And as you look all around at the world in dismay
What do you see, do you think we have learned?
Not if you're taking a look at the war-torn affray
Out in the streets where the babies are burnt
Prowler 4.6.0 - Blood Brothers 🚀 has arrived! Packed with exciting new AWS checks, fixers, and expanded Azure coverage, this release takes your cloud security to the next level. 🎸 While you explore, enjoy the classic Iron Maiden song that inspired this release.
Special thanks to our amazing new contributors: @drewkerrigan, @metahertz, and @vicferpoy! ⭐ We’d also like to thank @normanecg, @sansns, @StylusFrost, @garym-krrv, and @thomscode for their continued efforts and valuable PRs that keep improving Prowler! 🙌🚀
New features to highlight in this version
AWS
🔒 IAM Root Credentials Management
AWS recently introduced the ability to centrally manage root credentials with AWS Organizations (read more). Prowler now supports this feature with the new check iam_root_credentials_management_enabled
, letting you verify whether root credentials management is enabled in your AWS account.
Try it out:
prowler aws -c iam_root_credentials_management_enabled
🧑🔧 6 New Fixers!
Prowler now includes 6 new fixers to help you automatically remediate misconfigurations in AWS services like DocumentDB, EC2, KMS, Neptune, and RDS.
Run a specific fixer with:
prowler aws -c <check_id> --fixer
See all the new available fixers with
prowler aws --list-fixers
1. documentdb_cluster_public_snapshot
2. ec2_ebs_public_snapshot
3. kms_cmk_not_deleted_unintentionally
4. neptune_cluster_public_snapshot
5. rds_instance_no_public_access
6. rds_snapshots_public_access
🚀 13 New AWS Checks Across 10 Services!
We’ve significantly expanded AWS coverage with 13 new checks, enhancing your security and compliance for services like AppSync, DMS, Firehose, Glue, Kinesis, and IAM.
See all the new available checks with
prowler aws --list-checks
1. appsync_field_level_logging_enabled
2. appsync_graphql_api_no_api_key_authentication
3. dms_endpoint_redis_in_transit_encryption_enabled
4. dms_replication_task_source_logging_enabled
5. dms_replication_task_target_logging_enabled
6. firehose_stream_encrypted_at_rest
7. glue_etl_jobs_logging_enabled
8. iam_root_credentials_management_enabled
9. kinesis_stream_data_retention_period
10. memorydb_cluster_auto_minor_version_upgrades
11. mq_broker_not_publicly_accessible
12. servicecatalog_portfolio_shared_within_organization_only
13. storagegateway_gateway_fault_tolerant
⚙️ Improved Handling of Unknown Resources
Prowler now avoids creating mocked resource ARNs or IDs for non-existent resources. Instead, it will generate a standardized "Unknown" ARN and ID using the following patterns:
- Unknown resource ARN:
arn:<partition>:<service>:<region>:<account-id>:resource-type/unknown
- Unknown resource ID:
resource-type/unknown
Azure
💪🏼 New Azure AI Search Check
Thanks to our great contributor @StylusFrost, Prowler now includes Azure AI Search coverage with the new checkaisearch_service_not_publicly_accessible
Give it a try by scanning the Azure Container Registry with
prowler azure --service aisearch
🇪🇸📜 Added ENS Compliance Framework
Thanks to @normanecg, Prowler now supports the ENS RD2022 compliance framework for Azure, ensuring enhanced compliance for Spanish organizations.
Give it a try with
prowler azure --compliance ens_rd2022_aws
GCP
🇪🇸📜 New ENS Compliance Framework
We’re excited to announce that Prowler now includes the ENS RD2022 compliance framework for GCP, courtesy of @normanecg!
