Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
APACHE-2.0 License
Published by jfagoagas 7 months ago
You'll take my life, but I'll take yours too
You'll fire your musket, but I'll run you through
So when you're waiting for the next attack
You'd better stand, there's no turning back
When I started Prowler almost eight years ago, I thought about calling it The Trooper (thetrooper as in the command line sounds good, but I thought prowler was even better). I can say today, with no doubt, that this version 4.0 of Prowler, The Trooper, is by far the software that I always wanted to release. Now, as a company, with a whole team dedicated to Prowler (Open Source and SaaS), this is even more exciting. With standard support for AWS, Azure, GCP and also Kubernetes, with all new features, this is the beginning of a new era where Open Cloud Security makes a step forward and we say: hey WE ARE HERE FOR REAL and when you're waiting for the next attack, you'd better stand, there's no turning back.
Enjoy Prowler - The Trooooooooper! song!
--sts-endpoint-region since we use AWS STS regional tokens.
The --quiet option has been deprecated; now use the --status flag to select the finding's status you want to get from PASS, FAIL or MANUAL.
--send-sh-only-fails or --security-hub --status FAIL
INFO finding's status has changed to MANUAL.
We have deprecated some of our output formats:
Dashboard
prowler dashboard and enjoy overview data and compliance.
New Kubernetes provider
prowler kubernetes --kubeconfig-file <kube.yaml>
Compliance
output/compliance
AWS
--scan-unused-services
prowler aws --category threat-detection for Enumeration and Privilege Escalation types of activities.
Azure
Mutelist
Outputs
Providers
Fixer
--fix to allow you to remediate findings. You can list all the available fixers with prowler aws --list-fixers
--namespaces argument and solve bugs by @sergargar in https://github.com/prowler-cloud/prowler/pull/3431
--sts-endpoint-region by @sergargar in https://github.com/prowler-cloud/prowler/pull/3046
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.16.0...4.0.0
Published by jfagoagas 7 months ago
Turn the spotlights on the people
Switch the dial and eat the worm
Take your chances, kill the engine
Drop your bombs and let it burn
Enjoy the last release of Prowler v3 with this Iron Maiden song!
17 New Azure checks
prowler azure --list-checks
Azure CIS v2.0 and v2.1 coverage
prowler azure --compliance cis_2.1_azure
More fixes and updates for all the providers
vm_ensure_using_managed_disks metadata by @Hugo966 in https://github.com/prowler-cloud/prowler/pull/3617
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.3...3.16.0
Published by jfagoagas 7 months ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.2...3.15.3
Published by jfagoagas 7 months ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.1...3.15.2
Published by sergargar 7 months ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.15.0...3.15.1
Published by sergargar 7 months ago
You're children of the damned
Your backs against the wall
You turn into the light
You're burning in the night
Beware the cloud security issues that paralyze! As per Bruce Dickinson's comments at the BBC, this Iron Maiden song, part of The Number of the Beast album, was inspired by Black Sabbath's "Children of the Sea". In any case, let's put all those cloud security misconfigurations against the wall now!
Enjoy it!
40 New Azure checks
See all the new available checks with prowler azure -l
Shodan.io support for Azure and GCP
prowler gcp -c compute_public_address_shodan --shodan <API_KEY> and prowler azure -c network_public_ip_shodan --shodan <API_KEY>
The Shodan API Key can also be set in the config.yaml file instead of using the --shodan flag.
Added Kubernetes Coverage in Cloud Providers
prowler aws/azure/gcp --services eks/aks/gke
New AWS FTR Compliance
prowler aws --compliance foundational_technical_review_aws
policy_ensure_asc_enforcement_enabled by @puchy22 in https://github.com/prowler-cloud/prowler/pull/3452
monitor_ensure_diagnostic_setting_appropriate by @Hugo966 in https://github.com/prowler-cloud/prowler/pull/3421
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.14.0...3.15.0
Published by sergargar 8 months ago
Home, far away
From the war, a chance to live again
Home, far away
But the war, no chance to live again
Prowler 3.14 is here! Like the number pi, this version will drive you through the magic of fixing security issues in your cloud infrastructure, with more Azure checks for your joy and amusement. Enjoy it!
25 New Azure checks
See all the new available checks with prowler azure -l
last_attempted_execution_date is None by @sergargar in https://github.com/prowler-cloud/prowler/pull/3394
storage_default_network_access_rule_is_denied by @Hugo966 in https://github.com/prowler-cloud/prowler/pull/3387
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.13.0...3.14.0
Published by sergargar 8 months ago
last_attempted_execution_date is None by @sergargar in https://github.com/prowler-cloud/prowler/pull/3394
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.13.0...3.13.1
Published by sergargar 8 months ago
El Dorado, come and play
El Dorado, step this way
Take a ticket for the ride
El Dorado streets of gold
See my ship is oversold
You got one last chance to try
Iron Maiden's El Dorado song is part of the Final Frontier album, and it won a Grammy Award as the best metal song, not bad, huh? This song talks about the economic situation back in 2010. In the current situation of companies all over the place laying off people, I wanted to give virtual hugs to all those people from the Prowler Team and remember, Open Source is always rewarding for you to learn and for others!
