Prowler 3.3.2 - Sun and Steel [HOTFIX]

Fixes

• fix(pypi): Build from release branch by @jfagoagas in #2151

Full Changelog: 3.3.1...3.3.2

Prowler 3.3.1 - Sun and Steel

Fixes

• fix(output bucket): solve IsADirectoryError using compliance flag by @sergargar in #2121
• fix(quickinventory): AttributError when creating inventory table by @bnugent in #2122
• fix(aws_provider): Fix assessment session name by @jfagoagas in #2132
• fix(brew): move brew formula action to the bottom by @sergargar in #2135
• fix(s3): handle if ignore_public_acls is None by @jfagoagas in #2128
• fix(defender service): retrieving key dicts with get by @n4ch04 in #2129
• fix(resource_not_found): Handle error by @jfagoagas in #2136
• fix(readme): add GCP provider to README introduction by @sergargar in #2143
• fix(azure output): change default values of audit identity metadata by @n4ch04 in #2144
• fix(delete check): delete check ec2.._in_use_without_ingrgess_filtering by @n4ch04 in #2148
• fix(audit_info): azure subscriptions parsing error by @n4ch04 in #2147
• fix(ssm): Handle ValidationException when retrieving documents by @jfagoagas in #2146
• chore(regions_update): Changes in regions for AWS services. by @sergargar in #2149

Chores

• chore(regions_update): Changes in regions for AWS services. by @sergargar in #2104
• chore(version): check latest version by @sergargar in #2106

Docs

• docs: Remove list severities by @jfagoagas in #2116
• docs(developer-guide): added phase 1 of dev guide by @toniblyx in #1904
• docs: improve quick inventory section by @sergargar in #2117
• docs: improve reporting documentation by @sergargar in #2119
• docs: Developer Guide - how to create a new check by @sergargar in #2137

Dependencies

• build(deps-dev): bump openapi-spec-validator from 0.5.5 to 0.5.6 by @dependabot in #2110
• build(deps-dev): bump coverage from 7.2.1 to 7.2.2 by @dependabot in #2112
• build(deps-dev): bump moto from 4.1.4 to 4.1.5 by @dependabot in #2111
• build(deps): bump mkdocs-material from 9.1.2 to 9.1.3 by @dependabot in #2113
• build(deps): bump boto3 from 1.26.86 to 1.26.90 by @dependabot in #2114
• build(deps): bump alive-progress from 3.0.1 to 3.1.0 by @dependabot in #2138
• build(deps): bump pydantic from 1.10.6 to 1.10.7 by @dependabot in #2139
• build(deps): bump mkdocs-material from 9.1.3 to 9.1.4 by @dependabot in #2140
• build(deps): bump botocore from 1.29.90 to 1.29.100 by @dependabot in #2142

New Contributors

• @bnugent made their first contribution in #2122

Full Changelog: 3.3.0...3.3.1

Prowler 3.3.0 - Sun and Steel

Through earth and water, fire and wind
You came at last, nothing was the end...

As this series of Prowler versions, Sun and Steel is a song part of Piece of Mind album of Iron Maiden. In this side of the world (north hemisphere), spring is about to start and this song is about Sun (and Steel) so here you go! 🤘🏽See below the amazing new features we have added to Prowler 3.3.0 🔥Sun and Steel🔥

New features to highlight in this version:

🏷️ Resource Tags everywhere:

• Now all findings outputs like HTML, CSV and JSON for AWS provider contains every resource tags.
  

⚖️ Compliance everywhere:

• Now all findings in outputs like HTML, CSV and JSON contains any security framework related to the finding.
  

