
Prowler 3.15.0 - Children of the Damned

@sergargar sergargar released this 14 Mar 15:58
· 1147 commits to master since this release

You’re children of the damned
Your backs against the wall
You turn into the light
You’re burning in the night

Beware the cloud security issues that paralyze! As per Bruce Dickinson's comments to the BBC, this Iron Maiden song, part of The Number of the Beast album, was inspired by Black Sabbath’s “Children of the Sea”. In any case, let’s put all those cloud security misconfigurations against the wall now!

Enjoy it! 🤘🏽🔥

New features to highlight in this version:

💪🏼 40 New Azure checks

  • Prowler is improving its Azure coverage by including 40 new checks that appear in the CIS Benchmark v2.1.0.
    (Thanks @Hugo966, @pedrooot and @puchy22 for their contributions and performance!)

See all the new available checks with prowler azure -l

🔒 Shodan.io support for Azure and GCP

  • Now, Prowler lets you also check if any public IPs in Azure or GCP are exposed in Shodan.
    Try it with prowler gcp -c compute_public_address_shodan --shodan <API_KEY> and prowler azure -c network_public_ip_shodan --shodan <API_KEY>

The Shodan API Key can also be set in the config.yaml file instead of using the --shodan flag.

Added Kubernetes Coverage in Cloud Providers

  • New checks that cover Kubernetes managed services in AWS (EKS), Azure (AKS) and in GCP (GKE/GCR) are now available in Prowler. Try them with prowler aws/azure/gcp --services eks/aks/gke

📝 New AWS FTR Compliance

  • AWS FTR helps you identify AWS Well-Architected best practices specific to your software or solution.
    You can execute the new AWS Foundational Technical Review Compliance Framework with prowler aws --compliance foundational_technical_review_aws

Features

  • feat(aws): add 2 new Amazon EKS checks from CIS by @sergargar in #3439
  • feat(aws): Get organizations metadata if delegated admin by @jfagoagas in #3435
  • feat(azure): add new check related with cmk by @Hugo966 in #3466
  • feat(azure): add new check related with Public IPs in Shodan.io by @pedrooot in #3433
  • feat(azure): Azure new checks related with AKS by @puchy22 in #3476
  • feat(azure): Azure new checks related with App Service by @puchy22 in #3432
  • feat(azure): Azure new check policy_ensure_asc_enforcement_enabled by @puchy22 in #3452
  • feat(azure): Checks related to Azure Keyvault by @pedrooot in #3430
  • feat(Azure): Entra service with two checks by @puchy22 in #3510
  • feat(azure): New azure monitor check monitor_ensure_diagnostic_setting_appropriate by @Hugo966 in #3421
  • feat(azure): new monitoring check ensuring storage account with logs private by @Hugo966 in #3453
  • feat(azure): New check related with network flow logs by @Hugo966 in #3535
  • feat(azure): 10 new checks related with alerts in monitoring by @Hugo966 in #3516
  • feat(compliance): Add new compliance foundational_technical_review_aws by @pedrooot in #3511
  • feat(gcp): add 3 new checks for GKE CIS by @sergargar in #3440
  • feat(gcp): add Shodan check for GCP External Addresses by @sergargar in #3486

Fixes

Chores

  • chore(action): Link docs in PR by @jfagoagas in #3448
  • chore(allowlist): add AFT IAM roles to allowlist by @sergargar in #3460
  • chore(arn): improve resource ARNs in checks by @sergargar in #3388
  • chore(azure): Manage new errors in the Defender service by @puchy22 in #3534
  • chore(docs): improve documentation for Azure debugging by @pedrooot in #3411
  • chore(docs): Prettify notes and add dates by @jfagoagas in #3434
  • chore(fixme): Add fixme for credentials refresh by @jfagoagas in #3485
  • chore(gcp): set GCP account in output file name by @sergargar in #3461
  • chore(README): update checks summary table by @sergargar in #3483
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3429
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3457
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3465
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3473
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3505
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3509
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3518
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3520
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3528
  • chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3533
  • chore(release): update Prowler Version to 3.14.0 by @n4ch04 in #3422
  • chore: update feature request label by @jfagoagas in #3464
  • docs(compliance): Add newline to format list by @jfagoagas in #3455
  • docs: New overview page by @toniblyx in #3427
  • docs: Update documentation links by @jfagoagas in #3424
  • docs: Update README.md with bigger Slack link by @toniblyx in #3425

Dependencies

Full Changelog: 3.14.0...3.15.0