New features:

• Refactored code:
  • reduced number of lines in prowler main script and add includes folder with parts to easily find and manage all components
  • dedicated folder for checks, a check per file,
  • same for groups of checks, now we can create custom groups and run Prowler against your custom group (for example only the checks that your company needs).
  • moved Dockerfile to utils folder.
  • moved IAM policy additions to iam folder
• Output changed PASS and FAIL instead of OK and WARNING messages displayed.
• Option -g <group_id>: run specific group from the existing or new one
• Option -b: hide banner
• Check whitelisting: thanks to the new groups management, you can create your own checks based on your needs.
• Custom checks: now it is easier to add a new check, just create your check based on the sample one and add it to a group, or create your own group.
• Added version to the banner and changed description
• Added new check extra723 that looks for public RDS snapshots (single and cluster)
• Added check extra724 Certificate Transparency
• Added check ID on every check and group title.
• Added check extra725 S3 object-level logging (extras and forensics)
• Added check extra726 Trusted Advisor errors and warnings
• Added check extra727 SQS queues have policy public
• Added check extra728 SQS queues have encryption enabled
• Added -V flag to see version
• Added check extra729 no EBS Volumes unencrypted
• Added check extra730 ACM Certificates are about to expire in 7 days or less
• Added check extra731 SNS topics have policy set as Public
• Added check extra732 Geo restrictions are enabled in CloudFront distributions
• Added check extra733 SAML Providers then STS can be used
• Added check extra734 S3 buckets have default encryption (SSE) enabled and policy to enforce it
• Added check extra735 RDS instances storage is encrypted
• Added check extra736 exposed KMS keys
• Added check extra737 KMS keys with key rotation disabled
• Added check extra738 CloudFront distributions are set to HTTPS
• Added check extra739 ELBs have logging enabled
• Added check extra740 EBS snapshots are encrypted
• JSON support as output mode -M json, thanks to @hb3b
• Added support to run on Fargate and uses metadata for credentials, thanks to @mattfinlayson
• Added group checks for GDPR and HIPAA, thanks to @crashGoBoom for helping out with HIPAA

Improvements:

• Adapted to the latest CIS for AWS 1.2, thanks to @gpatt
• option -l now shows all groups not only default ones, with all its checks title.
• changed #!/bin/bash to #!/usr/bin/env bash #182 thanks to @doshitan
• check28 #181 thanks to @doshitan
• check41 and check44 #180 thanks to @subramani95
• Changed output functions to textInfo, textFail and textPass
• Hide banner on CSV output mode for group check
• Added version to banner
• Improved current directory handler for includes
• Improved error handling on check111
• Improved instance profile handling issue #200, thanks to @netflash and @ceyes
• Improved default region handling issue #202, thanks to @ceyes
• Improvements on account ID handling in CSV output issue #205, thanks to @MrSecure
• Improved check28, thanks to @nexeck
• Improved check_extra73 to support graceful failing of buckets with corrupt/unintended permissions, thanks to @hb3b
• Improved check111, thanks to @roo7break and @martinusnel
• Improved check27
• Improved group error handling
• Improved check115, check315 and check13 and its documentaion, thanks to @rheak
• Improved extra725, thanks to @martinusnel
• Improved username filtering for check12 for CIS 1.2, thanks to @gpatt
• Improved username filtering for check116 for CIS 1.2, thanks to @gpatt
• Improved extra713, thanks to @mbode
• Improved credentials handling, thanks to @flomotlik
• Improved check112 to avoid extra API call, thanks to @jlamande
• Improved check29, thanks @onkymykiss1

Fixes:

• check22 #194 thanks to @mbode
• check717 #188 thanks to @ahhh
• Fixed required IAM permissions #187 thanks to @rtkjbillo
• Disable concurrency checks to check_extra73 due to API limits
• Fixed issue #268
• Mark CIS level2 and 2 properly, also marker to sample check thanks to @MrSecure
• Fixed mismatched check_type on check18 thanks to @MrSecure
• Fixed typo on check311 thanks to @MrSecure
• Ensure credential report is available before running any checks thanks to @MrSecure
• Fixed checks on group3 to prevent duplicates, thanks to @myoung34
• Fixed extra73 to use $PROFILE_OPT properly, thanks to @sidewinder12s
• Fixed checks extra727 and extra728 to use $PROFILE_OPT properly, thanks to @tmonk42
• Fixed check14, thanks to @atomdampflok
• Fixed checks listing, thanks to @UranusBytes
• Fixed check13 for never logged users, thanks to @jlamande

Documentation:

• Added new way to create custom checks and custom groups
• Improved Prowler description
• Added command to save report to S3
• Update all CIS document links to AWS version thanks to @sidewinder12s
• Changed license for checks that are not CIS and rest of code but CIS checks to Apache 2.0
• Added license and commercial use disclaimer to README
• Added info about GDPR and HIPAA
• Improved README formatting and typos, thanks to @craighurley and @slmingol
• Added new needed IAM roles, thanks to @yapale, @mixmatch and @jlamande

Special thanks to:

@philipmeadows for his help and ideas on code refactoring