🛡️ Security Hub integration with compliance from Prowler:

• All findings sent to Security Hub include their compliance information and all frameworks that they belongs to. This allow user to filter by Compliance Associated Standards ID and others and take advantage of all new supported frameworks in Prowler:
  

📊 New inventory output include regions:

• When running Prowler Quick Inventory (prowler -i) the output is as nice as this one:

✅ 3 new checks:

• s3_bucket_level_public_access_block
• rds_instance_transport_encrypted - this is valid so far only for Postgresql and MS SQL Server
• cloudwatch_log_group_no_secrets_in_logs

What's Changed:

• feat(templates): New versions of issues and fr templates by @n4ch04 in #2072
• feat(tags): add resource tags by @sergargar in #2020
• feat(s3_bucket_level_public_access_block): new check by @sergargar in #1953
• feat(rds_instance_transport_encrypted): add new check by @sergargar in #1963
• feat(quick_inventory): add regions to inventory table by @sergargar in #2026
• feat(new_check): cloudwatch_log_group_no_secrets_in_logs by @Fennerr in #1980
• feat(lambda_cloudtrail check): improved logic and status extended by @n4ch04 in #2092
• feat(inventory): add tags to quick inventory by @sergargar in #2051
• feat(encryption): add new encryption category by @sergargar in #1999
• feat(dispatch): add tag info to dispatch by @n4ch04 in #2002
• feat(compliance): add compliance field to HTML, CSV and JSON outputs including frameworks and reqs by @sergargar in #2060
• feat(SecurityHub): add compliance details to Security Hub findings by @sergargar in #2100

Fixes:

• fix(windows-path): --list-services bad split by @garym-krrv in #2028
• fix(ulimit): handle low ulimit OSError by @sergargar in #2042
• fix(ulimit check): test only when platform is not windows by @n4ch04 in #2094
• fix(quick inventory): add non-tagged s3 buckets to inventory by @sergargar in #2041
• fix(providers): Move provider's logic outside main by @jfagoagas in #2043
• fix(iam): pydantic migration and reformat logic service by @n4ch04 in #2010
• fix(head): Pass head commit to dispatch action by @n4ch04 in #2022
• fix(emr): solve emr_cluster_publicly_accesible error by @sergargar in #2086
• fix(emr): KeyError EmrManagedSlaveSecurityGroup by @jfagoagas in #2000
• fix(ec2_securitygroup_allow_wide_open_public_ipv4): correct check title by @sergargar in #2101
• fix(ec2): avoid terminated instances by @sergargar in #2063
• fix(compliance): add check to 2.1.5 CIS by @sergargar in #2077
• fix(cloudwatch): solve inexistent filterPattern error by @sergargar in #2087
• fix(cloudtrail): list tags only in owned trails by @sergargar in #2025
• fix(check): change cloudformation_outputs_find_secrets name by @sergargar in #2027
• fix(bug_report): typo in bug reporting template by @jfagoagas in #2078
• fix(bug_report): Update wording by @jfagoagas in #2074
• fix(awslambdacloudtrail): include advanced event and all lambdas in check by @n4ch04 in #1994
• fix(actions): fixed dispatch commit message by @n4ch04 in #2023
• fix(actions): Typo push should be true by @jfagoagas in #2019
• fix(actions): Stop using github storage by @jfagoagas in #2016

