Releases: prowler-cloud/prowler
Prowler 4.4.1 - Alexander the Great
What's Changed
Fixes
- fix(Dockerfile): install git dependency by @prowler-bot in #5344
- fix(ecs): Adjust code to the new ARN formats in the ECS service by @prowler-bot in #5312
- fix(threat detection): ignore AWS services events by @prowler-bot in #5311
Chores
- chore(ecs): mock all tests using moto by @prowler-bot in #5333
- chore(guardduty): mock failing tests using moto by @prowler-bot in #5337
- chore(secrets): Add TelegramBotToken detector by @prowler-bot in #5328
- chore(secrets): use master branch of Yelp/detect-secrets by @prowler-bot in #5331
- chore(sns): manage ResourceNotFoundException and add parallelism by @prowler-bot in #5347
Full Changelog: 4.4.0...4.4.1
Prowler 4.4.0 - Alexander the Great
Alexander the Great
His name struck fear into hearts of men
Alexander the Great
Became a legend 'mongst mortal men
Prowler 4.4.0 - Alexander the Great 🚀 is here, bringing a ton of new AWS checks and fixes! We also invite you to enjoy this Iron Maiden song.
A big shout-out to our engineers @danibarranqueroo, @MarioRgzLpz and @HugoPBrito for their fantastic work in developing new checks and to our new external contributors @abant07, @LefterisXefteris, @h4r5h1t, @Jude-Bae and @johannes-engler-mw for their PRs 🥳
New features to highlight in this version
AWS
🔐 Cover IAM non existing AWS actions/resources
Prowler now covers IAM scenarios where a policy names a non-existent AWS action in a NotAction statement, which allows ALL actions on the listed resources (the same happens with non-existent resources in NotResource), for example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "NotAction": "prowler:action",
            "NotResource": "arn:aws:s3:::calculator"
        }
    ]
}
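To make the problem with that policy concrete, here is a small added example (written for this page, not Prowler's own check implementation) that scans a policy document for Allow statements whose NotAction exclusions name only actions that do not exist. Because NotAction means "everything except these", an exclusion list that matches no real action excludes nothing, so the statement is equivalent to "Action": "*". The set of service prefixes is a constructed, deliberately partial sample; a real tool would load the full list from the AWS service authorization reference. The policy strings are embedded test inputs (the first is the one quoted above). NotResource has the same failure mode, but deciding whether a resource exists needs an API lookup, so it is left out here.

```python
"""Flag IAM Allow statements whose NotAction excludes only non-existent actions."""
import json

# Constructed, partial sample of real AWS service prefixes (assumption: a
# production scanner would load the complete, current list instead).
KNOWN_SERVICE_PREFIXES = {
    "s3", "ec2", "iam", "lambda", "kms", "sts", "rds",
    "dynamodb", "sqs", "sns", "cloudwatch", "logs",
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_exists(action: str) -> bool:
    """True if the action names a known service ("*" and "svc:*" count as existing)."""
    if action == "*":
        return True
    prefix, sep, _ = action.partition(":")
    return bool(sep) and prefix.lower() in KNOWN_SERVICE_PREFIXES


def statement_allows_all_actions(statement: dict) -> bool:
    """An Allow + NotAction statement grants everything except the listed
    actions. If none of the listed actions exist, nothing is excluded."""
    if statement.get("Effect") != "Allow" or "NotAction" not in statement:
        return False
    return not any(action_exists(a) for a in _as_list(statement["NotAction"]))


def find_overly_permissive_statements(policy: dict) -> list:
    """Return the Sid (or a positional label) of every statement that is
    effectively "Action": "*"."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if statement_allows_all_actions(stmt):
            findings.append(stmt.get("Sid", f"statement-{idx}"))
    return findings


def scan_policy_json(text: str) -> list:
    """Convenience wrapper: parse a policy document string and scan it."""
    return find_overly_permissive_statements(json.loads(text))


# Constructed inputs: the policy quoted in the release notes, and a benign
# one whose NotAction excludes a real action.
SAMPLE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "NotAction": "prowler:action",
            "NotResource": "arn:aws:s3:::calculator"
        }
    ]
}"""

SAFE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyExceptDelete",
            "Effect": "Allow",
            "NotAction": ["s3:DeleteBucket", "prowler:action"],
            "Resource": "arn:aws:s3:::calculator"
        }
    ]
}"""

if __name__ == "__main__":
    print("sample policy:", scan_policy_json(SAMPLE_POLICY))  # ['Statement1']
    print("safe policy:", scan_policy_json(SAFE_POLICY))      # []
```

The second policy is not flagged because one of its exclusions (s3:DeleteBucket) is a real action, so the statement genuinely excludes something; the scanner only reports the case where every exclusion is bogus.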
🤔 How to Prevent AWS AI From Using Your Data
Recently, AWS may be using your data to train its AI models, and you may have unwittingly consented to it.
The new check organizations_opt_out_ai_services_policy ensures that you stop feeding AWS’s AI with your data.
You can see @QuinnyPig's helpful post about how to opt out here or using the AWS documentation.
🚀 More checks!
Prowler has expanded its AWS coverage with 74 new checks for ACM, CloudFront, CodeBuild, DMS, DocumentDB, DynamoDB, EC2, ECS, EKS, ElastiCache, ELB, ELBv2, GuardDuty, IAM, KMS, Lambda, Neptune, Network Firewall, Organizations, RDS, S3, SageMaker and VPC.
See all the new available checks with prowler aws --list-checks
acm_certificates_with_secure_key_algorithms
awslambda_function_inside_vpc
awslambda_function_vpc_multi_az
cloudfront_distributions_custom_ssl_certificate
cloudfront_distributions_default_root_object
cloudfront_distributions_https_sni_enabled
cloudfront_distributions_multiple_origin_failover_configured
cloudfront_distributions_origin_traffic_encrypted
cloudfront_distributions_s3_origin_access_control
cloudfront_distributions_s3_origin_non_existent_bucket
codebuild_project_no_secrets_in_variables
codebuild_project_source_repo_url_no_sensitive_credentials
dms_endpoint_ssl_enabled
documentdb_cluster_public_snapshot
dynamodb_accelerator_cluster_in_transit_encryption_enabled
dynamodb_table_deletion_protection_enabled
dynamodb_table_protected_by_backup_plan
ec2_client_vpn_endpoint_connection_logging_enabled
ec2_ebs_volume_protected_by_backup_plan
ec2_instance_paravirtual_type
ec2_instance_uses_single_eni
ec2_launch_template_no_public_ip
ec2_networkacl_unused
ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
ec2_transitgateway_auto_accept_vpc_attachments
ecr_repositories_tag_immutability
ecs_service_no_assign_public_ip
ecs_task_definitions_containers_readonly_access
ecs_task_definitions_host_namespace_not_shared
ecs_task_definitions_host_networking_mode_users
ecs_task_definitions_logging_enabled
ecs_task_definitions_no_privileged_containers
eks_cluster_uses_a_supported_version
elasticache_redis_cluster_automatic_failover_enabled
elasticache_redis_cluster_auto_minor_version_upgrades
elasticache_redis_replication_group_auth_enabled
elbv2_is_in_multiple_az
elb_connection_draining_enabled
elb_cross_zone_load_balancing_enabled
elb_is_in_multiple_az
guardduty_rds_protection_enabled
guardduty_s3_protection_enabled
iam_group_administrator_access_policy
iam_user_administrator_access_policy
kms_cmk_not_deleted_unintentionally
neptune_cluster_copy_tags_to_snapshots
neptune_cluster_integration_cloudwatch_logs
neptune_cluster_public_snapshot
neptune_cluster_snapshot_encrypted
networkfirewall_policy_rule_group_associated
organizations_opt_out_ai_services_policy
rds_cluster_copy_tags_to_snapshots
rds_cluster_critical_event_subscription
rds_cluster_default_admin
rds_cluster_deletion_protection
rds_cluster_iam_authentication_enabled
rds_cluster_integration_cloudwatch_logs
rds_cluster_minor_version_upgrade_enabled
rds_cluster_multi_az
rds_cluster_non_default_port
rds_cluster_storage_encrypted
rds_instance_copy_tags_to_snapshots
rds_instance_critical_event_subscription
rds_instance_event_subscription_parameter_groups
rds_instance_inside_vpc
rds_instance_non_default_port
rds_instance_protected_by_backup_plan
s3_access_point_public_access_block
s3_bucket_cross_account_access
s3_bucket_cross_region_replication
s3_bucket_lifecycle_enabled
sagemaker_endpoint_config_prod_variant_instances
vpc_endpoint_for_ec2_enabled
vpc_vpn_connection_tunnels_up
📜 KISA ISMS-P AWS compliance framework added
Prowler now supports one of Korea’s key security compliance frameworks, the Personal Information & Information Security Management System (ISMS-P) from the Korea Internet & Security Agency (KISA), thanks to @Jude-Bae!
Azure
🆕 Azure Container Registries now supported!
@johannes-engler-mw added a new check containerregistry_admin_user_disabled for verifying if the admin user is disabled for Azure Container Registries.
You can try it with
prowler azure -c containerregistry_admin_user_disabled
🔧 Other issues and bug fixes solved for all the cloud providers
Features
- feat(acm): Add new check for insecure algorithms in certificates by @MarioRgzLpz in #4551
- feat(aws): Add a test_connection method by @jfagoagas in #4563
- feat(aws): add custom exceptions class by @pedrooot in #4847
- feat(aws): Add new check to ensure Aurora MySQL DB Clusters publish audit logs to CloudWatch logs by @danibarranqueroo in #4916
- feat(aws): Add new check to ensure RDS DB clusters are encrypted at rest by @danibarranqueroo in #4931
- feat(aws): Add new check to ensure RDS db clusters copy tags to snapshots by @danibarranqueroo in #4846
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical cluster events by @danibarranqueroo in #4887
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database instance events by @danibarranqueroo in #4891
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database parameter group events by @danibarranqueroo in #4907
- feat(aws): Add new check to ensure RDS instances are not using default database engine ports by @danibarranqueroo in #4973
- feat(aws): Add new check opensearch_service_domains_access_control_enabled by @abant07 in #5203
- feat(aws): add new check organizations_opt_out_ai_services_policy by @sergargar in #5152
- feat(aws): Add new CodeBuild check to validate environment variables by @danibarranqueroo in #4632
- feat(aws): Add new KMS check to prevent unintentional key deletion by @danibarranqueroo in #4595
- feat(aws): Add new Neptune check for cluster snapshot visibility by @danibarranqueroo in #4709
- feat(aws): Add new RDS check for deletion protection enabled on clusters by @danibarranqueroo in #4738
- feat(aws): Add new RDS check to ensure db clusters are configured for multiple availability zones by @danibarranqueroo in #4781
- feat(aws): Add new RDS check to ensure db instances are protected by a backup plan by @danibarranqueroo in #4879
- feat(aws): Add new RDS check to verify that cluster minor version upgrade is enabled by @danibarranqueroo in #4725
- feat(aws): Add new RDS check to verify that db instances copy tags to snapshots by @danibarranqueroo in #4806
- feat(aws): Add new S3 check for public access block configuration in access points by @HugoPBrito in #4608
- feat(aws): add tags to Global Accelerator by @puchy22 in #5233
- feat(aws): Split the checks that mix RDS Instances and Clusters by @danibarranqueroo in #4730
- feat(aws) Add check to make sure EKS clusters have a supported version by @abant07 in https://github.com/prowler-cloud/prow...
Prowler 4.3.7 - The Alchemist
What's Changed
Fixes
- fix(action): solve pypi-release action by @sergargar in #5134
- fix(regions): show all for empty regions by @pedrooot in #5143
- fix(iam): fill resource id with inline policy entity by @prowler-bot in #5147
Full Changelog: 4.3.6...4.3.7
Prowler 4.3.6 - The Alchemist
What's Changed
Fixes
- fix(asff): include status extended in ASFF output by @prowler-bot in #5116
- fix(audit): solve resources audit by @prowler-bot in #4988
- fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4950
- fix(aws): enhance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4862
- fix(aws): handle AWS key-only tags by @github-actions in #4854
- fix(aws): make intersection to retrieve checks to execute by @prowler-bot in #4974
- fix(gcp): solve errors in GCP services by @prowler-bot in #5124
- fix(gcp): add default project for org level checks by @prowler-bot in #5132
- fix(iam-gcp): add getters in iam_service for gcp by @prowler-bot in #5001
- fix(lightsail): Remove second call to is_resource_filtered by @prowler-bot in #5125
- fix(main): logic for resource_tag and resource_arn usage by @prowler-bot in #4982
- fix(metadata): change description from documentdb_cluster_deletion_protection by @prowler-bot in #4913
- fix(rds): Modify RDS Event Notification Subscriptions for Security Groups Events check by @prowler-bot in #4977
- fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4953
- fix(vpc): check all routes tables in subnet by @prowler-bot in #5122
Chores
- chore(aws): Remove token from log line by @prowler-bot in #4905
- chore(aws_mutelist): Add more Control Tower resources and tests by @prowler-bot in #4902
- chore(ssm): add trusted accounts variable to ssm check by @prowler-bot in #5118
Full Changelog: 4.3.5...4.3.6
Prowler 3.16.17 - Back in the Village
What's Changed
Fixes
- fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4949
- fix(aws): enhance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4861
- fix(ec2): Manage UnicodeDecodeError when reading user data by @github-actions in #4788
- fix(gcp): solve errors in GCP services by @prowler-bot in #5123
- fix(inspector2): Ensure Inspector2 is enabled for ECR, EC2, Lambda and Lambda Code by @prowler-bot in #5066
- fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4952
- fix(v3): remove not supported checks by @sergargar in #5126
- fix(vpc): check all routes tables in subnet by @prowler-bot in #5121
Chores
- chore(aws): match all AWS resource types with SecurityHub supported types in metadata by @prowler-bot in #5064
- chore(aws): Remove token from log line by @jfagoagas in #4904
- chore(awslambda): Enhance function public access check called from other resource by @github-actions in #4793
- chore(azure): Fix CIS 2.1 mapping by @github-actions in #4780
- chore(docs): change ResourceType link of Security Hub by @prowler-bot in #5096
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5083
- chore(ssm): add trusted accounts variable to ssm check by @prowler-bot in #5117
- chore(test): improve iam_root_hardware_mfa_enabled tests by @github-actions in #4834
- chore(version): update version logic in Prowler by @github-actions in #4776
Dependencies
- chore(dependencies): update boto3 and botocore packages by @prowler-bot in #4986
- chore(deps): bump azure-identity from 1.17.1 to 1.18.0 by @dependabot in #5105
- chore(deps): bump azure-mgmt-compute from 32.0.0 to 33.0.0 by @dependabot in #4858
- chore(deps): bump azure-mgmt-containerservice from 31.0.0 to 32.0.0 by @dependabot in #5040
- chore(deps): bump azure-mgmt-cosmosdb from 9.5.1 to 9.6.0 by @dependabot in #5103
- chore(deps): bump azure-mgmt-web from 7.3.0 to 7.3.1 by @dependabot in #4810
- chore(deps): bump azure-storage-blob from 12.22.0 to 12.23.0 by @dependabot in #5078
- chore(deps): bump boto3 from 1.35.21 to 1.35.23 by @dependabot in #5114
- chore(deps): bump botocore from 1.35.22 to 1.35.23 by @dependabot in #5101
- chore(deps): bump google-api-python-client from 2.145.0 to 2.146.0 by @dependabot in #5079
- chore(deps): bump msgraph-sdk from 1.7.0 to 1.8.0 by @dependabot in #5102
- chore(deps): bump peter-evans/create-pull-request from 6 to 7 by @dependabot in #4924
- chore(deps): bump pydantic from 1.10.17 to 1.10.18 by @dependabot in #4857
- chore(deps): bump pytz from 2024.1 to 2024.2 by @dependabot in #5006
- chore(deps): bump setuptools from 74.1.2 to 75.1.0 by @dependabot in #5054
- chore(deps): bump slack-sdk from 3.33.0 to 3.33.1 by @dependabot in #5104
- chore(deps): bump tj-actions/changed-files from 44 to 45 by @dependabot in #4823
- chore(deps): bump trufflesecurity/trufflehog from 3.82.1 to 3.82.2 by @dependabot in #5051
- chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.8 to 1.2.9 by @dependabot in #5020
- chore(deps-dev): bump moto from 5.0.13 to 5.0.14 by @dependabot in #4963
- chore(deps-dev): bump pylint from 3.2.6 to 3.2.7 by @dependabot in #4919
- chore(deps-dev): bump pytest-env from 1.1.4 to 1.1.5 by @dependabot in #5092
- chore(deps-dev): bump pytest from 8.3.2 to 8.3.3 by @dependabot in #4994
- chore(deps-dev): bump safety from 3.2.6 to 3.2.7 by @dependabot in #4897
- chore(deps-dev): bump vulture from 2.11 to 2.12 by @dependabot in #5075
Full Changelog: 3.16.16...3.16.17
Prowler 4.3.5 - The Alchemist [HOTFIX]
What's Changed
Hotfix
- fix: handle empty input regions by @github-actions in #4842
Full Changelog: 4.3.4...4.3.5
Prowler 4.3.4 - The Alchemist [YANKED]
What's Changed
Fixes
- fix(aws): enhance resource arn filtering by @github-actions in #4837
- fix(aws): run Prowler as IAM Root or Federated User by @github-actions in #4773
- fix(ec2): Manage UnicodeDecodeError when reading user data by @github-actions in #4789
- fix(ecr): change log level of non-scanned images by @github-actions in #4769
- fix(ecr): handle non-existing findingSeverityCounts key by @github-actions in #4767
- fix(iam): handle no arn serial numbers for MFA devices by @github-actions in #4711
- fix(iam): update logic of Root Hardware MFA check by @github-actions in #4775
- fix(mutelist): change logic for tags in aws mutelist by @github-actions in #4803
- fix(outputs): refactor unroll_tags to use str as tags by @github-actions in #4819
- fix(version): update version flag logic by @github-actions in #4771
Chores
- chore(awslambda): Enhance function public access check called from other resource by @github-actions in #4794
- chore(azure): fix CIS 2.1 mapping by @github-actions in #4792
- chore(test): improve iam_root_hardware_mfa_enabled tests by @github-actions in #4835
Full Changelog: 4.3.3...4.3.4
Prowler 3.16.16 - Back in the Village
What's Changed
Fixes
- fix(ecr): handle non-existing findingSeverityCounts key by @github-actions in #4766
- fix(ecr): change log level of non-scanned images by @github-actions in #4768
- fix(aws): run Prowler as IAM Root or Federated User by @github-actions in #4772
- fix(iam): update logic of Root Hardware MFA check by @github-actions in #4774
Chores
- chore(deps): bump google-api-python-client from 2.140.0 to 2.141.0 by @dependabot in #4749
- chore(deps): bump trufflesecurity/trufflehog from 3.81.8 to 3.81.9 by @dependabot in #4755
- chore(deps): bump botocore from 1.34.160 to 1.34.162 by @dependabot in #4757
- chore(regions_update): Changes in regions for AWS services. by @github-actions in #4770
Full Changelog: 3.16.15...3.16.16
Prowler 3.16.15 - Back in the Village
What's Changed
Fixes
- fix(autoscaling): Add exception manage while decoding UserData by @github-actions in #4675
- fix(aws): only check artifacts that can be scanned for vulnerabilities by ecr_repositories_scan_vulnerabilities_in_latest_image by @github-actions in #4677
- fix(ecs): use threads for describing task definitions by @sergargar in #4733
- fix(iam): handle no arn serial numbers for MFA devices by @github-actions in #4710
- fix(sns): add condition to sns topics (#4498) backport for v3 by @github-actions
- fix(test): solve VPC import in tests by @github-actions in #4674
Dependencies
- chore(deps): bump azure-storage-blob from 12.21.0 to 12.22.0 by @dependabot in #4660
- chore(deps): bump boto3 from 1.34.158 to 1.34.160 by @dependabot in #4743
- chore(deps): bump botocore from 1.34.159 to 1.34.160 by @dependabot in #4736
- chore(deps): bump google-api-python-client from 2.139.0 to 2.140.0 by @dependabot in #4658
- chore(deps): bump msgraph-sdk from 1.5.3 to 1.5.4 by @dependabot in #4623
- chore(deps): bump trufflesecurity/trufflehog from 3.81.7 to 3.81.8 by @dependabot in #4718
- chore(deps): Update certifi version by @pedrooot in #4708
- chore(deps-dev): bump black from 24.4.2 to 24.8.0 by @dependabot in #4624
- chore(deps-dev): bump coverage from 7.6.0 to 7.6.1 by @dependabot in #4646
- chore(deps-dev): bump flake8 from 7.1.0 to 7.1.1 by @dependabot in #4649
- chore(deps-dev): bump moto from 5.0.11 to 5.0.12 by @dependabot in #4648
- chore(deps-dev): bump safety from 3.2.4 to 3.2.5 by @dependabot in #4716
Full Changelog: 3.16.14...3.16.15
Prowler 4.3.3 - The Alchemist
What's Changed
Fixes
- fix(tags): handle AWS dictionary type tags by @github-actions in #4685
Chores
- chore(actions): Run for v4.* branch by @github-actions in #4683
- chore(version): update Prowler version by @sergargar in #4639
- chore(version): update version logic in Prowler for v4.3 by @sergargar in #4680
- chore(version): update version logic in Prowler by @github-actions in #4689
Full Changelog: 4.3.2...4.3.3