint from 3.2.5 to 3.2.6 by @dependabot in #4516
• chore(deps-dev): bump pytest from 8.2.2 to 8.3.1 by @dependabot in #4518
• chore(deps): bump boto3 from 1.34.144 to 1.34.145 by @dependabot in #4517
• chore(deps): bump botocore from 1.34.145 to 1.34.146 by @dependabot in #4514
• chore(deps): bump boto3 from 1.34.145 to 1.34.146 by @dependabot in #4523
• chore(deps): bump botocore from 1.34.146 to 1.34.147 by @dependabot in #4524
• chore(deps): bump azure-mgmt-containerservice from 30.0.0 to 31.0.0 by @dependabot in #4515
• chore(deps): bump botocore from 1.34.147 to 1.34.148 by @dependabot in #4533
• chore(deps): bump boto3 from 1.34.146 to 1.34.148 by @dependabot in #4535
• chore(deps): bump botocore from 1.34.148 to 1.34.149 by @dependabot in #4548
• chore(deps): bump google-api-python-client from 2.137.0 to 2.138.0 by @dependabot in #4544
• chore(deps): bump azure-mgmt-compute from 31.0.0 to 32.0.0 by @dependabot in #4547
• chore(deps-dev): bump pytest from 8.3.1 to 8.3.2 by @dependabot in #4546
• chore(deps): bump azure-mgmt-network from 25.4.0 to 26.0.0 by @dependabot in #4545

Full Changelog: 3.16.13...3.16.14

Prowler 3.16.13 - Back in the Village

What's Changed

Fixes

• fix(inspector2): add more efficient way to check if any active findings by @sergargar in https://github.com/prowler-cloud/prowler/pull/4495
• fix(network): solve network client locations KeyError by @puchy22 in #4456

Chores

• chore(dependencies): update vulnerable dependencies by @sergargar in #4496
• chore(deps): bump azure-mgmt-keyvault from 10.3.0 to 10.3.1 by @dependabot in #4472
• chore(deps): bump azure-storage-blob from 12.20.0 to 12.21.0 by @dependabot in #4487
• chore(deps): bump botocore from 1.34.144 to 1.34.145 by @dependabot in #4488
• chore(deps): bump msgraph-sdk from 1.5.2 to 1.5.3 by @dependabot in #4473
• chore(deps): bump trufflesecurity/trufflehog from 3.79.0 to 3.80.0 by @dependabot in #4476
• chore(deps): bump trufflesecurity/trufflehog from 3.80.0 to 3.80.1 by @dependabot in #4489
• chore(release): update v3 with latest changes by @sergargar in #4504
  • fix(ssm): add missing ResourceArn to SSM check (#4482)
  • chore(regions_update): Changes in regions for AWS services. (#4478)
  • chore(regions_update): Changes in regions for AWS services. (#4463)

Full Changelog: 3.16.12...3.16.13

Prowler 3.16.12 - Back in the Village

What's Changed

Chores

• chore(v3): update latest changes from v4 by @sergargar in #4459
  • fix(glue): add getters for connection attributes (#4445)
  • fix(iam_avoid_root_usage): change timestamp format (#4446)
  • fix(entra): Change to correct service in entra_user_with_vm_access_has_mfa metadata (#4454)

Dependencies

• chore(deps): bump boto3 from 1.34.143 to 1.34.144 by @dependabot in #4452
• chore(deps): bump botocore from 1.34.143 to 1.34.144 by @dependabot in #4443
• chore(deps): bump google-api-python-client from 2.136.0 to 2.137.0 by @dependabot in #4418
• chore(deps): bump jsonschema from 4.22.0 to 4.23.0 by @dependabot in #4406
• chore(deps): bump msgraph-sdk from 1.4.0 to 1.5.2 by @dependabot in #4430
• chore(deps): bump slack-sdk from 3.30.0 to 3.31.0 by @dependabot in #4381
• chore(deps-dev): bump coverage from 7.5.4 to 7.6.0 by @dependabot in #4436
• chore(deps-dev): bump moto from 5.0.10 to 5.0.11 by @dependabot in #4408
• chore(deps-dev): bump safety from 3.2.3 to 3.2.4 by @dependabot in #4382

Full Changelog: 3.16.11...3.16.12

Prowler 3.16.11 - Back in the Village

What's Changed

• chore(deps): bump google-api-python-client from 2.135.0 to 2.136.0 by @dependabot in #4365
• chore(deps): bump botocore from 1.34.138 to 1.34.139 by @dependabot in #4374
• chore(deps): bump boto3 from 1.34.137 to 1.34.139 by @dependabot in #4376
• chore(acm): add ignore unused services feature by @sergargar in #4371

Full Changelog: 3.16.10...3.16.11

Prowler 3.16.10 - Back in the Village

What's Changed

Chores

• chore(v3): include latest v4 changes by @sergargar in #4350
  • chore(acm): Improve near-expiration certificates check (#4207)
  • chore(network): Reduce network watchers azure check findings (#4242)
  • fix(aws): aws check and metadata fixes (#4251)
  • chore(s3): reduce false positive in s3 public check (#4281)
  • fix(rds): handle not existing endpoint (#4285)
  • fix(csv-outputs): compliance outputs not showing consistents values (#4287)
  • fix(codebuild): enhance service functions (#4319)
  • fix(aws): parallelize functions per resource (#4323)
  • fix(s3): handle empty Action in bucket policy (#4328)

