github prowler-cloud/prowler 5.24.0
Prowler 5.24.0

17 hours ago

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com/

🖥️ Redesigned Resources


The resources detail panel has been rebuilt from the ground up. The new side drawer consolidates resource metadata, associated findings, and events timeline into a cleaner, denser layout — designed to keep you inside the drawer while investigating a resource instead of bouncing back to the list.


🧹 UX and Data Consistency

A large sweep of fixes landed this release targeting the rough edges users actually hit day to day: filter behavior, headers, counters drifting from the underlying data, drawer layouts, and scan/compliance/finding views surfacing stale or mislabeled context.

🆕 AWS Checks

Bedrock Security Hardening

Four new AWS checks tightening the blast radius around Amazon Bedrock and the identities that can reach it:

  • bedrock_full_access_policy_attached — flags IAM principals with AmazonBedrockFullAccess or equivalent wildcard Bedrock permissions attached
  • iam_role_access_not_stale_to_bedrock and iam_user_access_not_stale_to_bedrock — catch roles and users with Bedrock privileges that haven't been used recently, so dormant GenAI access stops piling up as a standing risk
  • bedrock_vpc_endpoints_configured — verifies Bedrock traffic stays on private VPC endpoints instead of traversing the public internet

Explore all AWS Bedrock checks at Prowler Hub.

IAM Marketplace Guardrails

Two new IAM checks to stop the silent path from a compromised identity to a paid marketplace subscription:

  • iam_policy_no_wildcard_marketplace_subscribe
  • iam_inline_policy_no_wildcard_marketplace_subscribe

Both detect aws-marketplace:Subscribe granted with wildcards on managed and inline policies — a vector that turns an IAM misconfiguration into a billing incident.
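The pattern these two checks look for, as an added illustration (not Prowler's own check code): walk each Allow statement of an IAM policy document and report any action that reaches aws-marketplace:Subscribe through an IAM wildcard. The sample policies are constructed.

```python
"""Find Allow statements that grant aws-marketplace:Subscribe via a wildcard action.

Added example, not taken from Prowler. Sample policies below are constructed."""
import fnmatch
import json

TARGET_ACTION = "aws-marketplace:Subscribe"


def _as_list(value):
    # IAM accepts either a string or a list for Statement/Action.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_subscribe_grants(policy_document):
    """Return the wildcard action patterns in Allow statements that cover
    aws-marketplace:Subscribe. A literal, explicit Subscribe grant is not a
    wildcard grant and is not reported. NotAction statements are out of scope."""
    hits = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            # IAM action matching is case-insensitive; '*' and '?' are its only wildcards.
            if "*" not in action and "?" not in action:
                continue
            if fnmatch.fnmatchcase(TARGET_ACTION.lower(), action.lower()):
                hits.append(action)
    return hits


def policy_is_safe(policy_json):
    """True when no Allow statement reaches Subscribe through a wildcard."""
    return not wildcard_subscribe_grants(json.loads(policy_json))


# Constructed sample: a service-wide wildcard silently includes Subscribe.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "aws-marketplace:*"], "Resource": "*"}]})

# Constructed sample: read-only Marketplace access, Subscribe explicitly denied.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-marketplace:ViewSubscriptions", "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-marketplace:Subscribe", "Resource": "*"}]})

if __name__ == "__main__":
    print(wildcard_subscribe_grants(json.loads(WEAK_POLICY)))  # ['aws-marketplace:*']
    print(policy_is_safe(HARDENED_POLICY))  # True
```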

Explore all AWS IAM checks at Prowler Hub.

🆕 Microsoft 365 Checks

Entra Conditional Access

  • entra_conditional_access_policy_all_apps_all_users — ensures at least one CA policy targets every app and every user
  • entra_conditional_access_policy_mfa_enforced_for_guest_users — checks that guest and external users have MFA enforced; without it, compromised external accounts can access tenant resources with only a password
  • entra_conditional_access_policy_block_unknown_device_platforms — blocks access from unknown device platforms
  • entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced — enforces a sign-in frequency for non-corporate devices; without it, user sessions may persist indefinitely on unmanaged devices
  • entra_conditional_access_policy_directory_sync_account_excluded — validates that the directory sync service account is excluded from restrictive CA policies to prevent sync outages

Explore all M365 Entra checks at Prowler Hub.

Intune

  • intune_device_compliance_policy_unassigned_devices_not_compliant_by_default — unassigned devices should not be marked compliant by default by the built-in device policy

Explore all M365 Intune checks at Prowler Hub.

Exchange Online

  • exchange_organization_delicensing_resiliency_enabled — keeps mailbox data accessible for 30 days after a license is removed, preventing accidental data loss

Explore all M365 Exchange checks at Prowler Hub.

🆕 Exclude Regions in AWS scans

Prowler now lets you exclude specific AWS regions from scans, so you can keep your scan scope focused on the regions that matter to you. You can configure exclusions with:

  • --excluded-region
  • PROWLER_AWS_DISALLOWED_REGIONS environment variable
  • aws.disallowed_regions in config.yaml

See the AWS Regions and Partitions documentation for usage examples.


UI

🚀 Added

  • Resources side drawer with redesigned detail panel (#10673)
  • Syntax highlighting for remediation code blocks in finding groups drawer with provider-aware auto-detection (Shell, HCL, YAML, Bicep) (#10698)

🔄 Changed

  • Attack Paths scan selection: contextual button labels based on graph availability, tooltips on disabled actions, green dot indicator for selectable scans, and a warning banner when viewing data from a previous scan cycle (#10685)
  • Remove legacy finding detail sheet, row-details wrapper, and resource detail panel; unify findings and resources around new side drawers (#10692)
  • Attack Paths "View Finding" now opens the finding drawer inline over the graph instead of navigating to /findings in a new tab, preserving graph zoom, selection, and filter state
  • Attack Paths scan table: replace action buttons with radio buttons, add dedicated Graph column, use info-colored In Progress badge, remove redundant Progress column, and fix info banner variant (#10704)

🐞 Fixed

  • Findings group resource filters now strip unsupported scan parameters, display scan name instead of provider alias in filter badges, migrate mute modal from HeroUI to shadcn, and add searchable accounts/provider type selectors (#10662)
  • Compliance detail page header now reflects the actual provider, alias and UID of the selected scan instead of always defaulting to AWS (#10674)
  • Provider wizard modal moved to a stable page-level host so the providers table refreshes after link, authenticate, and connection check without closing the modal (#10675)

API

🔄 Changed

  • Bump Poetry to 2.3.4 in Dockerfile and pre-commit hooks. Regenerate api/poetry.lock (#10681)
  • Attack Paths: Remove dead cleanup_findings no-op and its supporting prowler_finding_lastupdated index (#10684)

🐞 Fixed

  • Worker-beat race condition on cold start: replaced sleep 15 with API service healthcheck dependency (Docker Compose) and init containers (Helm), aligned Gunicorn default port to 8080 (#10603)
  • API container startup crash on Linux due to root-owned bind-mount preventing JWT key generation (#10646)

🔐 Security

SDK

🚀 Added

  • entra_conditional_access_policy_directory_sync_account_excluded check for M365 provider (#10620)
  • intune_device_compliance_policy_unassigned_devices_not_compliant_by_default check for M365 provider (#10599)
  • entra_conditional_access_policy_all_apps_all_users check for M365 provider (#10619)
  • bedrock_full_access_policy_attached check for AWS provider (#10577)
  • iam_role_access_not_stale_to_bedrock and iam_user_access_not_stale_to_bedrock checks for AWS provider (#10536)
  • iam_policy_no_wildcard_marketplace_subscribe and iam_inline_policy_no_wildcard_marketplace_subscribe checks for AWS provider (#10525)
  • bedrock_vpc_endpoints_configured check for AWS provider (#10591)
  • exchange_organization_delicensing_resiliency_enabled check for M365 provider (#10608)
  • entra_conditional_access_policy_mfa_enforced_for_guest_users check for M365 provider (#10616)
  • entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced check for M365 provider (#10618)
  • entra_conditional_access_policy_block_unknown_device_platforms check for M365 provider (#10615)
  • --excluded-region CLI flag, PROWLER_AWS_DISALLOWED_REGIONS environment variable, and aws.disallowed_regions config entry to skip specific AWS regions during scans (#10688)

🔄 Changed

  • Bump Poetry to 2.3.4 and consolidate SDK workflows onto the setup-python-poetry composite action with opt-in lockfile regeneration (#10681)
  • Normalize Conditional Access platform values in Entra models and simplify platform-based checks (#10635)

🐞 Fixed

  • Vercel firewall config handling for team-scoped projects and current API response shapes (#10695)
