prowler-cloud/prowler 4.5.0 on GitHub

There's a feeling that's inside me
Telling me to get away
But I'm so tired of living
I might as well end today

Prowler 4.5.0 - Another Life 🚀 has arrived, packed with a host of new AWS checks and improvements! We also invite you to enjoy this classic Iron Maiden song.

A huge shout-out to our talented engineers @danibarranqueroo, @MarioRgzLpz, and @HugoPBrito for their amazing work on developing new checks, and a warm welcome to our new engineer @AdriiiPRodri!

Special thanks as well to @sansns for his outstanding contributions to new Fault Tolerance checks, and to our fantastic external contributors @SaintTamnoon, @jonathanbro, and @Nirbhay1997 for their valuable PRs 🥳.

New features to highlight in this version

AWS

🔒 Combat LLMJacking in AWS Bedrock

Following recent insights from Permiso Security on hijacking threats to GenAI infrastructure like AWS Bedrock, we’ve introduced five new checks in Prowler to bolster security:

bedrock_model_invocation_logging_enabled
cloudtrail_threat_detection_llm_jacking
bedrock_agent_guardrail_enabled
bedrock_guardrail_prompt_attack_filter_enabled
bedrock_guardrail_sensitive_information_filter_enabled.

These checks enhance logging, encryption, and guardrail configurations to monitor and mitigate unauthorized access, safeguarding sensitive data and helping detect emerging LLMJacking threats.

🛡️ New Checks to Address IAM Access Analyzer Gaps

In their latest post on securityrunners.io, @SecurityRunners identified gaps in IAM Access Analyzer's ability to detect publicly exposed resources. To close these gaps, we’ve introduced new checks: cloudwatch_log_group_not_publicly_accessible, ses_identities_not_publicly_accessible, glue_data_catalogs_not_publicly_accessible, and secretsmanager_not_publicly_accessible, helping to reliably identify and secure public resources.

🚀 More checks!

Prowler has significantly expanded its AWS coverage, adding 104 new checks across 42 AWS services, including popular ones like Bedrock, DMS, FSx, GuardDuty, SES and WAF, to enhance your cloud security and compliance posture.