Give it a try with
prowler gcp --compliance ens_rd2022_aws
🔧 Other issues and bug fixes solved for all the cloud providers
What's Changed
Features
- feat(appsync): add new check
appsync_field_level_logging_enabled
by @MarioRgzLpz in #5602 - feat(appsync): add new check
appsync_graphql_apis_no_api_key_authentication
by @MarioRgzLpz in #5591 - feat(appsync): Add new service AppSync by @MarioRgzLpz in #5589
- feat(aws): add MemoryDB service by @sansns in #5546
- feat(aws): add new check
iam_root_credentials_management_enabled
by @MrCloudSec in #5801 - feat(aws): add new service
firehose
by @HugoPBrito in #5620 - feat(aws): get regions by partition by @pedrooot in #5748
- feat(aws): Update check metadata with
logging
category by @sansns in #5639 - feat(aws): Update check metadata with
redudancy
category by @sansns in #5640 - feat(azure): Add get_regions method for provider by @vicferpoy in #5774
- feat(azure): AI Search service check not publicly accesible by @StylusFrost in #5846
- feat(compliance): add ENSRD2022 for Azure and GCP by @pedrooot in #5746
- feat(dms): add new check
dms_endpoint_redis_tls_enabled
by @danibarranqueroo in #5583 - feat(dms): add new check
dms_replication_task_source_logging_enabled
by @danibarranqueroo in #5627 - feat(dms): add new check
dms_replication_task_target_logging_enabled
by @danibarranqueroo in #5631 - feat(documentdb): add new fixer
documentdb_cluster_public_snapshot_fixer
by @danibarranqueroo in #5759 - feat(ec2): add new fixer
ec2_ebs_public_snapshot_fixer
by @danibarranqueroo in #5825 - feat(firehose): add new check
firehose_stream_encrypted_at_rest
by @HugoPBrito in #5635 - feat(gcp): add get regions method by @pedrooot in #5756
- feat(jira): add jira integration by @pedrooot in #5629
- feat(kinesis): add new check
kinesis_stream_data_retention_period
by @HugoPBrito in #5547 - feat(kms): add new fixer
kms_cmk_not_deleted_unintentionally_fixer
by @danibarranqueroo in #5842 - feat(mq): add
mq_broker_not_publicly_accessible
check by @sansns in #5604 - feat(neptune): add new fixer
neptune_cluster_public_snapshot_fixer
by @danibarranqueroo in #5749 - feat(prowler-check-kreator):
ProwlerChecKreator
first version by @puchy22 in #5099 - feat(rds): add new fixer
rds_instance_no_public_access_fixer
by @danibarranqueroo in #5794 - feat(rds): add new fixer
rds_snapshots_public_access_fixer
by @danibarranqueroo in #5773 - feat(rds): add
rds_cluster_protected_by_backup_plan
check by @sansns in #5638 - feat(servicecatalog): Add new check
servicecatalog_portfolio_shared_within_organization_only
by @MarioRgzLpz in #5632 - feat(servicecatalog): Add new service servicecatalog by @MarioRgzLpz in #5618
- feat(sgw): add
storagegateway_fault_tolerance
check by @sansns in #5570
Fixes
- fix(aws): exclude member accounts in IAM Root Credentials check by @MrCloudSec in #5813
- fix(aws): remove
cloudwatch_log_group_no_critical_pii_in_logs
check by @MrCloudSec in #5736 - fix(aws): update EKS check in compliance frameworks by @MrCloudSec in #5672
- fix(compliance): CIS details for new EFS Controls by @garym-krrv in #5858
- fix(compliance): use subscriptionid instead of name for azure cis by @pedrooot in #5786
- fix(connection): return Connection on generic exception by @jfagoagas in #5636
- fix(docker): add g++ to Dockerfile for presidio-analyzer compatibility by @MrCloudSec in #5645
- fix(docs): provider typo by @HugoPBrito in #5713
- fix(docs): Update misc tutorial categories example by @drewkerrigan in #5644
- fix(ec2): add default value to Name key for image information by @puchy22 in #5747
- fix(ec2): unique finding per Security Group in high risk ports check by @MarioRgzLpz in #5697
- fix(gcp): do not require organization id to get projects by @MrCloudSec in #5637