Documentation and other updates

• chore(docs): update readme with new ECR alias by @toniblyx in #2079
• chore(docs): Corrected spelling mistake in multiacount by @alexnelsone in #2056
• chore(docs): Add brew and github installation to quick start by @toniblyx in #1991
• chore(release): update Prowler Version to 3.2.4 by @sergargar in #1988
• chore(regions_update): Changes in regions for AWS services. by @sergargar in #2095
• chore(poetry): add poetry checks to pre-commit by @sergargar in #2040
• chore(metadata): remove tags from metadata by @sergargar in #1998
• chore(iam): update prowler permissions by @sergargar in #2050
• chore(dependabot): Change to weekly by @jfagoagas in #2057
• chore(brew): bump new version to brew by @sergargar in #1990
• chore(actions): Use GHA cache by @jfagoagas in #2066
• chore(actions): Missing cache in the PR by @jfagoagas in #2067
• build(deps-dev): bump pytest-xdist from 3.2.0 to 3.2.1 by @dependabot in #2084
• build(deps-dev): bump pytest from 7.2.1 to 7.2.2 by @dependabot in #2046
• build(deps-dev): bump pylint from 2.16.4 to 2.17.0 by @dependabot in #2062
• build(deps-dev): bump moto from 4.1.3 to 4.1.4 by @dependabot in #2045
• build(deps-dev): bump freezegun from 1.2.1 to 1.2.2 by @dependabot in #2033
• build(deps-dev): bump flake8 from 5.0.4 to 6.0.0 by @dependabot in #2012
• build(deps-dev): bump docker from 6.0.0 to 6.0.1 by @dependabot in #2030
• build(deps-dev): bump coverage from 7.1.0 to 7.2.1 by @dependabot in #2032
• build(deps-dev): bump black from 22.10.0 to 22.12.0 by @dependabot in #2013
• build(deps-dev): bump bandit from 1.7.4 to 1.7.5 by @dependabot in #2082
• build(deps): bump pydantic from 1.10.5 to 1.10.6 by @dependabot in #2081
• build(deps): bump mkdocs-material from 9.1.1 to 9.1.2 by @dependabot in #2080
• build(deps): bump botocore from 1.29.86 to 1.29.90 by @dependabot in #2083
• build(deps): bump boto3 from 1.26.85 to 1.26.86 by @dependabot in #2061

New Contributors

• @garym-krrv made their first contribution in #2028
• @alexnelsone made their first contribution in #2056

Full Changelog: 3.2.4...3.3.0

Prowler 3.2.4 - Quest for Fire [HOTFIX]

Fixes

• fix(compliance): solve AWS compliance directory path by @sergargar in #1987
• fix(pypi-release.yml): create PR before replicating by @sergargar in #1986

Full Changelog: 3.2.3...3.2.4

Prowler 3.2.3 - Quest for Fire

Dependencies

• build(deps): bump colorama from 0.4.5 to 0.4.6 by @dependabot in #1967
• build(deps): bump azure-storage-blob from 12.14.1 to 12.15.0 by @dependabot in #1966
• build(deps): bump botocore from 1.29.74 to 1.29.78 by @dependabot in #1968
• build(deps): bump mkdocs-material from 8.2.1 to 9.0.14 by @dependabot in #1964
• build(deps): bump alive-progress from 2.4.1 to 3.0.1 by @dependabot in #1965
• build(deps): bump botocore from 1.29.78 to 1.29.79 by @dependabot in #1978
• build(deps): bump boto3 from 1.26.74 to 1.26.79 by @dependabot in #1981

Fixes

• fix(toml): add toml dependency to pypi release action by @sergargar in #1960
• fix(kms): handle if describe_keys returns no value by @n4ch04 in #1961
• fix(cloudfront): handle empty objects in checks by @n4ch04 in #1962
• fix(directoryservice): tzinfo without _ by @jfagoagas in #1971
• fix(acm): Fix issues with list-certificates by @jfagoagas in #1970
• fix(service errors): solve EMR, VPC and ELBv2 service errors by @sergargar in #1974
• fix(action): Use PathContext to get version changes by @jfagoagas in #1983

Chores

• chore(regions_update): Changes in regions for AWS services. by @sergargar in #1972
• chore(compliance): implements dynamic handling of available compliance frameworks by @pedromarting3 in #1977
• chore(readme): add brew stats by @sergargar in #1982
• chore(codeowners): Update team to OSS by @jfagoagas in #1984

Full Changelog: 3.2.2...3.2.3

Prowler 3.2.2 - Quest for Fire

Chores

• chore(poetry): make python-poetry as packaging and dependency manager by @sergargar in #1935
• chore(resource-based scan): execute only applicable checks by @sergargar in #1934

Fixes

• fix(actions): add README to docker action and filter steps for releases by @sergargar in #1955
• fix(cloudtrail): Handle when the CloudTrail bucket is in another account by @n4ch04 in #1956
• fix(key errors): solver EMR and IAM errrors by @sergargar in #1957
• fix(metadata): remove us-east-1 in remediation by @sergargar in #1958

Builds

• build(deps): bump botocore from 1.29.75 to 1.29.76 by @dependabot in #1946
• build(deps): bump boto3 from 1.26.74 to 1.26.76 by @dependabot in #1948

