Prowler 3.2.3 - Quest for Fire

Dependencies

• build(deps): bump colorama from 0.4.5 to 0.4.6 by @dependabot in #1967
• build(deps): bump azure-storage-blob from 12.14.1 to 12.15.0 by @dependabot in #1966
• build(deps): bump botocore from 1.29.74 to 1.29.78 by @dependabot in #1968
• build(deps): bump mkdocs-material from 8.2.1 to 9.0.14 by @dependabot in #1964
• build(deps): bump alive-progress from 2.4.1 to 3.0.1 by @dependabot in #1965
• build(deps): bump botocore from 1.29.78 to 1.29.79 by @dependabot in #1978
• build(deps): bump boto3 from 1.26.74 to 1.26.79 by @dependabot in #1981

Fixes

• fix(toml): add toml dependency to pypi release action by @sergargar in #1960
• fix(kms): handle if describe_keys returns no value by @n4ch04 in #1961
• fix(cloudfront): handle empty objects in checks by @n4ch04 in #1962
• fix(directoryservice): tzinfo without _ by @jfagoagas in #1971
• fix(acm): Fix issues with list-certificates by @jfagoagas in #1970
• fix(service errors): solve EMR, VPC and ELBv2 service errors by @sergargar in #1974
• fix(action): Use PathContext to get version changes by @jfagoagas in #1983

Chores

• chore(regions_update): Changes in regions for AWS services. by @sergargar in #1972
• chore(compliance): implements dynamic handling of available compliance frameworks by @pedromarting3 in #1977
• chore(readme): add brew stats by @sergargar in #1982
• chore(codeowners): Update team to OSS by @jfagoagas in #1984

Full Changelog: 3.2.2...3.2.3

Prowler 3.2.2 - Quest for Fire

Chores

• chore(poetry): make python-poetry as packaging and dependency manager by @sergargar in #1935
• chore(resource-based scan): execute only applicable checks by @sergargar in #1934

Fixes

• fix(actions): add README to docker action and filter steps for releases by @sergargar in #1955
• fix(cloudtrail): Handle when the CloudTrail bucket is in another account by @n4ch04 in #1956
• fix(key errors): solver EMR and IAM errrors by @sergargar in #1957
• fix(metadata): remove us-east-1 in remediation by @sergargar in #1958

Builds

• build(deps): bump botocore from 1.29.75 to 1.29.76 by @dependabot in #1946
• build(deps): bump boto3 from 1.26.74 to 1.26.76 by @dependabot in #1948

Full Changelog: 3.2.1...3.2.2

Prowler 3.2.1 - Quest for Fire

Chores

• chore(Security Hub): add --skip-sh-update by @sergargar in #1911
• chore(Security Hub): add status extended to Security Hub by @sergargar in #1921
• chore(secrets): Improve the status_extended with more information by @Fennerr in #1937
• chore(iam_disable_N_days_credentials): improve checks logic by @sergargar in #1923

Fixes

• fix(cloudtrail_logs_s3_bucket_access_logging_enabled): cloudtrail s3 bucket logging by @n4ch04 in #1902
• fix(codebuild): Handle endTime in builds by @jfagoagas in #1900
• fix(iam-credentials-expiration): IAM password policy expires passwords fix by @congon4tor in #1903
• fix(compliance): Set Version as optional and fix list by @jfagoagas in #1899
• fix(ecs_task_definitions_no_environment_secrets): dump_env_vars is reintialised by @Fennerr in #1922
• fix(quick_inventory): handle ApiGateway resources by @Fennerr in #1924
• fix(iam_rotate_access_key_90_days): check only active access keys by @Fennerr in #1929
• fix(services): solve errors in EMR, RDS, S3 and VPC services by @sergargar in #1913
• fix(regions): add unique branch name by @sergargar in #1941
• fix(errors): handle errors when S3 buckets or EC2 instances are deleted by @sergargar in #1942
• fix(cloudwatch): allow " in regex patterns by @sergargar in #1943

