Releases: prowler-cloud/prowler
Prowler 2.9.0 - Run to the Hills
In 1982, Iron Maiden released The Number of the Beast, their third studio album and the first with Bruce Dickinson as lead vocalist. The song Run to the Hills brings back very good memories for me, as the times we are living through will in the future. That song is one of the greatest metal songs in music history. Enjoy it as we do while releasing this new version of Prowler!
https://www.youtube.com/watch?v=86URGgqONvA
Image copyright by Iron Maiden
Important changes in this version (read this!):
Now, if you want to use your allowlist or custom checks, you can retrieve them from an S3 bucket using the -w option along with an S3 URI such as s3://bucket/prefix/allowlist_sample.txt
Also, we have enriched some IAM checks to provide more information about resources when the check status is PASS.
New Features
- New Extra Check - Detect SGs created by the EC2 Launch Wizard by @sectoramen in #1081
- Support S3 URIs for custom checks paths by @sergargar in #1090
- Support S3 URIs for allowlist file by @sergargar in #1090
Enhancements
- Update example code for terraform-quickstart by @spazm in #1086
- Replace comma from csv input info to prevent breaking csv format by @n4ch04 in #1102
- IAM check116 and check122 now log more detailed information with PASS results by @n4ch04 in #1107
Fixes
- Fix(secrets_library): Verify if detect-secrets library is missing by @sergargar in #1080
- Fix(extra729,extra740): Typo by @mourackb in #1083
- Fix(extra736): Missing $PROFILE_OPT by @soffensive in #1084
- Fix(extra792): TLS1.3 policies added as secure and TLS1.1/1.0 as insecure by @sergargar in #1091
- Fix(extra7172): IllegalLocationConstraintException properly handled by @sergargar in #1093
- Fix(extra764): NoSuchBucket error properly handled by @sergargar in #1094
- Fix(extra764): Deleted temporary file references by @n4ch04 in #1089
- Fix(extra7147): Handle unsupported AWS regions for Glacier by @jfagoagas in #1101
- Fix(extra79): Typo publiccly -> publicly by @carterjones in #1106
- Fix(extra75): Empty array check in SECURITYGROUPS object by @nealalan in #1099
New Contributors
- @mourackb made their first contribution in #1083
- @spazm made their first contribution in #1086
- @nealalan made their first contribution in #1099
- @carterjones made their first contribution in #1106
Full Changelog: 2.8.1...2.9.0
Prowler 2.8.1
What's Changed
- fix(bucket_region): check extra764 doesn't handle bucket region properly by @sergargar in #1077
- fix(detect-secrets): Include missing colon to link values by @jfagoagas in #1078
Full Changelog: 2.8.0...2.8.1
Prowler 2.8.0 - The Ides of March
The Ides of March is an instrumental song that opens the second studio album of Iron Maiden, called Killers. This song is a great opener; March is the month when spring starts on my side of the world, and it is always a time for optimism. The Ides of March also means 15 March in the Roman calendar (and the day of the assassination of Julius Caesar). Enjoy the song here.
We have put our best into this release, with important help from the Prowler community of cloud security engineers around the world, thank you all! Special thanks to the Prowler full-time engineers @jfagoagas, @n4ch04 and @sergargar! (and Bruce, my dog) ❤️
Important changes in this version (read this!):
Now, if you use AWS Organizations and are scanning multiple accounts using the assume role functionality, Prowler can get your account details (Account Name, Email, ARN, Organization ID and Tags) and add them to the CSV and JSON output formats. More information and usage here.
New Features
- 1 new check for S3 buckets with ACLs enabled by @jeffmaley in #1023:
7.172 [extra7172] Check if S3 buckets have ACLs enabled - s3 [Medium]
- feat(metadata): Include account metadata in Prowler assessments by @toniblyx in #1049
Enhancements
- Add whitelist examples for Control Tower resources by @lorchda in #1013
- Skip packages with broken dependencies when upgrading system by @dlorch in #1009
- Docs: Improve check_sample examples, add general comments by @lazize in #1039
- Added timestamp to temp folders for secrets related checks by @sectoramen in #1041
- Make python3 default in Dockerfile by @sectoramen in #1043
- Docs(readme): Fix typo by @jfagoagas in #1072
- Add(filter-region): Support comma separated regions by @thetemplateblog in #1071
Fixes
- Fix issue extra75 reports default SecurityGroups as unused #1001 by @jansepke in #1006
- Fix issue extra793 filtering out network LBs #1002 by @jansepke in #1007
- Fix formatting by @lorchda in #1012
- Fix docker references by @mike-stewart in #1018
- Fix(check32): filterName base64encoded to avoid space problems in filter names by @n4ch04 in #1020
- Fix: when prowler exits with a non-zero status, the remainder of the block is not executed by @lorchda in #1015
- Fix(extra7148): Error handling and include missing policy by @toniblyx in #1021
- Fix(extra760): Error handling by @lazize in #1025
- Fix(CODEOWNERS): Rename team by @jfagoagas in #1027
- Fix(include/outputs): Whitelist logic reformulated to exactly match input by @n4ch04 in #1029
- Fix CFN CodeBuild example by @mmuller88 in #1030
- Fix typo CodeBuild template by @dlorch in #1010
- Fix(extra736): Recover only Customer Managed KMS keys by @jfagoagas in #1036
- Fix(extra7141): Error handling and include missing policy by @lazize in #1024
- Fix(extra730): Handle invalid date formats checking ACM certificates by @jfagoagas in #1033
- Fix(check41/42): Added tcp protocol filter to query by @n4ch04 in #1035
- Fix(include/outputs): Rolling back whitelist checking to RE check by @n4ch04 in #1037
- Fix(extra758): Reduce API calls. Print correct instance state. by @lazize in #1057
- Fix: extra7167 Advanced Shield and CloudFront bug parsing None output without distributions by @NMuee in #1062
- Fix(extra776): Handle image tag commas and json output by @jfagoagas in #1063
- Fix(whitelist): Whitelist logic reformulated again by @n4ch04 in #1061
- Fix: Change lower case from bash variable expansion to tr by @lazize in #1064
- Fix(check_extra7161): fixed check title by @n4ch04 in #1068
- Fix(extra760): Improve error handling by @lazize in #1055
- Fix(check122): Error when policy name contains commas by @plarso in #1067
- Fix: Remove automatic PR labels by @jfagoagas in #1044
- Fix(ES): Improve AWS CLI query and add error handling for ElasticSearch/OpenSearch checks by @lazize in #1032
- Fix(extra771): jq fail when policy action is an array by @lazize in #1031
- Fix(extra765/776): Add right region to CSV if access is denied by @roman-mueller in #1045
- Fix: extra7167 Advanced Shield and CloudFront bug parsing None output without distributions by @NMuee in #1053
New Contributors
- @jansepke made their first contribution in #1006
- @lorchda made their first contribution in #1012
- @mike-stewart made their first contribution in #1018
- @n4ch04 made their first contribution in #1020
- @jeffmaley made their first contribution in #1023
- @roman-mueller made their first contribution in #1045
- @NMuee made their first contribution in #1053
- @plarso made their first contribution in #1067
- @thetemplateblog made their first contribution in #1071
- @sergargar made their first contribution in #1073
Full Changelog: 2.7.0...2.8.0
Prowler 2.7.0 - Brave
This release name is in honor of Brave New World, a great song of 🔥Iron Maiden🔥 from their Brave New World album. Dedicated to all of you looking forward to having the world we had before COVID... We hope it is not hitting you badly. Enjoy!
Important changes in this version (read this!):
- As you can see, Prowler is now in a new organization called https://github.com/prowler-cloud/.
- When Prowler doesn't have permissions to check a resource or service it gives an INFO instead of a FAIL. We have improved the error handling of all checks for those cases where the CLI responds with AccessDenied, UnauthorizedOperation or AuthorizationError.
- From this version, the master branch will be the latest available code and we will keep the stable code as each release. If you are installing or deploying Prowler using git clone on master, take that into account and use the latest release instead, i.e.: git clone --branch 2.7 https://github.com/prowler-cloud/prowler or curl https://github.com/toniblyx/prowler/archive/refs/tags/2.7.0.tar.gz -o prowler-2.7.0.tar.gz
- For known issues please see https://github.com/prowler-cloud/prowler/issues, the ones open with bug as a red tag.
- Discussions is now open in the Prowler repo https://github.com/prowler-cloud/prowler/discussions, feel free to use it if that works better for you than the current Discord server.
- 11 new checks!! Thanks to @michael-dickinson-sainsburys, @jonloza, @rustic, @Obiakara, @Daniel-Peladeau, @maisenhe, @7thseraph and @tekdj7. There are now a total of 218 checks. See below for details.
- An issue with the Security Hub integration when resolving closed findings, where there are either a lot of new findings or a lot of resolved findings, is now working as expected thanks to @Kirizan
- When credentials were in environment variables the review failed; that was fixed by @lazize
- See below new features and more details for this version.
New Features
- 11 New checks for Redshift, EFS, CloudWatch, Secrets Manager, DynamoDB and Shield Advanced:
7.160 [extra7160] Check if Redshift has automatic upgrades enabled - redshift [Medium]
7.161 [extra7161] Check if EFS protects sensitive data with encryption at rest - efs [Medium]
7.162 [extra7162] Check if CloudWatch Log Groups have a retention policy of 365 days - cloudwatch [Medium]
7.163 [extra7163] Check if Secrets Manager key rotation is enabled - secretsmanager [Medium]
7.164 [extra7164] Check if CloudWatch log groups are protected by AWS KMS - logs [Medium]
7.165 [extra7165] Check if DynamoDB: DAX Clusters are encrypted at rest - dynamodb [Medium]
7.166 [extra7166] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced - shield [Medium]
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
7.168 [extra7168] Check if Route53 hosted zones are protected by AWS Shield Advanced - shield [Medium]
7.169 [extra7169] Check if global accelerators are protected by AWS Shield Advanced - shield [Medium]
7.170 [extra7170] Check if internet-facing application load balancers are protected by AWS Shield Advanced - shield [Medium]
7.171 [extra7171] Check if classic load balancers are protected by AWS Shield Advanced - shield [Medium]
- Add -D option to copy to S3 with the initial AWS credentials instead of the assumed ones, as with the -B option, by @sectoramen in #974
- Add new functions to backup and restore initial AWS credentials, for better handling of role chaining by @sectoramen in #978
- Add additional action permissions for Glue and Shield Advanced checks by @lazize in #995
Enhancements
- Update Dockerfile to use Amazon Linux container image by @Kirizan in #972
- Update Readme: -T option is not mandatory by @jfagoagas in #944
- Add $PROFILE_OPT to CopyToS3 commands by @sectoramen in #976
- Remove unneeded package "file" from Dockerfile by @sectoramen in #977
- Update docs (templates): Improve bug template with more info by @jfagoagas in #982
Fixes
- Fix in README and multiaccount serverless deployment templates by @dlorch in #939
- Fix assume-role: check if -T and -A options are set together by @jfagoagas in #945
- Fix group25 FTR by @lopmoris in #948
- Fix in README link for group25 FTR by @lopmoris in #949
- Fix issue #938 assume_role multiple times by @halfluke in #951
- Fix and clean assume-role to better handle AWS STS CLI errors by @jfagoagas in #946
- Fix issue with the Security Hub integration when resolving closed findings, where there are either a lot of new findings or a lot of resolved findings, by @Kirizan in #953
- Fix broken link in README.md by @rtcms in #966
- Fix comma issues in checks by @j2clerck in #975
- Fix: Credential chaining from environment variables by @lazize in #996
New Contributors
- @jonloza made their first contribution in #932
- @Obiakara made their first contribution in #935
- @dlorch made their first contribution in #939
- @Daniel-Peladeau made their first contribution in #937
- @lopmoris made their first contribution in #948
- @halfluke made their first contribution in #951
- @maisenhe made their first contribution in #956
- @rtcms made their first contribution in #966
- @sectoramen made their first contribution in #974
- @j2clerck made their first contribution in #975
- @lazize made their first contribution in #995
Full Changelog: 2.6.1...2.7
Prowler 2.6.1
What's Changed
- e4edb5e - Enhancement IAM assumed role session duration error handling by @jfagoagas
- 3e78f01 - Fix Terraform Kickstarter path in README by @z0ph
- cee6437 - Fix issue #926 resource id and remediation typo
- b251f31 - Fix issue #925 replace sensible by sensitive in multiple checks
- 50de9f2 - Fix output for checks check3x when no CW group is in place
- a6ba580 - Fix severity case variable
New Contributors
- @z0ph made their first contribution in #927
- Thanks @fredski-github for reporting bugs.
Full Changelog: 2.6.0...2.6.1
Prowler 2.6.0 - Phantom
This release name is in honor of Phantom of the Opera, one of my favorite songs and a masterpiece of 🔥Iron Maiden🔥. It starts with "I've been lookin' so long for you now", like looking for security issues, isn't it? 🤘🏼 Enjoy it here while reading the rest of this note.
Important changes in this version:
- The CIS level parameter (ITEM_LEVEL) has been restored to the csv, json and html outputs (it was removed in 2.5); CIS Scored is not added since it is not relevant in the global Prowler reports. dd398a9
- Security Hub integration has been fixed due to a conflict with duplicated findings in the management account by @xeroxnir
- 12 New checks!! Thanks to @kbgoll05, @qumei, @georgie969, @ShubhamShah11, @jarrettandrulis, @dsensibaugh, @ShubhamShah11, @ManuelUgarte, @tekdj7. There are now a total of 207. See below for details.
- Known issues, please review https://github.com/toniblyx/prowler/issues?q=is%3Aissue+is%3Aopen+label%3Abug.
- Now there is a Discord server for Prowler available, check it out in README.md.
- There is a maintained Docker Hub repo for Prowler and AWS ECR public repo as well. See badges in README.md for details.
- See below new features for more details of new cool stuff in this version.
New Features:
- 12 New checks for efs, redshift, elb, dynamodb, route53, cloudformation, elb and apigateway:
7.148 [extra7148] Check if EFS File systems have backup enabled - efs [Medium]
7.149 [extra7149] Check if Redshift Clusters have automated snapshots enabled - redshift [Medium]
7.150 [extra7150] Check if Elastic Load Balancers have deletion protection enabled - elb [Medium]
7.151 [extra7151] Check if DynamoDB tables point-in-time recovery (PITR) is enabled - dynamodb [Medium]
7.152 [extra7152] Enable Privacy Protection for a Route53 Domain - route53 [Medium]
7.153 [extra7153] Enable Transfer Lock for a Route53 Domain - route53 [Medium]
7.154 [extra7154] Enable termination protection for Cloudformation Stacks - cloudformation [MEDIUM]
7.155 [extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode - elb [MEDIUM]
7.156 [extra7156] Checks if API Gateway V2 has Access Logging enabled - apigateway [Medium]
7.157 [extra7157] Check if API Gateway V2 has configured authorizers - apigateway [Medium]
7.158 [extra7158] Check if ELBV2 has listeners underneath - elb [Medium]
7.159 [extra7159] Check if ELB has listeners underneath - elb [Medium]
- New checks group FTR (AWS Foundational Technical Review) by @jfagoagas
- New feature: added flag Z to control whether Prowler returns exit code 3 on a failed check by @Kirizan in #865
- New Prowler Terraform Kickstarter by @singergs
- New way to deploy Prowler at Organizational level with serverless by @bella-kwon
- New feature: added the ability to provide a file with the checks to be run via -C by @Kirizan in #891
Enhancements:
- Enhanced scoring when only INFO is detected
- Enhanced ignore archived findings in GuardDuty for check extra7139 by @chbiel in https://github.com/toniblyx/prowler/pull/851
- Updated prowler-codebuild-role name for CFN StackSets name length limit by @varunirv in #846
- Added feature to allow role ARN while using -R parameter by @mmuller88 in #860
- Updated documentation regarding a confusion with the -q option (issue #884) by @w0rmr1d3r in #890
Fixes:
- Fixed extra737 remove false positives due to policies with condition by @rinaudjaws in #849
- Fixed title, remediation and doc link for check extra768 by @w0rmr1d3r in #853
- Fixed typo in risk description for check29 by @kamiryo in #858
- Fixed bug in extra784 by @tayivan-sg in #856
- Fixed support policy arn in check120 by @hersh86 in #862
- Fixed typo and HTTP capitalisation in extra7142 by @acknosyn in #863
- Fixed Security Hub conflict with duplicated findings in the management account #711 by @xeroxnir in #873
- Fixed doc reference link in check23 @FallenAtticus by @FallenAtticus in #864
- Fixed duplicated region in textFail message for extra741 by @pablopagani in #880
- Updated parts from check7152 accidentally left in by @jarrettandrulis in #895
- Fix check extra734 about S3 buckets default encryption with StringNotEquals by @rustic in #896
- Fix Shodan typo in -h usage text by @jfagoagas in #899
- Fixed typo in README.md by @bevel-zgates in #908
New Contributors
- @varunirv made their first contribution in #846
- @rinaudjaws made their first contribution in #849
- @chbiel made their first contribution in #851
- @tayivan-sg made their first contribution in #856
- @bella-kwon made their first contribution in #857
- @mmuller88 made their first contribution in #860
- @hersh86 made their first contribution in #862
- @acknosyn made their first contribution in #863
- @FallenAtticus made their first contribution in #864
- @georgie969 made their first contribution in #866
- @ManuelUgarte made their first contribution in #869
- @jarrettandrulis made their first contribution in #875
- @ShubhamShah11 made their first contribution in #877
- @dsensibaugh made their first contribution in #889
- @rustic made their first contribution in #896
- @zqumei0 made their first contribution in #894
- @bevel-zgates made their first contribution in #908
Full Changelog: 2.5.0...2.6.0
Thank you all for your contributions, Prowler community is awesome! 🥳
Prowler 2.5.0 - Senjutsu
This new version was planned to celebrate AWS re:Inforce, which would have taken place on August 24th and 25th but has been cancelled, and the new studio album of Iron Maiden (Senjutsu), to be released on September 3rd 2021. In any case, enjoy this new version. More cool stuff coming soon!
Prowler would have been present at the re:Inforce 2021 conference with a much-anticipated workshop called "Building Prowler into a QuickSight powered AWS security dashboard". Templates and workshop link to be public soon. For updates follow me on Twitter: https://twitter.com/ToniBlyx.
As Prowler keeps growing in user base and downloads (averaging 1400 clones/day), there are more contributions, and I want to thank you all for your feedback and code. Please keep contributing to make the Internet more secure.
New Features:
Please read these new features and changes carefully (for the CSV output, and also to improve the data in the JSON ASFF for the Security Hub integration): if you have integrations using CSV, they may affect you.
- New CSV headers, added PROWLER_START_TIME:
PROFILE{SEP}ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC,CHECK_RESOURCE_ID,PROWLER_START_TIME
- 14 New checks (@jfagoagas, @nayabpatel, @Outrun207 and @pablopagani):
7.134 [extra7134] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21 - ec2 [High]
7.135 [extra7135] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092 - ec2 [High]
7.136 [extra7136] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 - ec2 [High]
7.137 [extra7137] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434 - ec2 [High]
7.138 [extra7138] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port - ec2 [High]
7.139 [extra7139] There are High severity GuardDuty findings - guardduty [High]
7.140 [extra7140] Check if there are SSM Documents set as public - ssm [High]
7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
7.142 [extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based http request smuggling - elb [Medium]
7.143 [extra7143] Check if EFS have policies which allow access to everyone - efs [Critical]
7.144 [extra7144] Check if CloudWatch has allowed cross-account sharing - cloudwatch [Medium]
7.145 [extra7145] Check if Lambda functions have policies which allow access to any AWS account - lambda [Critical]
7.146 [extra7146] Check if there is any unassigned Elastic IP - ec2 [Low]
7.147 [extra7147] Check if S3 Glacier vaults have policies which allow access to everyone - glacier [Critical]
- Docker images are available in the official ECR https://gallery.ecr.aws/prowler/prowler (if you run Prowler with Fargate this will help you). Images at https://hub.docker.com/r/toniblyx/prowler won't be updated.
- Now, when using the -M option, Prowler shows the standard output but saves the desired reports in the background
- Added code for better experience running Prowler in AWS CloudShell @hackersifu
- Added support for custom output folder and S3 bucket (see ./prowler -h for details) using bucket-owner-full-control.
- Added support for custom output file (see ./prowler -h for details) @yangsec888
- Added servicename to the title for ASFF and used for QuickSight dashboard
- Added resourceid and more metadata to the ASFF file to be imported in Security Hub @singergs
- Added s3 and glue required permissions and removed obsoletes
- Added section with info about regions in README.md
- Added WAF CLASSIC check for extra7129 @kamiryo
- Added severity and servicename to the default output, removed blue color on check ID.
- Removed duplicated checks extra756 and extra737 @w0rmr1d3r
Enhancements:
- HTML report: filtering and other nice things @nickmalcolm
- License file and banner consolidation
- Now it shows the default output regardless of custom outputs called with -M
- Clean up check title without info related to CIS (like scored, etc. CIS support still in Prowler)
- Updated Docker image to Alpine to 3.13 and with py3-pip in Dockerfile @gliptak
- Improved error handling sts get-caller-identity @pablopagani
- Improved error handling when listing regions @pablopagani
- Updated html report color contrast for WCAG 2.1 accessibility standards @danielperez660
- Updated Prowler additions policy
- Updated check12 - Missing MFA at the beginning of remediation @thorkill
- Removed CSV header in stdout
- Updated README to include reference to CloudShell https://github.com/toniblyx/prowler/tree/2.5/util/cloudshell @hackersifu
- Updated README with better coverage of -f <filterregion> usage info
Fixes:
- Fixed Security Hub integration error resource type is always empty #776
- Fixed credential renewal that broke on Alpine Linux #775
- Fixed check extra747 grammar #774
- Fixed grammar issue in scoring @w0rmr1d3r
- Fixed check21 to fail if trail is off
- Fixed aws organizations multi-account deployment s3 upload issue @owlvat
- Corrected bug on groups when listing checks @pablopagani
- Fixed issue #811 @h1008
- Fixed kms keys compatibility in cli v2 and v1 @dbellizzi
- Fixed typo in check extra7141 ID
- Fixed alias of extra7139
- Fixed link to doc for check45 check46 extra7138 and extras
*If you have made a contribution to this release and I missed your GitHub id here, my apologies, and please let me know so I can include you. Thank you!
Prowler 2.4.1
Prowler 2.4.0
New version, new logo and new features, many community contributions, fixes and improvements.
Thanks to all the community for the continuous effort, contributing in many ways, including code and feedback. Prowler is being used by thousands of users and making your cloud infrastructure more secure. THANK YOU.
New Features:
Please read these new features and changes carefully (mostly CSV output changes): if you have integrations, they may affect you.
Added Risk, Remediation, Link to doc and CAF security epics to controls @pablopagani
Added support for new fields Risk, Remediation, Link to doc and CAF security epics to CSV and HTML outputs. New fields are:
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
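As an added example (not Prowler's own code), here is a small Python reader for the 2.4.0 CSV layout above and for the 2.5.0 layout that appends PROWLER_START_TIME; it tells the two headers apart, tolerates quoted commas in free-text fields, and flags rows whose column count is off, which is the failure mode behind the several comma-related fixes in these notes. The sample rows, ASFF values and doc URLs are constructed for illustration.

```python
"""Read Prowler 2.4/2.5 CSV output and summarise failed checks.

Added example, not part of the Prowler project. The only Prowler facts used are
the two CSV header layouts quoted in the release notes; everything in the sample
rows is constructed.
"""
import csv
import io
from collections import Counter

# Header as documented for Prowler 2.4.0 (18 columns).
HEADER_2_4 = (
    "PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,"
    "TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,"
    "CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,"
    "CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC"
).split(",")
# Prowler 2.5.0 appends PROWLER_START_TIME as the last column.
HEADER_2_5 = HEADER_2_4 + ["PROWLER_START_TIME"]


def detect_layout(fieldnames):
    """Return '2.5' or '2.4' for a known header; refuse anything else."""
    if fieldnames == HEADER_2_5:
        return "2.5"
    if fieldnames == HEADER_2_4:
        return "2.4"
    raise ValueError("unrecognised Prowler CSV header: %r" % (fieldnames,))


def parse_findings(text):
    """Parse CSV text into (layout, good_rows, bad_line_numbers).

    A row whose field count differs from the header (typically an unquoted comma
    inside a free-text field) would silently shift every later column, so such
    rows are reported separately instead of being accepted.
    """
    reader = csv.DictReader(io.StringIO(text))
    layout = detect_layout(reader.fieldnames)
    good, bad = [], []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        # DictReader stores surplus fields under key None and fills missing
        # fields with None, so either condition means a column mismatch.
        if None in row or None in row.values():
            bad.append(lineno)
            continue
        if layout == "2.4":
            row["PROWLER_START_TIME"] = ""  # normalise older files to the 2.5 shape
        good.append(row)
    return layout, good, bad


def failed_by_severity(rows):
    """Count FAIL results per CHECK_SEVERITY."""
    return Counter(r["CHECK_SEVERITY"] for r in rows if r["CHECK_RESULT"] == "FAIL")


def build_sample(layout):
    """Construct sample CSV text in the requested layout (illustrative data only)."""
    header = HEADER_2_5 if layout == "2.5" else HEADER_2_4
    base = dict.fromkeys(header, "")
    base.update(PROFILE="default", ACCOUNT_NUM="123456789012", REGION="us-east-1",
                ITEM_SCORED="Scored", ITEM_LEVEL="Level 2",
                CHECK_ASFF_COMPLIANCE_TYPE="constructed-compliance-type",
                CHECK_ASFF_TYPE="constructed/asff/type", CHECK_RISK="see doc",
                CHECK_REMEDIATION="see doc", CHECK_DOC="https://example.invalid/doc",
                CHECK_CAF_EPIC="Infrastructure Security")
    if layout == "2.5":
        base["PROWLER_START_TIME"] = "2021-08-24T12:00:00Z"
    findings = [  # titles taken from the 2.5.0 check list; results are made up
        dict(TITLE_ID="7.134", CHECK_RESULT="FAIL", CHECK_SEVERITY="High", CHECK_SERVICENAME="ec2",
             TITLE_TEXT="Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21",
             CHECK_RESULT_EXTENDED="sg-0123 (web, prod) open to 0.0.0.0/0 on port 21",
             CHECK_ASFF_RESOURCE_TYPE="AwsEc2SecurityGroup"),
        dict(TITLE_ID="7.141", CHECK_RESULT="PASS", CHECK_SEVERITY="Critical", CHECK_SERVICENAME="ssm",
             TITLE_TEXT="Find secrets in SSM Documents",
             CHECK_RESULT_EXTENDED="No secrets found in SSM Documents",
             CHECK_ASFF_RESOURCE_TYPE="AwsSsmDocument"),
        dict(TITLE_ID="7.146", CHECK_RESULT="FAIL", CHECK_SEVERITY="Low", CHECK_SERVICENAME="ec2",
             TITLE_TEXT="Check if there is any unassigned Elastic IP",
             CHECK_RESULT_EXTENDED="Elastic IP eipalloc-0abc is not associated",
             CHECK_ASFF_RESOURCE_TYPE="AwsEc2Eip"),
    ]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header)
    writer.writeheader()
    for f in findings:
        writer.writerow({**base, **f})  # DictWriter quotes fields containing commas
    # One deliberately broken row: the first finding again, but joined naively so
    # the comma inside CHECK_RESULT_EXTENDED is left unquoted and shifts columns.
    broken = {**base, **findings[0]}
    buf.write(",".join(broken[k] for k in header) + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    for wanted in ("2.4", "2.5"):
        layout, rows, bad = parse_findings(build_sample(wanted))
        print(layout, dict(failed_by_severity(rows)), "bad rows at lines:", bad)
```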
Added severity field to CSV and HTML output reports
Added new logo, screenshots and improved documentation sections
Added -N <shodan_api_key> support for extra7102
Added [extra736] Check exposed KMS keys to group internet-exposed
Added [extra798] Check if Lambda functions have resource-based policy set as Public
Added [extra799] Check if Security Hub is enabled and its standard subscriptions
Added 4 new EKS checks @jonjozwiak
Added access checks for several checks @zfLQ2qx2
Added additional checks to HIPAA group @gchib297
Added additional GDPR checks to GDPR group @gchib297
Added all new Sagemaker checks to extras
Added allow list All findings in single view in html report
Added AWS partition variable to the ASFF output format
Added AWS service name to json, csv and html outputs
Added back extra798
Added Better handle permissions and errors
Added CFN template helper for role
Added check extra7113
Added check extra798 to gdpr and pci groups @gchib297
Added check extra798 to iso27001 @gchib297
Added check extra798 to PCI
Added check for AccessDenied when calling GetBucketLocation in extra73,extra734,extra764 @zfLQ2qx2
Added Check for errors generating credential report, limit loop iterations @zfLQ2qx2
Added check for RDS enhanced monitoring @mpratsch
Added check if Enhanced monitoring is enabled on RDS instances
Added check23 to group17_internetexposed group @RyanJarv
Added check7130 to group7_extras and Fixed some issues
Added checks about EKS to groups internet-exposed and forensics
Added CodeBuild deployment section
Added CodeBuild template original from @stevecjones
Added coreutils to Dockerfile
Added EKS checks to eks-cis and extras group @jonjozwiak
Added Enable Security Hub official integration @toniblyx
Added ENS group with new checks
Added extra7102 ElasticIP Shodan integration
Added extra7102 to groups extras and internetexposed
Added extra7113: Check RDS deletion protection
Added extra7113: Check RDS instances deletion protection @gchib297
Added extra7133 RDS multi-AZ
Added extra796 EKS control plane access to internet-exposed group
Added extra799 and extra7100 to group extras
Added FFIEC cybersecurity assessment group @gchib297
Added Fixed to generate test summary so reports display graphs correctly @stevecjones
Added get_regions function in order to call after assume_role @HG00
Added GetFindings action to example IAM policy for Security Hub
Added Glue checks additional @dlpzx
Added Glue checks part 1 @ramondiez
Added GovCloud usage information
Added group for ENS Spanish Esquema Nacional de Seguridad
Added group for pci-dss as reference
Added group internet-exposed
Added group18 for ISO27001 thanks to @gchib297 issue #637
Added high level architecture
Added html to -M in usage
Added IAM to extra7100 title
Added latest checks to extras group
Added more checks mappings to ISO27001 group and reordered the list @mario-platt
Added New 7 checks required for ENS
Added new check [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled
Added New check 7.98 [extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) @nickmalcolm
Added new check extra_7130 to check encryption of a SNS topic @mpratsch
Added new check extra7131 RDS minor version upgrade
Added new check extra793 for SSL listeners on load balancers @jonjozwiak
Added new extras check (7130) to check encryption of a SNS topic
Added New group for Sagemaker with 10 new controls
Added parameters and made the template parameterised @pacohope
Added Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys
Added script to generate html report from multiple csv outputs
Added service name to all checks
Added service name to sample check
Added session duration option to 12h
Added sleep to extra7102 to avoid Shodan API limits
Added SOC2 compliance group @gchib297
Added start build automatically
Added Support custom folder checks when running all checks @xeroxnir
Added support to run inside AWS CloudShell
Added Whitelist feature improvements @QuinnStevens
Enhancements:
Enhanced Accept current most restrictive TLSv1.2-only ALB security policy as secure
Enhanced Adapt check119 to exclude instances shutting down @stku1985
Enhanced Additional check for location of awscli @zfLQ2qx2
Enhanced Adjusted severity like in Security Hub @xeroxnir
Enhanced Allow list checks and groups without credentials
Enhanced better handle permissions and errors
Enhanced Catch errors assuming role and describing regions @zfLQ2qx2
Enhanced check extra740: reworked to consider all snapshots, use JMESPath query @pacohope
Enhanced check extra792 to accept current most restrictive TLSv1.2 @bazbremner
Enhanced check119 to exclude instances shutting-down @stku1985
Enhanced clear AWS_DEFAULT_OUTPUT on start @zfLQ2qx2
Enhanced Cloudtrail metrics (check3x) pass if found on any, not every, cloudtrail log @zfLQ2qx2
Enhanced CodeBuild CFN template with scheduler and documentation
Enhanced documentation about SecurityHub integration and region filter
Enhanced Ensure check28 only looks at symmetric keys
Enhanced Ensure that checks are sorted numerically when listing checks @marcjay
Enhanced Ensures JSON is the default AWS command output.
Enhanced error handling without credentials
Enhanced extra7102 increased severity to medium
Enhanced extra792 skip check if no HTTPS/SSL Listener plus Added NLB Support @jonjozwiak
Enhanced feature to refresh assume role credentials before it expires
Enhanced Force default AWS CLI output issue #696 @Kirizan
Enhanced Handle shadow CloudTrails more gracefully in checks check21,check22,check24,check27 @zfLQ2qx2
Enhanced html output with scoring information, risk, remediation, doc link and CAF security epics.
Enhanced Implement OS neutral method of converting rfc3339 dates to epoch @zfLQ2qx2
Enhanced In CSV output, changed the NOTES field header to CHECK_RESULT_EXTENDED. New CSV header looks like:
Enhanced PublicIP discovery used in Shodan check_extra7102 @as-km
Enhanced reduce needed actions in additions policy @tekdj7
Enhanced Removed textInfo extra information on extra712
Enhanced Security Hub integration @xeroxnir
Enhanced Security Hub integration improvement and Added severity for checks @xeroxnir
Enhanced Security Hub: Mark as ARCHIVED + Fixed race condition @xeroxnir
Enhanced Updated ProwlerExecRoleAdditionalViewPrivileges Policy with lambda:GetFunction
Enhanced Use describe-network-interfaces instead of describe-addresses in order to get public IPs #768
Enhanced whitelisting to allow regexes and fuzzy/strict matching
Enhanced Adjusted severity of secrets and Shodan checks
Fixes:
Fixed account id in output file name
Fixed changes made in check27
Fixed check extra73 fail message omits bucket name @zfLQ2qx2
Fixed check for public rds instances
Fixed check_extra7107 condition
Fixed check_extra7116 and check_extra7117
Fixed check12 bug: remove $ from grep
Fixed check12 when MFA is enabled and user contains true in the name @xeroxnir
Fixed date command for busybox @zfLQ2qx2
Fixed don't fail check extra737 for keys scheduled for deletion
Fixed EKS related checks regarding us-west-1 @njgibbon
Fixed error handling for SubscriptionRequiredException in extra77
Fixed execute_group_by_id @xeroxnir
Fixed extra7103 parser error
Fixed extra7108 parser error
Fixed extra7110 title
Fixed extra7111 parser error
Fixed extra7116 extra7117 outputs and added to extras @ramondiez
Fixed extra737 now doesn't fail for keys scheduled for deletion @QuinnStevens
Fixed for busybox date command
Fixed for check_extra764 @grzegorznittner
Fixed for issue 713
Fixed FreeBSD $OSTYPE check @ring-pete
Fixed getopts OPTARG for custom checks @xeroxnir
Fixed include lambda:GetFunction in prowler policy to check AWS Lambda related controls: extra720,extra759,extra760,extra762,extra798
Fixed Include missing AWS function lambda:GetFunction policy in prowler-additions-policy.json to check AWS Lambda @jfagoagas
Fixed issue #624 ID of check_extra792
Fixed issue #659
Fixed issue assuming role in regions with STS disabled
Fixed issue in extra776 when ECR Scanning imageDigest @adamcanzuk
Fixed listing CloudFormation stacks if default output format is not JSON
Fixed listing configurations if default output format is not JSON check119,extra742,extra75 and extra772 @Anthirian
Fixed listing EC2 instances if default output format is not JSON
Fixed li...
Prowler 2.3.0-18122020
Label version 2.3.0-18122020