See all the new available checks with prowler aws --list-checks

apigateway_restapi_cache_encrypted
apigateway_restapi_tracing_enabled
athena_workgroup_logging_enabled
autoscaling_group_capacity_rebalance_enabled
autoscaling_group_elb_health_check_enabled
autoscaling_group_launch_configuration_no_public_ip
autoscaling_group_launch_configuration_requires_imdsv2
autoscaling_group_multiple_instance_types
autoscaling_group_using_ec2_launch_template
backup_recovery_point_encrypted
bedrock_agent_guardrail_enabled
bedrock_guardrail_prompt_attack_filter_enabled
bedrock_guardrail_sensitive_information_filter_enabled
bedrock_model_invocation_logging_enabled
bedrock_model_invocation_logs_encryption_enabled
cloudfront_distributions_s3_origin_non_existent_bucket
cloudtrail_threat_detection_enumeration
cloudtrail_threat_detection_llm_jacking
cloudtrail_threat_detection_privilege_escalation
cloudwatch_alarm_actions_alarm_state_configured
cloudwatch_alarm_actions_enabled
cloudwatch_log_group_no_critical_pii_in_logs
cloudwatch_log_group_not_publicly_accessible
codebuild_project_logging_enabled
codebuild_project_no_secrets_in_variables
codebuild_project_s3_logs_encrypted
codebuild_report_group_export_encrypted
config_recorder_using_aws_service_role
datasync_task_logging_enabled
directconnect_connection_redundancy
directconnect_virtual_interface_redundancy
dms_endpoint_mongodb_authentication_enabled
dms_endpoint_neptune_iam_authorization_enabled
documentdb_cluster_multi_az_enabled
dynamodb_accelerator_cluster_multi_az
dynamodb_table_autoscaling_enabled
ecs_cluster_container_insights_enabled
ecs_service_fargate_latest_platform_version
ecs_task_definitions_logging_block_mode
ecs_task_set_no_assign_public_ip
efs_access_point_enforce_root_directory
efs_access_point_enforce_user_identity
efs_mount_target_not_publicly_accessible
eks_cluster_not_publicly_accessible
elasticbeanstalk_environment_cloudwatch_logging_enabled
elasticbeanstalk_environment_enhanced_health_reporting
elasticbeanstalk_environment_managed_updates_enabled
elb_desync_mitigation_mode
elb_ssl_listeners_use_acm_certificate
elbv2_cross_zone_load_balancing_enabled
elbv2_nlb_tls_termination_enabled
eventbridge_global_endpoint_event_replication_enabled
fsx_file_system_copy_tags_to_backups_enabled
fsx_file_system_copy_tags_to_volumes_enabled
fsx_windows_file_system_multi_az_enabled
glue_data_catalogs_not_publicly_accessible
glue_etl_jobs_logging_enabled
glue_ml_transform_encrypted_at_rest
guardduty_ec2_malware_protection_enabled
guardduty_eks_audit_log_enabled
guardduty_eks_runtime_monitoring_enabled
guardduty_lambda_protection_enabled
iam_policy_cloudshell_admin_not_attached
kafka_connector_in_transit_encryption_enabled
kinesis_stream_encrypted_at_rest
macie_automated_sensitive_data_discovery_enabled
mq_broker_active_deployment_mode
mq_broker_auto_minor_version_upgrades
mq_broker_cluster_deployment_mode
mq_broker_logging_enabled
networkfirewall_logging_enabled
networkfirewall_multi_az
networkfirewall_policy_default_action_fragmented_packets
networkfirewall_policy_default_action_full_packets
opensearch_service_domains_fault_tolerant_data_nodes
opensearch_service_domains_fault_tolerant_master_nodes
opensearch_service_domains_not_publicly_accessible
rds_cluster_protected_by_backup_plan
rds_instance_transport_encrypted
redshift_cluster_encrypted_at_rest
redshift_cluster_enhanced_vpc_routing
redshift_cluster_in_transit_encryption_enabled
redshift_cluster_multi_az_enabled
redshift_cluster_non_default_database_name
redshift_cluster_non_default_username
s3_bucket_event_notifications_enabled
s3_multi_region_access_point_public_access_block
secretsmanager_not_publicly_accessible
secretsmanager_secret_rotated_periodically
secretsmanager_secret_unused
ses_identity_not_publicly_accessible
transfer_server_in_transit_encryption_enabled
vpc_endpoint_multi_az_enabled
waf_global_rule_with_conditions
waf_global_rulegroup_not_empty
waf_global_webacl_logging_enabled
waf_global_webacl_with_rules
waf_regional_rule_with_conditions
waf_regional_rulegroup_not_empty
waf_regional_webacl_with_rules
wafv2_webacl_rule_logging_enabled
wafv2_webacl_with_rules

Azure

💪🏼 New checks for Azure Container Registry

A big thanks to @johannes-engler-mw for helping expand Prowler's Azure coverage with new checks for Azure Container Registry: containerregistry_uses_private_link and containerregistry_not_publicly_accessible.

Give them a try by scanning the Azure Container Registry with prowler azure --service containerregistry

GCP

🔎 Scan your GCP Organization

Now you can limit the scan to projects within a specific Google Cloud organization by using the --organization-id option with the GCP organization ID:
prowler gcp --organization-id organization-id