Prowler 3.13 is probably the last of the 3 series (v4 looks promising!). As you can see, we are working hard on Azure and many other features.
Enjoy it!
21 New Azure checks
See all the new available checks with prowler azure -l
New CIS AWS Foundations Benchmark v3.0.0 Compliance
prowler aws --compliance cis_3.0_aws
New AWS Account Security Onboarding Compliance
prowler aws --compliance aws_account_security_onboarding_aws
Python 3.12 is now supported!
pip install prowler and that's all!
Custom Output File in Quick Inventory
prowler aws -i -F custom-output-file.csv
defender_auto_provisioning_log_analytics_agent_vms_on by @puchy22 in https://github.com/prowler-cloud/prowler/pull/3322
defender_ensure_system_updates_are_applied and defender_auto_provisioning_vulnerabilty_assessments_machines_on by @puchy22 in https://github.com/prowler-cloud/prowler/pull/3327
storage_ensure_private_endpoints_in_storage_accounts by @pedrooot in https://github.com/prowler-cloud/prowler/pull/3326
storage_key_rotation_90_days by @pedrooot in https://github.com/prowler-cloud/prowler/pull/3323
defender_ensure_iot_hub_defender_is_on by @puchy22 in https://github.com/prowler-cloud/prowler/pull/3367
sqlserver_auditing_retention_90_days by @pedrooot in https://github.com/prowler-cloud/prowler/pull/3345
sqlserver_vulnerability_assessment_enabled by @pedrooot in https://github.com/prowler-cloud/prowler/pull/3349
storage_ensure_soft_delete_is_enabled by @pedrooot in https://github.com/prowler-cloud/prowler/pull/3334
sqlserver_auditing_retention_90_days by @pedrooot in https://github.com/prowler-cloud/prowler/pull/3365
rds_instance_no_public_access by @sergargar in https://github.com/prowler-cloud/prowler/pull/3341
s3:Get* case to s3_bucket_policy_public_write_access by @sergargar in https://github.com/prowler-cloud/prowler/pull/3364
inspector2_findings_exist check into two by @sergargar in https://github.com/prowler-cloud/prowler/pull/3338
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.12.1...3.13.0
Published by jfagoagas 9 months ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.12.0...3.12.1
Published by jfagoagas 10 months ago
Just sixteen, a pickup truck, out of money, out of luck
I've got nowhere to call my own, hit the gas, and here I go
I'm running free yeah, I'm running free
I'm running free yeah, oh I'm running free
Iron Maiden's Running Free song was published as a single from their first album back in 1980. This song is all about running wild and running free as we do at Prowler, making cloud security open and transparent, easy to use and easy to customize, for you and thousands of organizations around the world.
Hit the gas, and here I go! This version is full of new features and important improvements requested by our vibrant community. Go ahead and smash your electric guitar and use Prowler straightaway by yourself or just use our service at prowler.com.
Enjoy it!
Custom Checks Metadata
--custom-checks-metadata-file custom_checks_metadata.yaml. (Thanks @venkyvajrala for the feature!) See more in https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/
Custom AWS Role Session name
--role-session-name <role_session_name>. See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#custom-role-session-name
Scan only AWS enabled regions
Improved threading using ThreadPoolExecutor
ThreadPoolExecutor to improve concurrency management, allowing parallelisation per resource and not only per region. Thanks to @Fennerr for the improvement!
Bug fixing
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.3...3.12.0
Published by sergargar 11 months ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.2...3.11.3
Published by sergargar 11 months ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.1...3.11.2
Published by sergargar 12 months ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.11.0...3.11.1
Published by jfagoagas 12 months ago
Sailing on and on and north across the sea
Sailing on and on and north 'til all is calm
Dare to delve into this spectral realm, where the frightful protection of Prowler awaits you.
Happy haunting and secure coding this Halloween!
Ignore Findings from services not in actual use
prowler <provider> --ignore-unused-services
See more in https://docs.prowler.cloud/en/latest/tutorials/ignore-unused-services/
New AWS Allowlist including AWS Control Tower resources
prowler aws --allowlist prowler/config/aws_allowlist.yaml
See more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/#default-aws-allowlist
STS V2 Tokens
See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#sts-endpoint-region
9 New checks for AWS!
account_maintain_different_contact_details_to_security_billing_and_operations
cloudtrail_multi_region_enabled_logging_management_events
dlm_ebs_snapshot_lifecycle_policy_exists
ec2_ebs_volume_snapshots_exists
documentdb_instance_storage_encrypted
trustedadvisor_premium_support_plan_subscribed
neptune_uses_a_public_subnet
elasticache_using_public_subnets
iam_use_temporary_credentials
Thanks to Jit @jit-contrib for their help on these checks.
