Releases: prowler-cloud/prowler
Prowler 3.0.2 - Piece of Mind
Features
- feat(regions_update): changes in regions for AWS services. by @github-actions in #1629 and #1646
- feat(aws-regions): update refresh regions action by @sergargar in #1641
- feat(ec2): add ResourceArn by @gabrielsoltz in #1649
- feat(ecs_task_definitions_no_environment_secrets): update recommendation by @Fennerr in #1658
- feat(ecs_task_definitions_no_environment_secrets): add ECS task revision number by @Fennerr in #1657
Fixes
- fix(typo): Prowler for Azure by @cclauss in #1619
- fix(output_filename): Use custom output filename when set by @jfagoagas in #1632
- fix(iam_user_mfa_enabled_console_access): password enabled issues by @n4ch04 in #1634
- fix(security-hub): apply -q to security hub by @sergargar in #1637
- fix(security): update pipfile.lock by @sergargar in #1639
- fix(dockerfile): Remove additional `apk update` in Dockerfile by @PeterDaveHello in #1617
- fix(actions): add Github Action `contents: write` permission by @sergargar in #1643
- fix(actions): add GH Action `pull-requests: write` permissions by @sergargar in #1644
- fix(codeartifact): set Namespace attribute as optional by @sergargar in #1648
- fix(assume-role): Refresh credentials when assuming role by @n4ch04 in #1636
- fix(glacier): handle no vault policy error by @sergargar in #1650
- fix(contrib): update contrib folder by @sergargar in #1635
Docs
- docs(AWS-Role): fixed typo by @eltociear in #1610
- docs(installation): add multiple ways to install prowler in tabs by @toniblyx in #1627
New Contributors
- @eltociear made their first contribution in #1610
- @cclauss made their first contribution in #1619
- @PeterDaveHello made their first contribution in #1617
Full Changelog: 3.0.1...3.0.2
Prowler 3.0.1 - Piece of Mind
Fixes
- fix(logs): add check_name to logs by @sergargar in #1574
- test(credential_report): Improve credential report tests by @jfagoagas in #1579
- build(deps-dev): bump coverage from 6.5.0 to 7.0.0 by @dependabot in #1568
- docs(links): Update broken links to permissions folder by @JonoB in #1584
- build(deps-dev): bump moto from 4.0.11 to 4.0.12 by @dependabot in #1570
- build(deps-dev): bump pylint from 2.15.8 to 2.15.9 by @dependabot in #1569
- fix(errors): handle S3 errors by @sergargar in #1585
- fix(ECR): handle ECR errors by @sergargar in #1586
- fix(iam): handle NoSuchEntity error by @sergargar in #1589
- fix(vpc): endpoint policy error by @sergargar in #1588
- fix(list services): Solve list services issue by @n4ch04 in #1587
- fix(shub): Handle Security Hub InvalidAccessException error by @sergargar in #1590
- fix(efs): handle PolicyNotFound error by @sergargar in #1591
- fix(aws-cn partition): solve aws-cn partition errors by @sergargar in #1576
- feat(errors): prettify unknown service errors by @sergargar in #1592
- fix(sqs): get sqs encryption by @sergargar in #1596
- fix(refresh-aws-regions): Change branch by @jfagoagas in #1598
- fix(check_report): Init status field and fix stats output by @jfagoagas in #1580
- fix(send to s3): fixed send to s3 feature by @n4ch04 in #1599
- docs: Include Azure requirements in README by @n4ch04 in #1600
- fix(global_services): handle global regions correctly by @sergargar in #1594
- fix(output-filename): Handle argument by @jfagoagas in #1604
Full Changelog: 3.0.0...3.0.1
Prowler 3.0.0 - Piece of Mind
Today we are releasing a new major version of Prowler 🎉🥳🎊🍾, the Version 3 aka Piece of Mind.
Take Prowler v3 as our 🎄Christmas gift 🎁 for the Cloud Security Community.
Artwork property of Iron Maiden
Piece of Mind was the fourth studio album of Iron Maiden. Its meaning fits perfectly with what we do with Prowler in both senses: being protected and at the same time, this is the software I would have wanted to write when I started Prowler back in 2016 (this is now, more than ever, a piece of my mind). Now this has been possible thanks to my awesome team at Verica.
No doubt that 2022 has been a pretty interesting year for us, we launched ProwlerPro and released many minor versions of Prowler. Now enjoy Sun and Steel while you keep reading these release notes.