See more in our documentation

🔧 Other issues and bug fixes solved for all the cloud providers

What's Changed

Features

feat(apigateway): add new check apigateway_restapi_cache_encrypted by @danibarranqueroo in #5448
feat(apigateway): add new check apigateway_restapi_tracing_enabled by @danibarranqueroo in #5470
feat(athena): add new check athena_workgroup_logging_enabled by @puchy22 in #5468
feat(autoscaling): add new check autoscaling_group_elb_health_check_enabled by @danibarranqueroo in #5330
feat(autoscaling): add new check autoscaling_group_launch_configuration_no_public_ip by @danibarranqueroo in #5359
feat(autoscaling): add new check autoscaling_group_launch_configuration_requires_imdsv2 by @danibarranqueroo in #5356
feat(autoscaling): add new check autoscaling_group_multiple_instance_types by @danibarranqueroo in #5325
feat(autoscaling): add new check autoscaling_group_using_ec2_launch_template by @danibarranqueroo in #5346
feat(autoscaling): Add autoscaling_group_capacity_rebalance_enabled check by @sansns in #5523
feat(aws): add checks for Bedrock logging configuration and CloudTrail LLM Jacking detection by @sergargar in #5314
feat(aws): add DirectConnect service and checks by @sansns in #5522
feat(aws): Add Fault Tolerance Checks by @sansns in #5488
feat(aws): Add new checks ses_identities/glue_data_catalogs/secretsmanager _not_publicly_accessible by @MarioRgzLpz in #5471
feat(aws): add new check bedrock_agent_guardrail_enabled by @sergargar in #5509
feat(aws): add new check cloudwatch_log_group_not_publicly_accessible by @sergargar in #5495
feat(aws): add new check cloudwatch_log_group_no_critical_pii_in_logs by @sergargar in #5494
feat(aws): add new check dynamodb_accelerator_cluster_multi_az by @sansns in #5493
feat(aws): add new check fsx_windows_file_system_multi_az by @sansns in #5491
feat(aws): add new check redshift_cluster_multi_az_enabled by @sansns in #5492
feat(aws): add new service transfer by @HugoPBrito in #5585
feat(aws): Add static credentials authentication by @jfagoagas in #5360
feat(aws): Update check metadata with category by @sansns in #5607
feat(azure): add authentication method from static credentials by @pedrooot in #5358
feat(azure): add provider id validation inside test_connection by @pedrooot in #5391
feat(backup): add new check backup_recovery_point_encrypted by @danibarranqueroo in #5426
feat(bedrock): add checks for guardrails configuration and log encryption by @sergargar in #5385
feat(check): add check methods by @pedrooot in #5462
feat(cloudwatch): add new check cloudwatch_alarm_actions_alarm_state_configured by @danibarranqueroo in #5404
feat(cloudwatch): add new check cloudwatch_alarm_actions_enabled by @danibarranqueroo in #5416
feat(codebuild): add new check codebuild_project_logging_enabled by @puchy22 in #5365
feat(codebuild): add new check codebuild_project_s3_logs_encrypted by @puchy22 in #5363
feat(codebuild): add new check codebuild_report_group_export_encrypted by @puchy22 in #5384
feat(color): add --no-color flag by @MrSecure in #5368
feat(config): add new check config_recorder_using_aws_service_role_config by @puchy22 in #5357
feat(containerregistry): add new check containerregistry_not_publicly_accessible by @johannes-engler-mw in #5291
feat(containerregistry): add new check containerregistry_uses_private_link by @johannes-engler-mw in #5375
feat(datasync): add datasync service and check datasync_task_logging_enabled by @AdriiiPRodri in #5444
feat(dms): add new check dms_endpoint_mongodb_authentication_enabled by @danibarranqueroo in #5578
feat(dms): add new check dms_endpoint_neptune_iam_authorization_enabled by @danibarranqueroo in #5549
feat(ecs): add new check ecs_service_fargate_latest_platform_version by @MarioRgzLpz in #5258
feat(ecs): add new check ecs_task_set_no_assign_public_ip by @MarioRgzLpz in #5603
feat(ecs): Add ecs_task_definitions_logging_block_mode check by @sansns in #5526
feat(efs): add new check efs_access_point_enforce_root_directory by @MarioRgzLpz in #5277
feat(efs): add new check efs_access_point_enforce_user_identity by @MarioRgzLpz in #5285
feat(efs): add new check efs_mount_target_not_publicly_accesible by @MarioRgzLpz in #5275
feat(elasticbeanstalk): add new check elasticbeanstalk_cloudwatch_enabled by @MarioRgzLpz in #5335
feat(elasticbeanstalk): add new check elasticbeanstalk_enhanced_health_reporting_enabled by @MarioRgzLpz in #5348
feat(elasticbeanstalk): add new check elasticbeanstalk_managed_platform_updates_enabled by @MarioRgzLpz in #5324
feat(elasticbeanstalk): Add new service ElasticBeanstalk by @MarioRgzLpz in #5322
feat(elb): add new check elb_desync_mitigation_mode by @MarioRgzLpz in #5500
feat(elb): add new check elb_ssl_listeners_use_acm_certificate by @MarioRgzLpz in #5424
feat(elbv2): add elbv2_cross_zone_load_balancing_enabled check by @sansns in #5548
feat(elbv2): add elbv2_nlb_tls_termination_enabled check by @sansns in #5550