Try them with prowler aws and improve your security posture now!
Check Aliases are now supported
prowler <provider> -c/--checks <check_alias_1>
See more in https://docs.prowler.cloud/en/latest/tutorials/check-aliases/
--ignore-unused-services argument to ignore findings from services not in actual use by @sergargar in https://github.com/prowler-cloud/prowler/pull/2936
enabled_in_account parameter by @jfagoagas in https://github.com/prowler-cloud/prowler/pull/2979
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.10.0...3.11.0
Published by sergargar about 1 year ago
Then they summoned me over to join in with them
At the dance of the dead
Into the circle of fire I followed them
Into the middle I was led
Dance of Death is an Iron Maiden song, released on their 2003 album of the same name. The song combines the band's signature heavy metal sound with progressive elements. Lyrically, the song tells a story of a medieval dance of death, a symbolic representation of mortality and the inevitability of death. The lyrics are filled with vivid and dark imagery, and the song features intricate guitar work and powerful vocals from Bruce Dickinson. Enjoy this great song (https://www.youtube.com/watch?v=3659fTXvFts) while reading what's new!
New checks for AWS!
iam_role_administratoraccess_policy.
wafv2_webacl_logging_enabled.
(iam_disable_90_days_credentials, iam_disable_45_days_credentials and iam_disable_30_days_credentials) have been changed to two generic checks called iam_user_accesskey_unused and iam_user_console_access_unused. By default, they will fail when credentials are unused for 45 days; you can configure this value using the max_unused_access_keys_days and max_console_access_days configuration values. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/
Try them with prowler aws and improve your security posture now!
Security Hub Tagging
Five new Prowler contributors!
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.9.0...3.10.0
Published by jfagoagas about 1 year ago
As a young boy chasing dragons
With your wooden sword so mighty
You're St. George or you're David and you always killed the beast
Times change very quickly and you had to grow up early
A house in smoking ruins and the bodies at your feet
Sometimes chasing dragons and sometimes walking on the edge of the blade. This Iron Maiden song, Flash of the Blade, tells a good story about what comes to the table these days. Enjoy this great song written by Bruce Dickinson back in 1984 (https://www.youtube.com/watch?v=Qx0s8OqgBIw) while reading what's new!
New checks for AWS!
athena_workgroup_encryption and athena_workgroup_enforce_configuration.
s3_bucket_kms_encryption.
ec2_instance_detailed_monitoring_enabled.
iam_inline_policy_no_administrative_privileges, with a new feature in the IAM service which is now capable of retrieving the inline policies for Users, Roles and Groups.
ecr_repositories_scan_vulnerabilities_in_latest_image: you can configure the minimum severity for this check to raise a FAIL finding using the ecr_repository_vulnerability_minimum_severity configuration value. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/
Try them with prowler aws and improve your security posture now!
New CLI flag
--checks-file flag. Try it with prowler aws --list-checks-json.
Developer Guide
Two new Prowler contributors!
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.2...3.9.0
Published by sergargar about 1 year ago
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.1...3.8.2
Published by sergargar about 1 year ago
--config-file config.yaml by @jfagoagas in https://github.com/prowler-cloud/prowler/pull/2679
resolve_security_hub_previous_findings by @sergargar in https://github.com/prowler-cloud/prowler/pull/2687
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.0...3.8.1
Published by jfagoagas about 1 year ago
A war in heaven in God's rage
He put me in this burning cage
Holy fury locks me in
Imprisoned by my deadly sin
Every hour the shadow king
Wonders what his clock will bring
I've lived and loved and that's for sure
My fatal quest forever more
2 weeks before this release, most of the Prowler full-time team were watching Iron Maiden live, probably the best day of the year for us being together. This song, Days of Future Past, was the fourth they played in that show; we invite you to play it while reading what is new in this version that we have just crafted for you all right before BlackHat, DEFCON and BSides Vegas. Remember we will be at Black Hat Arsenal on Wednesday!
Special thanks for contributions on this release to @jchrisfarris, @edurra and @gabriel-pragin-clearscale, your code and feedback are very helpful to improve Prowler. THANK YOU!
GCP scans are now 10x faster!
prowler gcp --compliance cis_2.0_gcp if you dare!
New Azure service supported: sqlserver, with 3 new checks available: sqlserver_auditing_enabled, sqlserver_azuread_administrator_enabled and sqlserver_unrestricted_inbound_access.
sqlserver with 3 checks. Try them with prowler azure --service sqlserver and let us know!
New checks for AWS!:
s3_bucket_public_list_acl and s3_bucket_public_write_acl. Try them with prowler aws --service s3 and improve your security posture now!
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.7.2...3.8.0