Prowler 2.4.0
New version, new logo and new features, many community contributions, fixes and improvements.
Thanks to all the community for the continuous effort, contributing in many ways, including code and feedback. Prowler is being used by thousands of users and making your cloud infrastructure more secure. THANK YOU.
New Features:
Please read these new features and changes carefully (especially the CSV output changes) if you have integrations, as they may affect you.
Added Risk, Remediation, Link to doc and CAF security epics to controls @pablopagani
Added support for the new fields Risk, Remediation, Link to doc and CAF security epics in the CSV and HTML outputs. The full CSV header is now:
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
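Since these release notes warn that the CSV changes may break integrations (new columns, and the NOTES header renamed to CHECK_RESULT_EXTENDED, as described under Enhancements), here is an added example, not part of Prowler itself, of consuming the 2.4.0 CSV output by header name rather than column position, so that both the new and the older layout are read correctly. It assumes a comma-delimited file with a header row; the sample rows and doc URLs are constructed placeholders.

```python
import csv
import io
from collections import Counter

# CSV header of Prowler 2.4.0 as listed in these release notes.
HEADER_240 = (
    "PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,"
    "TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,"
    "CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,"
    "CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC"
).split(",")

# Pre-2.4.0 header name -> 2.4.0 name (NOTES became CHECK_RESULT_EXTENDED).
RENAMED = {"NOTES": "CHECK_RESULT_EXTENDED"}

# Constructed sample output (not real Prowler data; doc URLs are placeholders).
SAMPLE_CSV = ",".join(HEADER_240) + "\n" + """\
default,123456789012,us-east-1,7.98,FAIL,Scored,Level 2,[extra798] Ensure no policy allows permissive role assumption,Policy example-policy allows sts:AssumeRole on *,,High,iam,AwsIamPolicy,,Any principal could assume roles,Restrict the sts:AssumeRole Resource,https://example.invalid/extra798,Infrastructure security
default,123456789012,us-east-1,7.113,PASS,Scored,Level 2,[extra7113] Check if RDS instances have deletion protection,RDS instance db-1 has deletion protection enabled,,Medium,rds,AwsRdsDbInstance,,Accidental database deletion,Enable deletion protection,https://example.invalid/extra7113,Infrastructure security
default,123456789012,eu-west-1,7.102,FAIL,Not Scored,Level 2,[extra7102] Check if Elastic IPs are listed in Shodan,Elastic IP 203.0.113.10 is listed in Shodan,,Medium,ec2,AwsEc2Eip,,Public IP exposed to scanners,Review the exposed services,https://example.invalid/extra7102,Infrastructure security
"""


def load_findings(text):
    """Parse Prowler CSV text into dicts keyed by the 2.4.0 column names.
    Columns are looked up by header name, never by position; a pre-2.4.0
    header is mapped onto the new names, and columns absent from older
    output (e.g. CHECK_RISK) are filled with an empty string."""
    lines = io.StringIO(text)
    header = [RENAMED.get(col, col) for col in next(csv.reader(lines))]
    rows = csv.DictReader(lines, fieldnames=header, restval="")
    return [{col: row.get(col, "") for col in HEADER_240} for row in rows]


def failed_by_severity(findings):
    """Count FAIL results per CHECK_SEVERITY, one of the fields new in 2.4.0."""
    return Counter(f["CHECK_SEVERITY"] for f in findings
                   if f["CHECK_RESULT"] == "FAIL")


def remediations(findings):
    """Map each failing TITLE_ID to its CHECK_REMEDIATION text."""
    return {f["TITLE_ID"]: f["CHECK_REMEDIATION"]
            for f in findings if f["CHECK_RESULT"] == "FAIL"}


if __name__ == "__main__":
    found = load_findings(SAMPLE_CSV)
    print(failed_by_severity(found), remediations(found))
```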
Added severity field to CSV and HTML output reports
Added new logo, screenshots and improved documentation sections
Added -N <shodan_api_key> support for extra7102
Added [extra736] Check exposed KMS keys to group internet-exposed
Added [extra798] Check if Lambda functions have resource-based policy set as Public
Added [extra799] Check if Security Hub is enabled and its standard subscriptions
Added 4 new EKS checks @jonjozwiak
Added access checks for several checks @zfLQ2qx2
Added additional checks to HIPAA group @gchib297
Added additional GDPR checks to GDPR group @gchib297
Added all new Sagemaker checks to extras
Added option to list all findings in a single view in the HTML report
Added AWS partition variable to the ASFF output format
Added AWS service name to json, csv and html outputs
Added back extra798
Added better handling of permissions and errors
Added CFN template helper for role
Added check extra7113
Added check extra798 to gdpr and pci groups @gchib297
Added check extra798 to iso27001 @gchib297
Added check extra798 to PCI
Added check for AccessDenied when calling GetBucketLocation in extra73,extra734,extra764 @zfLQ2qx2
Added Check for errors generating credential report, limit loop iterations @zfLQ2qx2
Added check for RDS enhanced monitoring @mpratsch
Added check if Enhanced monitoring is enabled on RDS instances
Added check23 to group17_internetexposed group @RyanJarv
Added check7130 to group7_extras and Fixed some issues
Added checks about EKS to groups internet-exposed and forensics
Added CodeBuild deployment section
Added CodeBuild template original from @stevecjones
Added coreutils to Dockerfile
Added EKS checks to eks-cis and extras group @jonjozwiak
Added Enable Security Hub official integration @toniblyx
Added ENS group with new checks
Added extra7102 ElasticIP Shodan integration
Added extra7102 to groups extras and internetexposed
Added extra7113: Check RDS deletion protection
Added extra7113: Check RDS instances deletion protection @gchib297
Added extra7133 RDS multi-AZ
Added extra796 EKS control plane access to internet-exposed group
Added extra799 and extra7100 to group extras
Added FFIEC cybersecurity assessment group @gchib297
Added fix to generate test summary so reports display graphs correctly @stevecjones
Added get_regions function in order to call after assume_role @HG00
Added GetFindings action to example IAM policy for Security Hub
Added additional Glue checks @dlpzx
Added Glue checks part 1 @ramondiez
Added GovCloud usage information
Added group for ENS Spanish Esquema Nacional de Seguridad
Added group for pci-dss as reference
Added group internet-exposed
Added group18 for ISO27001 thanks to @gchib297 issue #637
Added high level architecture
Added html to -M in usage
Added IAM to extra7100 title
Added latest checks to extras group
Added more checks mappings to ISO27001 group and reordered the list @mario-platt
Added 7 new checks required for ENS
Added new check [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled
Added New check 7.98 [extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) @nickmalcolm
Added new check extra_7130 to check encryption of a SNS topic @mpratsch
Added new check extra7131 RDS minor version upgrade
Added new check extra793 for SSL listeners on load balancers @jonjozwiak
Added new extras check (7130) to check encryption of a SNS topic
Added New group for Sagemaker with 10 new controls
Added parameters and made the template parameterised @pacohope
Added Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys
Added script to generate html report from multiple csv outputs
Added service name to all checks
Added service name to sample check
Added session duration option to 12h
Added sleep to extra7102 to avoid Shodan API limits
Added SOC2 compliance group @gchib297
Added start build automatically
Added Support custom folder checks when running all checks @xeroxnir
Added support to run inside AWS CloudShell
Added Whitelist feature improvements @QuinnStevens
Enhancements:
Enhanced Accept current most restrictive TLSv1.2-only ALB security policy as secure
Enhanced Adapt check119 to exclude instances shutting down @stku1985
Enhanced Additional check for location of awscli @zfLQ2qx2
Enhanced Adjusted severity like in Security Hub @xeroxnir
Enhanced: allow listing checks and groups without credentials
Enhanced handling of permissions and errors
Enhanced Catch errors assuming role and describing regions @zfLQ2qx2
Enhanced check extra740: reworked to consider all snapshots, use JMESPath query @pacohope
Enhanced check extra792 to accept current most restrictive TLSv1.2 @bazbremner
Enhanced check119 to exclude instances shutting-down @stku1985
Enhanced clear AWS_DEFAULT_OUTPUT on start @zfLQ2qx2
Enhanced Cloudtrail metrics (check3x) pass if found on any, not every, cloudtrail log @zfLQ2qx2
Enhanced CodeBuild CFN template with scheduler and documentation
Enhanced documentation about SecurityHub integration and region filter
Enhanced Ensure check28 only looks at symmetric keys
Enhanced Ensure that checks are sorted numerically when listing checks @marcjay
Enhanced Ensures JSON is the default AWS command output.
Enhanced error handling without credentials
Enhanced extra7102 increased severity to medium
Enhanced extra792 skip check if no HTTPS/SSL Listener plus Added NLB Support @jonjozwiak
Enhanced feature to refresh assume role credentials before it expires
Enhanced Force default AWS CLI output issue #696 @Kirizan
Enhanced Handle shadow CloudTrails more gracefully in checks check21,check22,check24,check27 @zfLQ2qx2
Enhanced html output with scoring information, risk, remediation, doc link and CAF security epics.
Enhanced Implement OS neutral method of converting rfc3339 dates to epoch @zfLQ2qx2
Enhanced CSV output: renamed the NOTES field header to CHECK_RESULT_EXTENDED. New CSV header looks like:
Enhanced PublicIP discovery used in Shodan check_extra7102 @as-km
Enhanced reduce needed actions in additions policy @tekdj7
Enhanced Removed textInfo extra information on extra712
Enhanced Security Hub integration @xeroxnir
Enhanced Security Hub integration improvement and Added severity for checks @xeroxnir
Enhanced Security Hub: Mark as ARCHIVED + Fixed race condition @xeroxnir
Enhanced Updated ProwlerExecRoleAdditionalViewPrivileges Policy with lambda:GetFunction
Enhanced Use describe-network-interfaces instead of describe-addresses in order to get public IPs #768
Enhanced whitelisting to allow regexes and fuzzy/strict matching
Enhanced Adjusted severity of secrets and Shodan checks
Fixes:
Fixed account id in output file name
Fixed changes made in check27
Fixed check extra73 fail message omits bucket name @zfLQ2qx2
Fixed check for public rds instances
Fixed check_extra7107 condition
Fixed check_extra7116 and check_extra7117
Fixed check12 bug: removed $ from grep
Fixed check12 when MFA is enabled and user contains true in the name @xeroxnir
Fixed date command for busybox @zfLQ2qx2
Fixed: don't fail check extra737 for keys scheduled for deletion
Fixed EKS related checks regarding us-west-1 @njgibbon
Fixed error handling for SubscriptionRequiredException in extra77
Fixed execute_group_by_id @xeroxnir
Fixed extra7103 parser error
Fixed extra7108 parser error
Fixed extra7110 title
Fixed extra7111 parser error
Fixed extra7116 extra7117 outputs and added to extras @ramondiez
Fixed extra737 now doesn't fail for keys scheduled for deletion @QuinnStevens
Fixed for busybox date command
Fixed for check_extra764 @grzegorznittner
Fixed for issue 713
Fixed FreeBSD $OSTYPE check @ring-pete
Fixed getopts OPTARG for custom checks @xeroxnir
Fixed include lambda:GetFunction in prowler policy to check AWS Lambda related controls: extra720,extra759,extra760,extra762,extra798
Fixed Include missing AWS function lambda:GetFunction policy in prowler-additions-policy.json to check AWS Lambda @jfagoagas
Fixed issue #624 ID of check_extra792
Fixed issue #659
Fixed issue assuming role in regions with STS disabled
Fixed issue in extra776 when ECR Scanning imageDigest @adamcanzuk
Fixed listing CloudFormation stacks if default output format is not JSON
Fixed listing configurations if default output format is not JSON in check119, extra742, extra75 and extra772 @Anthirian
Fixed listing EC2 instances if default output format is not JSON
Fixed listing EC2 Security Groups if default output format is not JSON
Fixed listing Elastic IPs if default output format is not JSON
Fixed log metric filter check3x with multiple trails @bridgecrewio
Fixed log metric filter checks (#33)
Fixed Make check28 only look at symmetric keys @mdop-wh
Fixed: moved assume role before listing regions, fixes issue #744
Fixed output on extra731
Fixed profile and region settings for extra792 ELB SSL ciphers @jonjozwiak
Fixed quotes in check extra78 for public RDS instances @goldfiglabs
Fixed regex in check43 @ilyas28
Fixed Replace empty space with '\s' in check43 regex @frannovo
Fixed report metadata in html output
Fixed Security Hub eventual consistency + PREFIX query bug + archive PASSED @xeroxnir
Fixed security-hub integration: Race condition timestamp @xeroxnir
Fixed SecurityHub: other OS/check fixes + batch findings in groups of 100 @xeroxnir
Fixed servicename variable in extra72
Fixed Store assumed role expiry time for later checking
Fixed syntax in extra7110
Fixed title grammar in check_extra73 @CenturionGamer
Fixed typos and Added to extras extra7132
Fixed check_extra7130: profile parameter was not set @soffensive