feat(eventbridge): add new check eventbridge_global_endpoint_event_replication_enabled by @MarioRgzLpz in #5396
feat(exceptions): modify custom exceptions by @pedrooot in #5451
feat(fsx): add new check fsx_file_system_copy_tags_to_backups_enabled by @MarioRgzLpz in #5417
feat(fsx): add new check fsx_file_system_copy_tags_to_volumes_enabled by @MarioRgzLpz in #5414
feat(fsx): Add new service FSx by @MarioRgzLpz in #5412
feat(gcp): add provider id validation inside test_connection by @pedrooot in #5381
feat(gcp): add static credentials for gcp provider by @pedrooot in #5364
feat(gcp): add --organization-id flag by @sergargar in #5524
feat(glue): add check glue_ml_transform_encrypted_at_rest by @LefterisXefteris in #5272
feat(glue): add new check glue_etl_jobs_logging_enabled by @HugoPBrito in #5581
feat(guardduty): add new check guardduty_ec2_malware_protection_enabled by @puchy22 in #5297
feat(guardduty): add new check guardduty_eks_audit_log_enabled by @puchy22 in #5293
feat(guardduty): add new check guardduty_eks_runtime_monitoring_enabled by @MarioRgzLpz in #5582
feat(guardduty): add new check guardduty_lambda_protection_enabled by @puchy22 in #5299
feat(iam): add new check iam_policy_cloudshell_admin_not_attached by @MarioRgzLpz in #5437
feat(k8s): Add kubeconfig content authentication by @pedrooot in #5397
feat(k8s): Add kubeconfig content static authentication by @sergargar in #5370
feat(kafka): add new check kafka_connector_in_transit_encryption_enabled by @MarioRgzLpz in #5577
feat(kinesis): add new check kinesis_stream_encrypted_at_rest by @HugoPBrito in #5292
feat(macie): add new check macie_automated_sensitive_data_discovery_enabled by @MarioRgzLpz in #5390
feat(mq): add new check mq_broker_active_deployment_mode by @HugoPBrito in #5433
feat(mq): add new check mq_broker_auto_minor_version_upgrades by @HugoPBrito in #5431
feat(mq): add new check mq_broker_cluster_deployment_mode by @HugoPBrito in #5481
feat(mq): add new check mq_broker_logging_enabled by @HugoPBrito in #5483
feat(MQ): add new service MQ by @HugoPBrito in #5419
feat(mutelist): add mute_finding method by @pedrooot in #5563
feat(networkfirewall): add new check networkfirewall_policy_default_action_full_packets by @HugoPBrito in #5284
feat(opensearch): add new check opensearch_domain_master_nodes_fault_tolerant by @puchy22 in #5393
feat(opensearch): add new check opensearch_service_domains_fault_tolerant_data_nodes by @MarioRgzLpz in #5366
feat(redshift): add new check redshift_cluster_encrypted_at_rest by @danibarranqueroo in #5262
feat(redshift): add new check redshift_cluster_enhanced_vpc_routing by @danibarranqueroo in #5281
feat(redshift): add new check redshift_cluster_in_transit_encryption_enabled by @danibarranqueroo in #5271
feat(redshift): add new check redshift_cluster_non_default_database_name by @danibarranqueroo in #5283
feat(redshift): add new check redshift_cluster_non_default_username by @danibarranqueroo in #5268
feat(s3): add new check s3_bucket_event_notifications_enabled by @HugoPBrito in #5562
feat(s3): add new check s3_multi_region_access_point_public_access_block by @HugoPBrito in #5552
feat(s3): add test_connection method by @pedrooot in #5332
feat(scan): add arguments by @pedrooot in #5427
feat(scan): add excluded_checks and services by @pedrooot in #5442
feat(scan): add mutelist and config file to scan by @pedrooot in #5310
feat(scan): add scan duration by @pedrooot in #5305
feat(scan): add status argument by @pedrooot in #5443
feat(scan): execute all checks if no checks are provided by @pedrooot in #5307
feat(secretsmanager): add new check secretsmanager_secret_rotated_periodically by @puchy22 in #5450
feat(secretsmanager): add new check secretsmanager_secret_unused by @puchy22 in #5428
feat(SecurityHub): add test_connection method by @sergargar in #5350
feat(slack): add test_connection method by @sergargar in #5340
feat(test_connection): Add optional AWS Account ID validation by @jfagoagas in #5361
feat(transfer): add new check transfer_server_encryption_in_transit by @HugoPBrito in #5590
feat(waf): add new check waf_global_rulegroup_not_empty by @HugoPBrito in #5467
feat(waf): add new check waf_global_rule_with_conditions by @HugoPBrito in #5465
feat(waf): add new check waf_global_webacl_logging_enabled by @HugoPBrito in #5479
feat(waf): add new check waf_global_webacl_with_rules by @HugoPBrito in #5469
feat(waf): add new check waf_regional_rulegroup_not_empty by @HugoPBrito in #5415
feat(waf): add new check waf_regional_rule_with_conditions by @HugoPBrito in #5411
feat(waf): add new check waf_regional_webacl_with_rules by @HugoPBrito in #5392
feat(waf): change WAF Classic web_acls from list to dict by @HugoPBrito in #5380
feat(wafv2): add new check wafv2_webacl_rule_logging_enabled by @HugoPBrito in #5362
feat(wafv2): add new check wafv2_webacl_with_rules by @HugoPBrito in #5376
feat(wafv2): change web_acls from list to dict by @HugoPBrito in #5308
feat(wafv2): set us-east-1 region for global acls by @HugoPBrito in #5558

