Prowler 2.8.1

What's Changed

• fix(bucket_region): check extra764 doesn't handle bucket region properly by @sergargar in #1077
• fix(detect-secrets): Include missing colon to link values by @jfagoagas in #1078

Full Changelog: 2.8.0...2.8.1

Prowler 2.8.0 - The Ides of March

The Ides of March is an instrumental song that opens the second studio album of Iron Maiden called Killers. This song is great as an opening, March is the month when spring starts in my side of the world, is always time for optimism. Ides of March also means 15 of March in the Roman calendar (and the day of the assassination of Julius Caesar). Enjoy the song here.

We have put our best to make this release and with important help of the Prowler community of cloud security engineers around the world, thank you all! Special thanks to the Prowler full time engineers @jfagoagas, @n4ch04 and @sergargar! (and Bruce, my dog) ❤️

Important changes in this version (read this!):

Now, if you have AWS Organizations and are scanning multiple accounts using the assume role functionality, Prowler can get your account details like Account Name, Email, ARN, Organization ID and Tags and add them to CSV and JSON output formats. More information and usage here.

New Features

• 1 New check for S3 buckets have ACLs enabled by @jeffmaley in #1023 :
  7.172 [extra7172] Check if S3 buckets have ACLs enabled - s3 [Medium]
• feat(metadata): Include account metadata in Prowler assessments by @toniblyx in #1049

Enhancements

• Add whitelist examples for Control Tower resources by @lorchda in #1013
• Skip packages with broken dependencies when upgrading system by @dlorch in #1009
• Docs: Improve check_sample examples, add general comments by @lazize in #1039
• Added timestamp to temp folders for secrets related checks by @sectoramen in #1041
• Make python3 default in Dockerfile by @sectoramen in #1043
• Docs(readme): Fix typo by @jfagoagas in #1072
• Add(filter-region): Support comma separated regions by @thetemplateblog in #1071

Fixes

• Fix issue extra75 reports default SecurityGroups as unused #1001 by @jansepke in #1006
• Fix issue extra793 filtering out network LBs #1002 by @jansepke in #1007
• Fix formatting by @lorchda in #1012
• Fix docker references by @mike-stewart in #1018
• Fix(check32): filterName base64encoded to avoid space problems in filter names by @n4ch04 in #1020
• Fix: when prowler exits with a non-zero status, the remainder of the block is not executed by @lorchda in #1015
• Fix(extra7148): Error handling and include missing policy by @toniblyx in #1021
• Fix(extra760): Error handling by @lazize in #1025
• Fix(CODEOWNERS): Rename team by @jfagoagas in #1027
• Fix(include/outputs): Whitelist logic reformulated to exactly match input by @n4ch04 in #1029
• Fix CFN CodeBuild example by @mmuller88 in #1030
• Fix typo CodeBuild template by @dlorch in #1010
• Fix(extra736): Recover only Customer Managed KMS keys by @jfagoagas in #1036
• Fix(extra7141): Error handling and include missing policy by @lazize in #1024
• Fix(extra730): Handle invalid date formats checking ACM certificates by @jfagoagas in #1033
• Fix(check41/42): Added tcp protocol filter to query by @n4ch04 in #1035
• Fix(include/outputs):Rolling back whitelist checking to RE check by @n4ch04 in #1037
• Fix(extra758): Reduce API calls. Print correct instance state. by @lazize in #1057
• Fix: extra7167 Advanced Shield and CloudFront bug parsing None output without distributions by @NMuee in #1062
• Fix(extra776): Handle image tag commas and json output by @jfagoagas in #1063
• Fix(whitelist): Whitelist logic reformulated again by @n4ch04 in #1061
• Fix: Change lower case from bash variable expansion to tr by @lazize in #1064
• Fix(check_extra7161): fixed check title by @n4ch04 in #1068
• Fix(extra760): Improve error handling by @lazize in #1055
• Fix(check122): Error when policy name contains commas by @plarso in #1067
• Fix: Remove automatic PR labels by @jfagoagas in #1044
• Fix(ES): Improve AWS CLI query and add error handling for ElasticSearch/OpenSearch checks by @lazize in #1032
• Fix(extra771): jq fail when policy action is an array by @lazize in #1031
• Fix(extra765/776): Add right region to CSV if access is denied by @roman-mueller in #1045
• Fix: extra7167 Advanced Shield and CloudFront bug parsing None output without distributions by @NMuee in #1053

New Contributors

• @jansepke made their first contribution in #1006
• @lorchda made their first contribution in #1012
• @mike-stewart made their first contribution in #1018
• @n4ch04 made their first contribution in #1020
• @jeffmaley made their first contribution in #1023
• @roman-mueller made their first contribution in #1045
• @NMuee made their first contribution in #1053
• @plarso made their first contribution in #1067
• @thetemplateblog made their first contribution in #1071
• @sergargar made their first contribution in #1073

Full Changelog: 2.7.0...2.8.0

Prowler 2.7.0 - Brave

This release name is in honor of Brave New World, a great song of 🔥Iron Maiden🔥 from their Brave New World album. Dedicated to all of you looking forward to having the world we had before COVID... We hope is not hitting you bad. Enjoy!

