Releases: prowler-cloud/prowler
Prowler 4.6.0 - Blood Brothers
And as you look all around at the world in dismay
What do you see, do you think we have learned?
Not if you're taking a look at the war-torn affray
Out in the streets where the babies are burnt
Prowler 4.6.0 - Blood Brothers 🚀 has arrived! Packed with exciting new AWS checks, fixers, and expanded Azure coverage, this release takes your cloud security to the next level. 🎸 While you explore, enjoy the classic Iron Maiden song that inspired this release.
Special thanks to our amazing new contributors: @drewkerrigan, @metahertz, and @vicferpoy! ⭐ We’d also like to thank @normanecg, @sansns, @StylusFrost, @garym-krrv, and @thomscode for their continued efforts and valuable PRs that keep improving Prowler! 🙌🚀
New features to highlight in this version
AWS
🔒 IAM Root Credentials Management
AWS recently introduced the ability to centrally manage root credentials with AWS Organizations (read more). Prowler now supports this feature with the new check iam_root_credentials_management_enabled
, letting you verify whether root credentials management is enabled in your AWS account.
Try it out:
prowler aws -c iam_root_credentials_management_enabled
🧑🔧 6 New Fixers!
Prowler now includes 6 new fixers to help you automatically remediate misconfigurations in AWS services like DocumentDB, EC2, KMS, Neptune, and RDS.
Run a specific fixer with:
prowler aws -c <check_id> --fixer
See all the new available fixers with
prowler aws --list-fixers
1. documentdb_cluster_public_snapshot
2. ec2_ebs_public_snapshot
3. kms_cmk_not_deleted_unintentionally
4. neptune_cluster_public_snapshot
5. rds_instance_no_public_access
6. rds_snapshots_public_access
🚀 13 New AWS Checks Across 10 Services!
We’ve significantly expanded AWS coverage with 13 new checks, enhancing your security and compliance for services like AppSync, DMS, Firehose, Glue, Kinesis, and IAM.
See all the new available checks with
prowler aws --list-checks
1. appsync_field_level_logging_enabled
2. appsync_graphql_api_no_api_key_authentication
3. dms_endpoint_redis_in_transit_encryption_enabled
4. dms_replication_task_source_logging_enabled
5. dms_replication_task_target_logging_enabled
6. firehose_stream_encrypted_at_rest
7. glue_etl_jobs_logging_enabled
8. iam_root_credentials_management_enabled
9. kinesis_stream_data_retention_period
10. memorydb_cluster_auto_minor_version_upgrades
11. mq_broker_not_publicly_accessible
12. servicecatalog_portfolio_shared_within_organization_only
13. storagegateway_gateway_fault_tolerant
⚙️ Improved Handling of Unknown Resources
Prowler now avoids creating mocked resource ARNs or IDs for non-existent resources. Instead, it will generate a standardized "Unknown" ARN and ID using the following patterns:
- Unknown resource ARN:
arn:<partition>:<service>:<region>:<account-id>:resource-type/unknown
- Unknown resource ID:
resource-type/unknown
Azure
💪🏼 New Azure AI Search Check
Thanks to our great contributor @StylusFrost, Prowler now includes Azure AI Search coverage with the new checkaisearch_service_not_publicly_accessible
Give it a try by scanning the Azure Container Registry with
prowler azure --service aisearch
🇪🇸📜 Added ENS Compliance Framework
Thanks to @normanecg, Prowler now supports the ENS RD2022 compliance framework for Azure, ensuring enhanced compliance for Spanish organizations.
Give it a try with
prowler azure --compliance ens_rd2022_aws
GCP
🇪🇸📜 New ENS Compliance Framework
We’re excited to announce that Prowler now includes the ENS RD2022 compliance framework for GCP, courtesy of @normanecg!