Full Changelog: 3.2.1...3.2.2

Prowler 3.2.1 - Quest for Fire

Chores

• chore(Security Hub): add --skip-sh-update by @sergargar in #1911
• chore(Security Hub): add status extended to Security Hub by @sergargar in #1921
• chore(secrets): Improve the status_extended with more information by @Fennerr in #1937
• chore(iam_disable_N_days_credentials): improve checks logic by @sergargar in #1923

Fixes

• fix(cloudtrail_logs_s3_bucket_access_logging_enabled): cloudtrail s3 bucket logging by @n4ch04 in #1902
• fix(codebuild): Handle endTime in builds by @jfagoagas in #1900
• fix(iam-credentials-expiration): IAM password policy expires passwords fix by @congon4tor in #1903
• fix(compliance): Set Version as optional and fix list by @jfagoagas in #1899
• fix(ecs_task_definitions_no_environment_secrets): dump_env_vars is reintialised by @Fennerr in #1922
• fix(quick_inventory): handle ApiGateway resources by @Fennerr in #1924
• fix(iam_rotate_access_key_90_days): check only active access keys by @Fennerr in #1929
• fix(services): solve errors in EMR, RDS, S3 and VPC services by @sergargar in #1913
• fix(regions): add unique branch name by @sergargar in #1941
• fix(errors): handle errors when S3 buckets or EC2 instances are deleted by @sergargar in #1942
• fix(cloudwatch): allow " in regex patterns by @sergargar in #1943

Dependencies

• build(deps-dev): bump pylint from 2.16.1 to 2.16.2 by @dependabot in #1896
• build(deps-dev): bump moto from 4.1.2 to 4.1.3 by @dependabot in #1939
• build(deps): bump boto3 from 1.26.51 to 1.26.69 by @dependabot in #1897
• build(deps): bump botocore from 1.29.69 to 1.29.70 by @dependabot in #1898
• build(deps): bump boto3 from 1.26.69 to 1.26.70 by @dependabot in #1908
• build(deps): bump botocore from 1.29.70 to 1.29.71 by @dependabot in #1909
• build(deps): bump boto3 from 1.26.70 to 1.26.71 by @dependabot in #1920
• build(deps): bump pydantic from 1.10.4 to 1.10.5 by @dependabot in #1918
• build(deps): bump botocore from 1.29.71 to 1.29.72 by @dependabot in #1919
• build(deps): bump boto3 from 1.26.71 to 1.26.72 by @dependabot in #1925
• build(deps): bump botocore from 1.29.72 to 1.29.73 by @dependabot in #1926
• build(deps): bump botocore from 1.29.73 to 1.29.74 by @dependabot in #1932
• build(deps): bump boto3 from 1.26.72 to 1.26.74 by @dependabot in #1933
• build(deps): bump botocore from 1.29.74 to 1.29.75 by @dependabot in #1938

Full Changelog: 3.2.0...3.2.1

Prowler 3.2.0 - Quest for Fire

Drawn by quest for fire
They searched all through the land
Drawn by quest for fire
Discovery of man.

Quest for Fire is a song part of Piece of Mind album of Iron Maiden. This new version is the result of our quest for your security issues and our quest to help you to improve your cloud security posture. See below the amazing new features we have added to Prowler 3.2.0 🔥Quest for Fire🔥

New features to highlight in this version:

🏷️ Tag-based scan: now you can scan only resources with specific tags across your entire account with the following command:

• prowler aws --resource-tags Environment=dev Project=prowler
• You can use as many tags as you need. More information here: https://docs.prowler.cloud/en/latest/tutorials/aws/tag-based-scan/

🎯 Resource-based scan: now you can scan only a specific resources by the ARN

• prowler aws --resource-arn arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678
• That command will run all IAM user related checks to test and all VPC related checks to VPC vpc-12345678
• This is very helpful for new found resources or even pipelines! More information here: https://docs.prowler.cloud/en/latest/tutorials/aws/resource-arn-based-scan/

⚖️ 17 New Security Compliance Frameworks: we added 17 new security frameworks for AWS.

