
Prowler 3.4.0 - Still Life

@MrCloudSec MrCloudSec released this 20 Apr 13:25

Take a look in the pool and what do you see
In the dark depths there faces beckoning me
Can't you see them it's plain for all to see
They were there oh I know you don't believe me

Still Life is one of those jewels that Iron Maiden has (well… aren't all their songs jewels? 😉), and it is so good that they also included it in their live double VHS/DVD/CD/LP called "Maiden England" back in 1988. The song is based on a book by Ramsey Campbell called "The Inhabitant of the Lake and Less Welcome Tenants", and it is about somebody who sees ghosts at the bottom of a lake and goes crazy over it. They are like cloud security vulnerabilities: they are everywhere and they seem hard to beat. Listen to the song here 🔥Still Life🔥 while hardening and reading below what we did.

A brand new version of Prowler 3.4.0 at your command! This version won't make your ghosts disappear, but it will help you put them in their place and in line, so you can start the journey of getting rid of them. Time to shine up your boots with pip install prowler --upgrade.

New features to highlight in this version:

☁️ New support for Google Cloud with 43 checks:

  • GCP services covered: IAM, BigQuery, CloudSQL, CloudStorage, Compute, KMS and Logging.
  • Run prowler gcp --list-checks for details and visit our Prowler GCP documentation here.

21 new checks for AWS:

  • New services covered: Organizations best practices, SSM Incidents, Resource Explorer and Backup; additional checks for CloudTrail, GuardDuty, VPC best practices and IAM (see the IAM ones below, they will help you a lot!), and the ECR scan-on-push check updated. Thanks to @gabrielsoltz
  • Watch out! iam_policy_no_administrative_privileges has been renamed to iam_customer_unattached_policy_no_administrative_privileges
  • New important IAM checks:
    • [iam_aws_attached_policy_no_administrative_privileges] Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
    • [iam_customer_attached_policy_no_administrative_privileges] Ensure IAM Customer-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
    • [iam_customer_unattached_policy_no_administrative_privileges] Ensure IAM policies that allow full "*:*" administrative privileges are not created - iam [low]
  • See all checks with prowler aws --list-checks
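The three IAM checks listed above all reduce to the same question about a policy document: does any Allow statement grant every action on every resource? The Python below is an added illustration, not Prowler's own code. It evaluates that question over a small constructed inventory, handling the single-value and list forms IAM permits for Statement, Action and Resource, ignoring Deny statements and resource-scoped statements, and routes each policy to the check id and severity named in the list above (AWS-managed attached, customer-managed attached, customer-managed unattached). The inventory shape (Name, Arn, AttachmentCount, Document) and the function names are assumptions made for this example.

```python
import json

# Action spellings that grant every API call: the check titles use "*:*",
# and IAM also accepts a bare "*". (Constructed example, not Prowler's code.)
FULL_ACCESS_ACTIONS = {"*", "*:*"}
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"

# Check ids and severities exactly as listed in the release notes above.
CHECKS = {
    "aws_attached": ("iam_aws_attached_policy_no_administrative_privileges", "high"),
    "customer_attached": ("iam_customer_attached_policy_no_administrative_privileges", "high"),
    "customer_unattached": ("iam_customer_unattached_policy_no_administrative_privileges", "low"),
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_full_admin(policy_document) -> bool:
    """True if any Allow statement grants Action '*' (or '*:*') on Resource '*'.

    Accepts the document as a dict or as the JSON string the IAM API returns.
    Deny statements and statements scoped to specific resources never count.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & FULL_ACCESS_ACTIONS and "*" in resources:
            return True
    return False


def classify_policies(policies):
    """Route each policy to the applicable check and evaluate it.

    `policies` is a list of dicts with a hypothetical simplified shape:
    {"Name", "Arn", "AttachmentCount", "Document"}.
    Returns a list of (check_id, policy_name, status, severity) tuples.
    AWS-managed policies are only evaluated when attached: every account
    contains AdministratorAccess whether or not anyone uses it.
    """
    findings = []
    for policy in policies:
        attached = policy.get("AttachmentCount", 0) > 0
        aws_managed = policy["Arn"].startswith(AWS_MANAGED_PREFIX)
        if aws_managed and not attached:
            continue
        if aws_managed:
            key = "aws_attached"
        elif attached:
            key = "customer_attached"
        else:
            key = "customer_unattached"
        check_id, severity = CHECKS[key]
        status = "FAIL" if allows_full_admin(policy["Document"]) else "PASS"
        findings.append((check_id, policy["Name"], status, severity))
    return findings


# Constructed sample inventory (not real account data).
SAMPLE_POLICIES = [
    {"Name": "AdministratorAccess", "Arn": AWS_MANAGED_PREFIX + "AdministratorAccess",
     "AttachmentCount": 2,
     "Document": {"Version": "2012-10-17",
                  "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
    # Document given as the JSON string form the API returns.
    {"Name": "DevFullAccess", "Arn": "arn:aws:iam::123456789012:policy/DevFullAccess",
     "AttachmentCount": 1,
     "Document": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                 '"Action": ["*:*"], "Resource": ["*"]}]}'},
    {"Name": "OldAdmin", "Arn": "arn:aws:iam::123456789012:policy/OldAdmin",
     "AttachmentCount": 0,
     "Document": {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}},
    {"Name": "S3ReadOnly", "Arn": "arn:aws:iam::123456789012:policy/S3ReadOnly",
     "AttachmentCount": 3,
     "Document": {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                 "Resource": "*"}]}},
    # A Deny on "*" must not be mistaken for administrative privileges.
    {"Name": "BreakGlassDeny", "Arn": "arn:aws:iam::123456789012:policy/BreakGlassDeny",
     "AttachmentCount": 0,
     "Document": {"Version": "2012-10-17",
                  "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}}},
]

if __name__ == "__main__":
    for check_id, name, status, severity in classify_policies(SAMPLE_POLICIES):
        print(f"{status:4} [{severity}] {check_id}: {name}")
```

Running it prints one line per policy; the two attached full-access policies come out as FAIL at high severity, the unattached customer policy as FAIL at low severity, and the read-only and deny-only policies as PASS. Statements using NotAction or NotResource are not considered here; a production check would need to decide how to treat those as well.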

📊 New HTML report for Azure and GCP:

  • When running Azure or GCP checks, an HTML report is now also created for you to enjoy during your security assessments.

⚙️ Custom checks now supported:

  • You can create your custom checks inside Prowler or in your own folders, following our Developer Guide and a Tutorial about it here; use the new option -x/--checks-folder to point Prowler at your custom checks.

🏷️ Resource Tags supported in Allow list:

What's Changed:

Features

  • feat(allowlist): Add tags filter to allowlist by @sergargar in #2105
  • feat(backup): New backup service and checks by @gabrielsoltz in #2172
  • feat(banner): Include Azure credential banner by @n4ch04 in #2179
  • feat(check): New Check and Service: resourceexplorer2_indexes_found by @gabrielsoltz in #2196
  • feat(check): New check ecr_registry_scan_images_on_push_enabled by @sergargar in #2237
  • feat(check): New CloudTrail check cloudtrail_insights_exist by @gabrielsoltz in #2184
  • feat(check): New CloudTrail check cloudtrail_bucket_requires_mfa_delete by @gabrielsoltz in #2194
  • feat(check): New GuardDuty check guardduty_centrally_managed by @gabrielsoltz in #2195
  • feat(check): New VPC checks by @gabrielsoltz in #2218
  • feat(checks): New IAM Checks no full access to critical services by @gabrielsoltz in #2183
  • feat(checks): New IAM check iam_securityaudit_role_created by @gabrielsoltz in #2182
  • feat(custom checks): Add -x/--checks-folder for custom checks by @sergargar in #2191
  • feat(gcp): Add Google Cloud provider with 43 checks by @sergargar in #2125
  • feat(html): Add html to Azure and GCP by @sergargar in #2181
  • feat(new_checks): New AWS Organizations checks by @gabrielsoltz in #2133
  • feat(orgs checks region): Add region to all Organizations checks by @n4ch04 in #2202
  • feat(ssmincidents): New Service and Checks by @gabrielsoltz in #2219

Fixes

  • fix(audit_info): Azure subscriptions parsing error by @n4ch04 in #2147
  • fix(aws_provider): Fix assessment session name by @jfagoagas in #2132
  • fix(azure output): Change default values of audit identity metadata by @n4ch04 in #2144
  • fix(brew): Move brew formula action to the bottom by @sergargar in #2135
  • fix(cloudformation): Handle ValidationError by @jfagoagas in #2166
  • fix(dax): Call list_tags using the cluster ARN by @jfagoagas in #2167
  • fix(defender service): Retrieve key dicts with get by @n4ch04 in #2129
  • fix(delete check): Delete check ec2.._in_use_without_ingress_filtering by @n4ch04 in #2148
  • fix(docs): Check extra_742 name adjusted in the V2 to V3 mapping by @cerontrustly in #2154
  • fix(elb-test): Use a mocked current audit info by @jfagoagas in #2207
  • fix(elbv2 desync check): Mixed elbv2 desync and smuggling by @n4ch04 in #2171
  • fix(errors): Solve ECR and CodeArtifact errors by @sergargar in #2239
  • fix(gcp): Handle error when Project ID is None by @sergargar in #2130
  • fix(global services): Fix global services region by @n4ch04 in #2203
  • fix(iam): Handle LimitExceededException when calling generate_credential_report by @jfagoagas in #2168
  • fix(iam): Handle no display name error in service account by @sergargar in #2176
  • fix(iam tests): Mock audit_info object by @sergargar in #2226
  • fix(iam_policy_no_administrative_privileges): Check attached policies and AWS-Managed by @sergargar in #2200
  • fix(kms): Handle empty principal error by @sergargar in #2192
  • fix(logging): Add default resource id when no resources by @sergargar in #2177
  • fix(output bucket): Solve IsADirectoryError using compliance flag by @sergargar in #2121
  • fix(pipeline build): Fix wording when build and push by @n4ch04 in #2169
  • fix(pypi): Set base branch when updating release version by @jfagoagas in #2152
  • fix(quickinventory): AttributeError when creating inventory table by @bnugent in #2122
  • fix(rds): Handle DBSnapshotNotFound by @jfagoagas in #2165
  • fix(readme): Add GCP provider to README introduction by @sergargar in #2143
  • fix(redshift): correct description in redshift_cluster_automatic_upgrades by @rubtoa in #2246
  • fix(resourceexplorer2): Solve test and region by @sergargar in #2206
  • fix(resource_not_found): Handle error by @jfagoagas in #2136
  • fix(rds): exclude Aurora in rds_instance_transport_encrypted check by @sergargar in #2245
  • fix(s3): Handle if ignore_public_acls is None by @jfagoagas in #2128
  • fix(secretsmanager_automatic_rotation_enabled): Improve description for Secrets Manager secret rotation by @visit1985 in #2156
  • fix(ssm): Handle ValidationException when retrieving documents by @jfagoagas in #2146
  • fix(test): Call cloudtrail_s3_dataevents_write_enabled check by @jfagoagas in #2204
  • fix(test): Mock audit info in services #2208 #2210 #2211 #2209 #2224 #2215 #2223 #2212 #2213 #2225
  • fix(version): Handle request response property by @sergargar in #2175

Builds

Chores

  • chore(regions): Sort AWS regions by @sergargar in #2198
  • chore(regions_update): Changes in regions for AWS services. by @sergargar in #2236
  • chore(docs): Developer Guide - how to create a new check by @sergargar in #2137
  • chore(docs): Improve quick inventory section by @sergargar in #2117
  • chore(docs): Improve reporting documentation by @sergargar in #2119
  • chore(docs): Remove list severities by @jfagoagas in #2116

New Contributors

Full Changelog: 3.3.4...3.4.0