Give it a try with
prowler gcp --compliance ens_rd2022_aws
🔧 Other issues and bug fixes solved for all the cloud providers
What's Changed
Features
- feat(appsync): add new check
appsync_field_level_logging_enabled
by @MarioRgzLpz in #5602 - feat(appsync): add new check
appsync_graphql_apis_no_api_key_authentication
by @MarioRgzLpz in #5591 - feat(appsync): Add new service AppSync by @MarioRgzLpz in #5589
- feat(aws): add MemoryDB service by @sansns in #5546
- feat(aws): add new check
iam_root_credentials_management_enabled
by @MrCloudSec in #5801 - feat(aws): add new service
firehose
by @HugoPBrito in #5620 - feat(aws): get regions by partition by @pedrooot in #5748
- feat(aws): Update check metadata with
logging
category by @sansns in #5639 - feat(aws): Update check metadata with
redudancy
category by @sansns in #5640 - feat(azure): Add get_regions method for provider by @vicferpoy in #5774
- feat(azure): AI Search service check not publicly accesible by @StylusFrost in #5846
- feat(compliance): add ENSRD2022 for Azure and GCP by @pedrooot in #5746
- feat(dms): add new check
dms_endpoint_redis_tls_enabled
by @danibarranqueroo in #5583 - feat(dms): add new check
dms_replication_task_source_logging_enabled
by @danibarranqueroo in #5627 - feat(dms): add new check
dms_replication_task_target_logging_enabled
by @danibarranqueroo in #5631 - feat(documentdb): add new fixer
documentdb_cluster_public_snapshot_fixer
by @danibarranqueroo in #5759 - feat(ec2): add new fixer
ec2_ebs_public_snapshot_fixer
by @danibarranqueroo in #5825 - feat(firehose): add new check
firehose_stream_encrypted_at_rest
by @HugoPBrito in #5635 - feat(gcp): add get regions method by @pedrooot in #5756
- feat(jira): add jira integration by @pedrooot in #5629
- feat(kinesis): add new check
kinesis_stream_data_retention_period
by @HugoPBrito in #5547 - feat(kms): add new fixer
kms_cmk_not_deleted_unintentionally_fixer
by @danibarranqueroo in #5842 - feat(mq): add
mq_broker_not_publicly_accessible
check by @sansns in #5604 - feat(neptune): add new fixer
neptune_cluster_public_snapshot_fixer
by @danibarranqueroo in #5749 - feat(prowler-check-kreator):
ProwlerChecKreator
first version by @puchy22 in #5099 - feat(rds): add new fixer
rds_instance_no_public_access_fixer
by @danibarranqueroo in #5794 - feat(rds): add new fixer
rds_snapshots_public_access_fixer
by @danibarranqueroo in #5773 - feat(rds): add
rds_cluster_protected_by_backup_plan
check by @sansns in #5638 - feat(servicecatalog): Add new check
servicecatalog_portfolio_shared_within_organization_only
by @MarioRgzLpz in #5632 - feat(servicecatalog): Add new service servicecatalog by @MarioRgzLpz in #5618
- feat(sgw): add
storagegateway_fault_tolerance
check by @sansns in #5570
Fixes
- fix(aws): exclude member accounts in IAM Root Credentials check by @MrCloudSec in #5813
- fix(aws): remove
cloudwatch_log_group_no_critical_pii_in_logs
check by @MrCloudSec in #5736 - fix(aws): update EKS check in compliance frameworks by @MrCloudSec in #5672
- fix(compliance): CIS details for new EFS Controls by @garym-krrv in #5858
- fix(compliance): use subscriptionid instead of name for azure cis by @pedrooot in #5786
- fix(connection): return Connection on generic exception by @jfagoagas in #5636
- fix(docker): add g++ to Dockerfile for presidio-analyzer compatibility by @MrCloudSec in #5645
- fix(docs): provider typo by @HugoPBrito in #5713
- fix(docs): Update misc tutorial categories example by @drewkerrigan in #5644
- fix(ec2): add default value to Name key for image information by @puchy22 in #5747
- fix(ec2): unique finding per Security Group in high risk ports check by @MarioRgzLpz in #5697
- fix(gcp): do not require organization id to get projects by @MrCloudSec in #5637
- fix(gcp): scan only ACTIVE projects by @MrCloudSec in #5743
- fix(guardduty): fix
guardduty_is_enabled_fixer
test by @danibarranqueroo in #5668 - fix(iam): use
get
to get the key by @pedrooot in https://github.com/prowl...