Important changes in this version (read this!):

• As you can see, Prowler is now in a new organization called https://github.com/prowler-cloud/.
• When Prowler doesn't have permissions to check a resources or service it gives an INFO instead of FAIL. We have improved all checks error handling in those use cases when the CLI responds with a AccessDenied, UnauthorizedOperation or AuthorizationError.
• From this version, master branch will be the latest available code and we will keep the stable code as each release, if you are installing or deploying Prowler using git clone to master take that into account and use the latest release instead, i.e.: git clone --branch 2.7 https://github.com/prowler-cloud/prowler or curl https://github.com/toniblyx/prowler/archive/refs/tags/2.7.0.tar.gz -o prowler-2.7.0.tar.gz
• For known issues please see https://github.com/prowler-cloud/prowler/issues the ones open with bug as a red tag.
• Discussions is now open in the Prowler repo https://github.com/prowler-cloud/prowler/discussions, feel free to use it if that works for you better than the current Discord server.
• 11 new checks!! Thanks to @michael-dickinson-sainsburys, @jonloza, @rustic, @Obiakara, @Daniel-Peladeau, @maisenhe, @7thseraph and @tekdj7. Now there have a total of 218 checks. See below for details.
• An issue with Security Hub integration when resolving closed findings are either a lot of new findings, or a lot of resolved findings is now working as expected thanks to @Kirizan
• When credential are in environment variable it failed to review, that was fixed by @lazize
• See below new features and more details for this version.

New Features

• 11 New checks for Redshift, EFS, CloudWatch, Secrets Manager, DynamoDB and Shield Advanced:

7.160 [extra7160] Check if Redshift has automatic upgrades enabled - redshift [Medium]
7.161 [extra7161] Check if EFS have protects sensative data with encryption at rest - efs [Medium]
7.162 [extra7162] Check if CloudWatch Log Groups have a retention policy of 365 days - cloudwatch [Medium]
7.163 [extra7163] Check if Secrets Manager key rotation is enabled - secretsmanager [Medium]
7.164 [extra7164] Check if CloudWatch log groups are protected by AWS KMS  - logs [Medium]
7.165 [extra7165] Check if DynamoDB: DAX Clusters are encrypted at rest - dynamodb [Medium]
7.166 [extra7166] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced - shield [Medium]
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
7.168 [extra7168] Check if Route53 hosted zones are protected by AWS Shield Advanced - shield [Medium]
7.169 [extra7169] Check if global accelerators are protected by AWS Shield Advanced - shield [Medium]
7.170 [extra7170] Check if internet-facing application load balancers are protected by AWS Shield Advanced - shield [Medium]
7.171 [extra7171] Check if classic load balancers are protected by AWS Shield Advanced - shield [Medium]

• Add -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option by @sectoramen in #974
• Add new functions to backup and restore initial AWS credentials, for better handling chaining role by @sectoramen in #978
• Add additional action permissions for Glue and Shield Advanced checks by @lazize in #995

Enhancements

• Update Dockerfile to use Amazon Linux container image by @Kirizan in #972
• Update Readme: -T option is not mandatory by @jfagoagas in #944
• Add $PROFILE_OPT to CopyToS3 commands by @sectoramen in #976
• Remove unneeded package "file" from Dockerfile by @sectoramen in #977
• Update docs (templates): Improve bug template with more info by @jfagoagas in #982

Fixes

• Fix in README and multiaccount serverless deployment templates by @dlorch in #939
• Fix assume-role: check if -T and -A options are set together by @jfagoagas in #945
• Fix group25 FTR by @lopmoris in #948
• Fix in README link for group25 FTR by @lopmoris in #949
• Fix issue #938 assume_role multiple times by @halfluke in #951
• Fix and clean assume-role to better handle AWS STS CLI errors by @jfagoagas in #946
• Fix issue with Security Hub integration when resolving closed findings are either a lot of new findings, or a lot of resolved findings by @Kirizan in #953
• Fix broken link in README.md by @rtcms in #966
• Fix checks with comma issues in checks by @j2clerck in #975
• Fix: Credential chaining from environment variables by @lazize in #996

New Contributors

• @jonloza made their first contribution in #932
• @Obiakara made their first contribution in #935
• @dlorch made their first contribution in #939
• @Daniel-Peladeau made their first contribution in #937
• @lopmoris made their first contribution in #948
• @halfluke made their first contribution in #951
• @maisenhe made their first contribution in #956
• @rtcms made their first contribution in #966
• @sectoramen made their first contribution in #974
• @j2clerck made their first contribution in #975
• @lazize made their first contribution in #995