- fix(gcp): scan only ACTIVE projects by @MrCloudSec in #5743
- fix(guardduty): fix
guardduty_is_enabled_fixer
test by @danibarranqueroo in #5668 - fix(iam): use
get
to get the key by @pedrooot in #5785 - fix(kubernetes): filter apiGroup in permission checks by @MrCloudSec in #5829
- fix(kubernetes): validate seccomp profile at pod and container levels by @MrCloudSec in #5814
- fix(lock): Use detect-secrets from package not repo by @jfagoagas in #5656
- fix(mutelist): set arguments while loading providers by @thomscode in #5653
- fix(rds): fix typo error in
rds_snapshots_public_access_fixer
test by @danibarranqueroo in #5826 - fix(severity): add enum for severity values by @pedrooot in #5856
- fix(wafv2): only list resources for regional Web ACLs by @HugoPBrito in #5811
Chores
- chore(aws): deprecate
glue_etl_jobs_logging_enabled
check by @MrCloudSec in #5670 - chore(deps): bump aiohttp from 3.10.10 to 3.10.11 by @dependabot in #5815
- chore(deps): bump alive-progress from 3.1.5 to 3.2.0 by @dependabot in #5689
- chore(deps): bump azure-keyvault-keys from 4.9.0 to 4.10.0 by @dependabot in #5660
- chore(deps): bump azure-mgmt-containerservice from 32.0.0 to 32.1.0 by @dependabot in #5664
- chore(deps): bump azure-mgmt-containerservice from 32.1.0 to 33.0.0 by @dependabot in #5706
- chore(deps): bump azure-mgmt-cosmosdb from 9.6.0 to 9.7.0 by @dependabot in #5834
- chore(deps): bump azure-mgmt-network from 27.0.0 to 28.0.0 by @dependabot in #5703
- chore(deps): bump azure-mgmt-resource from 23.1.1 to 23.2.0 by @dependabot in #5684
- chore(deps): bump azure-storage-blob from 12.23.1 to 12.24.0 by @dependabot in #5767
- chore(deps): bump boto3 from 1.35.29 to 1.35.55 by @dependabot in #5685
- chore(deps): bump boto3 from 1.35.55 to 1.35.57 by @dependabot in #5719
- chore(deps): bump boto3 from 1.35.57 to 1.35.58 by @dependabot in #5741
- chore(deps): bump boto3 from 1.35.58 to 1.35.60 by @dependabot in #5770
- chore(deps): bump boto3 from 1.35.60 to 1.35.63 by @dependabot in #5809
- chore(deps): bump boto3 from 1.35.63 to 1.35.64 by @dependabot in #5835
- chore(deps): bump boto3 from 1.35.64 to 1.35.65 by @dependabot in #5853
- chore(deps): bump boto3 from 1.35.65 to 1.35.66 by @dependabot in #5860
- chore(deps): bump botocore from 1.35.29 to 1.35.55 by @dependabot in #5663
- chore(deps): bump botocore from 1.35.55 to 1.35.56 by @dependabot in #5683
- chore(deps): bump botocore from 1.35.56 to 1.35.57 by @dependabot in #5702
- chore(deps): bump botocore from 1.35.57 to 1.35.58 by @dependabot in #5721
- chore(deps): bump botocore from 1.35.58 to 1.35.59 by @dependabot in #5740
- chore(deps): bump botocore from 1.35.59 to 1.35.60 by @dependabot in #5765
- chore(deps): bump botocore from 1.35.60 to 1.35.61 by @dependabot in #5780
- chore(deps): bump botocore from 1.35.61 to 1.35.63 by @dependabot in #5797
- chore(deps): bump botocore from 1.35.63 to 1.35.64 by @dependabot in #5818
- chore(deps): bump botocore from 1.35.64 to 1.35.65 by @dependabot in #5836
- chore(deps): bump botocore from 1.35.65 to 1.35.66 by @dependabot in #5850
- chore(deps): bump codecov/codecov-action from 4 to 5 by @dependabot in #5783
- chore(deps): bump dash from 2.18.1 to 2.18.2 by @dependabot in #5682
- chore(deps): bump google-api-python-client from 2.147.0 to 2.151.0 by @dependabot in #5661
- chore(deps): bump google-api-python-client from 2.151.0 to 2.152.0 by @dependabot in #5742
- chore(deps): bump google-api-python-client from 2.152.0 to 2.153.0 by @dependabot in #5763
- chore(deps): bump google-api-python-client from 2.153.0 to 2.154.0 by @dependabot in #5851
- chore(deps): bump microsoft-kiota-abstractions from 1.3.3 to 1.6.0 by @dependabot in #5662
- chore(deps): bump microsoft-kiota-abstractions from 1.6.0 to 1.6.2 by @dependabot in #5720