Prowler 4.5.3 - Another Life
What's Changed
- chore(ec2): add name from image information to status_extended by @prowler-bot in #5758
- chore(version): update Prowler version by @MrCloudSec in #5737
- fix(ec2): add default value to Name key for image information by @prowler-bot in #5754
- fix(gcp): scan only ACTIVE projects by @prowler-bot in #5752
Full Changelog: 4.5.2...4.5.3
Prowler 4.5.2 - Another Life
Important Changes
-
fix(aws): remove
cloudwatch_log_group_no_critical_pii_in_logs
check by @MrCloudSec in #5735- This check has been removed due to dependencies on
presidio-analyzer
, which loads NLP modules and PII recognizers from external sources not included in Prowler’s dependencies. This approach is unsuitable for offline environments. Additionally:- Dependencies are unavailable on PyPI, complicating installation.
- The NLP module (
en-core-web-lg
) is large (~400MB), and we need to assess whether this module is necessary. - The installation process adds excessive output to the terminal UI, impacting readability.
We plan to reintroduce this check with dependencies fully defined and verified.
- This check has been removed due to dependencies on
Fixes
- fix(ec2): Unique finding per Security Group in high-risk ports check by @prowler-bot in #5698
Chores
- chore(version): Updated Prowler version by @MrCloudSec in #5680
Full Changelog: 4.5.1...4.5.2
Prowler 4.5.1 - Another Life
What's Changed
Fixes
- fix(docker): add g++ to Dockerfile for presidio-analyzer compatibility by @prowler-bot in #5648
- fix(mutelist): set arguments while loading providers by @prowler-bot in #5673
- fix(guardduty): fix
guardduty_is_enabled_fixer
test by @prowler-bot in #5678 - fix(aws): update EKS check in compliance frameworks by @prowler-bot in #5675
Chores
- chore(aws): deprecate
glue_etl_jobs_logging_enabled
check by @prowler-bot in #5677 - chore(version): update Prowler version by @sergargar in #5679
Full Changelog: 4.5.0...4.5.1
Prowler 4.5.0 - Another Life
There's a feeling that's inside me
Telling me to get away
But I'm so tired of living
I might as well end today
Prowler 4.5.0 - Another Life 🚀 has arrived, packed with a host of new AWS checks and improvements! We also invite you to enjoy this classic Iron Maiden song.
A huge shout-out to our talented engineers @danibarranqueroo, @MarioRgzLpz, and @HugoPBrito for their amazing work on developing new checks, and a warm welcome to our new engineer @AdriiiPRodri!
Special thanks as well to @sansns for his outstanding contributions to new Fault Tolerance checks, and to our fantastic external contributors @SaintTamnoon, @jonathanbro, and @Nirbhay1997 for their valuable PRs 🥳.
New features to highlight in this version
AWS
🔒 Combat LLMJacking in AWS Bedrock
Following recent insights from Permiso Security on hijacking threats to GenAI infrastructure like AWS Bedrock, we’ve introduced five new checks in Prowler to bolster security:
bedrock_model_invocation_logging_enabled
cloudtrail_threat_detection_llm_jacking
bedrock_agent_guardrail_enabled
bedrock_guardrail_prompt_attack_filter_enabled
bedrock_guardrail_sensitive_information_filter_enabled
.
These checks enhance logging, encryption, and guardrail configurations to monitor and mitigate unauthorized access, safeguarding sensitive data and helping detect emerging LLMJacking threats.
🛡️ New Checks to Address IAM Access Analyzer Gaps
In their latest post on securityrunners.io, @SecurityRunners identified gaps in IAM Access Analyzer's ability to detect publicly exposed resources. To close these gaps, we’ve introduced new checks: cloudwatch_log_group_not_publicly_accessible
, ses_identities_not_publicly_accessible
, glue_data_catalogs_not_publicly_accessible
, and secretsmanager_not_publicly_accessible
, helping to reliably identify and secure public resources.
🚀 More checks!
Prowler has significantly expanded its AWS coverage, adding 104 new checks across 42 AWS services, including popular ones like Bedrock, DMS, FSx, GuardDuty, SES and WAF, to enhance your cloud security and compliance posture.