Full Changelog: 2.6.1...2.7

Prowler 2.6.1

What's Changed

• e4edb5e - Enhancement IAM assumed role session duration error handling by @jfagoagas
• 3e78f01 - Fix Terraform Kickstarter path in README by @z0ph
• cee6437 - Fix issue #926 resource id and remediation typo
• b251f31 - Fix issue #925 replace sensible by sensitive in multiple checks
• 50de9f2 - Fix output for checks check3x when no CW group is in place
• a6ba580 - Fix severity case variable

New Contributors

• @z0ph made their first contribution in #927
• Thanks @fredski-github for reporting bugs.

Full Changelog: 2.6.0...2.6.1

Prowler 2.6.0 - Phantom

Prowler 2.6.0 - Phantom

This release name is in honor to Phantom of the Opera, one of my favorite songs and a master piece of 🔥Iron Maiden🔥. It starts by "I've been lookin' so long for you now" like looking for security issues, isn't it? 🤘🏼 Enjoy it here while reading the rest of this note.

Important changes in this version:

• CIS level parameter (ITEM_LEVEL) has been reverted to the csv, json and html outputs (it was removed in 2.5), CIS Scored is not added since it is not relevant in the global Prowler reports. dd398a9
• Security Hub integration has been fixed due to a conflict with duplicated findings in the management account by @xeroxnir
• 12 New checks!! Thanks to @kbgoll05, @qumei, @georgie969, @ShubhamShah11, @jarrettandrulis, @dsensibaugh, @ShubhamShah11, @ManuelUgarte, @tekdj7: Now there are a total of 207. See below for details.
• Known issues, please review https://github.com/toniblyx/prowler/issues?q=is%3Aissue+is%3Aopen+label%3Abug.
• Now there is a Discord server for Prowler available, check it out in README.md.
• There is a maintained Docker Hub repo for Prowler and AWS ECR public repo as well. See badges in README.md for details.
• See below new features for more details of new cool stuff in this version.

New Features:

• 12 New checks for efs, redshift, elb, dynamodb, route53, cloiudformation, elb and apigateway:

7.148 [extra7148] Check if EFS File systems have backup enabled - efs [Medium]
7.149 [extra7149] Check if Redshift Clusters have automated snapshots enabled - redshift [Medium]
7.150 [extra7150] Check if Elastic Load Balancers have deletion protection enabled - elb [Medium]
7.151 [extra7151] Check if DynamoDB tables point-in-time recovery (PITR) is enabled - dynamodb [Medium]
7.152 [extra7152] Enable Privacy Protection for for a Route53 Domain - route53 [Medium]
7.153 [extra7153] Enable Transfer Lock for a Route53 Domain - route53 [Medium]
7.154 [extra7154] Enable termination protection for Cloudformation Stacks - cloudformation [MEDIUM]
7.155 [extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode - elb [MEDIUM]
7.156 [extra7156] Checks if API Gateway V2 has Access Logging enabled - apigateway [Medium]
7.157 [extra7157] Check if API Gateway V2 has configured authorizers - apigateway [Medium]
7.158 [extra7158] Check if ELBV2 has listeners underneath - elb [Medium]
7.159 [extra7159] Check if ELB has listeners underneath - elb [Medium]

• New checks group FTR (AWS Foundational Technical Review) by @jfagoagas
• New feature added flags Z to control if Prowler returns exit code 3 on a failed check by @Kirizan in #865
• New Prowler Terraform Kickstarter by @singergs
• New way to deploy Prowler at Organizational level with serverless by @bella-kwon
• New feature: adding the ability to provide a file for checks -C to be ran by @Kirizan in #891

Enhancements:

• Enhanced scoring when only INFO is detected
• Enhanced ignore archived findings in GuardDuty for check extra7139 by @chbiel in https://github.com/toniblyx/prowler
• /pull/851
• Updated prowler-codebuild-role name for CFN StackSets name length limit by @varunirv in #846
• Added feature to allow role ARN while using -R parameter by @mmuller88 in #860
• Updated documentation regarding a confusion with the -q option (issue #884) by @w0rmr1d3r in #890

Fixes:

• Fixed extra737 remove false positives due to policies with condition by @rinaudjaws in #849
• Fixed title, remediation and doc link for check extra768 by @w0rmr1d3r in #853
• Fixed typo in risk description for check29 by @kamiryo in #858
• Fixed bug in extra784 by @tayivan-sg in #856
• Fixed support policy arn in check120 by @hersh86 in #862
• Fixed typo and HTTP capitalisation in extra7142 by @acknosyn in #863
• Fixed Security Hub conflict with duplicated findings in the management account #711 by @xeroxnir in #873
• Fixed doc reference link in check23 @FallenAtticus by @FallenAtticus in #864
• Fixed duplicated region in textFail message for extra741 by @pablopagani in #880
• Updated parts from check7152 accidentally left in by @jarrettandrulis in #895
• Fix check extra734 about S3 buckets default encryption with StringNotEquals by @rustic in #896
• Fix Shodan typo in -h usage text by @jfagoagas in #899
• Fixed typo in README.md by @bevel-zgates in #908