• In addition to CIS 1.4, CIS 1.5 and Spanish ENS (that comes with more enhancements) we have added the following security frameworks for the AWS provider.
  • CISA Cyber Essentials
  • FedRAMP Low Revision 4
  • FedRAMP Moderate Revision 4
  • Federal Financial Institutions Examination Council (FFIEC)
  • AWS Foundational Security Best Practices
  • General Data Protection Regulation (GDPR)
  • GxP 21 CFR Part 11
  • GxP EU Annex 11
  • HIPAA
  • NIST 800-171 Revision 2
  • NIST 800-53 Revision 4
  • NIST 800-53 Revision 5
  • NIST Cybersecurity Framework (CSF) v1.1
  • PCI v3.2.1
  • RBI Cyber Security Framework
  • SOC 2
• These can be considered test mode at this point, we are open for feedback and updates.
• More information about how to use them with Prowler and compliance here: https://docs.prowler.cloud/en/latest/tutorials/compliance/.
• We want to thank @pedromarting3 for his contribution, AWS and their public documentation and also steampipe.io mod page https://hub.steampipe.io/mods/turbot/aws_compliance because they were pretty helpful for us. 🙏🏼 🤜🏼🤛🏼

✅New check:

• Check if IAM Access Analyzer is enabled (in addition of the existing one that looks for issues as well)

📺Handler for output code:

• Like in v2, now you can handle what output code to get when Prowler gets failed findings. (-z)

📄Allow list feature now supports Lambda to manage it:

• More information #1793

What's Changed:

• feat(compliance): Add 17 new security compliance frameworks for AWS by @pedromarting3 in #1824
• feat(new check): add accessanalyzer_enabled check by @sergargar in #1864
• feat(boto3-config): Use standard retrier by @jfagoagas in #1868
• feat(allowlist): AWS Lambda function support by @pplu in #1793
• feat(scan-type): AWS Resource ARNs based scan by @sergargar in #1807
• feat(exit_code 3): add -z option by @sergargar in #1848
• feat(scanner): Tag-based scan by @sergargar in #1751

Fixes:

• fix(elbv2): handle service for GWLB resources by @daftkid in #1860
• fix(checks): added validation for non-existing VPC endpoint policy by @daftkid in #1859
• fix(action): do not trigger action when editing release by @sergargar in #1865
• fix(key_errors): handle Key Errors in Lambda and EMR by @sergargar in #1871
• fix(permissive role assumption): actions list handling by @n4ch04 in #1869
• fix(key_errors): handle Key Errors in Lambda and EMR by @sergargar in #1871
• fix(hardware mfa): changed hardware mfa description by @n4ch04 in #1873
• fix(metadata): typo in appstream_fleet_session_disconnect_timeout.metadata.json by @sergargar in #1875
• fix(compliance): ENS RD2022 Spanish security framework updates by @alexr3y in #1809
• fix(errors): solve several services errors (AccessAnalyzer, AppStream, KMS, S3, SQS, R53, IAM, CodeArtifact and EC2) by @sergargar in #1879
• fix(cloudtrail_multi_region_enabled): reformat check by @n4ch04 in #1880
• chore(compliance): add manual checks to compliance CSV by @sergargar in #1872
• fix(service errors): solve errors in IAM, S3, Lambda, DS, Cloudfront services by @sergargar in #1882
• chore(Dockerfile): Remove build files by @jfagoagas in #1886
• fix(list_checks): filter checks after audit_info set by @n4ch04 in #1887
• fix(Azure_Audit_Info): Added audited_resources field by @n4ch04 in #1891

Documentation

• docs: Boto3 Standard Retrier by @jfagoagas in #1885
• docs: Update AWS Role Assumption by @Fennerr in #1890
• docs: Minor changes to the intro paragraph by @Fennerr in #1892
• docs: Minor changes to logging by @Fennerr in #1893

New Contributors

• @pedromarting3 made their first contribution in #1824
• @pplu made their first contribution in #1792