See all the new available checks with
prowler aws --list-checks
apigateway_restapi_cache_encrypted
apigateway_restapi_tracing_enabled
athena_workgroup_logging_enabled
autoscaling_group_capacity_rebalance_enabled
autoscaling_group_elb_health_check_enabled
autoscaling_group_launch_configuration_no_public_ip
autoscaling_group_launch_configuration_requires_imdsv2
autoscaling_group_multiple_instance_types
autoscaling_group_using_ec2_launch_template
backup_recovery_point_encrypted
bedrock_agent_guardrail_enabled
bedrock_guardrail_prompt_attack_filter_enabled
bedrock_guardrail_sensitive_information_filter_enabled
bedrock_model_invocation_logging_enabled
bedrock_model_invocation_logs_encryption_enabled
cloudfront_distributions_s3_origin_non_existent_bucket
cloudtrail_threat_detection_enumeration
cloudtrail_threat_detection_llm_jacking
cloudtrail_threat_detection_privilege_escalation
cloudwatch_alarm_actions_alarm_state_configured
cloudwatch_alarm_actions_enabled
cloudwatch_log_group_no_critical_pii_in_logs
cloudwatch_log_group_not_publicly_accessible
codebuild_project_logging_enabled
codebuild_project_no_secrets_in_variables
codebuild_project_s3_logs_encrypted
codebuild_report_group_export_encrypted
config_recorder_using_aws_service_role
datasync_task_logging_enabled
directconnect_connection_redundancy
directconnect_virtual_interface_redundancy
dms_endpoint_mongodb_authentication_enabled
dms_endpoint_neptune_iam_authorization_enabled
documentdb_cluster_multi_az_enabled
dynamodb_accelerator_cluster_multi_az
dynamodb_table_autoscaling_enabled
ecs_cluster_container_insights_enabled
ecs_service_fargate_latest_platform_version
ecs_task_definitions_logging_block_mode
ecs_task_set_no_assign_public_ip
efs_access_point_enforce_root_directory
efs_access_point_enforce_user_identity
efs_mount_target_not_publicly_accessible
eks_cluster_not_publicly_accessible
elasticbeanstalk_environment_cloudwatch_logging_enabled
elasticbeanstalk_environment_enhanced_health_reporting
elasticbeanstalk_environment_managed_updates_enabled
elb_desync_mitigation_mode
elb_ssl_listeners_use_acm_certificate
elbv2_cross_zone_load_balancing_enabled
elbv2_nlb_tls_termination_enabled
eventbridge_global_endpoint_event_replication_enabled
fsx_file_system_copy_tags_to_backups_enabled
fsx_file_system_copy_tags_to_volumes_enabled
fsx_windows_file_system_multi_az_enabled
glue_data_catalogs_not_publicly_accessible
glue_etl_jobs_logging_enabled
glue_ml_transform_encrypted_at_rest
guardduty_ec2_malware_protection_enabled
guardduty_eks_audit_log_enabled
guardduty_eks_runtime_monitoring_enabled
guardduty_lambda_protection_enabled
iam_policy_cloudshell_admin_not_attached
kafka_connector_in_transit_encryption_enabled
kinesis_stream_encrypted_at_rest
macie_automated_sensitive_data_discovery_enabled
mq_broker_active_deployment_mode
mq_broker_auto_minor_version_upgrades
mq_broker_cluster_deployment_mode
mq_broker_logging_enabled
networkfirewall_logging_enabled
networkfirewall_multi_az
networkfirewall_policy_default_action_fragmented_packets
networkfirewall_policy_default_action_full_packets
opensearch_service_domains_fault_tolerant_data_nodes
opensearch_service_domains_fault_tolerant_master_nodes
opensearch_service_domains_not_publicly_accessible
rds_cluster_protected_by_backup_plan
rds_instance_transport_encrypted
redshift_cluster_encrypted_at_rest
redshift_cluster_enhanced_vpc_routing
redshift_cluster_in_transit_encryption_enabled
redshift_cluster_multi_az_enabled
redshift_cluster_non_default_database_name
redshift_cluster_non_default_username
s3_bucket_event_notifications_enabled
s3_multi_region_access_point_public_access_block
secretsmanager_not_publicly_accessible
secretsmanager_secret_rotated_periodically
secretsmanager_secret_unused
ses_identity_not_publicly_accessible
transfer_server_in_transit_encryption_enabled
vpc_endpoint_multi_az_enabled
waf_global_rule_with_conditions
waf_global_rulegroup_not_empty
waf_global_webacl_logging_enabled
waf_global_webacl_with_rules
waf_regional_rule_with_conditions
waf_regional_rulegroup_not_empty
waf_regional_webacl_with_rules
wafv2_webacl_rule_logging_enabled
wafv2_webacl_with_rules
Azure
💪🏼 New checks for Azure Container Registry
A big thanks to @johannes-engler-mw for helping expand Prowler's Azure coverage with new checks for Azure Container Registry: containerregistry_uses_private_link
and containerregistry_not_publicly_accessible
.