- chore(deps): bump msgraph-sdk from 1.8.0 to 1.11.0 by @dependabot in #5687
- chore(deps): bump msgraph-sdk from 1.11.0 to 1.12.0 by @dependabot in #5722
- chore(deps): bump slack-sdk from 3.33.1 to 3.33.3 by @dependabot in #5688
- chore(deps): bump slack-sdk from 3.33.3 to 3.33.4 by @dependabot in #5837
- chore(deps): bump trufflesecurity/trufflehog from 3.83.2 to 3.83.3 by @dependabot in #5647
- chore(deps): bump trufflesecurity/trufflehog from 3.83.3 to 3.83.4 by @dependabot in #5692
- chore(deps): bump trufflesecurity/trufflehog from 3.83.4 to 3.83.5 by @dependabot in #5708
- chore(deps): bump trufflesecurity/trufflehog from 3.83.5 to 3.83.6 by @dependabot in #5723
- chore(deps): bump trufflesecurity/trufflehog from 3.83.6 to 3.83.7 by @dependabot in #5819
- chore(deps): bump trufflesecurity/trufflehog from 3.83.7 to 3.84.0 by @dependabot in #5862
- chore(deps): bump trufflesecurity/trufflehog from 3.84.0 to 3.84.1 by @dependabot in #5870
- chore(deps-dev): bump black from 24.8.0 to 24.10.0 by @dependabot in #5667
- chore(deps-dev): bump coverage from 7.6.1 to 7.6.4 by @dependabot in #5686
- chore(deps-dev): bump coverage from 7.6.4 to 7.6.6 by @dependabot in #5793
- chore(deps-dev): bump coverage from 7.6.6 to 7.6.7 by @dependabot in #5795
- chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.9 to 1.3.0 by @dependabot in #5704
- chore(deps-dev): bump mkdocs-material from 9.5.39 to 9.5.44 by @dependabot in #5659
- chore(deps-dev): bump mkdocs-material from 9.5.44 to 9.5.45 by @dependabot in #5852
- chore(deps-dev): bump pytest-cov from 5.0.0 to 6.0.0 by @dependabot in #5666
- chore(deps-dev): bump pytest-randomly from 3.15.0 to 3.16.0 by @dependabot in #5705
- chore(deps-dev): bump safety from 3.2.8 to 3.2.9 by @dependabot in #5681
- chore(deps-dev): bump vulture from 2.12 to 2.13 by @dependabot in #5665
- chore(ec2): add name from image information to status_extended by @puchy22 in #5755
- chore(iam): add exception for public policy in EKS service by @puchy22 in #4759
- chore(iam): add missing service catalog permissions by @MrCloudSec in #5816
- chore(labeler): Add compliance by @jfagoagas in #5790
- chore(README): update summary table by @MrCloudSec in #5633
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5655
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5694
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5709
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5732
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5744
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5771
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5784
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5802
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5824
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5839
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5863
- chore(version): update Prowler version by @MrCloudSec in #5642
- docs(aws): improve docstrings by @pedrooot in #5714
- docs(azure): improve docstrings by @pedrooot in #5715
- docs(gcp): improve docstrings by @pedrooot in #5716
- docs(kubernetes): improve docstrings for methods by @pedrooot in #5717
- docs: Update
contact.md
with new Slack join URL by @metahertz in #5671 - refactor(arn): fine tune arn and resources id for unknown values by @pedrooot in #5841
- refactor(arn): refactor arn for unknown resources by @pedrooot in #5712
- refactor(aws): Rename get_regions and validate partition by @jfagoagas in #5772
- refactor(azure): get locations with self session by @pedrooot in #5751
New Contributors
- @drewkerrigan made their first contribution in #5644
- @metahertz made their first contribution in #5671
- @vicferpoy made their first contribution in #5774
Full Changelog: 4.5.3...4.6.0