Full Changelog: 3.1.4...3.2.0

Prowler 3.1.4 - Revelations

Chores

• chore(regions_update): Changes in regions for AWS services. by @github-actions in #1812
• chore(issues): update bug_report.md by @toniblyx in #1844
• chore(security hub): improve securityhub_enabled check logic by @sergargar in #1851
• build(deps-dev): bump moto from 4.1.1 to 4.1.2 by @dependabot in #1845
• build(deps-dev): bump sure from 2.0.0 to 2.0.1 by @dependabot in #1847
• build(deps-dev): bump openapi-spec-validator from 0.5.4 to 0.5.5 by @dependabot in #1846
• build(deps-dev): bump pylint from 2.16.0 to 2.16.1 by @dependabot in #1823

Fixes

• fix(readme): correct PyPi download link by @sergargar in #1836
• fix(lambda-runtime): Init value must be empty string by @jfagoagas in #1837
• fix(errors): solve CloudWatch, KMS, EMR and OpenSearch service errors by @sergargar in #1843
• fix(kms): call GetKeyRotationStatus only for Customer Keys by @sergargar in #1842
• fix(checks): solve different errors in EFS, S3 and VPC by @sergargar in #1841
• fix(exit_code): change sys exit code to 1 in Critical Errors by @sergargar in #1853
• fix(iam): change prowler additional policy json due errors in creation by @theist in #1852

New Contributors

• @theist made their first contribution in #1852

Full Changelog: 3.1.3...3.1.4

Prowler 3.1.3 - Revelations

Chores

• chore(readme): add prowler PyPi stats by @sergargar in #1798
• chore(regions): Change feat to chore by @jfagoagas in #1805
• chore(regions_update): Changes in regions for AWS services. by @github-actions in #1812
• chore(logs): improve check error logs by @sergargar in #1818
• chore(audit metadata): retrieve audit metadata from execution by @n4ch04 in #1803
• build(deps-dev): bump pylint from 2.15.10 to 2.16.0 by @dependabot in #1815
• build(deps-dev): bump openapi-spec-validator from 0.5.2 to 0.5.4 by @dependabot in #1821

Fixes

• fix(kms): add symmetric condition to kms_cmk_rotation_enabled check by @sergargar in #1788
• fix(partition): add dynamic partition in CloudTrail S3 DataEvents checks by @sergargar in #1787
• fix(metadata): use docs.aws.amazon.com like other aws checks, not docs.amazonaws.cn by @ifduyue in #1790
• fix(allowlist): validate allowlist for any database format (file, dynamo, s3, etc) by @pplu in #1792
• fix(accessanalyzer_enabled_without_findings): fixed status findings by @n4ch04 in #1799
• fix(iam_policy_no_administrative_privileges): check only : permissions by @sergargar in #1802
• fix(iam_avoid_root_usage): correct date logic by @sergargar in #1801
• fix(ec2_securitygroup_not_used): ignore default security groups by @sergargar in #1800
• fix(accessanalyzer): no analyzers using pydantic by @n4ch04 in #1806
• fix(cloudtrail): improve cloudtrail_cloudwatch_logging_enabled status extended by @sergargar in #1813
• fix(KeyError): handle service key errors by @sergargar in #1819
• fix(metadata) fixed typo in title for awslambda_function_not_publicly… by @daftkid in #1826
• fix(KeyError): handle service key errors by @sergargar in #1831
• fix(cloudtrail): included advanced data events selectors by @n4ch04 in #1814
• fix(shub): update link to Security Hub documentation by @sergargar in #1830
• fix(awslambda_function_no_secrets_in_code): Retrieve Code if set by @jfagoagas in #1833
• fix(action): Build from release branch by @jfagoagas in #1834
• fix(errors): solve different errors in KMS, EFS and Lambda by @sergargar in #1835

New Contributors

• @ifduyue made their first contribution in #1790
• @pplu made their first contribution in #1792
• @daftkid made their first contribution in #1826

Full Changelog: 3.1.2...3.1.3