If you are an Iron Maiden fan as I am, you have noticed the latest minor release of Prowler (2.12) was a song from this very same album, just a clue of what was coming! In Piece of Mind you can find one of the most popular heavy metal songs of all times, The Trooper, which will be a Prowler version to be released during 2023.
Prowler v3 is more than a new version of Prowler, it is a whole new piece of software, we have fully rewritten it in Python and we have made it multi-cloud adding Azure as our second supported Cloud Provider. Prowler v3 is also way faster, being able to scan an entire AWS account across all regions 37 times faster than before, yes! you read it correctly, what before took hours now it takes literally few minutes or even seconds.
New documentation site:
We are also releasing today our brand new documentation site for Prowler at https://docs.prowler.cloud and it is also stored in the `docs` folder in the repo.
What's Changed:
Here is a list of the most important changes in Prowler v3:
- 🐍 Python: we got rid of all bash and it is now all in Python. `pip install prowler` then run `prowler` that’s all.
- 🚀 Faster: huge performance improvements. Scanning the same account takes from 2.5 hours to 4 minutes.
- 💻 Developers and Community: we have made it easier to contribute with new checks and new compliance frameworks. We also included unit tests and native logging features. And now the CLI supports long arguments and options.
- ☁️ Multi-cloud: in addition to AWS, we have added Azure.
- ✅ Checks and Groups: all checks are now more comprehensive and we provide resolution actions in most of them. Their ID is no longer tied to CIS but they are self-explanatory. Groups now are dynamically generated based on checks metadata (like services, categories, severity and more).
- ⚖️ Compliance: we are including full support for CIS 1.4, CIS 1.5 and the new Spanish ENS in this release, more to come soon! Compliance also has its own output file with their own metadata and to create your own is easier than ever before making more comprehensive reports.
- 🧩 Compatibility with v2: most of the options are the same in this version in order to support backward compatibility however some options like assume role or AWS Organizations query are now different and easier to use.
- 🔄 Consolidated output formats: now both CSV and JSON reports come with the same attributes and compared to v2, they come with more than 40 values per finding. HTML, CSV and JSON are created every time you run `prowler`.
- 📊 Quick Inventory: introduced in v2, we have fine tuned the Quick Inventory feature and now you can get a list of all resources in your AWS accounts within seconds.
Prowler new default overview:
Prowler updated HTML report:
Prowler compliance overview:
Prowler list of Azure checks:
What is coming next?
- More Cloud Providers and more checks: in addition to keep adding new checks to AWS and Azure, we plan to include GCP and OCI soon, let us know if you want to contribute!
- XML-JUNIT support: we didn’t add that to v3, if you miss it, let us know in https://github.com/prowler-cloud/prowler/discussions
- Compliance: we will add more compliance frameworks to have as many as in Prowler v2, we appreciate help though!
- Tags based audit: you will be able to scan only those resources with specific tags.
New Contributors
In addition to the Prowler rock stars @jfagoagas @n4ch04 @sergargar we have a couple of new contributors in this release:
- @StylusFrost made their first contribution in #1350
- @alexr3y made their first contribution in #1502
For more information and a detailed list of changes see below:
Full Changelog: 2.10.0...3.0.0
Prowler 2.12.1
Fixes
- fix(extra7195): Update title by @Fennerr in #1440
- fix(extra71): Modified wrong remediation by @n4ch04 in #1445
- fix(README): include more details about db connector by @n4ch04 in #1507
- fix(extra723): corrected some typos for check_extra723 by @kagahd in #1511
- fix(CloudTrail): Fix CloudTrail trail S3 logging public bucket false positive result when trail bucket doesn't exist by @acknosyn in #1505
Full Changelog: 2.12.0...2.12.1
Prowler 2.12.0 - Where Eagles Dare
Where Eagles Dare is the song that opens the Piece of Mind album of Iron Maiden, released back in 1983, the first one with Nicko McBrain as drummer after Clive Burr left the band, note his first seconds on this piece, it is like Nicko saying "here I go!". This song relates the adventure of a team of soldiers raiding a castle in Germany during the WWII, that is related in the movie with the same name starred by Clint Eastwood and Richard Burton.
For all of you that have contributed to this version (see list below), thank you ❤️!!! And reach out to me on Twitter (@toniblyx - DMs are open) if you want some laptop stickers.