Fixes

fix(aws): do not flag cross-service confused deputy as public by @sergargar in #5593
fix(aws): findings in IAM policies were not reported by @kagahd in #5560
fix(aws): handle global WAFv2 ACLs in service by @sergargar in #5628
fix(aws): review checks in compliance frameworks by @sergargar in #5513
fix(aws): review checks with wrong attributes by @sergargar in #5503
fix(aws): solve invalid ECR Registry ARN by @sergargar in #5622
fix(bedrock): add filtering and handle different ARNs by @sergargar in #5453
fix(check): add .value to severity enum by @pedrooot in #5579
fix(checks_loader): solve issue related with checks from compliance by @pedrooot in #5601
fix(dependabot): security update werkzeug by @sergargar in #5551
fix(Dockerfile): install git dependency by @sergargar in #5339
fix(ecs): Adjust code to the new ARN formats in the ECS service by @MarioRgzLpz in #5259
fix(gcp): enforce correct severity levels in CloudSQL PostgreSQL log_min_messages by @sergargar in #5571
fix(iam): update AWS Support policy by @sergargar in #5399
fix(k8s): do not raise error when unable to list roles by @sergargar in #5630
fix(kinesis): add missing init file by @puchy22 in #5490
fix(kubernetes): handle input kube config file by @sergargar in #5502
fix(main): set attributes on load_checks_to_execute by @pedrooot in #5606
fix(organizations): no finding for access denied in listing policies by @sergargar in #5400
fix(PyPi): solve detect-secrets dependency by @sergargar in #5514
fix(rds): Check Aurora clusters properly for backup plan by @sansns in #5594
fix(threat detection): ignore AWS services events by @sergargar in #5276
fix: added s3 origin comprobation in cloudfront_distributions_s3_origin_non_existent_bucket by @HugoPBrito in #5543

