MyGit

2.4.0

prowler-cloud/prowler

Release date: 2021-04-09 22:55:54

Latest release of prowler-cloud/prowler: 4.3.7 (2024-09-24 03:55:00)

Prowler 2.4.0

New version, new logo and new features, many community contributions, fixes and improvements.


Thanks to all the community for the continuous effort, contributing in many ways, including code and feedback. Prowler is being used by thousands of users and making your cloud infrastructure more secure. THANK YOU.

New Features:

Please read these new features and changes carefully (especially the CSV output changes) if you have integrations, as they may affect you.

- Added Risk, Remediation, Link to doc and CAF security epics to controls @pablopagani
- Added support for new fields Risk, Remediation, Link to doc and CAF security epics to CSV and HTML outputs. New fields are: PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
- Added severity field to CSV and HTML output reports
- Added new logo, screenshots and improved documentation sections
- Added -N <shodan_api_key> support for extra7102
- Added [extra736] Check exposed KMS keys to group internet-exposed
- Added [extra798] Check if Lambda functions have resource-based policy set as Public
- Added [extra799] Check if Security Hub is enabled and its standard subscriptions
- Added 4 new EKS checks @jonjozwiak
- Added access checks for several checks @zfLQ2qx2
- Added additional checks to HIPAA group @gchib297
- Added additional GDPR checks to GDPR group @gchib297
- Added all new Sagemaker checks to extras
- Added allow list
- All findings in single view in html report
- Added AWS partition variable to the ASFF output format
- Added AWS service name to json, csv and html outputs
- Added back extra798
- Added better handling of permissions and errors
- Added CFN template helper for role
- Added check extra7113
- Added check extra798 to gdpr and pci groups @gchib297
- Added check extra798 to iso27001 @gchib297
- Added check extra798 to PCI
- Added check for AccessDenied when calling GetBucketLocation in extra73, extra734, extra764 @zfLQ2qx2
- Added check for errors generating credential report, limit loop iterations @zfLQ2qx2
- Added check for RDS enhanced monitoring @mpratsch
- Added check if Enhanced Monitoring is enabled on RDS instances
- Added check23 to group17_internetexposed group @RyanJarv
- Added check7130 to group7_extras and fixed some issues
- Added checks about EKS to groups internet-exposed and forensics
- Added CodeBuild deployment section
- Added CodeBuild template, original from @stevecjones
- Added coreutils to Dockerfile
- Added EKS checks to eks-cis and extras group @jonjozwiak
- Added Enable Security Hub official integration @toniblyx
- Added ENS group with new checks
- Added extra7102 ElasticIP Shodan integration
- Added extra7102 to groups extras and internetexposed
- Added extra7113: Check RDS deletion protection
- Added extra7113: Check RDS instances deletion protection @gchib297
- Added extra7133 RDS multi-AZ
- Added extra796 EKS control plane access to internet-exposed group
- Added extra799 and extra7100 to group extras
- Added FFIEC cybersecurity assessment group @gchib297
- Added fix to generate test summary so reports display graphs correctly @stevecjones
- Added get_regions function in order to call it after assume_role @HG00
- Added GetFindings action to example IAM policy for Security Hub
- Added additional Glue checks @dlpzx
- Added Glue checks part 1 @ramondiez
- Added GovCloud usage information
- Added group for ENS (Spanish Esquema Nacional de Seguridad)
- Added group for pci-dss as reference
- Added group internet-exposed
- Added group18 for ISO27001, thanks to @gchib297 (issue #637)
- Added high level architecture
- Added html to -M in usage
- Added IAM to extra7100 title
- Added latest checks to extras group
- Added more check mappings to ISO27001 group and reordered the list @mario-platt
- Added 7 new checks required for ENS
- Added new check [extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled
- Added new check 7.98 [extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) @nickmalcolm
- Added new check extra_7130 to check encryption of a SNS topic @mpratsch
- Added new check extra7131 RDS minor version upgrade
- Added new check extra793 for SSL listeners on load balancers @jonjozwiak
- Added new extras check (7130) to check encryption of a SNS topic
- Added new group for Sagemaker with 10 new controls
- Added parameters and made the template parameterised @pacohope
- Added refresh of assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys
- Added script to generate html report from multiple csv outputs
- Added service name to all checks
- Added service name to sample check
- Added session duration option to 12h
- Added sleep to extra7102 to avoid Shodan API limits
- Added SOC2 compliance group @gchib297
- Added start build automatically
- Added support for custom folder checks when running all checks @xeroxnir
- Added support to run inside AWS CloudShell
- Added whitelist feature improvements @QuinnStevens

Enhancements:

- Enhanced: accept current most restrictive TLSv1.2-only ALB security policy as secure
- Enhanced: adapt check119 to exclude instances shutting down @stku1985
- Enhanced: additional check for location of awscli @zfLQ2qx2
- Enhanced: adjusted severity like in Security Hub @xeroxnir
- Enhanced: allow listing checks and groups without credentials
- Enhanced: better handling of permissions and errors
- Enhanced: catch errors assuming role and describing regions @zfLQ2qx2
- Enhanced check extra740: reworked to consider all snapshots, use JMESPath query @pacohope
- Enhanced check extra792 to accept current most restrictive TLSv1.2 @bazbremner
- Enhanced check119 to exclude instances shutting down @stku1985
- Enhanced: clear AWS_DEFAULT_OUTPUT on start @zfLQ2qx2
- Enhanced: CloudTrail metrics (check3x) pass if found on any, not every, CloudTrail log @zfLQ2qx2
- Enhanced CodeBuild CFN template with scheduler and documentation
- Enhanced documentation about Security Hub integration and region filter
- Enhanced: ensure check28 only looks at symmetric keys
- Enhanced: ensure that checks are sorted numerically when listing checks @marcjay
- Enhanced: ensure JSON is the default AWS command output
- Enhanced error handling without credentials
- Enhanced extra7102: increased severity to medium
- Enhanced extra792: skip check if no HTTPS/SSL listener, plus added NLB support @jonjozwiak
- Enhanced feature to refresh assume role credentials before they expire
- Enhanced: force default AWS CLI output (issue #696) @Kirizan
- Enhanced: handle shadow CloudTrails more gracefully in checks check21, check22, check24, check27 @zfLQ2qx2
- Enhanced html output with scoring information, risk, remediation, doc link and CAF security epics
- Enhanced: implement OS-neutral method of converting RFC 3339 dates to epoch @zfLQ2qx2
- Enhanced: in CSV output, renamed the NOTES field header to CHECK_RESULT_EXTENDED. New CSV header looks like:
- Enhanced PublicIP discovery used in Shodan check_extra7102 @as-km
- Enhanced: reduce needed actions in additions policy @tekdj7
- Enhanced: removed textInfo extra information on extra712
- Enhanced Security Hub integration @xeroxnir
- Enhanced Security Hub integration improvement and added severity for checks @xeroxnir
- Enhanced Security Hub: mark as ARCHIVED + fixed race condition @xeroxnir
- Enhanced: updated ProwlerExecRoleAdditionalViewPrivileges policy with lambda:GetFunction
- Enhanced: use describe-network-interfaces instead of describe-addresses in order to get public IPs (#768)
- Enhanced whitelisting to allow regexes and fuzzy/strict matching
- Enhanced: adjusted severity of secrets and Shodan checks
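Because the CSV layout changed in this release (the 18-column header listed under New Features, and the NOTES column renamed to CHECK_RESULT_EXTENDED above), an integration that consumes Prowler CSV reports needs to accept both layouts. The parser below is an added example, not Prowler's own code; the sample rows, severity labels and finding text are constructed for illustration.

```python
import csv
import io
from collections import Counter

# CSV header exactly as listed in the 2.4.0 release notes (18 columns).
COLUMNS = (
    "PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,"
    "TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,"
    "CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,"
    "CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC"
).split(",")
# Reports from releases before 2.4.0 called the free-text column NOTES.
RENAMED = {"NOTES": "CHECK_RESULT_EXTENDED"}
REQUIRED = {"ACCOUNT_NUM", "REGION", "TITLE_ID", "CHECK_RESULT", "CHECK_RESULT_EXTENDED"}


def parse_prowler_csv(text):
    """Parse a Prowler CSV report into dicts keyed by the 2.4.0 column names."""
    reader = csv.reader(io.StringIO(text))
    header = [RENAMED.get(c.strip(), c.strip()) for c in next(reader)]
    missing = REQUIRED - set(header)
    if missing:
        raise ValueError(f"not a Prowler CSV report, missing {sorted(missing)}")
    rows = []
    for fields in filter(None, reader):  # skip blank lines
        if len(fields) != len(header):
            raise ValueError(f"row has {len(fields)} fields, header has {len(header)}")
        rows.append(dict(zip(header, fields)))
    return rows


def failed_by_severity(rows):
    """Count FAIL results per CHECK_SEVERITY; pre-2.4.0 reports have no severity, so ''."""
    return Counter(r.get("CHECK_SEVERITY", "") for r in rows if r["CHECK_RESULT"] == "FAIL")


def make_row(**cols):
    """Build one 2.4.0-layout CSV line for the constructed sample; unset columns stay empty."""
    return ",".join(cols.get(c, "") for c in COLUMNS)


# Constructed sample report in the 2.4.0 layout (illustrative values, not real output).
SAMPLE_240 = "\n".join([
    ",".join(COLUMNS),
    make_row(ACCOUNT_NUM="123456789012", REGION="us-east-1", TITLE_ID="7.98", CHECK_RESULT="FAIL",
             CHECK_SEVERITY="Critical", CHECK_RESULT_EXTENDED="demo-fn policy is public"),
    make_row(ACCOUNT_NUM="123456789012", REGION="us-east-1", TITLE_ID="7.113", CHECK_RESULT="PASS",
             CHECK_SEVERITY="Medium", CHECK_RESULT_EXTENDED="demo-db has deletion protection"),
])
# Constructed older-style report using the pre-2.4.0 NOTES column name.
SAMPLE_OLD = ("ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,NOTES\n"
              "123456789012,us-east-1,7.98,FAIL,public policy\n")
```

`parse_prowler_csv(SAMPLE_OLD)` and `parse_prowler_csv(SAMPLE_240)` both yield rows keyed by CHECK_RESULT_EXTENDED, so downstream code only has to know the new name.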

Fixes:

- Fixed account id in output file name
- Fixed changes made in check27
- Fixed check extra73 fail message omitting bucket name @zfLQ2qx2
- Fixed check for public RDS instances
- Fixed check_extra7107 condition
- Fixed check_extra7116 and check_extra7117
- Fixed Check12 bug: remove $ from grep
- Fixed check12 when MFA is enabled and user contains "true" in the name @xeroxnir
- Fixed date command for busybox @zfLQ2qx2
- Fixed: don't fail check extra737 for keys scheduled for deletion
- Fixed EKS related checks regarding us-west-1 @njgibbon
- Fixed error handling for SubscriptionRequiredException in extra77
- Fixed execute_group_by_id @xeroxnir
- Fixed extra7103 parser error
- Fixed extra7108 parser error
- Fixed extra7110 title
- Fixed extra7111 parser error
- Fixed extra7116 and extra7117 outputs and added them to extras @ramondiez
- Fixed extra737: now doesn't fail for keys scheduled for deletion @QuinnStevens
- Fix for busybox date command
- Fix for check_extra764 @grzegorznittner
- Fix for issue 713
- Fixed FreeBSD $OSTYPE check @ring-pete
- Fixed getopts OPTARG for custom checks @xeroxnir
- Fixed: include lambda:GetFunction in prowler policy to check AWS Lambda related controls: extra720, extra759, extra760, extra762, extra798
- Fixed: include missing lambda:GetFunction action in prowler-additions-policy.json to check AWS Lambda @jfagoagas
- Fixed issue #624 ID of check_extra792
- Fixed issue #659
- Fixed issue assuming role in regions with STS disabled
- Fixed issue in extra776 when ECR scanning imageDigest @adamcanzuk
- Fixed listing CloudFormation stacks if default output format is not JSON
- Fixed listing configurations if default output format is not JSON in check119, extra742, extra75 and extra772 @anthirian
- Fixed listing EC2 instances if default output format is not JSON
- Fixed listing EC2 Security Groups if default output format is not JSON
- Fixed listing Elastic IPs if default output format is not JSON
- Fixed log metric filter check3x with multiple trails @bridgecrewio
- Fixed log metric filter checks (#33)
- Fixed: make check28 only look at symmetric keys @mdop-wh
- Fixed: moved assume role before listing regions
- Fixes issue #744
- Fixed output on extra731
- Fixed profile and region settings for extra792 ELB SSL ciphers @jonjozwiak
- Fixed quotes in check extra78 for public RDS instances @goldfiglabs
- Fixed regex in check43 @ilyas28
- Fixed: replace empty space with '\s' in check43 regex @frannovo
- Fixed report metadata in html output
- Fixed Security Hub eventual consistency + PREFIX query bug + archive PASSED @xeroxnir
- Fixed security-hub integration: race condition timestamp @xeroxnir
- Fixed Security Hub: other OS/check fixes + batch in 100 findings @xeroxnir
- Fixed servicename variable in extra72
- Fixed: store assumed role expiry time for later checking
- Fixed syntax in extra7110
- Fixed title grammar in check_extra73 @CenturionGamer
- Fixed typos and added extra7132 to extras
- Fixed: check_extra7130 profile parameter was not set @soffensive