Dependencies

• chore(deps): bump azure-identity from 1.16.1 to 1.17.1 by @dependabot in #4312
• chore(deps): bump azure-mgmt-cosmosdb from 9.5.0 to 9.5.1 by @dependabot in #4306
• chore(deps): bump azure-mgmt-storage from 21.2.0 to 21.2.1 by @dependabot in #4340
• chore(deps): bump azure-mgmt-web from 7.2.0 to 7.3.0 by @dependabot in #4304
• chore(deps): bump boto3 from 1.34.132 to 1.34.136 by @dependabot in #4354
• chore(deps): bump botocore from 1.34.136 to 1.34.137 by @dependabot in #4353
• chore(deps): bump docker/build-push-action from 5 to 6 by @dependabot in #4262
• chore(deps): bump google-api-python-client from 2.134.0 to 2.135.0 by @dependabot in #4338
• chore(deps): bump pydantic from 1.10.16 to 1.10.17 by @dependabot in #4307
• chore(deps): bump requests from 2.32.2 to 2.32.3 by @dependabot in #4341
• chore(deps): bump slack-sdk from 3.29.0 to 3.30.0 by @dependabot in #4309
• chore(deps): bump trufflesecurity/trufflehog from 3.78.2 to 3.79.0 by @dependabot in #4336
• chore(deps): Upgrade requests to 2.32.2 by @jfagoagas in #4314
• chore(deps-dev): bump bandit from 1.7.8 to 1.7.9 by @dependabot in #4268
• chore(deps-dev): bump coverage from 7.5.3 to 7.5.4 by @dependabot in #4302
• chore(deps-dev): bump flake8 from 7.0.0 to 7.1.0 by @dependabot in #4267
• chore(deps-dev): bump moto from 5.0.9 to 5.0.10 by @dependabot in #4346
• chore(deps-dev): bump pylint from 3.2.3 to 3.2.5 by @dependabot in #4348
• chore(deps-dev): bump pytest from 8.2.1 to 8.2.2 by @dependabot in #4216
• chore(deps-dev): bump safety from 3.2.0 to 3.2.3 by @dependabot in #4221
• chore(python): update vulnerable anyio library by @jfagoagas in #4349

Full Changelog: 3.16.9...3.16.10

Prowler 4.2.4 - 2 Minutes to Midnight

What's Changed

Fixes

• fix(compliance): check if custom check has compliance metadata by @sergargar in #4208
• fix(encoding): handle encoding issues and improve error handling in config and HTML file loading functions by @lshw54 in #4203
• fix(custom): execute custom checks by @sejimhp in #4202
• fix(dashboard): fix styles in overview page by @pedrooot in #4204
• fix(html): fix status from HTML outputs by @pedrooot in #4206

Chores

• chore(acm): Improve near-expiration certificates check by @puchy22 in #4207
• chore(regions_update): Changes in regions for AWS services. by @jfagoagas in #4205

New Contributors

• @sejimhp made their first contribution in #4202
• @lshw54 made their first contribution in #4203

Full Changelog: 4.2.3...4.2.4

Prowler 4.2.3 - 2 Minutes to Midnight

What's Changed

Fixes

• fix(elasticache): handle empty cluster subnets by @sergargar in #4192
• fix(glue): check if get dev endpoints call is supported by @sergargar in #4193
• fix(rds): handle not existing parameter values by @sergargar in #4191
• fix(s3): check if account is signed up by @sergargar in #4194
• fix(html): resolve html changing finding status by @pedrooot in #4199
• fix(html): handle muted status to html outputs by @pedrooot in #4195

Documentation

• docs(reporting): fix mapping of json-ocsf field cloud.account.type by @kagahd in #4186
• docs(index): fix docu about output modes by @kagahd in #4187

Full Changelog: 4.2.2...4.2.3

Prowler 3.16.9 - Back in the Village

What's Changed

Chores

• chore(backport): update v3 with latest changes by @sergargar in #4198
  • chore(regions_update): Changes in regions for AWS services. (#4178)
  • fix(rds): handle not existing parameter values (#4191)
  • fix(elasticache): handle empty cluster subnets (#4192)
  • fix(glue): check if get dev endpoints call is supported (#4193)
  • fix(s3): check if account is signed up (#4194)
• chore(deps): bump boto3 from 1.34.109 to 1.34.113 by @dependabot in #4173
• chore(deps): bump botocore from 1.34.113 to 1.34.118 by @dependabot in #4176
• chore(deps): bump google-api-python-client from 2.130.0 to 2.131.0 by @dependabot in #4174
• chore(deps): bump trufflesecurity/trufflehog from 3.76.3 to 3.77.0 by @dependabot in #4168
• chore(deps-dev): bump coverage from 7.5.2 to 7.5.3 by @dependabot in #4175
• chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.5 to 1.2.6 by @dependabot in #4172
• chore(deps-dev): bump moto from 5.0.8 to 5.0.9 by @dependabot in #4171

Full Changelog: 3.16.8...3.16.9