Give them a try by scanning the Azure Container Registry with
prowler azure --service containerregistry
GCP
🔎 Scan your GCP Organization
Now you can limit the scan to projects within a specific Google Cloud organization by using the --organization-id
option with the GCP organization ID:
prowler gcp --organization-id organization-id
See more in our documentation
OCSF
Breaking changes from v1.2.0 to v1.3.0
We have updated the OCSF output to be compatible with the v1.3.0 version. From v1.2.0 to v1.3.0 the format has the several changes, in the form of additions, changes and some breaking changes:
- Add
finding_info.created_time_dt
as a timestamp. - Change
finding_info.created_time
from a timestamp to a unix timestamp. - Add
finding_info.name
with the finding's resource name. - Add
finding_info.types
with the Prowler's check type. - Add
time_dt
as a timestamp. - Rename
event_time
totime
and change the format from a timestamp to a unix timestamp. - Remove
container
object. - Add
metadata.product.uid
withprowler
. - Add
metadata.profiles
with:["cloud", "datetime"]
for the Cloud providers.["container", "datetime"]
for the Kubernetes provider.
- Fix
type_name
withDetection Finding: Create
. - Fix
cloud.type
format.
🔧 Other issues and bug fixes solved for all the cloud providers
What's Changed
Features
- feat(apigateway): add new check
apigateway_restapi_cache_encrypted
by @danibarranqueroo in #5448 - feat(apigateway): add new check
apigateway_restapi_tracing_enabled
by @danibarranqueroo in #5470 - feat(athena): add new check
athena_workgroup_logging_enabled
by @puchy22 in #5468 - feat(autoscaling): add new check
autoscaling_group_elb_health_check_enabled
by @danibarranqueroo in #5330 - feat(autoscaling): add new check
autoscaling_group_launch_configuration_no_public_ip
by @danibarranqueroo in #5359 - feat(autoscaling): add new check
autoscaling_group_launch_configuration_requires_imdsv2
by @danibarranqueroo in #5356 - feat(autoscaling): add new check `aut...
Prowler 4.4.1 - Alexander the Great
What's Changed
Fixes
- fix(Dockerfile): install git dependency by @prowler-bot in #5344
- fix(ecs): Adjust code to the new ARN formats in the ECS service by @prowler-bot in #5312
- fix(threat detection): ignore AWS services events by @prowler-bot in #5311
Chores
- chore(ecs): mock all tests using moto by @prowler-bot in #5333
- chore(guardduty): mock failing tests using moto by @prowler-bot in #5337
- chore(secrets): Add TelegramBotToken detector by @prowler-bot in #5328
- chore(secrets): use
master
branch of Yelp/detect-secrets by @prowler-bot in #5331 - chore(sns): manage
ResourceNotFoundException
and add paralelism by @prowler-bot in #5347
Full Changelog: 4.4.0...4.4.1
Prowler 4.4.0 - Alexander the Great
Alexander the Great
His name struck fear into hearts of men
Alexander the Great
Became a legend 'mongst mortal men
Prowler 4.4.0 - Alexander the Great 🚀 is here, bringing a ton of new AWS checks and fixes! We also invite you to enjoy this Iron Maiden song.
A big shout-out to our engineers @danibarranqueroo, @MarioRgzLpz and @HugoPBrito for their fantastic work in developing new checks and to our new external contributors @abant07, @LefterisXefteris, @h4r5h1t, @Jude-Bae and @johannes-engler-mw for their PRs 🥳
New features to highlight in this version
AWS
🔐 Cover IAM non existing AWS actions/resources
Prowler now covers IAM scenarios where policies could have a non existing AWS actions in the NotAction
statement allowing ALL actions in resources (same as non existing resources in NotResource
) like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"NotAction": "prowler:action",
"NotResource": "arn:aws:s3:::calculator"
}
]
}
🤔 How to Prevent AWS AI From Using Your Data
Recently, AWS may be using your data to train its AI models, and you may have unwittingly consented to it.