Chores

chore(autoscaling): deprecate check autoscaling_find_secrets_ec2_launch_configuration by @puchy22 in #5205
chore(aws): Add AWSSessionTokenExpired by @jfagoagas in #5378
chore(aws): add mixed regions test for s3_access_point_public_access_block by @LefterisXefteris in #4877
chore(aws): add more cases to public IAM resource policies by @sergargar in #5336
chore(aws): Cleanup RDS and S3 tests by @sansns in #5569
chore(aws): cleanup tests by @sansns in #5592
chore(aws): cleanup tests on dynamodb and cloudwatch by @sansns in #5588
chore(aws): Set scan_unused_services False by default by @jfagoagas in #5425
chore(azure): deprecate AzureGermanCloud by @puchy22 in #5561
chore(cloudwatch): add tags to missing checks report by @puchy22 in #5261
chore(cloudwatch): Improve checks related with function check_cloudwatch_log_metric_filter by @puchy22 in #5286
chore(codebuild): Cleanup tests by @sansns in #5567
chore(contrib): update aws-multi-account-securityhub deployment by @SaintTamnoon in #5263
chore(deps): bump boto3 from 1.35.28 to 1.35.29 by @dependabot in #5257
chore(deps): bump trufflesecurity/trufflehog from 3.82.6 to 3.82.7 by @dependabot in #5315
chore(deps): bump trufflesecurity/trufflehog from 3.82.7 to 3.82.8 by @dependabot in #5371
chore(deps): bump trufflesecurity/trufflehog from 3.82.8 to 3.82.9 by @dependabot in #5421
chore(deps): bump trufflesecurity/trufflehog from 3.82.9 to 3.82.11 by @dependabot in #5458
chore(deps): bump trufflesecurity/trufflehog from 3.82.11 to 3.82.12 by @dependabot in #5508
chore(deps): bump trufflesecurity/trufflehog from 3.82.12 to 3.82.13 by @dependabot in #5531
chore(deps): bump trufflesecurity/trufflehog from 3.82.13 to 3.83.2 by @dependabot in #5611
chore(deps-dev): bump mkdocs-material from 9.5.38 to 9.5.39 by @dependabot in #5255
chore(deps-dev): bump moto from 5.0.15 to 5.0.16 by @dependabot in #5256
chore(ecs): mock all tests using moto by @puchy22 in #5326
chore(elbv2): cleanup tests by @sansns in #5553
chore(findings): add new properties by @jfagoagas in #5463
chore(glue): Cleanup tests by @sansns in #5568
chore(guardduty): mock failing tests using moto by @puchy22 in #5334
chore(iam): add tags to missing checks report by @puchy22 in #5280
chore(lambda): update obsolete lambda runtime by @jonathanbro in #5379
chore(ocsf): adapt mapping for version 1.3.0 by @sergargar in #5287
chore(providers): Remove get_output_mapping by @jfagoagas in #5484
chore(rds): improve metadata title and description for check rds_instance_transport_encrypted by @danibarranqueroo in #5584
chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5260, #5269, #5302, #5323, #5377, #5413, #5445, #5477, #5499, #5511, #5519, #5533, #5540, #5542, #5559, #5580, #5600, #5613 and #5617
chore(secrets): Add TelegramBotToken detector by @jfagoagas in #5321
chore(secrets): use master branch of Yelp/detect-secrets by @sergargar in #5298
chore(severities): Use enum by @jfagoagas in #5460
chore(slack): add text argument by best practice by @Nirbhay1997 in #5541
chore(sns): manage ResourceNotFoundException and add paralelism by @puchy22 in #5345
chore(version): update Prowler version by @sergargar in #5251
chore(wafv2): migrated testing from magicmock to moto by @HugoPBrito in #5464
chore: add dependabot labels by @jfagoagas in #5624
refactor(acm): Change certificates from list to dict in acm_service by @MarioRgzLpz in https:/github.com//pull/5420
refactor(finding): Add metadata object by @jfagoagas in #5447
refactor(WAF): Rename WAF to WAFRegional and Add Global WAF Service by @HugoPBrito in #5389
test(aws): fix failing tests for ecs_task_definitions_logging_enabled and ssm_managed_compliant_patching by @puchy22 in #5267

New Contributors

@SaintTamnoon made their first contribution in #5263
@jonathanbro made their first contribution in #5379
@AdriiiPRodri made their first contribution in #5444
@Nirbhay1997 made their first contribution in #5541

Full Changelog: 4.4.1...4.5.0

prowler-cloud/prowler 4.5.0 Prowler 4.5.0 - Another Life on GitHub