Dependencies

• build(deps-dev): bump pylint from 2.16.1 to 2.16.2 by @dependabot in #1896
• build(deps-dev): bump moto from 4.1.2 to 4.1.3 by @dependabot in #1939
• build(deps): bump boto3 from 1.26.51 to 1.26.69 by @dependabot in #1897
• build(deps): bump botocore from 1.29.69 to 1.29.70 by @dependabot in #1898
• build(deps): bump boto3 from 1.26.69 to 1.26.70 by @dependabot in #1908
• build(deps): bump botocore from 1.29.70 to 1.29.71 by @dependabot in #1909
• build(deps): bump boto3 from 1.26.70 to 1.26.71 by @dependabot in #1920
• build(deps): bump pydantic from 1.10.4 to 1.10.5 by @dependabot in #1918
• build(deps): bump botocore from 1.29.71 to 1.29.72 by @dependabot in #1919
• build(deps): bump boto3 from 1.26.71 to 1.26.72 by @dependabot in #1925
• build(deps): bump botocore from 1.29.72 to 1.29.73 by @dependabot in #1926
• build(deps): bump botocore from 1.29.73 to 1.29.74 by @dependabot in #1932
• build(deps): bump boto3 from 1.26.72 to 1.26.74 by @dependabot in #1933
• build(deps): bump botocore from 1.29.74 to 1.29.75 by @dependabot in #1938

Full Changelog: 3.2.0...3.2.1

Prowler 3.2.0 - Quest for Fire

Drawn by quest for fire
They searched all through the land
Drawn by quest for fire
Discovery of man.

Quest for Fire is a song part of Piece of Mind album of Iron Maiden. This new version is the result of our quest for your security issues and our quest to help you to improve your cloud security posture. See below the amazing new features we have added to Prowler 3.2.0 🔥Quest for Fire🔥

New features to highlight in this version:

🏷️ Tag-based scan: now you can scan only resources with specific tags across your entire account with the following command:

• prowler aws --resource-tags Environment=dev Project=prowler
• You can use as many tags as you need. More information here: https://docs.prowler.cloud/en/latest/tutorials/aws/tag-based-scan/

🎯 Resource-based scan: now you can scan only a specific resources by the ARN

• prowler aws --resource-arn arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678
• That command will run all IAM user related checks to test and all VPC related checks to VPC vpc-12345678
• This is very helpful for new found resources or even pipelines! More information here: https://docs.prowler.cloud/en/latest/tutorials/aws/resource-arn-based-scan/

⚖️ 17 New Security Compliance Frameworks: we added 17 new security frameworks for AWS.

• In addition to CIS 1.4, CIS 1.5 and Spanish ENS (that comes with more enhancements) we have added the following security frameworks for the AWS provider.
  • CISA Cyber Essentials
  • FedRAMP Low Revision 4
  • FedRAMP Moderate Revision 4
  • Federal Financial Institutions Examination Council (FFIEC)
  • AWS Foundational Security Best Practices
  • General Data Protection Regulation (GDPR)
  • GxP 21 CFR Part 11
  • GxP EU Annex 11
  • HIPAA
  • NIST 800-171 Revision 2
  • NIST 800-53 Revision 4
  • NIST 800-53 Revision 5
  • NIST Cybersecurity Framework (CSF) v1.1
  • PCI v3.2.1
  • RBI Cyber Security Framework
  • SOC 2
• These can be considered test mode at this point, we are open for feedback and updates.
• More information about how to use them with Prowler and compliance here: https://docs.prowler.cloud/en/latest/tutorials/compliance/.
• We want to thank @pedromarting3 for his contribution, AWS and their public documentation and also steampipe.io mod page https://hub.steampipe.io/mods/turbot/aws_compliance because they were pretty helpful for us. 🙏🏼 🤜🏼🤛🏼

✅New check:

• Check if IAM Access Analyzer is enabled (in addition of the existing one that looks for issues as well)