🔥Important changes in this version (read this!)🔥:
New checks:
7.195 [check7195] Ensure CodeArtifact internal packages do not allow external public source publishing. - codeartifact [Critical]
Other changes:
- CloudTrail checks check21, check22, check23, check24, check26, check27 now include shadow trails in the results (those trails used for multi-region and AWS organizations)
- New group called `cisig2` for CIS Critical Security Controls v8 by @artfulbodger
- We have deprecated Discord and now we only use Slack, join us here!
New features:
- feat(checks): Adding commands for checks 117 and 118 by @belialboy in #1289
- feat(extra780): Check for Cognito or SAML authentication on OpenSearch by @kagahd in #1291
- feat(extra7195): Added check for dependency confusion in codeartifact by @congon4tor in #1329
- feat(group): CIS Critical Security Controls v8 by @artfulbodger in #1347
- feat(audit_id): add optional audit_id field to postgres connector by @sergargar in #1362
- feat(db-connector): Include UUID for findings ID by @n4ch04 in #1368
- feat(slack): add Slack badge to README instead of deprecated Discord by @sergargar in #1401
- feat(extra7111): Exception handling by @n4ch04 in #1408
- feat(stable tag): Inclusion of stable tag point to last release by @n4ch04 in #1419
- docs(spelling): Typo corrections by @olivier987654 in #1394
Enhancements:
- chore(issues): Link Q&A by @jfagoagas in #1305
- docs(outputs): added CVS and JSON details by @jfagoagas in #1313
- docs(dockerfile): Dockerfile build instructions by @walkerab in #1370
- chore(actions): Bump Trufflehog to v3.13.0 by @gliptak in #1382
- delete(shortcut.sh): Remove ScoutSuite by @jfagoagas in #1388
- fix(checks): CloudTrail checks 2.X now include shadow trails in the results (those trails used for multi-region and AWS organizations)
Fixes:
- fix(check12): Improve remediation by @jfagoagas in #1281
- fix(extra712): changed Macie service detection by @williambrady in #1286
- fix(permissions): Include missing appstream:DescribeFleets permission by @jfagoagas in #1278
- fix(appstream): Handle timeout errors by @jfagoagas in #1296
- fix(security-groups): Include TCP as the IpProtocol by @jfagoagas in #1323
- fix(credential_report): Do not generate for 117 and 118 by @jfagoagas in #1322
- fix(inventory): Variable assigning syntax in inventory mode by @JArmandoG in #1283
- fix(check120): correct AWS support policy name by @JArmandoG in #1328
- fix(postgresql): Connector field by @jfagoagas in #1372
- fix(postgresql): Missing space by @jfagoagas in #1374
- fix(checks): Include missing output in checks by @n4ch04 in #1380
- fix(checks): Handle checks not returning result by @n4ch04 in #1383
- fix(inventory): quick inventory input fixed by @sergargar in #1397
- fix(check_extra77): Add missing check_resource_id to the report by @kagahd in #1402
- fix(missing permissions): add missing permissions of checks by @sergargar in #1403
- fix(region_bugs): Remove duplicate outputs by @sergargar in #1390
- fix(extra740): remove additional info and fix max_items by @sergargar in #1405
- fix(extra77): Deleted resource id from exception results by @n4ch04 in #1409
- fix(extra7183): Exception handling error UnsupportedOperationException by @n4ch04 in #1410
- fix(extra7184): Error handling GetSnapshotLimits api call by @n4ch04 in #1411
New Contributors:
- @williambrady made their first contribution in #1286
- @belialboy made their first contribution in #1289
- @kagahd made their first contribution in #1291
- @JArmandoG made their first contribution in #1283
- @congon4tor made their first contribution in #1329
- @artfulbodger made their first contribution in #1347
- @walkerab made their first contribution in #1370
- @olivier987654 made their first contribution in #1394
Full Changelog: 2.11.0...2.12.0
Prowler 2.11.0 - Blood Brothers
Steve Harris, founder and bass guitar of Iron Maiden 🤘🏽 wrote this song when he lost his father, lyrics and music is beautiful. This release is for those that always look forward and only look back to be thankful and learn. Also this song and version is to thank my Prowler brothers @jfagoagas, @n4ch04, @sergargar and @drewkerrigan, they are working as beasts every day to make this piece of software better and building something awesome with Prowler underneath called Prowler Pro.
For all of you that have contributed to this version (see list below), thank you ❤️!!! And reach out to me on Twitter (@toniblyx - DMs are open) if you want some laptop stickers.