The new check organizations_opt_out_ai_services_policy
ensure that you stop feeding AWS’s AI with your data.
You can see @QuinnyPig's helpful post about how to opt out here or using the AWS documentation.
🚀 More checks!
Prowler has expanded its AWS coverage with 74 new checks for ACM, CloudFront, CodeBuild, DMS, DocumentDB, DynamoDB, EC2, ECS, EKS, Elasticache, ELB, ELBv2, EKS, GuardDuty, IAM, KMS, Lambda, Neptune, Network Firewall, Organizations, RDS, S3, SageMaker and VPC.
See all the new available checks with
prowler aws --list-checks
acm_certificates_with_secure_key_algorithms
awslambda_function_inside_vpc
awslambda_function_vpc_multi_az
cloudfront_distributions_custom_ssl_certificate
cloudfront_distributions_default_root_object
cloudfront_distributions_https_sni_enabled
cloudfront_distributions_multiple_origin_failover_configured
cloudfront_distributions_origin_traffic_encrypted
cloudfront_distributions_s3_origin_access_control
cloudfront_distributions_s3_origin_non_existent_bucket
codebuild_project_no_secrets_in_variables
codebuild_project_source_repo_url_no_sensitive_credentials
dms_endpoint_ssl_enabled
documentdb_cluster_public_snapshot
dynamodb_accelerator_cluster_in_transit_encryption_enabled
dynamodb_table_deletion_protection_enabled
dynamodb_table_protected_by_backup_plan
ec2_client_vpn_endpoint_connection_logging_enabled
ec2_ebs_volume_protected_by_backup_plan
ec2_instance_paravirtual_type
ec2_instance_uses_single_eni
ec2_launch_template_no_public_ip
ec2_networkacl_unused
ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
ec2_transitgateway_auto_accept_vpc_attachments
ecr_repositories_tag_immutability
ecs_service_no_assign_public_ip
ecs_task_definitions_containers_readonly_access
ecs_task_definitions_host_namespace_not_shared
ecs_task_definitions_host_networking_mode_users
ecs_task_definitions_logging_enabled
ecs_task_definitions_no_privileged_containers
eks_cluster_uses_a_supported_version
elasticache_redis_cluster_automatic_failover_enabled
elasticache_redis_cluster_auto_minor_version_upgrades
elasticache_redis_replication_group_auth_enabled
elbv2_is_in_multiple_az
elb_connection_draining_enabled
elb_cross_zone_load_balancing_enabled
elb_is_in_multiple_az
guardduty_rds_protection_enabled
guardduty_s3_protection_enabled
iam_group_administrator_access_policy
iam_user_administrator_access_policy
kms_cmk_not_deleted_unintentionally
neptune_cluster_copy_tags_to_snapshots
neptune_cluster_integration_cloudwatch_logs
neptune_cluster_public_snapshot
neptune_cluster_snapshot_encrypted
networkfirewall_policy_rule_group_associated
organizations_opt_out_ai_services_policy
rds_cluster_copy_tags_to_snapshots
rds_cluster_critical_event_subscription
rds_cluster_default_admin
rds_cluster_deletion_protection
rds_cluster_iam_authentication_enabled
rds_cluster_integration_cloudwatch_logs
rds_cluster_minor_version_upgrade_enabled
rds_cluster_multi_az
rds_cluster_non_default_port
rds_cluster_storage_encrypted
rds_instance_copy_tags_to_snapshots
rds_instance_critical_event_subscription
rds_instance_event_subscription_parameter_groups
rds_instance_inside_vpc
rds_instance_non_default_port
rds_instance_protected_by_backup_plan
s3_access_point_public_access_block
s3_bucket_cross_account_access
s3_bucket_cross_region_replication
s3_bucket_lifecycle_enabled
sagemaker_endpoint_config_prod_variant_instances
vpc_endpoint_for_ec2_enabled
vpc_vpn_connection_tunnels_up
📜 KISA ISMS-P AWS compliance framework added
Prowler now supports one of Korea’s key security compliance frameworks, the Personal Information & Information Security Management System (ISMS-P) from the Korea Internet & Security Agency (KISA) thanks to @Jude-Bae !