New Contributors

• @varunirv made their first contribution in #846
• @rinaudjaws made their first contribution in #849
• @chbiel made their first contribution in #851
• @tayivan-sg made their first contribution in #856
• @bella-kwon made their first contribution in #857
• @mmuller88 made their first contribution in #860
• @hersh86 made their first contribution in #862
• @acknosyn made their first contribution in #863
• @FallenAtticus made their first contribution in #864
• @georgie969 made their first contribution in #866
• @ManuelUgarte made their first contribution in #869
• @jarrettandrulis made their first contribution in #875
• @ShubhamShah11 made their first contribution in #877
• @dsensibaugh made their first contribution in #889
• @rustic made their first contribution in #896
• @zqumei0 made their first contribution in #894
• @bevel-zgates made their first contribution in #908

Full Changelog: 2.5.0...2.6.0

Thank you all for your contributions, Prowler community is awesome! 🥳

Prowler 2.5.0 - Senjutsu

Prowler 2.5.0 - Senjutsu

This new version was planned to celebrate AWS re:Inforce that would have taken place on August 24th and 25th but has been cancelled and the new studio album of Iron Maiden (Senjutsu) to be released on September 3rd 2021. In any case, enjoy this new version. More cool stuff coming soon!

Prowler would have been present in the re:Inforce 2021 conference with a pretty expected workshop called "Building Prowler into a QuickSight powered AWS security dashboard". Templates and workshop link to be public soon. For updates follow me on Twitter: https://twitter.com/ToniBlyx.

As Prowler keeps growing in user base and downloads (averages 1400 clones/day), there are more contributions and I want to thank you all for your feedback and code. Please keep contributing to make the Internet more secure.

New Features:

Please read carefully this new features and changes (for CSV output and also to improve the data in json ASFF for Security Hub integration) if you have integrations using CSV, it may affect you.

• New CSV headers, added PROWLER_START_TIME:
  PROFILE{SEP}ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC,CHECK_RESOURCE_ID,PROWLER_START_TIME.
• 14 New checks (@jfagoagas, @nayabpatel, @Outrun207 and @pablopagani):

7.134 [extra7134] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21  - ec2 [High]
7.135 [extra7135] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092  - ec2 [High]
7.136 [extra7136] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23  - ec2 [High]
7.137 [extra7137] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434  - ec2 [High]
7.138 [extra7138] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port - ec2 [High]
7.139 [extra7139] There are High severity GuardDuty findings  - guardduty [High]
7.140 [extra7140] Check if there are SSM Documents set as public - ssm [High]
7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
7.142 [extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based http request smuggling - elb [Medium]
7.143 [extra7143] Check if EFS have policies which allow access to everyone - efs [Critical]
7.144 [extra7144] Check if CloudWatch has allowed cross-account sharing - cloudwatch [Medium]
7.145 [extra7145] Check if Lambda functions have policies which allow access to any AWS account - lambda [Critical]
7.146 [extra7146] Check if there is any unassigned Elastic IP - ec2 [Low]
7.147 [extra7147] Check if S3 Glacier vaults have policies which allow access to everyone - glacier [Critical]

• Docker images are available in the official ECR https://gallery.ecr.aws/prowler/prowler (if you run Prowler with Fargate this will help you). Images at https://hub.docker.com/r/toniblyx/prowler won't be updated.
• Now when using -M option prowler shows standard output but saves desired reports in background
• Added code for better experience running Prowler in AWS CloudShell @hackersifu
• Added support for custom output folder and S3 bucket (see ./prowler -h for details) using bucket-owner-full-control.
• Added support for custom output file (see ./prowler -h for details) @yangsec888
• Added servicename to the title for ASFF and used for QuickSight dashboard
• Added resourceid and more metadata to the ASFF file to be imported in Security Hub @singergs
• Added s3 and glue required permissions and removed obsoletes
• Added section with info about regions in README.md
• Added WAF CLASSIC check for extra7129 @kamiryo
• Added severity and servicename to the default output, removed blue color on check ID.
• Removed duplicated checks extra756 and extra737 @w0rmr1d3r

Enhancements:

• HTML report: filtering and other nice things @nickmalcolm
• License file and banner cosolidation
• Now it shows default output regardless custom outputs called with -M
• Clean up check title without info related to CIS (like scored, etc. CIS support still in Prowler)
• Updated Docker image to Alpine to 3.13 and with py3-pip in Dockerfile @gliptak
• Improved error handling sts get-caller-identity @pablopagani
• Improved error handling when listing regions @pablopagani
• Updated html report color contrast for WCAG 2.1 accessibility standards @danielperez660
• Updated Prowler additions policy
• Updated check12 - Missing MFA at the beginning of remediation @thorkill
• Removed CSV header in stdout
• Updated README to include reference to CloudShell https://github.com/toniblyx/prowler/tree/2.5/util/cloudshell @hackersifu
• Updated README with better coverage of -f <filterregion> usage info

Fixes:

• Fixed Security Hub integration error resource type is always empty #776
• Fixed credential renewal broke on Alpine Linux #775
• Fixed check extra747 grammar #774
• Fixed grammar issue in scoring @w0rmr1d3r
• Fixed check21 to fail if trail is off
• Fixed aws organizations multi-account deployment s3 upload issue @owlvat
• Corrected bug on groups when listing checks @pablopagani
• Fixed issue #811 @h1008
• Fixed kms keys compatibility in cli v2 and v1 @dbellizzi
• Fixed typo in check extra7141 ID
• Fixed alias of extra7139
• Fixed link to doc for check45 check46 extra7138 and extras

*If you have made a contribution to this released and I missed your Github id here, my apologies and please let me know to include you. Thank you!

Prowler 2.4.1

Prowler 2.4.1

Fixes

Fixed Security Hub integration error resource type is always empty #776
Fixed credential renewal broke on Alpine Linux #775
Fixed check extra747 grammar #774

Prowler 2.4.0

Prowler 2.4.0

New version, new logo and new features, many community contributions, fixes and improvements.

Thanks to all the community for the continuous effort, contributing in many ways, including code and feedback. Prowler is being used by thousands of users and making your cloud infrastructure more secure. THANK YOU.

New Features:

Please read carefully this new features and changes (mostly for CSV output changes) if you have integrations, it may affect you.

Added Risk, Remediation, Link to doc and CAF security epics to controls @pablopagani
Added support for new fields Risk, Remediation, Link to doc and CAF security epics to CSV and HTML outputs. New fields are:
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
Added severity field to CSV and HTML output reports
Added new logo, screenshots and improved documentation sections
Added -N <shodan_api_key> support for extra7102
Added [extra736] Check exposed KMS keys to group internet-exposed
Added [extra798] Check if Lambda functions have resource-based policy set as Public
Added [extra799] Check if Security Hub is enabled and its standard subscriptions
Added 4 new EKS checks @jonjozwiak
Added access checks for several checks @zfLQ2qx2
Added additional checks to HIPAA group @gchib297
Added additional GDPR checks to GDPR group @gchib297
Added all new Sagemaker checks to extras
Added allow list All findings in single view in html report
Added AWS partition variable to the ASFF output format
Added AWS service name to json, csv and html outputs
Added back extra798
Added Better handle permissions and errors
Added CFN template helper for role
Added check extra7113
Added check extra798 to gdpr and pci groups @gchib297
Added check extra798 to iso27001 @gchib297
Added check extra798 to PCI
Added check for AccessDenied when calling GetBucketLocation in extra73,extra734,extra764 @zfLQ2qx2
Added Check for errors generating credential report, limit loop iterations @zfLQ2qx2
Added check for RDS enhanced monitoring @mpratsch
Added check if Enhanced monitoring is enabled on RDS instances
Added check23 to group17_internetexposed group @RyanJarv
Added check7130 to group7_extras and Fixed some issues
Added checks about EKS to groups internet-exposed and forensics
Added CodeBuild deployment section
Added CodeBuild template original from @stevecjones
Added coreutils to Dockerfile
Added EKS checks to eks-cis and extras group @jonjozwiak
Added Enable Security Hub official integration @toniblyx
Added ENS group with new checks
Added extra7102 ElasticIP Shodan integration
Added extra7102 to groups extras and internetexposed
Added extra7113: Check RDS deletion protection
Added extra7113: Check RDS instances deletion protection @gchib297
Added extra7133 RDS multi-AZ
Added extra796 EKS control plane access to internet-exposed group
Added extra799 and extra7100 to group extras
Added FFIEC cybersecurity assessment group @gchib297
Added Fixed to generate test summary so reports display graphs correctly @stevecjones
Added get_regions function in order to call after assume_role @HG00
Added GetFindings action to example IAM policy for Security Hub
Added Glue checks additional  @dlpzx
Added Glue checks part 1 @ramondiez
Added GovCloud usage information
Added group for ENS Spanish Esquema Nacional de Seguridad
Added group for pci-dss as reference
Added group internet-exposed
Added group18 for ISO27001 thanks to @gchib297 issue #637
Added high level architecture
Added html to -M in usage
Added IAM to extra7100 title
Added latest checks to extras group
Added more checks mappings to ISO27001 group and reordered the list @mario-platt
Added New 7 checks required for ENS
Added new check [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled
Added New check 7.98 [extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) @nickmalcolm
Added new check extra_7130 to check encryption of a SNS topic @mpratsch
Added new check extra7131 RDS minor version upgrade
Added new check extra793 for SSL listeners on load balancers @jonjozwiak
Added new extras check (7130) to check encryption of a SNS topic
Added New group for Sagemaker with 10 new controls
Added parameters and made the template parameterised @pacohope
added parameters and made the template parameterised.
Added Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys
Added script to generate html report from multiple csv outputs
Added service name to all checks
Added service name to sample check
Added session durantion option to 12h
Added sleep to extra7102 to avoid Shodan API limits
Added SOC2 compliance group @gchib297
Added start build automatically
Added Support custom folder checks when running all checks @xeroxnir
Added support to run inside AWS CloudShell
Added Whitelist feature improvements @QuinnStevens