🔥Important changes in this version (read this!):
- 14 New checks covering Directory Service, IAM, S3, Workspaces, AppStream and ECR:
7.181 [extra7181] Directory Service monitoring with CloudWatch logs - ds [Medium]
7.182 [extra7182] Directory Service SNS Notifications - ds [Medium]
7.183 [extra7183] Directory Service LDAP Certificates expiration - ds [Medium]
7.184 [extra7184] Directory Service Manual Snapshot Limit - ds [Low]
7.185 [extra7185] Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation - iam [High]
7.186 [extra7186] Check S3 Account Level Public Access Block - s3 [High]
7.187 [extra7187] Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements - workspaces [High]
7.188 [extra7188] Ensure Radius server in DS is using the recommended security protocol - ds [Medium]
7.189 [extra7189] Ensure Multi-Factor Authentication (MFA) using Radius Server is enabled in DS - ds [Medium]
7.190 [extra7190] Ensure user maximum session duration is no longer than 10 hours. - appstream [Medium]
7.191 [extra7191] Ensure session disconnect timeout is set to 5 minutes or less. - appstream [Medium]
7.192 [extra7192] Ensure session idle disconnect timeout is set to 10 minutes or less. - appstream [Medium]
7.193 [extra7193] Ensure default Internet Access from your Amazon AppStream fleet streaming instances should remain unchecked. - appstream [Medium]
7.194 [extra7194] Check if ECR repositories have lifecycle policies enabled - ecr [Low]
- New beta feature called Prowler Quick Inventory, run `./prowler -i` and tell us how it works for you. More information here: https://github.com/prowler-cloud/prowler#inventory
- Look at the new IAM check `extra7185` that will help you find IAM customer managed policies that may lead into privilege escalation.
- Now you can send findings directly to a PostgreSQL DB. More here https://github.com/prowler-cloud/prowler#database-providers-connector.
- We have refactored the whole core to improve how everything is put together, that is helping us to write the new v3 in python.
New features:
- feat(check) Directory Service by @lemelop in #1164
- feat(check): PublicAccessBlockConfiguration by @jfagoagas in #1167
- feat(check): Amazon WorkSpaces storage volumes are encrypted by @rajarshidas in #1166
- feat(inventory): Prowler quick inventory including IAM resources by @toniblyx in #1258
- feat(ecr_lifecycle): Check Lifecycle policy by @massyn in #1260
- feat(checks): New IAM privilege escalation check by @jfagoagas in #1168
- feat(codebuild_timeout): Increase codebuild timeout to maximum. by @sergargar in #1192
- feat(db) Create a PostgreSQL connector for Prowler by @n4ch04 in #1171
- feat(checks): Amazon AppStream checks by @rajarshidas in #1216
- feat(check): Ensure default internet access from Amazon AppStream fleet should be disabled. by @rajarshidas in #1233
- feat(dockerfile): Include psql client in the Prowler scanner image by @jfagoagas in #1238
- feat(db-connector): Support environment variables by @jfagoagas in #1236
- feat(inventory): Prowler quick inventory by @toniblyx in #1245
Enhancements:
- feat(output): Consolidate prowler output functions by @n4ch04 in #1180
- refactor(Prowler): Main logic refactor by @jfagoagas in #1189
- feat(extra7185): Update severity of check extra7185 by @sergargar in #1178
- feat(actions): Trigger by @jfagoagas in #1209
- feat(check): Directory Service - Ensure Radius server is using the recommended security protocol by @rajarshidas in #1203
- docs(readme): Update inventory and checks by @jfagoagas in #1257
- feat(check7164): 365 days or more in a Cloudwatch log retention should be consider PASS by @bcarranza in #1240
Fixes:
- fix(extra767): Remove false positive for check_extra767 by @zsecducna in #1198
- fix(update_deprecate_runtimes): Deprecated runtimes for lambda were updated. by @sergargar in #1170
- fix(runtimes_extra762): Detect nodejs versions correctly. by @sergargar in #1177
- fix(SQS_encryption_type): Add SQS encryption types to extra728. by @sergargar in #1175
- fix(typo): Max session duration error message by @jfagoagas in #1179
- fix(apigateway_iam): Error handling and permissions for extra745. by @sergargar in #1176
- fix(assume_role): Use date instead of jq by @jfagoagas in #1181