Azure
🆕 Azure Container Registries now supported!
@johannes-engler-mw added a new check containerregistry_admin_user_disabled
for verifying if the admin user is disabled for Azure Container Registries.
You can try it with
prowler azure -c containerregistry_admin_user_disabled
🔧 Other issues and bug fixes solved for all the cloud providers
Features
- feat(acm): Add new check for insecure algorithms in certificates by @MarioRgzLpz in #4551
- feat(aws): Add a test_connection method by @jfagoagas in #4563
- feat(aws): add custom exceptions class by @pedrooot in #4847
- feat(aws): Add new check to ensure Aurora MySQL DB Clusters publish audit logs to CloudWatch logs by @danibarranqueroo in #4916
- feat(aws): Add new check to ensure RDS DB clusters are encrypted at rest by @danibarranqueroo in #4931
- feat(aws): Add new check to ensure RDS db clusters copy tags to snapshots by @danibarranqueroo in #4846
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical cluster events by @danibarranqueroo in #4887
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database instance events by @danibarranqueroo in #4891
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database parameter group events by @danibarranqueroo in #4907
- feat(aws): Add new check to ensure RDS instances are not using default database engine ports by @danibarranqueroo in #4973
- feat(aws): Add new check
opensearch_service_domains_access_control_enabled
by @abant07 in #5203 - feat(aws): add new check
organizations_opt_out_ai_services_policy
by @sergargar in #5152 - feat(aws): Add new CodeBuild check to validate environment variables by @danibarranqueroo in #4632
- feat(aws): Add new KMS check to prevent unintentional key deletion by @danibarranqueroo in #4595
- feat(aws): Add new Neptune check for cluster snapshot visibility by @danibarranqueroo in #4709
- feat(aws): Add new RDS check for deletion protection enabled on clusters by @danibarranqueroo in #4738
- feat(aws): Add new RDS check to ensure db clusters are configured for multiple availability zones by @danibarranqueroo in #4781
- feat(aws): Add new RDS check to ensure db instances are protected by a backup plan by @danibarranqueroo in #4879
- feat(aws): Add new RDS check to verify that cluster minor version upgrade is enabled by @danibarranqueroo in #4725
- feat(aws): Add new RDS check to verify that db instances copy tags to snapshots by @danibarranqueroo in #4806
- feat(aws): Add new S3 check for public access block configuration in access points by @HugoPBrito in #4608
- feat(aws): add tags to Global Accelerator by @puchy22 in #5233
- feat(aws): Split the checks that mix RDS Instances and Clusters by @danibarranqueroo in #4730
- feat(aws) Add check to make sure EKS clusters have a supported version by @abant07 in https://github.com/prowler-cloud/prow...
Prowler 4.3.7 - The Alchemist
What's Changed
Fixes
- fix(action): solve pypi-release action by @sergargar in #5134
- fix(regions): show all for empty regions by @pedrooot in #5143
- fix(iam): fill resource id with inline policy entity by @prowler-bot in #5147
Full Changelog: 4.3.6...4.3.7
Prowler 4.3.6 - The Alchemist
What's Changed
Fixes
- fix(asff): include status extended in ASFF output by @prowler-bot in #5116
- fix(audit): solve resources audit by @prowler-bot in #4988
- fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4950
- fix(aws): enchance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4862
- fix(aws): handle AWS key-only tags by @github-actions in #4854
- fix(aws): make intersection to retrieve checks to execute by @prowler-bot in #4974
- fix(gcp): solve errors in GCP services by @prowler-bot in #5124
- fix(gcp): add default project for org level checks by @prowler-bot in #5132
- fix(iam-gcp): add getters in iam_service for gcp by @prowler-bot in #5001
- fix(lightsail): Remove second call to
is_resource_filtered
by @prowler-bot in #5125 - fix(main): logic for resource_tag and resource_arn usage by @prowler-bot in #4982
- fix(metadata): change description from documentdb_cluster_deletion_protection by @prowler-bot in #4913