📺Handler for output code:

• Like in v2, now you can handle what output code to get when Prowler gets failed findings. (-z)

📄Allow list feature now supports Lambda to manage it:

• More information #1793

What's Changed:

• feat(compliance): Add 17 new security compliance frameworks for AWS by @pedromarting3 in #1824
• feat(new check): add accessanalyzer_enabled check by @sergargar in #1864
• feat(boto3-config): Use standard retrier by @jfagoagas in #1868
• feat(allowlist): AWS Lambda function support by @pplu in #1793
• feat(scan-type): AWS Resource ARNs based scan by @sergargar in #1807
• feat(exit_code 3): add -z option by @sergargar in #1848
• feat(scanner): Tag-based scan by @sergargar in #1751

Fixes:

• fix(elbv2): handle service for GWLB resources by @daftkid in #1860
• fix(checks): added validation for non-existing VPC endpoint policy by @daftkid in #1859
• fix(action): do not trigger action when editing release by @sergargar in #1865
• fix(key_errors): handle Key Errors in Lambda and EMR by @sergargar in #1871
• fix(permissive role assumption): actions list handling by @n4ch04 in #1869
• fix(key_errors): handle Key Errors in Lambda and EMR by @sergargar in #1871
• fix(hardware mfa): changed hardware mfa description by @n4ch04 in #1873
• fix(metadata): typo in appstream_fleet_session_disconnect_timeout.metadata.json by @sergargar in #1875
• fix(compliance): ENS RD2022 Spanish security framework updates by @alexr3y in #1809
• fix(errors): solve several services errors (AccessAnalyzer, AppStream, KMS, S3, SQS, R53, IAM, CodeArtifact and EC2) by @sergargar in #1879
• fix(cloudtrail_multi_region_enabled): reformat check by @n4ch04 in #1880
• chore(compliance): add manual checks to compliance CSV by @sergargar in #1872
• fix(service errors): solve errors in IAM, S3, Lambda, DS, Cloudfront services by @sergargar in #1882
• chore(Dockerfile): Remove build files by @jfagoagas in #1886
• fix(list_checks): filter checks after audit_info set by @n4ch04 in #1887
• fix(Azure_Audit_Info): Added audited_resources field by @n4ch04 in #1891

Documentation

• docs: Boto3 Standard Retrier by @jfagoagas in #1885
• docs: Update AWS Role Assumption by @Fennerr in #1890
• docs: Minor changes to the intro paragraph by @Fennerr in #1892
• docs: Minor changes to logging by @Fennerr in #1893

New Contributors

• @pedromarting3 made their first contribution in #1824
• @pplu made their first contribution in #1792

Full Changelog: 3.1.4...3.2.0

Prowler 3.1.4 - Revelations

Chores

• chore(regions_update): Changes in regions for AWS services. by @github-actions in #1812
• chore(issues): update bug_report.md by @toniblyx in #1844
• chore(security hub): improve securityhub_enabled check logic by @sergargar in #1851
• build(deps-dev): bump moto from 4.1.1 to 4.1.2 by @dependabot in #1845
• build(deps-dev): bump sure from 2.0.0 to 2.0.1 by @dependabot in #1847
• build(deps-dev): bump openapi-spec-validator from 0.5.4 to 0.5.5 by @dependabot in #1846
• build(deps-dev): bump pylint from 2.16.0 to 2.16.1 by @dependabot in #1823

Fixes

• fix(readme): correct PyPi download link by @sergargar in #1836
• fix(lambda-runtime): Init value must be empty string by @jfagoagas in #1837
• fix(errors): solve CloudWatch, KMS, EMR and OpenSearch service errors by @sergargar in #1843
• fix(kms): call GetKeyRotationStatus only for Customer Keys by @sergargar in #1842
• fix(checks): solve different errors in EFS, S3 and VPC by @sergargar in #1841
• fix(exit_code): change sys exit code to 1 in Critical Errors by @sergargar in #1853
• fix(iam): change prowler additional policy json due errors in creation by @theist in #1852