- fix(check119_remediation): Update check remediation text. by @sergargar in #1185
- fix(codebuild_update): AWS CLI and permissions update. by @sergargar in #1183
- fix(extra7187): Remove commas from the metadata by @jfagoagas in #1187
- fix(outputs): Replace each comma occurrence before sending to csv file by @n4ch04 in #1188
- fix(shellcheck): Main variables by @jfagoagas in #1194
- fix(session_duration): Use jq with TZ=UTC by @jfagoagas in #1195
- fix(instance-metadata): Credentials recovering by @sergargar in #1207
- fix(actions): Dockerfile path by @jfagoagas in #1208
- fix(junit_xml output): Fix xml output integration. by @sergargar in #1210
- fix(instance metadata): missing raw flag in jq parser by @n4ch04 in #1214
- fix(shub_fails): Treat failed findings as failed in SHub. by @sergargar in #1219
- fix(extra7162): Query AWS log groups using LOG_GROUP_RETENTION_PERIOD_DAYS by @jfagoagas in #1232
- fix(backupInitialAWSCredentials): Do nothing if no initial creds by @jfagoagas in #1239
- fix(postgres): Fix postgres connector issues. by @sergargar in #1244
- fix(add-checks-regions): Missing regions in checks by @sergargar in #1247
- fix(Dockerfile): Prowler path by @jfagoagas in #1254
- fix(apigatewayv2): handle BadRequestException by @sergargar in #1261
- fix(codebuild): expired token error by @sergargar in #1262
- fix(extra7173): Correct check and alternative name by @vigah in #1270
- docs(readme): Fix spelling by @r8bhavneet in #1271
- docs(readme): Fix spelling errors by @andsiu #1274
- fix(ci): Remove `yum check-update` by @jfagoagas #1275
New Contributors
- @lemelop made their first contribution in #1164
- @rajarshidas made their first contribution in #1166
- @zsecducna made their first contribution in #1198
- @bcarranza made their first contribution in #1240
- @massyn made their first contribution in #1260
- @vigah made their first contribution in https://github.com/prowler-clou...
Prowler 2.10.0 - Flight Of Icarus
Fly on your way, like an eagle
Fly as high as the sun
On your way, like an eagle
Fly, touch the sun
Flight of Icarus is a song of Iron Maiden released in 1983 as part of their Piece of Mind album. There are some amazing guitar solos in this song and it is so good, watch the video and enjoy it like this new version here:
https://www.youtube.com/watch?v=p4w2BZXL6Ss:
Image copyright by Iron Maiden
Important changes in this version (read this!):
- Now you can manage the Allow list feature using DynamoDB instead of just a plain text file.
- 7 new checks available for CodeBuild, EMR and Lambda:
7.174 [extra7174] CodeBuild Project last invoked greater than 90 days - codebuild [High]
7.175 [extra7175] CodeBuild Project with an user controlled buildspec - codebuild [High]
7.176 [extra7176] EMR Cluster without Public IP - emr [Medium]
7.177 [extra7177] Publicly accessible EMR Cluster - emr [High]
7.178 [extra7178] EMR Account Public Access Block enabled - emr [High]
7.179 [extra7179] Check Public Lambda Function URL - lambda [High]
7.180 [extra7180] Check Lambda Function URL CORS configuration - lambda [Medium]
New features:
- feat(new): New checks for lambda functions URL by @jfagoagas in #1148
- feat(new): New checks for CodeBuild and EMR added by @0xDivyanshu in #1112
- feat(emr): New check BlockPublicAccessConfiguration for EMR by @jfagoagas in #1120
- feat(new): New custom check extra9999 to build a custom check on the fly by @sectoramen in #1103
- feat(assume-role): Properly handle External ID variable by @chrisdlangton in #1128
- feat(dynamodb_allowlist): Support DynamoDB tables ARN for allowlist input by @sergargar in #1118
- feat(group7): Include extra7178 by @jfagoagas in #1121
- feat(contrib): Serverless multi account Prowler with SecurityHub Integration by @MorlaxAR in #1113
- feat(actions): Upload Prowler containers to registries by @jfagoagas in #1132
- feat(util): K8s cronjob sample files by @charles-josiah in #1140
Enhancements:
- Update CloudFormation template for CodeBuild by @jplock in #1114
- Updated multi-org ProwlerRole.yaml to match current Prowler additions policy by @ChrisGoKim in #1123
- docs(k8s-integration): Beautify README by @1vicente in #1153
Fixes:
- fix(checks): Handle AWS Gov Cloud regions #1160
- fix(check): check_extra7113: Fix wrong listing of RDS instances in regions without databases by @Sinnohd in #1124