- fix(rds): Modify RDS Event Notification Subscriptions for Security Groups Events check by @prowler-bot in #4977
- fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4953
- fix(vpc): check all routes tables in subnet by @prowler-bot in #5122
Chores
- chore(aws): Remove token from log line by @prowler-bot in #4905
- chore(aws_mutelist): Add more Control Tower resources and tests by @prowler-bot in #4902
- chore(ssm): add trusted accounts variable to ssm check by @prowler-bot in #5118
Full Changelog: 4.3.5...4.3.6
Prowler 3.16.17 - Back in the Village
What's Changed
Fixes
- fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4949
- fix(aws): enchance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4861
- fix(ec2): Manage
UnicodeDecodeError
when reading user data by @github-actions in #4788 - fix(gcp): solve errors in GCP services by @prowler-bot in #5123
- fix(inspector2): Ensure Inspector2 is enabled for ECR, EC2, Lambda and Lambda Code by @prowler-bot in #5066
- fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4952
- fix(v3): remove not supported checks by @sergargar in #5126
- fix(vpc): check all routes tables in subnet by @prowler-bot in #5121
Chores
- chore(aws): match all AWS resource types with SecurityHub supported types in metadata by @prowler-bot in #5064
- chore(aws): Remove token from log line by @jfagoagas in #4904
- chore(awslambda): Enhance function public access check called from other resource by @github-actions in #4793
- chore(azure): Fix CIS 2.1 mapping by @github-actions in #4780
- chore(docs): change ResourceType link of Security Hub by @prowler-bot in #5096
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5083
- chore(ssm): add trusted accounts variable to ssm check by @prowler-bot in #5117
- chore(test): improve
iam_root_hardware_mfa_enabled
tests by @github-actions in #4834 - chore(version): update version logic in Prowler by @github-actions in #4776
Dependencies
- chore(dependencies): update boto3 and botocore packages by @prowler-bot in #4986
- chore(deps): bump azure-identity from 1.17.1 to 1.18.0 by @dependabot in #5105
- chore(deps): bump azure-mgmt-compute from 32.0.0 to 33.0.0 by @dependabot in #4858
- chore(deps): bump azure-mgmt-containerservice from 31.0.0 to 32.0.0 by @dependabot in #5040
- chore(deps): bump azure-mgmt-cosmosdb from 9.5.1 to 9.6.0 by @dependabot in #5103
- chore(deps): bump azure-mgmt-web from 7.3.0 to 7.3.1 by @dependabot in #4810
- chore(deps): bump azure-storage-blob from 12.22.0 to 12.23.0 by @dependabot in #5078
- chore(deps): bump boto3 from 1.35.21 to 1.35.23 by @dependabot in #5114
- chore(deps): bump botocore from 1.35.22 to 1.35.23 by @dependabot in #5101
- chore(deps): bump google-api-python-client from 2.145.0 to 2.146.0 by @dependabot in #5079
- chore(deps): bump msgraph-sdk from 1.7.0 to 1.8.0 by @dependabot in #5102
- chore(deps): bump peter-evans/create-pull-request from 6 to 7 by @dependabot in #4924
- chore(deps): bump pydantic from 1.10.17 to 1.10.18 by @dependabot in #4857
- chore(deps): bump pytz from 2024.1 to 2024.2 by @dependabot in #5006
- chore(deps): bump setuptools from 74.1.2 to 75.1.0 by @dependabot in #5054
- chore(deps): bump slack-sdk from 3.33.0 to 3.33.1 by @dependabot in #5104
- chore(deps): bump tj-actions/changed-files from 44 to 45 by @dependabot in #4823
- chore(deps): bump trufflesecurity/trufflehog from 3.82.1 to 3.82.2 by @dependabot in #5051
- chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.8 to 1.2.9 by @dependabot in #5020
- chore(deps-dev): bump moto from 5.0.13 to 5.0.14 by @dependabot in #4963
- chore(deps-dev): bump pylint from 3.2.6 to 3.2.7 by @dependabot in #4919
- chore(deps-dev): bump pytest-env from 1.1.4 to 1.1.5 by @dependabot in #5092
- chore(deps-dev): bump pytest from 8.3.2 to 8.3.3 by @dependabot in #4994
- chore(deps-dev): bump safety from 3.2.6 to 3.2.7 by @dependabot in #4897
- chore(deps-dev): bump vulture from 2.11 to 2.12 by @dependabot in #5075
Full Changelog: 3.16.16...3.16.17