prowler-cloud/prowler 3.2.0

Prowler 3.2.0 - Quest for Fire

on GitHub

Drawn by quest for fire
They searched all through the land
Drawn by quest for fire
Discovery of man.

Quest for Fire is a song part of Piece of Mind album of Iron Maiden. This new version is the result of our quest for your security issues and our quest to help you to improve your cloud security posture. See below the amazing new features we have added to Prowler 3.2.0 🔥Quest for Fire🔥

New features to highlight in this version:

🏷️ Tag-based scan: now you can scan only resources with specific tags across your entire account with the following command:

• prowler aws --resource-tags Environment=dev Project=prowler
• You can use as many tags as you need. More information here: https://docs.prowler.cloud/en/latest/tutorials/aws/tag-based-scan/

🎯 Resource-based scan: now you can scan only a specific resources by the ARN

• prowler aws --resource-arn arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678
• That command will run all IAM user related checks to test and all VPC related checks to VPC vpc-12345678
• This is very helpful for new found resources or even pipelines! More information here: https://docs.prowler.cloud/en/latest/tutorials/aws/resource-arn-based-scan/

⚖️ 17 New Security Compliance Frameworks: we added 17 new security frameworks for AWS.

• In addition to CIS 1.4, CIS 1.5 and Spanish ENS (that comes with more enhancements) we have added the following security frameworks for the AWS provider.
  • CISA Cyber Essentials
  • FedRAMP Low Revision 4
  • FedRAMP Moderate Revision 4
  • Federal Financial Institutions Examination Council (FFIEC)
  • AWS Foundational Security Best Practices
  • General Data Protection Regulation (GDPR)
  • GxP 21 CFR Part 11
  • GxP EU Annex 11
  • HIPAA
  • NIST 800-171 Revision 2
  • NIST 800-53 Revision 4
  • NIST 800-53 Revision 5
  • NIST Cybersecurity Framework (CSF) v1.1
  • PCI v3.2.1
  • RBI Cyber Security Framework
  • SOC 2
• These can be considered test mode at this point, we are open for feedback and updates.
• More information about how to use them with Prowler and compliance here: https://docs.prowler.cloud/en/latest/tutorials/compliance/.
• We want to thank @pedromarting3 for his contribution, AWS and their public documentation and also steampipe.io mod page https://hub.steampipe.io/mods/turbot/aws_compliance because they were pretty helpful for us. 🙏🏼 🤜🏼🤛🏼

✅New check:

• Check if IAM Access Analyzer is enabled (in addition of the existing one that looks for issues as well)

📺Handler for output code:

• Like in v2, now you can handle what output code to get when Prowler gets failed findings. (-z)

📄Allow list feature now supports Lambda to manage it:

• More information #1793

What's Changed:

• feat(compliance): Add 17 new security compliance frameworks for AWS by @pedromarting3 in #1824
• feat(new check): add accessanalyzer_enabled check by @sergargar in #1864
• feat(boto3-config): Use standard retrier by @jfagoagas in #1868
• feat(allowlist): AWS Lambda function support by @pplu in #1793
• feat(scan-type): AWS Resource ARNs based scan by @sergargar in #1807
• feat(exit_code 3): add -z option by @sergargar in #1848
• feat(scanner): Tag-based scan by @sergargar in #1751

Fixes:

• fix(elbv2): handle service for GWLB resources by @daftkid in #1860
• fix(checks): added validation for non-existing VPC endpoint policy by @daftkid in #1859
• fix(action): do not trigger action when editing release by @sergargar in #1865
• fix(key_errors): handle Key Errors in Lambda and EMR by @sergargar in #1871
• fix(permissive role assumption): actions list handling by @n4ch04 in #1869
• fix(key_errors): handle Key Errors in Lambda and EMR by @sergargar in #1871
• fix(hardware mfa): changed hardware mfa description by @n4ch04 in #1873
• fix(metadata): typo in appstream_fleet_session_disconnect_timeout.metadata.json by @sergargar in #1875
• fix(compliance): ENS RD2022 Spanish security framework updates by @alexr3y in #1809
• fix(errors): solve several services errors (AccessAnalyzer, AppStream, KMS, S3, SQS, R53, IAM, CodeArtifact and EC2) by @sergargar in #1879
• fix(cloudtrail_multi_region_enabled): reformat check by @n4ch04 in #1880
• chore(compliance): add manual checks to compliance CSV by @sergargar in #1872
• fix(service errors): solve errors in IAM, S3, Lambda, DS, Cloudfront services by @sergargar in #1882
• chore(Dockerfile): Remove build files by @jfagoagas in #1886
• fix(list_checks): filter checks after audit_info set by @n4ch04 in #1887
• fix(Azure_Audit_Info): Added audited_resources field by @n4ch04 in #1891

Documentation

• docs: Boto3 Standard Retrier by @jfagoagas in #1885
• docs: Update AWS Role Assumption by @Fennerr in #1890
• docs: Minor changes to the intro paragraph by @Fennerr in #1892
• docs: Minor changes to logging by @Fennerr in #1893

New Contributors

• @pedromarting3 made their first contribution in #1824
• @pplu made their first contribution in #1792

Full Changelog: 3.1.4...3.2.0