- fix(custom-file-in-bucket): Custom file names are also support for S3 output. by @sergargar in #1129
- fix(copyToS3): Upload to S3 only when indicated. by @sergargar in #1134
- fix(actions): tag and push by @jfagoagas in #1142
- fix(readme): Fix correct permissions for DynamoDB allowlist. by @sergargar in #1147
- fix(actions): Ignore changes on Readme by @jfagoagas in #1149
- fix(timestamp): Timestamp to date casting issues solved by @n4ch04 in #1154
- fix(IllegalLocationConstraintException): Recover bucket policy using the right region endpoint by @jfagoagas in #1155
- fix(BucketLocation): Recover bucket policy using the right region endpoint by @jfagoagas in #1156
- fix(remediation): Fix empty remediation fields for checks 7164, 7144 and 7163 by @jfagoagas in #1157
New Contributors
- @0xDivyanshu made their first contribution in #1112
- @jplock made their first contribution in #1114
- @Sinnohd made their first contribution in #1124
- @ChrisGoKim made their first contribution in #1123
- @MorlaxAR made their first contribution in #1113
- @chrisdlangton made their first contribution in #1128
- @charles-josiah made their first contribution in #1140
- @1vicente made their first contribution in #1153
Full Changelog: 2.9.0...2.10.0
Prowler 2.9.0 - Run to the Hills
In 1982, Iron Maiden released The Number of the Beast, their third studio album and the first with Bruce Dickinson as their lead vocalist. The song Run to the Hills gives me very good memories, as the time we are living will do the same in the future. That song is one of the greatest metal songs in music history. Enjoy it as we do while releasing this new version of Prowler!
https://www.youtube.com/watch?v=86URGgqONvA
Image copyright by Iron Maiden
Important changes in this version (read this!):
Now, if you want to use your allowlist or custom checks you can retrieve it from a S3 Bucket using `-w` option along with a S3 URI like `s3://bucket/prefix/allowlist_sample.txt`
Also, we have enriched some IAM checks to provide more information about resources when the check status is PASS.
New Features
- New Extra Check - Detect SGs created by the EC2 Launch Wizard by @sectoramen in #1081
- Support S3 URIs for custom checks paths by @sergargar in #1090
- Support S3 URIs for allowlist file by @sergargar in #1090
Enhancements
- Update example code for terraform-quickstart by @spazm in #1086
- Replace comma from csv input info to prevent breaking `csv` format by @n4ch04 in #1102
- IAM check116 and check122 now logs more detailed information with PASS results by @n4ch04 in #1107
Fixes
- Fix(secrets_library): Verify if detect-secrets library is missing by @sergargar in #1080
- Fix(extra729,extra740): Typo by @mourackb in #1083
- Fix(extra736): Missing $PROFILE_OPT by @soffensive in #1084
- Fix(extra792): TLS1.3 policies added as secure and TLS1.1/1.0 as insecure by @sergargar in #1091
- Fix(extra7172): IllegalLocationConstraintException properly handled by @sergargar in #1093
- Fix(extra764): NoSuchBucket error properly handled by @sergargar in #1094
- Fix(extra764): Deleted temporary file references by @n4ch04 in #1089
- Fix(extra7147): Handle unsupported AWS regions for Glacier by @jfagoagas in #1101
- Fix(extra79): Typo publiccly -> publicly by @carterjones in #1106
- Fix(extra75): Empty array check in SECURITYGROUPS object by @nealalan in #1099
New Contributors
- @mourackb made their first contribution in #1083
- @spazm made their first contribution in #1086
- @nealalan made their first contribution in #1099
- @carterjones made their first contribution in #1106
Full Changelog: 2.8.1...2.9.0
Prowler 2.8.1
What's Changed
- fix(bucket_region): check extra764 doesn't handle bucket region properly by @sergargar in #1077
- fix(detect-secrets): Include missing colon to link values by @jfagoagas in #1078
Full Changelog: 2.8.0...2.8.1
Prowler 2.8.0 - The Ides of March
The Ides of March is an instrumental song that opens the second studio album of Iron Maiden called Killers. This song is great as an opening, March is the month when spring starts in my side of the world, is always time for optimism. Ides of March also means 15 of March in the Roman calendar (and the day of the assassination of Julius Caesar). Enjoy the song here.
