prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.

APACHE-2.0 License

Downloads: 192.3K
Stars: 9.5K
Committers: 239


prowler - Prowler 4.0.0 - The Trooper

Published by jfagoagas 7 months ago

You'll take my life, but I'll take yours too
You'll fire your musket, but I'll run you through
So when you're waiting for the next attack
You'd better stand, there's no turning back

When I started Prowler almost eight years ago, I thought about calling it The Trooper (thetrooper as in the command line sounds good, but I thought prowler was even better). I can say today, with no doubt, that this version 4.0 of Prowler, The Trooper, is by far the software that I always wanted to release. Now, as a company, with a whole team dedicated to Prowler (Open Source and SaaS), this is even more exciting. With standard support for AWS, Azure, GCP and also Kubernetes, with all new features, this is the beginning of a new era where Open Cloud Security makes a step forward and we say: hey WE ARE HERE FOR REAL, and when you're waiting for the next attack, you'd better stand, there's no turning back.

Enjoy Prowler - The Trooooooooper! 🤘🏽🔥 song!


Breaking Changes

  • Allowlist is now called Mutelist.
  • The AWS flag --sts-endpoint-region is deprecated, since we now use AWS STS regional tokens.
  • The --quiet option has been deprecated; use the --status flag to select which finding status you want to get: PASS, FAIL or MANUAL.
  • To send only FAIL findings to AWS Security Hub, use either --send-sh-only-fails or --security-hub --status FAIL.
  • All findings with INFO status have changed to MANUAL.

We have deprecated some of our output formats:

  • The HTML output is replaced by the new Prowler Dashboard (prowler dashboard).
  • The JSON output is replaced by JSON OCSF v1.1.0.

New features to highlight in this version

Dashboard

  • Prowler now has a local dashboard to explore the gathered data more easily. Run prowler dashboard to get an overview of findings and compliance.

πŸŽ›οΈ New Kubernetes provider

  • Prowler has a new Kubernetes provider to improve the security posture of your clusters! Try it now with prowler kubernetes --kubeconfig-file <kube.yaml>
  • CIS Benchmark 1.8 for K8s is included.

📄 Compliance

  • All compliance frameworks are executed by default and stored in a new location: output/compliance

AWS

  • By default, the AWS provider no longer scans unused services; you can enable that with --scan-unused-services.
  • Two new checks detect possible threats, namely Enumeration and Privilege Escalation activities. Try them now with prowler aws --category threat-detection.

🗺️ Azure

  • All Azure findings now include the location!
  • CIS Benchmark for Azure 2.0 and 2.1 is included.

🔇 Mutelist

  • The renamed mutelist feature is available for all the providers.
  • In AWS, a default mutelist is included in the execution.
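To make the mutelist semantics concrete, here is an added example (not Prowler's own code) that applies a mutelist to a set of findings. The document layout (Mutelist, Accounts, Checks, Regions, Resources, Tags) follows the mutelist file Prowler reads, but the matching rules used here (shell-style wildcards for account, check, region and resource; tags written as key=value) are this example's own assumptions and may differ from Prowler's implementation. Both the mutelist and the findings are constructed inline; a real run would load the YAML file and Prowler's findings instead.

```python
"""Apply a Prowler-style mutelist to findings (illustrative, not Prowler's code)."""
from fnmatch import fnmatchcase

# Constructed mutelist: the parsed form of a YAML mutelist file.
# Field names follow Prowler's mutelist layout; matching semantics are assumed.
MUTELIST = {
    "Mutelist": {
        "Accounts": {
            "123456789012": {
                "Checks": {
                    # Mute every s3_bucket_* check for CloudFormation template buckets.
                    "s3_bucket_*": {
                        "Regions": ["*"],
                        "Resources": ["arn:aws:s3:::cf-templates-*"],
                    },
                    # Mute one check for one user, only when tagged owner=secops.
                    "iam_user_hardware_mfa_enabled": {
                        "Regions": ["us-east-1"],
                        "Resources": ["break-glass-user"],
                        "Tags": ["owner=secops"],
                    },
                }
            }
        }
    }
}

# Constructed findings in a minimal flat shape (not Prowler's output format).
SAMPLE_FINDINGS = [
    {"account": "123456789012", "check": "s3_bucket_public_access",
     "region": "eu-west-1", "resource": "arn:aws:s3:::cf-templates-a1b2c3", "tags": {}},
    {"account": "123456789012", "check": "s3_bucket_public_access",
     "region": "eu-west-1", "resource": "arn:aws:s3:::customer-exports", "tags": {}},
    {"account": "123456789012", "check": "iam_user_hardware_mfa_enabled",
     "region": "us-east-1", "resource": "break-glass-user", "tags": {"owner": "secops"}},
    {"account": "123456789012", "check": "iam_user_hardware_mfa_enabled",
     "region": "us-east-1", "resource": "break-glass-user", "tags": {"owner": "dev"}},
    {"account": "999999999999", "check": "s3_bucket_public_access",
     "region": "eu-west-1", "resource": "arn:aws:s3:::cf-templates-zzz", "tags": {}},
]


def _any_match(patterns, value):
    """True when the value matches at least one wildcard pattern."""
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def _tags_match(required, tags):
    """Every required "key=value" entry must be present on the resource."""
    for entry in required:
        key, _, value = entry.partition("=")
        if tags.get(key) != value:
            return False
    return True


def matching_rule(finding, mutelist=MUTELIST):
    """Return the (account pattern, check pattern) that mutes the finding, or None."""
    accounts = mutelist.get("Mutelist", {}).get("Accounts", {})
    for account_pattern, account_rules in accounts.items():
        if not fnmatchcase(finding["account"], account_pattern):
            continue
        for check_pattern, rule in account_rules.get("Checks", {}).items():
            if not fnmatchcase(finding["check"], check_pattern):
                continue
            if not _any_match(rule.get("Regions", ["*"]), finding["region"]):
                continue
            if not _any_match(rule.get("Resources", ["*"]), finding["resource"]):
                continue
            if not _tags_match(rule.get("Tags", []), finding.get("tags", {})):
                continue
            return (account_pattern, check_pattern)
    return None


def apply_mutelist(findings, mutelist=MUTELIST):
    """Split findings into (kept, muted); muted ones record the rule that matched."""
    kept, muted = [], []
    for finding in findings:
        rule = matching_rule(finding, mutelist)
        if rule is None:
            kept.append(finding)
        else:
            muted.append({**finding, "muted_by": rule})
    return kept, muted


if __name__ == "__main__":
    kept, muted = apply_mutelist(SAMPLE_FINDINGS)
    print(f"{len(muted)} muted, {len(kept)} still reported")
    for finding in muted:
        print("  muted:", finding["check"], finding["resource"], "by", finding["muted_by"])
```

Of the five constructed findings only two are muted: the template bucket matched by the s3_bucket_* rule and the break-glass user that carries the required tag. The same user with a different owner tag, the customer-exports bucket and the finding from another account are all still reported, which is the behaviour a reviewer should verify before trusting a mutelist in production.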

🌐 Outputs

  • Prowler now writes its outputs in a common format for all providers.
  • The only JSON output now follows the OCSF schema v1.1.0.
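The following added example (not Prowler's own code) shows how a practitioner might consume the OCSF v1.1.0 JSON output and apply the same PASS/FAIL/MANUAL selection that the new --status flag performs at scan time. The field names it reads (status_code, severity, cloud.provider, cloud.region, metadata.event_code, finding_info.title, resources[].uid) are an assumption about how Prowler maps findings onto the OCSF Detection Finding class; confirm them against a real output file before relying on the script. The three findings are constructed for the example.

```python
"""Filter and summarise Prowler-style OCSF v1.1.0 JSON output by status (illustrative)."""
import json
from collections import Counter

# Constructed sample: three findings in the assumed shape of one run's output
# file (a JSON array). All values are made up for the example.
SAMPLE_OCSF = json.dumps([
    {
        "metadata": {"event_code": "s3_bucket_public_access"},
        "severity": "High",
        "status_code": "FAIL",
        "cloud": {"provider": "aws", "region": "us-east-1"},
        "finding_info": {"title": "Ensure there are no S3 buckets open to the public"},
        "resources": [{"uid": "arn:aws:s3:::example-public-bucket"}],
    },
    {
        "metadata": {"event_code": "iam_root_mfa_enabled"},
        "severity": "Critical",
        "status_code": "PASS",
        "cloud": {"provider": "aws", "region": "us-east-1"},
        "finding_info": {"title": "Ensure MFA is enabled for the root account"},
        "resources": [{"uid": "arn:aws:iam::123456789012:root"}],
    },
    {
        "metadata": {"event_code": "apiserver_anonymous_requests"},
        "severity": "Medium",
        "status_code": "MANUAL",
        "cloud": {"provider": "kubernetes", "region": "in-cluster"},
        "finding_info": {"title": "Ensure anonymous requests to the API server are disabled"},
        "resources": [{"uid": "example-cluster/kube-apiserver"}],
    },
])

STATUSES = ("PASS", "FAIL", "MANUAL")  # the values --status accepts in 4.0


def load_findings(raw_json):
    """Parse one output file; Prowler writes a JSON array of findings."""
    findings = json.loads(raw_json)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def filter_by_status(findings, wanted):
    """Keep findings whose status_code is in wanted (case-insensitive), like --status."""
    wanted = {status.upper() for status in wanted}
    unknown = wanted.difference(STATUSES)
    if unknown:
        raise ValueError(f"unknown status value(s): {sorted(unknown)}")
    return [f for f in findings if f.get("status_code") in wanted]


def summarize(findings):
    """Count findings per (provider, severity) for the top of a report."""
    return Counter(
        (f.get("cloud", {}).get("provider", "unknown"), f.get("severity", "Unknown"))
        for f in findings
    )


def to_row(finding):
    """Flatten one finding into the columns a triage sheet needs."""
    resources = finding.get("resources") or [{}]
    return {
        "check": finding.get("metadata", {}).get("event_code"),
        "status": finding.get("status_code"),
        "severity": finding.get("severity"),
        "provider": finding.get("cloud", {}).get("provider"),
        "region": finding.get("cloud", {}).get("region"),
        "resource": resources[0].get("uid"),
        "title": finding.get("finding_info", {}).get("title"),
    }


if __name__ == "__main__":
    findings = load_findings(SAMPLE_OCSF)
    fails = filter_by_status(findings, ["FAIL"])  # same selection as --status FAIL
    for row in map(to_row, fails):
        print(row)
    print(summarize(findings))
```

Because the status vocabulary changed in 4.0 (INFO became MANUAL), the filter rejects any status outside PASS, FAIL and MANUAL rather than silently returning nothing, which is the failure mode you want to catch when an old pipeline still asks for INFO.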

💻 Providers

  • We have unified the way new providers are integrated, making them easier to develop and add.

🔨 Fixer

  • We have included a new argument, --fix, to let you remediate findings. You can list all the available fixers with prowler aws --list-fixers.

Features

Documentation

Fixes

Chores

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.16.0...4.0.0

prowler - Prowler 3.16.0 - Back in the Village

Published by jfagoagas 7 months ago

Turn the spotlights on the people
Switch the dial and eat the worm
Take your chances, kill the engine
Drop your bombs and let it burn

Enjoy the last release of Prowler v3 🤘🏽🔥 with this Iron Maiden song!

New features to highlight in this version

💪🏼 17 New Azure checks

  • Prowler is improving its Azure coverage by including 17 new checks that appear in the CIS Benchmark v2.0.0 and v2.1.0.
    See all the new available checks with prowler azure --list-checks

🔒 Azure CIS v2.0 and v2.1 coverage

  • Prowler includes coverage for two new compliance frameworks for Azure CIS, v2.0.0 and v2.1.0. You can execute these new frameworks with prowler azure --compliance cis_2.1_azure.

🔧 More fixes and updates for all the providers

Features

Fixes

Documentation

Chores

Dependencies

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.3...3.16.0

prowler - Prowler 3.15.3 - Children of the Damned

Published by jfagoagas 7 months ago

Chores

Fixes

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.2...3.15.3

prowler - Prowler 3.15.2 - Children of the Damned

Published by jfagoagas 7 months ago

Fixes

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.1...3.15.2

prowler - Prowler 3.15.1 - Children of the Damned

Published by sergargar 7 months ago

Fixes

Chores

Dependencies

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.0...3.15.1

prowler - Prowler 3.15.0 - Children of the Damned

Published by sergargar 7 months ago

You’re children of the damned
Your backs against the wall
You turn into the light
You’re burning in the night

Beware the cloud security issues that paralyze! As per Bruce Dickinson's comments to the BBC, this Iron Maiden song, part of The Number of the Beast album, was inspired by Black Sabbath's “Children of the Sea”. In any case, let's put all those cloud security misconfigurations against the wall now!

Enjoy it! 🤘🏽🔥

New features to highlight in this version:

💪🏼 40 New Azure checks

  • Prowler is improving its Azure coverage by including 40 new checks that appear in the CIS Benchmark v2.1.0.
    (Thanks @Hugo966, @pedrooot and @puchy22 for their contributions and performance!)

See all the new available checks with prowler azure -l

🔒 Shodan.io support for Azure and GCP

  • Now, Prowler lets you also check if any public IPs in Azure or GCP are exposed in Shodan.
    Try it with prowler gcp -c compute_public_address_shodan --shodan <API_KEY> and prowler azure -c network_public_ip_shodan --shodan <API_KEY>

The Shodan API Key can also be set in the config.yaml file instead of using the --shodan flag.

✅ Added Kubernetes Coverage in Cloud Providers

  • New checks that cover Kubernetes managed services in AWS (EKS), Azure (AKS) and in GCP (GKE/GCR) are now available in Prowler. Try them with prowler aws/azure/gcp --services eks/aks/gke

πŸ“ New AWS FTR Compliance

  • AWS FTR helps you identify AWS Well-Architected best practices specific to your software or solution.
    You can execute the new AWS Foundational Technical Review Compliance Framework with prowler aws --compliance foundational_technical_review_aws

Features

Fixes

Chores

Dependencies

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.14.0...3.15.0

prowler - Prowler 3.14.0 - Paschendale

Published by sergargar 8 months ago

Home, far away
From the war, a chance to live again
Home, far away
But the war, no chance to live again

Iron Maiden's Paschendale.

Prowler 3.14 is here! Like the number PI, this version will drive you through the magic of fixing security issues in your cloud infrastructure, with more Azure checks for your joy and amusement. Enjoy it! 🤘🏽🔥

New features to highlight in this version:

💪🏼 25 New Azure checks

  • Prowler is improving its Azure coverage by including 25 new checks that appear in the CIS Benchmark v2.0.0.
    (Thanks again @pedrooot and @puchy22 for their contributions, way to go!)

See all the new available checks with prowler azure -l

Features

Fixes

Chores

Dependencies

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.13.0...3.14.0

prowler - Prowler 3.13.1 - El Dorado [YANKED]

Published by sergargar 8 months ago

Fixes

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.13.0...3.13.1

prowler - Prowler 3.13.0 - El Dorado

Published by sergargar 8 months ago

El Dorado, come and play
El Dorado, step this way
Take a ticket for the ride
El Dorado streets of gold
See my ship is oversold
You got one last chance to try

Iron Maiden's El Dorado song is part of the Final Frontier album, and it won a Grammy Award as the best metal song, not bad, huh? This song talks about the economic situation back in 2010. In the current situation, with companies all over the place laying off people, I wanted to give virtual hugs to all those people from the Prowler Team and remember, Open Source is always rewarding for you to learn and for others!

Prowler 3.13 is probably the last of the 3 series (v4 looks promising!). As you can see, we are working hard on Azure and many other features.

Enjoy it! 🤘🏽🔥

New features to highlight in this version:

💪🏼 21 New Azure checks

  • Prowler is improving its Azure coverage by including 21 new checks that appear in the CIS Benchmark v2.0.0.
    (Thanks @pedrooot and @puchy22 for their contributions and performance!)

See all the new available checks with prowler azure -l

✅ New CIS AWS Foundations Benchmark v3.0.0 Compliance

  • On Jan 31st, CIS released the new v3.0.0 for Amazon Web Services Foundations and it is now available in Prowler. You can execute the new CIS version with prowler aws --compliance cis_3.0_aws.

📊 New AWS Account Security Onboarding Compliance

  • It is based on a post by Artem Marusov; you can execute this checklist when onboarding new AWS accounts into an existing AWS Organization with prowler aws --compliance aws_account_security_onboarding_aws.

🥳 Python 3.12 is now supported!

  • Now you can execute Prowler using Python 3.12. Install Prowler with pip install prowler and that's all!

πŸ“ Custom Output File in Quick Inventory

  • Support for the already existing option -F (output file) when using the quick inventory feature (-i) on AWS. You can test it with prowler aws -i -F custom-output-file.csv.

Features

Fixes

Chores

Dependencies

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.12.1...3.13.0

prowler - Prowler 3.12.1 - Running Free

Published by jfagoagas 9 months ago

Fixes

Chores

Docs

Dependencies

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.12.0...3.12.1

prowler - Prowler 3.12.0 - Running Free

Published by jfagoagas 10 months ago

Just sixteen, a pickup truck, out of money, out of luck
I've got nowhere to call my own, hit the gas, and here I go
I'm running free yeah, I'm running free
I'm running free yeah, oh I'm running free

Iron Maiden's Running Free song was published as a single of their first album back in 1980. This song is all about running wild and running free, as we do at Prowler, making cloud security open and transparent, easy to use and easy to customize, for you and thousands of organizations around the world.

Hit the gas, and here I go! This version is full of new features and important improvements requested by our vibrant community. Go ahead and smash your electric guitar and use Prowler straightaway by yourself, or just use our service at prowler.com.

Enjoy it! 🤘🏽🔥

New features to highlight in this version:

✍️ Custom Checks Metadata

  • Now you can override the Severity from a check using the --custom-checks-metadata-file custom_checks_metadata.yaml. (Thanks @venkyvajrala for the feature!)

See more in https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/

👷 Custom AWS Role Session name

  • Now you can customize the Role Session name that Prowler uses when assuming an AWS Role with --role-session-name <role_session_name>.

See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#custom-role-session-name

🔧 Scan only AWS enabled regions

  • Prowler now only scans AWS regions that are enabled, making the scan faster by not reviewing services in regions that are disabled.

🧡 Improved threading using ThreadPoolExecutor

  • The AWS provider now uses a ThreadPoolExecutor to improve concurrency management, allowing parallelisation per resource and not only per region. Thanks to @Fennerr for the improvement!
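The difference between fanning out per region and fanning out per resource is easiest to see with a small simulation. The following added example is not Prowler's code: it uses a constructed inventory with one busy region and a simulated per-resource API call with fixed latency, and compares the two ThreadPoolExecutor strategies on the same pool size.

```python
"""Per-region vs per-resource fan-out with ThreadPoolExecutor (illustrative)."""
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed inventory: one busy region and two small ones. A real scanner
# would list these through the cloud API.
INVENTORY = {
    "us-east-1": ["i-0a1", "i-0a2", "i-0a3", "i-0a4"],
    "eu-west-1": ["i-0b1"],
    "ap-south-1": ["i-0c1", "i-0c2"],
}
CALL_LATENCY = 0.05  # seconds; stand-in for one describe-style API call


def describe_instance(region, instance_id):
    """Simulated per-resource API call returning the attribute a check would test."""
    time.sleep(CALL_LATENCY)
    return {"region": region, "id": instance_id, "monitoring": instance_id.endswith("1")}


def scan_per_region(inventory, workers=4):
    """One task per region: the region with the most resources sets the wall time."""
    def scan_region(region):
        return [describe_instance(region, i) for i in inventory[region]]

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [r for batch in pool.map(scan_region, inventory) for r in batch]


def scan_per_resource(inventory, workers=4):
    """One task per (region, resource) pair: work is spread evenly over the pool."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(describe_instance, region, i)
                   for region, ids in inventory.items() for i in ids]
        return [f.result() for f in as_completed(futures)]


def timed(scan, inventory):
    """Run a scan strategy and return (results, elapsed seconds)."""
    start = time.perf_counter()
    results = scan(inventory)
    return results, time.perf_counter() - start


def unmonitored(results):
    """The check itself: ids of resources without detailed monitoring, sorted."""
    return sorted(r["id"] for r in results if not r["monitoring"])


if __name__ == "__main__":
    for scan in (scan_per_region, scan_per_resource):
        results, secs = timed(scan, INVENTORY)
        print(f"{scan.__name__}: {len(results)} resources in {secs:.2f}s, "
              f"unmonitored={unmonitored(results)}")
```

With four workers the per-region strategy is bounded below by the four sequential calls of us-east-1 (about 0.20 s), while the per-resource strategy needs only two rounds for seven calls (about 0.10 s); both produce the same check results, which is what a regression test around such a refactor should assert.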

πŸ› Bug fixing

  • The AWS Lambda service now scans each Lambda function for secrets without keeping the function code in memory, drastically reducing memory usage.
  • Tons of bug fixes in services, outputs, checks and some other core functions.

Features

Fixes

Chores

Docs

Dependencies

Tests

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.3...3.12.0

prowler - Prowler 3.11.3 - Rime Of The Ancient Mariner

Published by sergargar 11 months ago

What's Changed

Fixes

Chores

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.2...3.11.3

prowler - Prowler 3.11.2 - Rime Of The Ancient Mariner

Published by sergargar 11 months ago

What's Changed

Fixes

Chores

Builds

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.1...3.11.2

prowler - Prowler 3.11.1 - Rime Of The Ancient Mariner

Published by sergargar 12 months ago

What's Changed

Fixes

Chores

Builds

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.0...3.11.1

prowler - Prowler 3.11.0 - Rime Of The Ancient Mariner

Sailing on and on and north across the sea
Sailing on and on and north 'til all is calm

Dare to delve into this spectral realm, where the frightful protection of Prowler awaits you.
Happy haunting and secure coding this Halloween! 🧛‍♂️🕸️🌙

New features to highlight in this version:

🔎 Ignore Findings from services not in actual use

  • Prowler now allows you to ignore findings from unused services, reducing the number of findings in Prowler's reports:
    prowler <provider> --ignore-unused-services

See more in https://docs.prowler.cloud/en/latest/tutorials/ignore-unused-services/

βš™οΈ New AWS Allowlist including AWS Control Tower resources

  • A new allowlist file that applies to all resources created by AWS Control Tower when setting up a landing zone:
    prowler aws --allowlist prowler/config/aws_allowlist.yaml

See more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/#default-aws-allowlist

🏷️ STS V2 Tokens

  • Now Prowler will call Regional AWS STS endpoints to get session tokens valid in all AWS Regions.

See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#sts-endpoint-region

✅ 9 new checks for AWS!

  • New Account check account_maintain_different_contact_details_to_security_billing_and_operations
  • New CloudTrail check cloudtrail_multi_region_enabled_logging_management_events
  • New EC2 DataLifecycle Manager service and check dlm_ebs_snapshot_lifecycle_policy_exists
  • New EC2 EBS check ec2_ebs_volume_snapshots_exists
  • New DocumentDB service and check documentdb_instance_storage_encrypted
  • New Support check trustedadvisor_premium_support_plan_subscribed
  • New Neptune service and check neptune_uses_a_public_subnet
  • New Elasticache service and check elasticache_using_public_subnets
  • New IAM check iam_use_temporary_credentials

Thanks to Jit @jit-contrib for their help on these checks.

Try them with prowler aws and improve your security posture now! 🔒

πŸ“ Check Aliases are now supported

  • Prowler now allows you to use aliases for checks. You only have to add the CheckAliases key to the check's metadata with a list of aliases, and then you can execute it with: prowler <provider> -c/--checks <check_alias_1>

See more in https://docs.prowler.cloud/en/latest/tutorials/check-aliases/

What's Changed

Features

Fixes

Documentation

Chores

Dependencies

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.10.0...3.11.0

prowler - Prowler 3.10.0 - Dance of Death

Published by sergargar about 1 year ago

Then they summoned me over to join in with them
At the dance of the dead
Into the circle of fire I followed them
Into the middle I was led

Dance of Death is an Iron Maiden song, released on their 2003 album of the same name. The song combines the band's signature heavy metal sound with progressive elements. Lyrically, the song tells a story of a medieval dance of death, a symbolic representation of mortality and the inevitability of death. The lyrics are filled with vivid and dark imagery, and the song features intricate guitar work and powerful vocals from Bruce Dickinson. Enjoy this great song (https://www.youtube.com/watch?v=3659fTXvFts) while reading what's new! 🎸

New features to highlight in this version:

βš™οΈ New checks for AWS!

  • New AWS IAM check iam_role_administratoraccess_policy.
  • New AWS WAFv2 check wafv2_webacl_logging_enabled.
  • The AWS IAM credentials checks (iam_disable_90_days_credentials, iam_disable_45_days_credentials and iam_disable_30_days_credentials) have been replaced by two generic checks called iam_user_accesskey_unused and iam_user_console_access_unused. By default they fail when the credentials are unused for 45 days; you can configure this value using the max_unused_access_keys_days and max_console_access_days configuration values. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/

Try them with prowler aws and improve your security posture now! 🔒

🏷️ Security Hub Tagging

  • Now Prowler will add AWS Resource Tags to every Security Hub finding and to json-asff outputs!

🧑‍🤝‍🧑 Five new Prowler contributors!

  • Many thanks to @CameronTStark, @sbldevnet, @JackStuart, @devopspacellp and @taylerhaviland for adding more checks and continuing to improve Prowler!

What's Changed

Features

Fixes

Chores

Dependencies

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.9.0...3.10.0

prowler - Prowler 3.9.0 - Flash of the Blade

Published by jfagoagas about 1 year ago

As a young boy chasing dragons
With your wooden sword so mighty
You're St. George or you're David and you always killed the beast
Times change very quickly and you had to grow up early
A house in smoking ruins and the bodies at your feet

Sometimes chasing dragons and sometimes walking on the edge of the blade. This Iron Maiden song, Flash of the Blade, tells a good story about what comes to the table these days. Enjoy this great song written by Bruce Dickinson back in 1984 (https://www.youtube.com/watch?v=Qx0s8OqgBIw) while reading what's new!

New features to highlight in this version:

βš™οΈ New checks for AWS!

  • New AWS Athena service with two new checks athena_workgroup_encryption and athena_workgroup_enforce_configuration.
  • New AWS S3 check s3_bucket_kms_encryption.
  • New AWS EC2 check ec2_instance_detailed_monitoring_enabled.
  • New AWS IAM check iam_inline_policy_no_administrative_privileges with a new feature in the IAM service which now is capable of retrieving the inline policies for the Users, Roles and Groups.
  • Now in the AWS ECR ecr_repositories_scan_vulnerabilities_in_latest_image you can configure the minimum severity for this check to raise a FAIL finding using the ecr_repository_vulnerability_minimum_severity configuration value. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/

Try them with prowler aws and improve your security posture now! 🔒

πŸ–ŒοΈ New CLI flag

  • List all the checks in JSON format, ready to be consumed by the --checks-file flag. Try it with prowler aws --list-checks-json.

📖 Developer Guide

🧑‍🤝‍🧑 Two new Prowler contributors!

  • Many thanks to @vysakh-devopspace and @gerardocampo for adding more checks and continuing to improve Prowler!

What's Changed

Features

Fixes

Chores

Security

Documentation

Dependencies

Tests

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.2...3.9.0

prowler - Prowler 3.8.2 - Days of Future Past

Published by sergargar about 1 year ago

Fixes

Chores

Documentation

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.1...3.8.2

prowler - Prowler 3.8.1 - Days of Future Past

Published by sergargar about 1 year ago

Fixes

Dependencies

Documentation

Chores

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.0...3.8.1

prowler - Prowler 3.8.0 - Days of Future Past

Published by jfagoagas about 1 year ago

A war in heaven in God's rage
He put me in this burning cage
Holy fury locks me in
Imprisoned by my deadly sin
Every hour the shadow king
Wonders what his clock will bring
I've lived and loved and that's for sure
My fatal quest forever more

2 weeks before this release, most of the Prowler full-time team were watching Iron Maiden live, probably the best day of the year for us being together. This song, Days of Future Past, was the fourth they played in that show; we invite you to play it while reading what is new in this version that we have just crafted for you all, right before BlackHat, DEFCON and BSides Vegas. Remember we will be at Black Hat Arsenal on Wednesday!

Special thanks for contributions on this release to @jchrisfarris, @edurra and @gabriel-pragin-clearscale; your code and feedback are very helpful to improve Prowler. THANK YOU!

New features to highlight in this version:

🥳 GCP scans are now x10 faster!

  • We have improved the way Prowler scans GCP regions, locations and zones so now it is on average 10 times faster than before. Try it with prowler gcp --compliance cis_2.0_gcp if you dare!

πŸ“ New Azure service supported sqlserver and 3 new checks available

  • We have added a new sqlserver service to the Azure provider with 3 checks: sqlserver_auditing_enabled, sqlserver_azuread_administrator_enabled and sqlserver_unrestricted_inbound_access.
  • Try them with prowler azure --service sqlserver and let us know!

βš™οΈ New checks for AWS!:

  • Two new S3 checks for AWS: s3_bucket_public_list_acl and s3_bucket_public_write_acl. Try them with prowler aws --service s3 and improve your security posture now!

What's Changed

Features

Fixes

Tests

Chores

Dependencies

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.7.2...3.8.0