Releases: prowler-cloud/prowler

Prowler 4.5.1 - Another Life

07 Nov 19:55
f2aa659

What's Changed

Fixes

Chores

Full Changelog: 4.5.0...4.5.1

Prowler 4.5.0 - Another Life

05 Nov 19:42
d84d0e7

There's a feeling that's inside me
Telling me to get away
But I'm so tired of living
I might as well end today

Prowler 4.5.0 - Another Life 🚀 has arrived, packed with a host of new AWS checks and improvements! We also invite you to enjoy this classic Iron Maiden song.

A huge shout-out to our talented engineers @danibarranqueroo, @MarioRgzLpz, and @HugoPBrito for their amazing work on developing new checks, and a warm welcome to our new engineer @AdriiiPRodri!

Special thanks as well to @sansns for his outstanding contributions to new Fault Tolerance checks, and to our fantastic external contributors @SaintTamnoon, @jonathanbro, and @Nirbhay1997 for their valuable PRs 🥳.

New features to highlight in this version

AWS

🔒 Combat LLMJacking in AWS Bedrock

Following recent insights from Permiso Security on hijacking threats to GenAI infrastructure like AWS Bedrock, we’ve introduced five new checks in Prowler to bolster security:

  1. bedrock_model_invocation_logging_enabled
  2. cloudtrail_threat_detection_llm_jacking
  3. bedrock_agent_guardrail_enabled
  4. bedrock_guardrail_prompt_attack_filter_enabled
  5. bedrock_guardrail_sensitive_information_filter_enabled

These checks verify that model invocation logging, log encryption and guardrail configuration are in place, so that unauthorized use of Bedrock can be monitored and mitigated, sensitive data is protected, and emerging LLMJacking activity can be detected.
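As an added illustration of what a CloudTrail-based LLMJacking detection can look like (example code written for these notes, not Prowler's cloudtrail_threat_detection_llm_jacking implementation): the detector below groups Bedrock API calls by calling principal and flags any principal that issues a burst of model enumeration, model-access changes and invocations inside a short window. The set of Bedrock event names, the threshold and window, and the CloudTrail records are all assumptions constructed for the example.

```python
"""Burst detector for LLMJacking-style Bedrock activity in CloudTrail.

Added example, not Prowler's check implementation. BEDROCK_INDICATORS is an
assumed selection of Bedrock API event names; the window, threshold and the
CloudTrail records below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator set: model enumeration, model-access changes and invocations.
BEDROCK_INDICATORS = {
    "ListFoundationModels",
    "GetFoundationModelAvailability",
    "PutUseCaseForModelAccess",
    "PutFoundationModelEntitlement",
    "CreateFoundationModelAgreement",
    "InvokeModel",
    "InvokeModelWithResponseStream",
}


def _principal(record: dict) -> str:
    """Identify the caller by ARN, falling back to the access key id."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def detect_llm_jacking(records, threshold: int = 4, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag principals that issue >= threshold indicator calls within any sliding window."""
    per_principal = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if rec.get("eventName") not in BEDROCK_INDICATORS:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_principal[_principal(rec)].append((ts, rec["eventName"]))

    findings = []
    for principal, events in per_principal.items():
        events.sort()  # chronological order; tuples sort by timestamp first
        best_count, best_start, start = 0, 0, 0
        for end in range(len(events)):
            # Advance the left edge until the window fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, start
        if best_count >= threshold:
            burst = events[best_start:best_start + best_count]
            findings.append({
                "principal": principal,
                "calls_in_window": best_count,
                "actions": sorted({name for _, name in burst}),
            })
    return findings


def _rec(time: str, source: str, name: str, arn: str) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn}}


LEAKED = "arn:aws:iam::111122223333:user/leaked-key-user"
APP = "arn:aws:iam::111122223333:role/prod-chat-app"
BEDROCK = "bedrock.amazonaws.com"

# Constructed records: a compromised key enumerates models, enables access and
# starts invoking within three minutes; a legitimate app invokes twice, an hour apart.
SAMPLE_RECORDS = [
    _rec("2024-11-01T10:00:05Z", BEDROCK, "ListFoundationModels", LEAKED),
    _rec("2024-11-01T10:00:40Z", BEDROCK, "GetFoundationModelAvailability", LEAKED),
    _rec("2024-11-01T10:01:10Z", BEDROCK, "PutUseCaseForModelAccess", LEAKED),
    _rec("2024-11-01T10:02:30Z", BEDROCK, "InvokeModel", LEAKED),
    _rec("2024-11-01T10:02:55Z", BEDROCK, "InvokeModel", LEAKED),
    _rec("2024-11-01T10:03:00Z", "s3.amazonaws.com", "GetObject", LEAKED),
    _rec("2024-11-01T09:00:00Z", BEDROCK, "InvokeModel", APP),
    _rec("2024-11-01T10:00:00Z", BEDROCK, "InvokeModel", APP),
]

if __name__ == "__main__":
    for finding in detect_llm_jacking(SAMPLE_RECORDS):
        print(finding)
```

The sliding window is the whole point: a single InvokeModel is normal, while enumeration followed by an access change and invocations from one principal within minutes is the pattern worth alerting on. Tune threshold and window to the account's baseline, and feed the detector from the CloudTrail events that bedrock_model_invocation_logging_enabled and a management-event trail make available.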

🛡️ New Checks to Address IAM Access Analyzer Gaps

In their latest post on securityrunners.io, @SecurityRunners identified gaps in IAM Access Analyzer's ability to detect publicly exposed resources. To close these gaps, we’ve introduced new checks: cloudwatch_log_group_not_publicly_accessible, ses_identities_not_publicly_accessible, glue_data_catalogs_not_publicly_accessible, and secretsmanager_not_publicly_accessible, helping to reliably identify and secure public resources.

🚀 More checks!

Prowler has significantly expanded its AWS coverage, adding 104 new checks across 42 AWS services, including popular ones like Bedrock, DMS, FSx, GuardDuty, SES and WAF, to enhance your cloud security and compliance posture.

See all the new available checks with prowler aws --list-checks

  1. apigateway_restapi_cache_encrypted
  2. apigateway_restapi_tracing_enabled
  3. athena_workgroup_logging_enabled
  4. autoscaling_group_capacity_rebalance_enabled
  5. autoscaling_group_elb_health_check_enabled
  6. autoscaling_group_launch_configuration_no_public_ip
  7. autoscaling_group_launch_configuration_requires_imdsv2
  8. autoscaling_group_multiple_instance_types
  9. autoscaling_group_using_ec2_launch_template
  10. backup_recovery_point_encrypted
  11. bedrock_agent_guardrail_enabled
  12. bedrock_guardrail_prompt_attack_filter_enabled
  13. bedrock_guardrail_sensitive_information_filter_enabled
  14. bedrock_model_invocation_logging_enabled
  15. bedrock_model_invocation_logs_encryption_enabled
  16. cloudfront_distributions_s3_origin_non_existent_bucket
  17. cloudtrail_threat_detection_enumeration
  18. cloudtrail_threat_detection_llm_jacking
  19. cloudtrail_threat_detection_privilege_escalation
  20. cloudwatch_alarm_actions_alarm_state_configured
  21. cloudwatch_alarm_actions_enabled
  22. cloudwatch_log_group_no_critical_pii_in_logs
  23. cloudwatch_log_group_not_publicly_accessible
  24. codebuild_project_logging_enabled
  25. codebuild_project_no_secrets_in_variables
  26. codebuild_project_s3_logs_encrypted
  27. codebuild_report_group_export_encrypted
  28. config_recorder_using_aws_service_role
  29. datasync_task_logging_enabled
  30. directconnect_connection_redundancy
  31. directconnect_virtual_interface_redundancy
  32. dms_endpoint_mongodb_authentication_enabled
  33. dms_endpoint_neptune_iam_authorization_enabled
  34. documentdb_cluster_multi_az_enabled
  35. dynamodb_accelerator_cluster_multi_az
  36. dynamodb_table_autoscaling_enabled
  37. ecs_cluster_container_insights_enabled
  38. ecs_service_fargate_latest_platform_version
  39. ecs_task_definitions_logging_block_mode
  40. ecs_task_set_no_assign_public_ip
  41. efs_access_point_enforce_root_directory
  42. efs_access_point_enforce_user_identity
  43. efs_mount_target_not_publicly_accessible
  44. eks_cluster_not_publicly_accessible
  45. elasticbeanstalk_environment_cloudwatch_logging_enabled
  46. elasticbeanstalk_environment_enhanced_health_reporting
  47. elasticbeanstalk_environment_managed_updates_enabled
  48. elb_desync_mitigation_mode
  49. elb_ssl_listeners_use_acm_certificate
  50. elbv2_cross_zone_load_balancing_enabled
  51. elbv2_nlb_tls_termination_enabled
  52. eventbridge_global_endpoint_event_replication_enabled
  53. fsx_file_system_copy_tags_to_backups_enabled
  54. fsx_file_system_copy_tags_to_volumes_enabled
  55. fsx_windows_file_system_multi_az_enabled
  56. glue_data_catalogs_not_publicly_accessible
  57. glue_etl_jobs_logging_enabled
  58. glue_ml_transform_encrypted_at_rest
  59. guardduty_ec2_malware_protection_enabled
  60. guardduty_eks_audit_log_enabled
  61. guardduty_eks_runtime_monitoring_enabled
  62. guardduty_lambda_protection_enabled
  63. iam_policy_cloudshell_admin_not_attached
  64. kafka_connector_in_transit_encryption_enabled
  65. kinesis_stream_encrypted_at_rest
  66. macie_automated_sensitive_data_discovery_enabled
  67. mq_broker_active_deployment_mode
  68. mq_broker_auto_minor_version_upgrades
  69. mq_broker_cluster_deployment_mode
  70. mq_broker_logging_enabled
  71. networkfirewall_logging_enabled
  72. networkfirewall_multi_az
  73. networkfirewall_policy_default_action_fragmented_packets
  74. networkfirewall_policy_default_action_full_packets
  75. opensearch_service_domains_fault_tolerant_data_nodes
  76. opensearch_service_domains_fault_tolerant_master_nodes
  77. opensearch_service_domains_not_publicly_accessible
  78. rds_cluster_protected_by_backup_plan
  79. rds_instance_transport_encrypted
  80. redshift_cluster_encrypted_at_rest
  81. redshift_cluster_enhanced_vpc_routing
  82. redshift_cluster_in_transit_encryption_enabled
  83. redshift_cluster_multi_az_enabled
  84. redshift_cluster_non_default_database_name
  85. redshift_cluster_non_default_username
  86. s3_bucket_event_notifications_enabled
  87. s3_multi_region_access_point_public_access_block
  88. secretsmanager_not_publicly_accessible
  89. secretsmanager_secret_rotated_periodically
  90. secretsmanager_secret_unused
  91. ses_identity_not_publicly_accessible
  92. transfer_server_in_transit_encryption_enabled
  93. vpc_endpoint_multi_az_enabled
  94. waf_global_rule_with_conditions
  95. waf_global_rulegroup_not_empty
  96. waf_global_webacl_logging_enabled
  97. waf_global_webacl_with_rules
  98. waf_regional_rule_with_conditions
  99. waf_regional_rulegroup_not_empty
  100. waf_regional_webacl_with_rules
  101. wafv2_webacl_rule_logging_enabled
  102. wafv2_webacl_with_rules

Azure

💪🏼 New checks for Azure Container Registry

A big thanks to @johannes-engler-mw for helping expand Prowler's Azure coverage with new checks for Azure Container Registry: containerregistry_uses_private_link and containerregistry_not_publicly_accessible.

Give them a try by scanning the Azure Container Registry with prowler azure --service containerregistry

GCP

🔎 Scan your GCP Organization

Now you can limit the scan to projects within a specific Google Cloud organization by using the --organization-id option with the GCP organization ID:
prowler gcp --organization-id organization-id

See more in our documentation

🔧 Other issues and bug fixes solved for all the cloud providers

What's Changed

Features

Prowler 4.4.1 - Alexander the Great

09 Oct 15:59
a4e655b

What's Changed

Fixes

Chores

Full Changelog: 4.4.0...4.4.1

Prowler 4.4.0 - Alexander the Great

30 Sep 19:41
f1f0609

Alexander the Great
His name struck fear into hearts of men
Alexander the Great
Became a legend 'mongst mortal men

Prowler 4.4.0 - Alexander the Great 🚀 is here, bringing a ton of new AWS checks and fixes! We also invite you to enjoy this Iron Maiden song.

A big shout-out to our engineers @danibarranqueroo, @MarioRgzLpz and @HugoPBrito for their fantastic work in developing new checks and to our new external contributors @abant07, @LefterisXefteris, @h4r5h1t, @Jude-Bae and @johannes-engler-mw for their PRs 🥳

New features to highlight in this version

AWS

🔐 Cover non-existing AWS actions/resources in IAM policies

Prowler now covers IAM policies whose NotAction element names a non-existing AWS action, which effectively allows ALL actions on the statement's resources (the same applies to non-existing resources in NotResource), for example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "NotAction": "prowler:action",
            "NotResource": "arn:aws:s3:::calculator"
        }
    ]
}

More info in the LinkedIn post by @Chan9390 here.
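The following added example, which is not Prowler's own code, shows how both of these cases can be caught by static analysis of a policy document: an Allow statement whose NotAction or NotResource only names things that do not exist (the policy above), and, for the resource-policy gaps discussed under Prowler 4.5.0 (CloudWatch Logs, SES, Glue, Secrets Manager), a wildcard Principal with no Condition. The set of known service prefixes, the resource inventory and the two extra sample policies are constructed for the demo.

```python
"""Static analysis of AWS IAM policy documents for two risky patterns.

Added example, not Prowler's own code. KNOWN_SERVICE_PREFIXES and
SAMPLE_INVENTORY are constructed stand-ins for the full AWS action
catalogue and a real inventory of the account's resources.
"""
import json
from typing import Iterable

# Constructed: a tiny subset of real IAM service prefixes.
KNOWN_SERVICE_PREFIXES = {"s3", "ec2", "iam", "kms", "lambda", "logs", "secretsmanager", "sts"}

# Constructed: resource ARNs that exist in the (imaginary) audited account.
SAMPLE_INVENTORY = ["arn:aws:s3:::real-bucket", "arn:aws:s3:::real-bucket/*"]


def _as_list(value) -> list:
    """IAM accepts either a single string or a list for most statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_exists(action: str) -> bool:
    """An action counts as real when it is a wildcard or its service prefix is known."""
    if action == "*":
        return True
    prefix, sep, _ = action.partition(":")
    return bool(sep) and prefix.lower() in KNOWN_SERVICE_PREFIXES


def resource_exists(arn: str, inventory: Iterable[str]) -> bool:
    """A resource counts as real when it is a wildcard or is present in the inventory."""
    return arn == "*" or arn in set(inventory)


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def analyze_statement(stmt: dict, inventory: Iterable[str]) -> list:
    """Return human-readable findings for one statement; an empty list means clean."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements never widen access
    sid = stmt.get("Sid", "<no Sid>")

    # NotAction that names only non-existent actions excludes nothing: every action is allowed.
    not_actions = _as_list(stmt.get("NotAction"))
    if not_actions and not any(action_exists(a) for a in not_actions):
        findings.append(f"{sid}: NotAction excludes no existing action, so all actions are allowed")

    # The same logic applies to NotResource: excluding only non-existent ARNs covers every resource.
    not_resources = _as_list(stmt.get("NotResource"))
    if not_resources and not any(resource_exists(r, inventory) for r in not_resources):
        findings.append(f"{sid}: NotResource excludes no existing resource, so all resources are allowed")

    # Resource policies: a wildcard principal with no Condition makes the resource public.
    if _principal_is_wildcard(stmt.get("Principal")) and not stmt.get("Condition"):
        findings.append(f"{sid}: Principal is a wildcard with no Condition, so the resource is publicly accessible")
    return findings


def analyze_policy(policy_json: str, inventory: Iterable[str] = SAMPLE_INVENTORY) -> list:
    """Parse a policy document and collect findings across all of its statements."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        findings.extend(analyze_statement(stmt, inventory))
    return findings


# The identity policy quoted in the release notes above.
NOTACTION_POLICY = (
    '{"Version": "2012-10-17", "Statement": [{"Sid": "Statement1", "Effect": "Allow", '
    '"NotAction": "prowler:action", "NotResource": "arn:aws:s3:::calculator"}]}'
)

# Constructed Secrets Manager resource policy that lets any principal read the secret.
PUBLIC_SECRET_POLICY = (
    '{"Version": "2012-10-17", "Statement": [{"Sid": "AllowAnyone", "Effect": "Allow", '
    '"Principal": "*", "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}'
)

# Constructed policy that excludes a real service and names a concrete principal: clean.
SAFE_POLICY = (
    '{"Version": "2012-10-17", "Statement": [{"Sid": "Scoped", "Effect": "Allow", '
    '"Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "NotAction": "iam:*", '
    '"Resource": "arn:aws:s3:::real-bucket/*"}]}'
)

if __name__ == "__main__":
    for name, doc in (("notaction", NOTACTION_POLICY), ("public", PUBLIC_SECRET_POLICY), ("safe", SAFE_POLICY)):
        print(name, analyze_policy(doc))
```

The key design point is that NotAction and NotResource are only as restrictive as the things they exclude: if every excluded action or ARN is fictitious, the exclusion is empty and the statement collapses to Action "*" or Resource "*". A real implementation would replace KNOWN_SERVICE_PREFIXES with the full action catalogue and SAMPLE_INVENTORY with the account's enumerated resources, and would treat a wildcard principal that does carry a Condition as a separate, manual-review finding rather than silently passing it.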

🤔 How to Prevent AWS AI From Using Your Data

As recently reported, AWS may be using your data to train its AI models, and you may have unwittingly consented to it.
The new check organizations_opt_out_ai_services_policy ensures that you stop feeding AWS's AI with your data.
See @QuinnyPig's helpful post on how to opt out here, or use the AWS documentation.

🚀 More checks!

Prowler has expanded its AWS coverage with 74 new checks for ACM, CloudFront, CodeBuild, DMS, DocumentDB, DynamoDB, EC2, ECS, EKS, Elasticache, ELB, ELBv2, GuardDuty, IAM, KMS, Lambda, Neptune, Network Firewall, Organizations, RDS, S3, SageMaker and VPC.

See all the new available checks with prowler aws --list-checks

  1. acm_certificates_with_secure_key_algorithms
  2. awslambda_function_inside_vpc
  3. awslambda_function_vpc_multi_az
  4. cloudfront_distributions_custom_ssl_certificate
  5. cloudfront_distributions_default_root_object
  6. cloudfront_distributions_https_sni_enabled
  7. cloudfront_distributions_multiple_origin_failover_configured
  8. cloudfront_distributions_origin_traffic_encrypted
  9. cloudfront_distributions_s3_origin_access_control
  10. cloudfront_distributions_s3_origin_non_existent_bucket
  11. codebuild_project_no_secrets_in_variables
  12. codebuild_project_source_repo_url_no_sensitive_credentials
  13. dms_endpoint_ssl_enabled
  14. documentdb_cluster_public_snapshot
  15. dynamodb_accelerator_cluster_in_transit_encryption_enabled
  16. dynamodb_table_deletion_protection_enabled
  17. dynamodb_table_protected_by_backup_plan
  18. ec2_client_vpn_endpoint_connection_logging_enabled
  19. ec2_ebs_volume_protected_by_backup_plan
  20. ec2_instance_paravirtual_type
  21. ec2_instance_uses_single_eni
  22. ec2_launch_template_no_public_ip
  23. ec2_networkacl_unused
  24. ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
  25. ec2_transitgateway_auto_accept_vpc_attachments
  26. ecr_repositories_tag_immutability
  27. ecs_service_no_assign_public_ip
  28. ecs_task_definitions_containers_readonly_access
  29. ecs_task_definitions_host_namespace_not_shared
  30. ecs_task_definitions_host_networking_mode_users
  31. ecs_task_definitions_logging_enabled
  32. ecs_task_definitions_no_privileged_containers
  33. eks_cluster_uses_a_supported_version
  34. elasticache_redis_cluster_automatic_failover_enabled
  35. elasticache_redis_cluster_auto_minor_version_upgrades
  36. elasticache_redis_replication_group_auth_enabled
  37. elbv2_is_in_multiple_az
  38. elb_connection_draining_enabled
  39. elb_cross_zone_load_balancing_enabled
  40. elb_is_in_multiple_az
  41. guardduty_rds_protection_enabled
  42. guardduty_s3_protection_enabled
  43. iam_group_administrator_access_policy
  44. iam_user_administrator_access_policy
  45. kms_cmk_not_deleted_unintentionally
  46. neptune_cluster_copy_tags_to_snapshots
  47. neptune_cluster_integration_cloudwatch_logs
  48. neptune_cluster_public_snapshot
  49. neptune_cluster_snapshot_encrypted
  50. networkfirewall_policy_rule_group_associated
  51. organizations_opt_out_ai_services_policy
  52. rds_cluster_copy_tags_to_snapshots
  53. rds_cluster_critical_event_subscription
  54. rds_cluster_default_admin
  55. rds_cluster_deletion_protection
  56. rds_cluster_iam_authentication_enabled
  57. rds_cluster_integration_cloudwatch_logs
  58. rds_cluster_minor_version_upgrade_enabled
  59. rds_cluster_multi_az
  60. rds_cluster_non_default_port
  61. rds_cluster_storage_encrypted
  62. rds_instance_copy_tags_to_snapshots
  63. rds_instance_critical_event_subscription
  64. rds_instance_event_subscription_parameter_groups
  65. rds_instance_inside_vpc
  66. rds_instance_non_default_port
  67. rds_instance_protected_by_backup_plan
  68. s3_access_point_public_access_block
  69. s3_bucket_cross_account_access
  70. s3_bucket_cross_region_replication
  71. s3_bucket_lifecycle_enabled
  72. sagemaker_endpoint_config_prod_variant_instances
  73. vpc_endpoint_for_ec2_enabled
  74. vpc_vpn_connection_tunnels_up

📜 KISA ISMS-P AWS compliance framework added

Prowler now supports one of Korea's key security compliance frameworks, the Personal Information & Information Security Management System (ISMS-P) from the Korea Internet & Security Agency (KISA), thanks to @Jude-Bae!

Azure

🆕 Azure Container Registries now supported!

@johannes-engler-mw added a new check containerregistry_admin_user_disabled for verifying if the admin user is disabled for Azure Container Registries.

You can try it with prowler azure -c containerregistry_admin_user_disabled

🔧 Other issues and bug fixes solved for all the cloud providers

Features

  • feat(acm): Add new check for insecure algorithms in certificates by @MarioRgzLpz in #4551
  • feat(aws): Add a test_connection method by @jfagoagas in #4563
  • feat(aws): add custom exceptions class by @pedrooot in #4847
  • feat(aws): Add new check to ensure Aurora MySQL DB Clusters publish audit logs to CloudWatch logs by @danibarranqueroo in #4916
  • feat(aws): Add new check to ensure RDS DB clusters are encrypted at rest by @danibarranqueroo in #4931
  • feat(aws): Add new check to ensure RDS db clusters copy tags to snapshots by @danibarranqueroo in #4846
  • feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical cluster events by @danibarranqueroo in #4887
  • feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database instance events by @danibarranqueroo in #4891
  • feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database parameter group events by @danibarranqueroo in #4907
  • feat(aws): Add new check to ensure RDS instances are not using default database engine ports by @danibarranqueroo in #4973
  • feat(aws): Add new check opensearch_service_domains_access_control_enabled by @abant07 in #5203
  • feat(aws): add new check organizations_opt_out_ai_services_policy by @sergargar in #5152
  • feat(aws): Add new CodeBuild check to validate environment variables by @danibarranqueroo in #4632
  • feat(aws): Add new KMS check to prevent unintentional key deletion by @danibarranqueroo in #4595
  • feat(aws): Add new Neptune check for cluster snapshot visibility by @danibarranqueroo in #4709
  • feat(aws): Add new RDS check for deletion protection enabled on clusters by @danibarranqueroo in #4738
  • feat(aws): Add new RDS check to ensure db clusters are configured for multiple availability zones by @danibarranqueroo in #4781
  • feat(aws): Add new RDS check to ensure db instances are protected by a backup plan by @danibarranqueroo in #4879
  • feat(aws): Add new RDS check to verify that cluster minor version upgrade is enabled by @danibarranqueroo in #4725
  • feat(aws): Add new RDS check to verify that db instances copy tags to snapshots by @danibarranqueroo in #4806
  • feat(aws): Add new S3 check for public access block configuration in access points by @HugoPBrito in #4608
  • feat(aws): add tags to Global Accelerator by @puchy22 in #5233
  • feat(aws): Split the checks that mix RDS Instances and Clusters by @danibarranqueroo in #4730
  • feat(aws) Add check to make sure EKS clusters have a supported version by @abant07 in https://github.com/prowler-cloud/prow...

Prowler 4.3.7 - The Alchemist

23 Sep 19:55
a18bc89

What's Changed

Fixes

Full Changelog: 4.3.6...4.3.7

Prowler 4.3.6 - The Alchemist

20 Sep 19:18
6d0a659

What's Changed

Fixes

  • fix(asff): include status extended in ASFF output by @prowler-bot in #5116
  • fix(audit): solve resources audit by @prowler-bot in #4988
  • fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4950
  • fix(aws): enhance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4862
  • fix(aws): handle AWS key-only tags by @github-actions in #4854
  • fix(aws): make intersection to retrieve checks to execute by @prowler-bot in #4974
  • fix(gcp): solve errors in GCP services by @prowler-bot in #5124
  • fix(gcp): add default project for org level checks by @prowler-bot in #5132
  • fix(iam-gcp): add getters in iam_service for gcp by @prowler-bot in #5001
  • fix(lightsail): Remove second call to is_resource_filtered by @prowler-bot in #5125
  • fix(main): logic for resource_tag and resource_arn usage by @prowler-bot in #4982
  • fix(metadata): change description from documentdb_cluster_deletion_protection by @prowler-bot in #4913
  • fix(rds): Modify RDS Event Notification Subscriptions for Security Groups Events check by @prowler-bot in #4977
  • fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4953
  • fix(vpc): check all routes tables in subnet by @prowler-bot in #5122

Chores

Full Changelog: 4.3.5...4.3.6

Prowler 3.16.17 - Back in the Village

20 Sep 17:01
a952d1d

What's Changed

Fixes

  • fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4949
  • fix(aws): enhance check cloudformation_stack_outputs_find_secrets by @prowler-bot in #4861
  • fix(ec2): Manage UnicodeDecodeError when reading user data by @github-actions in #4788
  • fix(gcp): solve errors in GCP services by @prowler-bot in #5123
  • fix(inspector2): Ensure Inspector2 is enabled for ECR, EC2, Lambda and Lambda Code by @prowler-bot in #5066
  • fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @prowler-bot in #4952
  • fix(v3): remove not supported checks by @sergargar in #5126
  • fix(vpc): check all routes tables in subnet by @prowler-bot in #5121

Chores

  • chore(aws): match all AWS resource types with SecurityHub supported types in metadata by @prowler-bot in #5064
  • chore(aws): Remove token from log line by @jfagoagas in #4904
  • chore(awslambda): Enhance function public access check called from other resource by @github-actions in #4793
  • chore(azure): Fix CIS 2.1 mapping by @github-actions in #4780
  • chore(docs): change ResourceType link of Security Hub by @prowler-bot in #5096
  • chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5083
  • chore(ssm): add trusted accounts variable to ssm check by @prowler-bot in #5117
  • chore(test): improve iam_root_hardware_mfa_enabled tests by @github-actions in #4834
  • chore(version): update version logic in Prowler by @github-actions in #4776

Dependencies

Full Changelog: 3.16.16...3.16.17

Prowler 4.3.5 - The Alchemist [HOTFIX]

22 Aug 18:26
ea4bf5b

What's Changed

Hotfix

  • fix: handle empty input regions by @github-actions in #4842

Full Changelog: 4.3.4...4.3.5

Prowler 4.3.4 - The Alchemist [YANKED]

22 Aug 16:15
ac623b7

What's Changed

Fixes

  • fix(aws): enhance resource arn filtering by @github-actions in #4837
  • fix(aws): run Prowler as IAM Root or Federated User by @github-actions in #4773
  • fix(ec2): Manage UnicodeDecodeError when reading user data by @github-actions in #4789
  • fix(ecr): change log level of non-scanned images by @github-actions in #4769
  • fix(ecr): handle non-existing findingSeverityCounts key by @github-actions in #4767
  • fix(iam): handle no arn serial numbers for MFA devices by @github-actions in #4711
  • fix(iam): update logic of Root Hardware MFA check by @github-actions in #4775
  • fix(mutelist): change logic for tags in aws mutelist by @github-actions in #4803
  • fix(outputs): refactor unroll_tags to use str as tags by @github-actions in #4819
  • fix(version): update version flag logic by @github-actions in #4771

Chores

  • chore(awslambda): Enhance function public access check called from other resource by @github-actions in #4794
  • chore(azure): fix CIS 2.1 mapping by @github-actions in #4792
  • chore(test): improve iam_root_hardware_mfa_enabled tests by @github-actions in #4835

Full Changelog: 4.3.3...4.3.4

Prowler 3.16.16 - Back in the Village

16 Aug 17:07
2b0c93d

What's Changed

Fixes

  • fix(ecr): handle non-existing findingSeverityCounts key by @github-actions in #4766
  • fix(ecr): change log level of non-scanned images by @github-actions in #4768
  • fix(aws): run Prowler as IAM Root or Federated User by @github-actions in #4772
  • fix(iam): update logic of Root Hardware MFA check by @github-actions in #4774

Chores

  • chore(deps): bump google-api-python-client from 2.140.0 to 2.141.0 by @dependabot in #4749
  • chore(deps): bump trufflesecurity/trufflehog from 3.81.8 to 3.81.9 by @dependabot in #4755
  • chore(deps): bump botocore from 1.34.160 to 1.34.162 by @dependabot in #4757
  • chore(regions_update): Changes in regions for AWS services. by @github-actions in #4770

Full Changelog: 3.16.15...3.16.16