New Contributors

• @theist made their first contribution in #1852

Full Changelog: 3.1.3...3.1.4

Prowler 3.1.3 - Revelations

Chores

• chore(readme): add prowler PyPi stats by @sergargar in #1798
• chore(regions): Change feat to chore by @jfagoagas in #1805
• chore(regions_update): Changes in regions for AWS services. by @github-actions in #1812
• chore(logs): improve check error logs by @sergargar in #1818
• chore(audit metadata): retrieve audit metadata from execution by @n4ch04 in #1803
• build(deps-dev): bump pylint from 2.15.10 to 2.16.0 by @dependabot in #1815
• build(deps-dev): bump openapi-spec-validator from 0.5.2 to 0.5.4 by @dependabot in #1821

Fixes

• fix(kms): add symmetric condition to kms_cmk_rotation_enabled check by @sergargar in #1788
• fix(partition): add dynamic partition in CloudTrail S3 DataEvents checks by @sergargar in #1787
• fix(metadata): use docs.aws.amazon.com like other aws checks, not docs.amazonaws.cn by @ifduyue in #1790
• fix(allowlist): validate allowlist for any database format (file, dynamo, s3, etc) by @pplu in #1792
• fix(accessanalyzer_enabled_without_findings): fixed status findings by @n4ch04 in #1799
• fix(iam_policy_no_administrative_privileges): check only : permissions by @sergargar in #1802
• fix(iam_avoid_root_usage): correct date logic by @sergargar in #1801
• fix(ec2_securitygroup_not_used): ignore default security groups by @sergargar in #1800
• fix(accessanalyzer): no analyzers using pydantic by @n4ch04 in #1806
• fix(cloudtrail): improve cloudtrail_cloudwatch_logging_enabled status extended by @sergargar in #1813
• fix(KeyError): handle service key errors by @sergargar in #1819
• fix(metadata) fixed typo in title for awslambda_function_not_publicly… by @daftkid in #1826
• fix(KeyError): handle service key errors by @sergargar in #1831
• fix(cloudtrail): included advanced data events selectors by @n4ch04 in #1814
• fix(shub): update link to Security Hub documentation by @sergargar in #1830
• fix(awslambda_function_no_secrets_in_code): Retrieve Code if set by @jfagoagas in #1833
• fix(action): Build from release branch by @jfagoagas in #1834
• fix(errors): solve different errors in KMS, EFS and Lambda by @sergargar in #1835

New Contributors

• @ifduyue made their first contribution in #1790
• @pplu made their first contribution in #1792
• @daftkid made their first contribution in #1826

Full Changelog: 3.1.2...3.1.3

Prowler 3.1.2 - Revelations

Chores

• chore(contrib): Enables a new CloudFormation of CodeBuild for v3 by @sergargar in #1764
• chore(readme): Update pip package name, now prowler or prowler-cloud can be used to install Prowler by @sergargar in #1768

Fixes

• fix(docs): Changed the azure subscription file text #HSFDPMUW by @Leon114m in #1749
• fix(inventory): update resource type for SQS and SNS by @vabagaria in #1747
• fix(metadata): solve metadata replace by @sergargar in #1755
• fix(iam): IAM status messages switched fail and pass text and some grammar by @acknosyn in #1756
• fix(iam): handle credential report errors by @sergargar in #1765
• fix(json): close Json correctly when no findings by @sergargar in #1773
• fix(apigatewayv2): correct apigatewayv2_access_logging_enabled check title by @sergargar in #1769
• fix(IAM): remove duplicate list_policies function by @sergargar in #1763
• fix(cloudtrail_multi_region_enabled): fixed region when no trails by @n4ch04 in #1774
• fix(severity): update severities for Security Hub, GuardDuty and NACL related checks by @sergargar in #1775