Enhancements:

Enhanced Accept current most restrictive TLSv1.2-only ALB security policy as secure
Enhanced Adapt check119 to exclude instances shutting down @stku1985
Enhanced Additional check for location of awscli @zfLQ2qx2
Enhanced Adjusted severity like in Security Hub @xeroxnir
Enhanced Allow list checks and groups without credentials
Enhanced better handle permissions and errors
Enhanced Catch errors assuming role and describing regions @zfLQ2qx2
Enhanced check extra740: reworked to consider all snapshots, use JMESPath query @pacohope
Enhanced check extra792 to accept current most restrictive TLSv1.2 @bazbremner
Enhanced check119 to exclude instances shutting-down @stku1985
Enhanced clear AWS_DEFAULT_OUTPUT on start @zfLQ2qx2
Enhanced Cloudtrail metrics (check3x) pass if found on any, not every, cloudtrail log @zfLQ2qx2
Enhanced CodeBuild CFN template with scheduler and documentation
Enhanced documentation about SecurityHub integration and region filter
Enhanced Ensure check28 only looks at symmetric keys
Enhanced Ensure that checks are sorted numerically when listing checks @marcjay
Enhanced Ensures JSON is the default AWS command output.
Enhanced error handling without credentials
Enhanced extra7102 increased severity to medium
Enhanced extra792 skip check if no HTTPS/SSL Listener plus Added NLB Support @jonjozwiak
Enhanced feature to refresh assume role credentials before it expires
Enhanced Force default AWS CLI output issue #696 @Kirizan
Enhanced Handle shadow CloudTrails more gracefully in checks check21,check22,check24,check27 @zfLQ2qx2
Enhanced html output with scoring information, risk, remediation, doc link and CAF security epics.
Enhanced Implement OS neutral method of converting rfc3339 dates to epoch @zfLQ2qx2
Enhanced In CSV output, changed NOTES field header by CHECK_RESULT_EXTENDED. New CSV header looks like:
Enhanced PublicIP discovery used in Shodan check_extra7102 @as-km
Enhanced reduce needed actions in additions policy @tekdj7
Enhanced Removed textInfo extra information on extra712
Enhanced Security Hub integration @xeroxnir
Enhanced Security Hub integration improvement and Added severity for checks @xeroxnir
Enhanced Security Hub: Mark as ARCHIVED + Fixed race condition @xeroxnir
Enhanced Updated ProwlerExecRoleAdditionalViewPrivileges Policy with lambda:GetFunction
Enhanced Use describe-network-interfaces instead of describe-addresses in order to get public IPs #768
Enhanced whitelisting to allow regexes and fuzzy/strict matching
Enhanceed Adjusted severity to secrets and Shodan checks

Fixes:

Fixed account id in output file name
Fixed changes made in check27
Fixed check extra73 fail message omits bucket name @zfLQ2qx2
Fixed check for public rds instances
Fixed check_extra7107 condition
Fixed check_extra7116 and check_extra7117
Fixed Check12 BugFixed Remove $ from grep
Fixed check12 when MFA is enabled and user contains true in the name @xeroxnir
Fixed date command for busybox @zfLQ2qx2
Fixed don't fail check extra737 for keys scheduled for deletion
Fixed EKS related checks regarding us-west-1 @njgibbon
Fixed error handling for SubscriptionRequiredException in extra77
Fixed execute_group_by_id @xeroxnir
Fixed extra7103 parser error
Fixed extra7108 parser error
Fixed extra7110 title
Fixed extra7111 parser error
Fixed extra7116 extra7117 outputs and added to extras @ramondiez
Fixed extra737 now doesn't fail for keys scheduled for deletion @QuinnStevens
Fixed for busybox date command
Fixed for check_extra764 @grzegorznittner
Fixed for issue 713
Fixed FreeBSD $OSTYPE check @ring-pete
Fixed getops OPTARG for custom checks @xeroxnir
Fixed include lambda:GetFunction in prowler policy to check AWS Lambda related controls: extra720,extra759,extra760,extra762,extra798
Fixed Include missing AWS function lambda:GetFunction policy in prowler-additions-policy.json to check AWS Lambda @jfagoagas
Fixed issue #624 ID of check_extra792
Fixed issue #659
Fixed issue assuming role in regions with STS disabled
Fixed issue in extra776 when ECR Scanning imageDigest @adamcanzuk
Fixed listing CloudFormation stacks if default output format is not JSON
Fixed listing configurations if default output format is not JSON check119,extra742,extra75 and extra772 @Anthirian
Fixed listing EC2 instances if default output format is not JSON
Fixed li...

