Prowler 3.6.0 - Boots On

Die With Your Boots On is a song of Iron Maiden's album Piece of mind, it is self explanatory, we like the vibe of that song in their lives, watch it here.
Basically, this is what we do here, we go all in or nothing! 💪🏼
We are bringing the best we have in this code of Prowler 3.6.0: some new checks, improved GCP support, new features, more fixes making it a better piece of software and more helpful for your daily job 😄
Remember to run pip install prowler --upgrade and rock on! 🤘

New features to highlight in this version:

🥳 GCP Multi-Project support:

• Prowler now supports GCP Multi-Project scans! By default Prowler will scan all the GCP Projects that is allowed to scan, if you want to scan a single project or various specific projects you can use the following flag:

prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>

✅ 16 new checks for GCP (Thanks to @jit-contrib ! 💪🏼 ):

• New services ApiKeys, DNS and Dataproc are covered and additional checks for Compute and IAM services.
• See all checks with prowler gcp --list-checks

📝 OCSF Integration (Hello Amazon Security Lake!):

• OCSF JSON was added as a default output for AWS, Azure and GCP. It was based on the OCSF Schema's Security Finding v1.0.0-rc.3.

📊 AWS Well Architected Framework:

• The Security Pillar of the AWS Well-Architected Framework is now supported by Prowler, you can run it with the following command:

prowler aws --compliance aws_well_architected_framework_security_pillar_aws

⚙️ MFA supported in AWS:

• If your IAM entity enforces MFA for AWS Calls you can use --mfa and Prowler will ask you to input the following values to get a new session:

prowler aws --mfa
Enter ARN of MFA: arn:aws:iam::012345678910:mfa/xxxxxx
Enter MFA code: XXXXXX

What's Changed

Features

• feat(checks-gcp): Include 4 new checks covering GCP CIS by @jit-contrib in #2376
• feat(gcp): add 12 new checks for CIS Framework by @jit-contrib in #2426
• feat(gcp): add --project-ids flag and scan all projects by default by @sergargar in #2393
• feat(mfa): Add MFA flag if it is required by AWS IAM Entity by @senyberg in #2478
• feat(new_security_framework): AWS Well Architected Framework security pillar by @pedromarting3 in #2382
• feat(ocsf): add OCSF format as JSON output for AWS, Azure and GCP. Hello Amazon Security Lake! by @sergargar in #2429
• feat(vpc): add check vpc_subnet_no_public_ip_by_default by @senyberg in #2472
• feat(wellarchitected): add WellArchitected service and check by @sergargar in #2461

Fixes

• fix(arn validator): include : in regex by @n4ch04 in #2471
• fix(aws): Add missing resources ARN by @jfagoagas in #2453
• fix(azure): fix empty subscriptions case by @n4ch04 in #2455
• fix(backup): Handle last_execution_date when None by @jfagoagas in #2454
• fix(browser auth): fix browser auth in Azure to include tenant id by @n4ch04 in #2415
• fix(cloudfront): Bad https_enabled check comparison by @christiandavilakoobin in #2430
• fix(codebuild): handle FAIL in codebuild_project_user_controlled_buildspec by @sergargar in #2410
• fix(dataevents checks): add trails home region by @n4ch04 in #2484
• fix(ec2): handle false positive in ec2_securitygroup_allow_ingress_from_internet_to_any_port by @sergargar in #2449
• fix(ecr): handle LifecyclePolicyNotFoundException by @sergargar in #2411
• fix(efs): Include resource ARN and handle from input by @jfagoagas in #2452
• fix(inventory): handle exception for every call by @sergargar in #2457
• fix(kms): check only KMS CMK tags by @sergargar in #2468
• fix(README): add references to tenant-id when browser auth by @n4ch04 in #2439
• fix(services): Handle AWS service errors by @jfagoagas in #2440
• fix(services): verify Route53 records and handle TrustedAdvisor error by @sergargar in #2448
• fix(typo): typo in README.md by @sergargar in #2406
• fix(typo) typo in README.md by @toniblyx in #2407

Chores

• chore(arn): add missing ARNs to AWS Services by @sergargar in #2476
• chore(arn): include ARN of AWS accounts by @sergargar in #2477
• chore(boto3): update boto3 config by @sergargar in #2459
• chore(compliance): Update Description in aws_well_architected_framework_security_pillar_aws.json by @sssalim-aws in #2432
• chore(docs): add summary table to README.md by @toniblyx in #2402
• chore(docs): Create CONTRIBUTING.md by @toniblyx in #2416
• chore(docs): improve allowlist suggestion by @sergargar in #2466
• chore(docs): improve custom checks docs by @sergargar in #2428
• chore(logo): Add Prowler logo in SVG format & Propose to Prowler icon design by @dsict in #2423
• chore(quick inventory): add warning message by @sergargar in #2460
• chore(regions_update): Changes in regions for AWS services. by @sergargar in #2474
• chore(vpc): add mapPublicIpOnLaunch attribute to VPC subnets by @senyberg in #2470

Dependencies

• build(deps): bump alive-progress from 3.1.1 to 3.1.4 by @dependabot in #2446
• build(deps): bump boto3 from 1.26.142 to 1.26.147 by @dependabot in #2480
• build(deps): bump botocore from 1.29.147 to 1.29.152 by @dependabot in #2482
• build(deps): bump cryptography from 40.0.2 to 41.0.0 by @dependabot in #2436
• build(deps): bump google-api-python-client from 2.86.0 to 2.88.0 by @dependabot in #2483
• build(deps): bump mkdocs-material from 9.1.12 to 9.1.15 by @dependabot in #2420
• build(deps): bump pydantic from 1.10.8 to 1.10.9 by @dependabot in #2481
• build(deps-dev): bump coverage from 7.2.5 to 7.2.7 by @dependabot in #2422
• build(deps-dev): bump docker from 6.1.2 to 6.1.3 by @dependabot in #2445
• build(deps-dev): bump moto from 4.1.10 to 4.1.11 by @dependabot in #2443
• build(deps-dev): bump pytest-xdist from 3.3.0 to 3.3.1 by @dependabot in #2421
• build(deps-dev): bump pytest from 7.3.1 to 7.3.2 by @dependabot in #2479

New Contributors

• @jit-contrib made their first contribution in #2376
• @dsict made their first contribution in #2423
• @sssalim-aws made their first contribution in #2432
• @christiandavilakoobin made their first contribution in #2430
• @senyberg made their first contribution in #2470

Full Changelog: 3.5.3...3.6.0