Docs

• docs(grammar): Improved grammar in the Documentation paragraph by @Ozan-Ekinci in #1776
• docs(grammar): Improved grammar in the AZ CLI / Browser / Managed Identity authentication paragraph by @Ozan-Ekinci in #1745

New Contributors

• @vabagaria made their first contribution in #1747

Full Changelog: 3.1.1...3.1.2

Prowler 3.1.1 - Revelations

Chores

• chore(release): add PyPi GitHub Action by @sergargar in #1724
• chore(regions_update): Changes in regions for AWS services. by @github-actions in #1730
• chore(dispatch): dispatch triggered actions by @n4ch04 in #1739
• chore(code-ql): Include security linter by @jfagoagas in #1703

Fixes

• fix(arguments): improve quiet option by @sergargar in #1723
• fix(allowlist): add yaml structure validator by @sergargar in #1735
• fix(pipeline): fixed typo in main pipeline by @n4ch04 in #1740
• fix(rds): remove DocumentDB from RDS by @sergargar in #1737
• fix(actions): Exclude docs folder in action by @jfagoagas in #1743
• fix(IAM): add missing permissions for Prowler by @sergargar in #1731
• fix(allowlist): remove re.escape by @sergargar in #1734
• fix(lambda): solve lambda errors by @sergargar in #1732
• fix(pypi): replicate package to have Prowler in PyPi by @sergargar in #1727

Docs

• docs(mapping): add mapping of v2 to v3 checks and update pip package name by @toniblyx in #1742

Full Changelog: 3.1.0...3.1.1

Prowler 3.1.0 - Revelations

"The swords of scorn divide,
Take not thy thunder from us,
But take away our pride."

Revelations is the second song of the Peace of Mind album of Iron Maiden that was written by Bruce Dickinson.

This last month has been a real revelation for us and we realize how big is our community and how well accepted has been version 3. We have passed the number of 2 Million of downloads 🚀 since the project started (not counting forks). As a reference see OSS Insight stats in the last month https://ossinsight.io/collections/security-tool, we became the Top 1 tool thanks to all of you!

What's Changed:

New AWS check iam_role_cross_service_confused_deputy_prevention:

Ensure IAM Service Roles prevents against a cross-service confused deputy attack. Use the aws:SourceArn and aws:SourceAccount global condition context keys in trust relationship policies to limit the permissions that a service has to a specific resource. More information at https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention.

• feat(check): add iam_role_cross_service_confused_deputy_prevention check by @Fennerr and @sergargar in #1710
• feat(report): Support to custom report interface by @n4ch04 in #1702
• feat(ecs_task_definitions_no_environment_secrets): Update resource_id by @Fennerr in #1665
• feat(iam): Add IAM Role Class by @sergargar in #1709
• feat(only_logs): New logging flag to only show execution logs by @jfagoagas in #1708
• feat(regions_update): Changes in regions for AWS services by @github-actions

Fixes:

• fix(trustedadvisor_errors_and_warnings): add region by @sergargar in #1662
• fix(docs): Include a comma in the permissions paragraph #HSFDPMUW by @Leon114m in #1668
• fix(s3): Add S3 ResourceArn by @gabrielsoltz in #1666
• fix(shub): associate resource_arn as resourceId in Security Hub by @sergargar in #1672
• fix(compliance): Security Hub working with compliance by @sergargar in #1673
• fix(config): path error in Windows environment by @sergargar in #1684
• docs: Edit troubleshooting page by @n4ch04 in #1685
• fix: remove unnecessary print by @sergargar in #1686
• fix(services): Handle KeyErrors from AWS by @sergargar in #1690
• fix(path): aws_regions_by_service.json: FileNotFoundError[13] by @sergargar in #1689
• fix: deleted test exclusion in name loading checks by @n4ch04 in #1694
• fix(docs): Add security section and solve images location by @sergargar in #1696
• fix(cloudwatch_service): set default region in CloudWatch by @sergargar in #1693
• fix: VPC Key Error by @sergargar in #1695
• fix: Solve IAM policy Errors by @sergargar in #1692
• fix(quick_inventory): Prowler quick inventory for US GovCloud and China by @toniblyx in #1698
• fix(docs): correct permissions links by @sergargar in #1701
• fix(docs): Include a new comma in the Basic Usage paragraph #HSFDPMUW by @Leon114m in #1705
• fix(docs): Include multiple commas in the troubleshooting file #HSFDPMUW by @Leon114m in #1706
• fix(apigateway): Add ApiGateway ResourceArn and check fixes by @gabrielsoltz in #1707
• fix(ec2_elastic_ip_unassgined): Incorrect ResourceType for check ec2_elastic_ip_unassgined by @gabrielsoltz in #1711
• fix(action): add permissions to Github action by @sergargar in #1712
• fix(fill_html_overview_statistics): Handle if file exists by @jfagoagas in #1718
• fix(error): ecr_repositories_scan_vulnerabilities_in_latest_image report not found by @sergargar in #1719
• build(deps-dev): bump pytest from 7.2.0 to 7.2.1 by @dependabot in #1715
• build(deps-dev): bump pylint from 2.15.9 to 2.15.10 by @dependabot in #1676
• build(deps-dev): bump moto from 4.0.13 to 4.1.0 by @dependabot in #1675
• build(deps-dev): bump coverage from 7.0.3 to 7.0.4 by @dependabot in #1678
• build(deps-dev): bump vulture from 2.6 to 2.7 by @dependabot in #1677
• build(deps-dev): bump coverage from 7.0.4 to 7.0.5 by @dependabot in #1688
• build(deps-dev): bump openapi-spec-validator from 0.5.1 to 0.5.2 by @dependabot in #1716
• docs: Placed a comma in the Service Principal authentication paragraph by @Ozan-Ekinci in #1713
• docs(SECURITY.md): Include Security Policy by @toniblyx in #1697

New Contributors:

• @Leon114m made their first contribution in #1668
• @Ozan-Ekinci made their first contribution in #1713
• @Fennerr made their first contributions in in #1665 and #1710

Full Changelog: 3.0.2...3.1.0

Prowler 3.0.2 - Piece of Mind

Features

• feat(regions_update): changes in regions for AWS services. by @github-actions in #1629 and #1646
• feat(aws-regions): update refresh regions action by @sergargar in #1641
• feat(ec2): add ResourceArn by @gabrielsoltz in #1649
• feat(ecs_task_definitions_no_environment_secrets): update recommendation by @Fennerr in #1658
• feat(ecs_task_definitions_no_environment_secrets): add ECS task revision number by @Fennerr in #1657

Fixes

• fix(typo): Prowler for Azure by @cclauss in #1619
• fix(output_filename): Use custom output filename when set by @jfagoagas in #1632
• fix(iam_user_mfa_enabled_console_access): password enabled issues by @n4ch04 in #1634
• fix(security-hub): apply -q to security hub by @sergargar in #1637
• fix(security): update pipfile.lock by @sergargar in #1639
• fix(dockerfile): Remove additional apk update in Dockerfile by @PeterDaveHello in #1617
• fix(actions): add Github Action contents: write permission by @sergargar in #1643
• fix(actions): add GH Action pull-requests: write permissions by @sergargar in #1644
• fix(codeartifact): set Namespace attribute as optional by @sergargar in #1648
• fix(assume-role): Refresh credentials when assuming role by @n4ch04 in #1636
• fix(glacier): handle no vault policy error by @sergargar in #1650
• fix(contrib): update contrib folder by @sergargar in #1635

Docs

• docs(AWS-Role): fixed typo by @eltociear in #1610
• docs(installation): add multiple ways to install prowler in tabs by @toniblyx in #1627

New Contributors

• @eltociear made their first contribution in #1610
• @cclauss made their first contribution in #1619
• @PeterDaveHello made their first contribution in #1617

Full Changelog: 3.0.1...3.0.2