We have put our best to make this release and with important help of the Prowler community of cloud security engineers around the world, thank you all! Special thanks to the Prowler full time engineers @jfagoagas, @n4ch04 and @sergargar! (and Bruce, my dog) ❤️
Important changes in this version (read this!):
Now, if you have AWS Organizations and are scanning multiple accounts using the assume role functionality, Prowler can get your account details like Account Name, Email, ARN, Organization ID and Tags and add them to CSV and JSON output formats. More information and usage here.
New Features
- 1 New check for S3 buckets have ACLs enabled by @jeffmaley in #1023 :
7.172 [extra7172] Check if S3 buckets have ACLs enabled - s3 [Medium]
- feat(metadata): Include account metadata in Prowler assessments by @toniblyx in #1049
Enhancements
- Add whitelist examples for Control Tower resources by @lorchda in #1013
- Skip packages with broken dependencies when upgrading system by @dlorch in #1009
- Docs: Improve check_sample examples, add general comments by @lazize in #1039
- Added timestamp to temp folders for secrets related checks by @sectoramen in #1041
- Make python3 default in Dockerfile by @sectoramen in #1043
- Docs(readme): Fix typo by @jfagoagas in #1072
- Add(filter-region): Support comma separated regions by @thetemplateblog in #1071
Fixes
- Fix issue extra75 reports default SecurityGroups as unused #1001 by @jansepke in #1006
- Fix issue extra793 filtering out network LBs #1002 by @jansepke in #1007
- Fix formatting by @lorchda in #1012
- Fix docker references by @mike-stewart in #1018
- Fix(check32): filterName base64encoded to avoid space problems in filter names by @n4ch04 in #1020
- Fix: when prowler exits with a non-zero status, the remainder of the block is not executed by @lorchda in #1015
- Fix(extra7148): Error handling and include missing policy by @toniblyx in #1021
- Fix(extra760): Error handling by @lazize in #1025
- Fix(CODEOWNERS): Rename team by @jfagoagas in #1027
- Fix(include/outputs): Whitelist logic reformulated to exactly match input by @n4ch04 in #1029
- Fix CFN CodeBuild example by @mmuller88 in #1030
- Fix typo CodeBuild template by @dlorch in #1010
- Fix(extra736): Recover only Customer Managed KMS keys by @jfagoagas in #1036
- Fix(extra7141): Error handling and include missing policy by @lazize in #1024
- Fix(extra730): Handle invalid date formats checking ACM certificates by @jfagoagas in #1033
- Fix(check41/42): Added tcp protocol filter to query by @n4ch04 in #1035
- Fix(include/outputs):Rolling back whitelist checking to RE check by @n4ch04 in #1037
- Fix(extra758): Reduce API calls. Print correct instance state. by @lazize in #1057
- Fix: extra7167 Advanced Shield and CloudFront bug parsing None output without distributions by @NMuee in #1062
- Fix(extra776): Handle image tag commas and json output by @jfagoagas in #1063
- Fix(whitelist): Whitelist logic reformulated again by @n4ch04 in #1061
- Fix: Change lower case from bash variable expansion to tr by @lazize in #1064
- Fix(check_extra7161): fixed check title by @n4ch04 in #1068
- Fix(extra760): Improve error handling by @lazize in #1055
- Fix(check122): Error when policy name contains commas by @plarso in #1067
- Fix: Remove automatic PR labels by @jfagoagas in #1044
- Fix(ES): Improve AWS CLI query and add error handling for ElasticSearch/OpenSearch checks by @lazize in #1032
- Fix(extra771): jq fail when policy action is an array by @lazize in #1031
- Fix(extra765/776): Add right region to CSV if access is denied by @roman-mueller in #1045
- Fix: extra7167 Advanced Shield and CloudFront bug parsing None output without distributions by @NMuee in #1053
New Contributors
- @jansepke made their first contribution in #1006
- @lorchda made their first contribution in #1012
- @mike-stewart made their first contribution in #1018
- @n4ch04 made their first contribution in #1020
- @jeffmaley made their first contribution in #1023
- @roman-mueller made their first contribution in #1045
- @NMuee made their first contribution in #1053
- @plarso made their first contribution in #1067
- @thetemplateblog made their first contribution in #1071
- @sergargar made their first contribution in #1073
Full Changelog: 2.7.0...2.8.0