Prowler 2.3.0-18122020

Label version 2.3.0-18122020

Prowler 2.3.0RC

List of Contributors for this release:

This new version of Prowler wouldn't be possible without you all. Thanks!

Marc Jay
Urjit Singh Bhatia
Philipp Zeuner
Ngọ Anh Đức
Patrick Downey
Nimrod Kor and the Bridgecrewio guys
Huang Yaming
Marcel Beck
Faraz Angabini
Kasprzykowski
Huang Yaming
Alex Gray
nalansitan
jonjozwiak
dhirajdatar
Julio Delgado Jr
He.Longfei
Christopher Morrow

Reach out to me on Twitter @toniblyx if you have contributed to this release and you have been missed, sorry about that!

New features:

• Security Hub native integration and ASFF format
• Whitelist support
• Multiple reports and formats at the same time (mono,csv,json,json-asff,junit-xml) like prowler-output-accountid-timestamp.json
• Support for Junit output to use it with Jenkins (-M junit-xml)
• New checks for Trusted boundaries, Elasticsearch, IMDSv2, ECR vulnerabilities, more find secrets and VPC security groups. Comprehensive list below.
• Support for assume role and multi-accounts
• Improved support for AWS GovCloud (US)
• Improved support for AWS-CLI v1 and v2

Other improvements:

• Improved listing of Checks and Groups (-l to see all checks, -L for all groups and -l g groupname to list checks in a particular group)
• Enhanced set entropy for detect-secrets from env BASE64_LIMIT and HEX_LIMIT @yumminhuang (3df2786)
• Improved GetCallerIdentity handling / credentials
• Enhanced documentation with more commands and examples

New checks:

• 7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark) [extras, secrets]
• 7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark) [extras]
• 7.77 [extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark) [extras]
• 7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark) [extras]
• 7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports [extras, elasticsearch]
• 7.80 [extra780] Check if Amazon Elasticsearch Service (ES) domains has Amazon Cognito authentication for Kibana enabled [extras, elasticsearch]
• 7.81 [extra781] Check if Amazon Elasticsearch Service (ES) domains has encryption at-rest enabled [extras, elasticsearch]
• 7.82 [extra782] Check if Amazon Elasticsearch Service (ES) domains has node-to-node encryption enabled [extras, elasticsearch]
• 7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains has enforce HTTPS enabled [extras, elasticsearch]
• 7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains internal user database enabled [extras, elasticsearch]
• 7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available [extras, elasticsearch]
• 7.86 [extra786] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (Not Scored) (Not part of CIS benchmark) [extras]
• 7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports [extras, elasticsearch]
• 7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains [extras, elasticsearch]
• 7.89 [extra789] Find trust boundaries in VPC endpoint services connections [trustboundaries]
• 7.90 [extra790] Find trust boundaries in VPC endpoint services whitelisted principles [trustboundaries]

And in case you missed them because they were hidden:

• 7.59 [extra759] Find secrets in Lambda functions variables (Not Scored) (Not part of CIS benchmark) [secrets]
• 7.60 [extra760] Find secrets in Lambda functions code (Not Scored) (Not part of CIS benchmark) [secrets]

Fixes and minor changes:

• Fixed AWS partition variable on generateJsonAsffOutput (f618a16)
• Added back LIST_OF_CHECKS_AND_GROUPS.md (412c9c1)
• Print warnings with the right color code (8cdf383)
• Improve check21 If no account cloudtrail trail is found, check org trail @nimrodkor @bridgecrewio (996f785)
• If no local cloudtrail trail is found - check org trail (dd0ef8c)
• Fix issue with aws-cli v2 and timestamp on check24 #585 (a2cbcc0)
• Fix check12's grep to find users with true in their name who really have password access @nimrodkor @bridgecrewio (5450bf9)
• Ensure that hyphen is at end of tr string to prevent 'reverse collating sequence order' error in GNU tr @marcjay (e4ae0a4)
• Improved AWS partition handle (1f949b4)
• Add $ to end of regex (dbca70e)
• Fix check12's grep to find users who really have password access (54f2b72)
• Fix output modes strings to ensure correct outputs are selected @marcjay (6844733)
• Ensure that hyphen is at end of tr string to prevent 'reverse collating sequence order' error in GNU tr Stop echo from adding newlines using -n, removing the need to stop replacing new-line characters with underscores (e25125f)
• Updated checks with hardcoded arn to support GovCloud partition (13ca147)
• Improved extra734 for GovCloud (dbb3ed9)
• Fixed issue with govcloud on extra764 #536 (7dc790a)
• Improved GetCallerIdentity handling / credentials (8c9aea1)
• Added txt output as mono for -M (9f03bd7)
• Added account id to the output filename (43fb877)
• Simplified caller id info on outputs (ef952ce)
• Check if gbase64 (GNU) is available on Mac and use it in preference to BSD base64 @marcjay (0cca77a)
• Fix -E flag no longer excluding checks @marcjay (5b9cf7f)
• Added CSV header to the output file too #565 (9cbdefc)
• Extend check13 to meet all CIS rules and consolidate with extra774 (ad66254)
• Updated textInfo message on extra712 (d6374f8)
• Enhancement: extra768 only check latest version of ECS task definition (38a970f)
• Get the list of families and then get latest task definition (5b83701)
• Fix invalid references to $i when it should reference a local $group_index variable (8f17933)
• Improved extra716 and extra788 (6747b20)
• Only check latest version of task definition (172f4b2)
• Fix arithmetic expression for calculating test duration (fa17829)
• Add the ability to generate JUnit XML reports with a -J flag (9943903)
• Ignore inline whitelist comments, pass checkid to filter ignores specifically for checks (bf72025)
• Merge branch 'marcjay-simplify-check-id-variables' (4625270)
• Fixed title in group16_trustboundaries (f065beb)
• Added more sample commands and updates (2de49c3)
• Allow multiple report types at once #345 (4ea1864)
• Fixed issue with regions on check21 (11c182c)
• support arn:aws:s3::: on extra725 (036ae64)
• Adjust execute_check() now that check71's ID has changed Fix minor typo in a comment (7e5a4a1)
• Limit CHECK_ID to a single value, handing the left-pad formatting in one place (0f49468)
• Fix: extra741 - Check if User Data is a valid GZIP file before attempting to gunzip @marcjay (df52057)
• Add clarifying text to pass/fail messages (460f656)
• Extra741 - Check if User Data is a valid GZIP file before attempting to gunzip (c4374a2)
• Prowler IAM Policy Enhancements and README Updates @tekdj7 (9be0b3f)
• Extra725 - Improved support cross account and region cloudtrail @patdowney (a426462)
• Extra720 - Support cross account and cross-region cloudtrail @patdowney (8a7344e)
• Fixed check23_error_fails (7f2e097)
• Fixed check26_error_fails (67504e8)
• Fixed check121-filter-out-password-access-513 (3c77130)
• Fixed fix-no-information-extra774-501 (d855432)
• Fixed handle-gnu-date-as-default-on-mac-osx-534 (3e1d9ea)
• Convert tabs to spaces within modified function (24e6919)
• Avoid changing the execution order of checks when some checks are excluded (57c15c2)
• Fixed check121 - Filter out users who do not have a console password (4f623b4)
• Detect when GNU coreutils is installed on Mac OS X and use the correct date functions (d9588f4)
• Remove the varying number of days in the message so that message stays consistent over time (ce1058d)
• Handle IAM credential report containing 'no_information' for a user's last console login date (8d9c7e8)
• Add CHECK_ASFF_RESOURCE_TYPE variables for recently added checks (c02811f)
• Remove --output text in CLOUDTRAILBUCKET_LOGENABLED (7982cc4)
• Support cross-region and cross-account object-level cloudtrail logs for S3 (b6adfd5)
• Remove HomeRegion predicate from describe-trails in extras725 (78ccc7d)
• Use TrailARN property to query get-event-selectors in checks_extra725 (fc83a98)
• Added new checks to group extras (effc3eb)
• Improvements and new checks for elasticsearch (6ea37b0)
• Remove HomeRegion predicate from describe-trails to look for cross-region trails too (84711d1)
• Use TrailARN property to query get-event-selectors (4ff6856)
• Fixed typo in extra786 (9c4e629)
• New check for Metadata Service Version 2 #413 (bd432fe)
• Improved policy handling on extra716 (b5e1c90)
• Improved policy handling on extra716 (afb908f)
• v2.2.1 with new function and Improved extra779 and extra716 (e567ccb)
• Improved extra716 filters and auth check (2e2fe96)
• Added custom ports variable to extra779 (1ae5d5d)
• Ignore imported ACM Certificate in check_extra724 (1419d48)
• Added connection test for port 9300 in both linux and macosx on extra779 (8faf1f4)
• Updated ES check titles and results (eae4722)
• Enhanced extra...