prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more

APACHE-2.0 License

prowler - Prowler 3.2.0 - Quest for Fire

Published by toniblyx over 1 year ago

Drawn by quest for fire
They searched all through the land
Drawn by quest for fire
Discovery of man.

Quest for Fire is a song from Iron Maiden's Piece of Mind album. This new version is the result of our quest for your security issues and of our quest to help you improve your cloud security posture. See below the new features we have added to Prowler 3.2.0 🔥Quest for Fire🔥

New features to highlight in this version:

🏷️ Tag-based scan: now you can scan only the resources that carry specific tags across your entire account with the following command:

🎯 Resource-based scan: now you can scan only specific resources, selected by ARN:

  • prowler aws --resource-arn arn:aws:iam::012345678910:user/test arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678
  • That command runs all IAM user related checks against the user test and all VPC related checks against vpc-12345678.
  • This is very helpful for newly found resources or even in pipelines. More information here: https://docs.prowler.cloud/en/latest/tutorials/aws/resource-arn-based-scan/

⚖️ 17 new security compliance frameworks: we added 17 new security frameworks for AWS.

  • In addition to CIS 1.4, CIS 1.5 and the Spanish ENS (which also gets further enhancements), we have added the following security frameworks for the AWS provider.
    • CISA Cyber Essentials
    • FedRAMP Low Revision 4
    • FedRAMP Moderate Revision 4
    • Federal Financial Institutions Examination Council (FFIEC)
    • AWS Foundational Security Best Practices
    • General Data Protection Regulation (GDPR)
    • GxP 21 CFR Part 11
    • GxP EU Annex 11
    • HIPAA
    • NIST 800-171 Revision 2
    • NIST 800-53 Revision 4
    • NIST 800-53 Revision 5
    • NIST Cybersecurity Framework (CSF) v1.1
    • PCI v3.2.1
    • RBI Cyber Security Framework
    • SOC 2
  • These should be considered to be in test mode at this point; we are open to feedback and updates.
  • More information about how to use them with Prowler and compliance here: https://docs.prowler.cloud/en/latest/tutorials/compliance/.
  • We want to thank @pedromarting3 for his contribution, AWS for their public documentation, and the steampipe.io mod page https://hub.steampipe.io/mods/turbot/aws_compliance, all of which were very helpful to us. 🙏🏼 🤜🏼🤛🏼

✅ New check:

  • Check if IAM Access Analyzer is enabled (in addition to the existing check that reports the findings it produces)

📺 Exit code handling:

  • As in v2, you can now control the exit code Prowler returns when it has failed findings (-z).

📄 Allow list feature: it can now also be managed through Lambda:

What's Changed:

Fixes:

Documentation

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.1.4...3.2.0

prowler - Prowler 3.1.4 - Revelations

Published by jfagoagas over 1 year ago

Chores

Fixes

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.1.3...3.1.4

prowler - Prowler 3.1.3 - Revelations

Published by sergargar over 1 year ago

Chores

Fixes

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.1.2...3.1.3

prowler - Prowler 3.1.2 - Revelations

Published by sergargar over 1 year ago

Chores

Fixes

Docs

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.1.1...3.1.2

prowler - Prowler 3.1.1 - Revelations

Published by sergargar over 1 year ago

Chores

Fixes

Docs

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.1.0...3.1.1

prowler - Prowler 3.1.0 - Revelations

Published by toniblyx almost 2 years ago

"The swords of scorn divide,
Take not thy thunder from us,
But take away our pride."

Revelations is the second song of the Piece of Mind album of Iron Maiden and was written by Bruce Dickinson.

This last month has been a real revelation for us: we realized how big our community is and how well version 3 has been received. We have passed 2 million downloads 🚀 since the project started (not counting forks). As a reference, see the OSS Insight stats for the last month at https://ossinsight.io/collections/security-tool, where we became the #1 tool thanks to all of you!

What's Changed:

New AWS check iam_role_cross_service_confused_deputy_prevention:

Ensure IAM service roles are protected against a cross-service confused deputy attack. Use the aws:SourceArn and aws:SourceAccount global condition context keys in trust relationship policies to limit the permissions a service has to a specific resource. More information at https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention.
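As an added illustration (example code written for this page, not Prowler's own check implementation), the following Python evaluates a role trust policy the way the check above describes: every statement that lets a service principal call sts:AssumeRole must carry a positive aws:SourceArn or aws:SourceAccount condition. The account ID, trail ARN and role names in the sample policies are made up, and the PASS/FAIL wording is the example's own.

```python
import json

# Condition keys that pin the calling service to a specific source resource/account.
PROTECTING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy(document):
    """Accept the trust policy as a dict (boto3 already decodes it) or as a JSON string."""
    return json.loads(document) if isinstance(document, str) else document


def _allows_assume_role(statement):
    if statement.get("Effect") != "Allow":
        return False
    actions = {action.lower() for action in _as_list(statement.get("Action"))}
    return bool(actions & {"sts:assumerole", "sts:*", "*"})


def _service_principals(statement):
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return []  # "*" or a bare account principal: not a service principal
    return _as_list(principal.get("Service"))


def _pins_caller(statement):
    """True if a positive condition references aws:SourceArn or aws:SourceAccount.

    Condition keys are case-insensitive. Null and negated operators (StringNotEquals,
    ArnNotLike, ...) do not restrict the source, so they do not count as protection.
    """
    for operator, keys in (statement.get("Condition") or {}).items():
        op = operator.lower()
        if op.startswith("null") or "not" in op:
            continue
        if any(key.lower() in PROTECTING_KEYS for key in keys):
            return True
    return False


def unscoped_service_principals(trust_policy):
    """Service principals that may assume the role without a source condition."""
    found = set()
    for statement in _as_list(load_policy(trust_policy).get("Statement")):
        if not _allows_assume_role(statement):
            continue
        services = _service_principals(statement)
        if services and not _pins_caller(statement):
            found.update(services)
    return sorted(found)


def check_role(role_name, trust_policy):
    """PASS/FAIL verdict in the style of a Prowler check (example wording, not Prowler's)."""
    unscoped = unscoped_service_principals(trust_policy)
    if unscoped:
        return ("FAIL", f"IAM role {role_name} can be assumed by {', '.join(unscoped)} "
                        "without aws:SourceArn/aws:SourceAccount conditions.")
    return ("PASS", f"IAM role {role_name} prevents cross-service confused deputy attacks.")


# Constructed sample trust policies (hypothetical account ID and trail ARN).
VULNERABLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "123456789012"},
            "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/*"},
        },
    }],
}

if __name__ == "__main__":
    for name, policy in (("cloudtrail-role-open", VULNERABLE_TRUST),
                         ("cloudtrail-role-scoped", HARDENED_TRUST)):
        print(*check_role(name, policy))
```

Statements whose principal is an account or user rather than a service are not in scope for this attack and are skipped; Deny statements and wildcard actions are handled conservatively.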

Fixes:

New Contributors:

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.0.2...3.1.0

prowler - Prowler 3.0.2 - Piece of Mind

Published by jfagoagas almost 2 years ago

Features

Fixes

Docs

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.0.1...3.0.2

prowler - Prowler 3.0.1 - Piece of Mind

Published by toniblyx almost 2 years ago

Fixes

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.0.0...3.0.1

prowler - Prowler 3.0.0 - Piece of Mind

Published by toniblyx almost 2 years ago

Today we are releasing a new major version of Prowler 🎉🥳🎊🍾, version 3, aka Piece of Mind.

Take Prowler v3 as our 🎄Christmas gift 🎁 for the Cloud Security Community.

[Image: Piece of Mind album artwork, property of Iron Maiden]

Piece of Mind was the fourth studio album of Iron Maiden. Its meaning fits perfectly with what we do with Prowler, in both senses: being protected and, at the same time, this is the software I would have wanted to write when I started Prowler back in 2016 (it is now, more than ever, a piece of my mind). This has been possible thanks to my awesome team at Verica.

No doubt 2022 has been a pretty interesting year for us: we launched ProwlerPro and released many minor versions of Prowler. Now enjoy Sun and Steel while you keep reading these release notes.

If you are an Iron Maiden fan as I am, you will have noticed that the latest minor release of Prowler (2.12) was named after a song from this very same album, a clue of what was coming! Piece of Mind also contains one of the most popular heavy metal songs of all time, The Trooper, which will be a Prowler version released during 2023.

Prowler v3 is more than a new version of Prowler; it is a whole new piece of software. We have fully rewritten it in Python and made it multi-cloud, adding Azure as our second supported cloud provider. Prowler v3 is also way faster: it can scan an entire AWS account across all regions 37 times faster than before. Yes, you read that correctly: what used to take hours now takes literally a few minutes or even seconds.

Toni de la Fuente.

New documentation site:

We are also releasing today our brand new documentation site for Prowler at https://docs.prowler.cloud and it is also stored in the docs folder in the repo.

What's Changed:

Here is a list of the most important changes in Prowler v3:

  • 🐍 Python: we got rid of all the bash and it is now all Python. pip install prowler, then run prowler, that's all.
  • 🚀 Faster: huge performance improvements.
    Scanning the same account goes from 2.5 hours to 4 minutes.
  • 💻 Developers and Community: we have made it easier to contribute new checks and new compliance frameworks. We also included unit tests and native logging, and the CLI now supports long arguments and options.
  • ☁️ Multi-cloud: in addition to AWS, we have added Azure.
  • ✅ Checks and Groups: all checks are now more comprehensive and most of them provide resolution actions. Their IDs are no longer tied to CIS; they are self-explanatory. Groups are now generated dynamically from check metadata (services, categories, severity and more).
  • ⚖️ Compliance: this release includes full support for CIS 1.4, CIS 1.5 and the new Spanish ENS, with more to come soon! Compliance also has its own output file with its own metadata, and creating your own framework is easier than ever, making for more comprehensive reports.
  • 🧩 Compatibility with v2: most options are the same in this version to preserve backward compatibility; however, some options, such as assume role or the AWS Organizations query, are now different and easier to use.
  • 🔄 Consolidated output formats: CSV and JSON reports now come with the same attributes and, compared to v2, carry more than 40 values per finding. HTML, CSV and JSON are created every time you run prowler.
  • 📊 Quick Inventory: introduced in v2, the Quick Inventory feature has been fine tuned and now lists all the resources in your AWS accounts within seconds.

[Screenshot: Prowler new default overview]

[Screenshot: Prowler updated HTML report]

[Screenshot: Prowler compliance overview (CIS sample)]

[Screenshot: Prowler list of Azure checks]

What is coming next?

  • More Cloud Providers and more checks: in addition to keep adding new checks to AWS and Azure, we plan to include GCP and OCI soon, let us know if you want to contribute!
  • XML-JUnit support: we didn't add that to v3; if you miss it, let us know in https://github.com/prowler-cloud/prowler/discussions
  • Compliance: we will add more compliance frameworks to have as many as in Prowler v2, we appreciate help though!
  • Tags based audit: you will be able to scan only those resources with specific tags.

New Contributors

In addition to the Prowler rock stars @jfagoagas @n4ch04 @sergargar we have a couple of new contributors in this release:

For more information and a detailed list of changes see below:

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.10.0...3.0.0

prowler - Prowler 2.12.1

Published by toniblyx almost 2 years ago

Fixes

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.12.0...2.12.1

prowler - Prowler 2.12.0 - Where Eagles Dare

Published by toniblyx almost 2 years ago

It's snowing outside, the rumbling sound
Of engines roar in the night
The mission is near, the confident men
Are waiting to drop from the sky

Where Eagles Dare is the song that opens the Piece of Mind album of Iron Maiden, released back in 1983, the first one with Nicko McBrain on drums after Clive Burr left the band; note his first seconds on this piece, it is like Nicko saying "here I go!". The song tells the adventure of a team of soldiers raiding a castle in Germany during WWII, as told in the movie of the same name starring Clint Eastwood and Richard Burton.

For all of you who have contributed to this version (see the list below), thank you ❤️!!! And reach out to me on Twitter (@toniblyx, DMs are open) if you want some laptop stickers.

🔥Important changes in this version (read this!)🔥:

New checks:

7.195 [check7195] Ensure CodeArtifact internal packages do not allow external public source publishing. - codeartifact [Critical]

Other changes:

  • CloudTrail checks check21, check22, check23, check24, check26, check27 now include shadow trails in the results (the replica trails that multi-region and AWS Organizations trails create in other regions and member accounts)
  • New group called cisig2 for CIS Critical Security Controls v8 by @artfulbodger
  • We have deprecated Discord and now we only use Slack, join us here!

New features:

Enhancements:

Fixes:

New Contributors:

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.11.0...2.12.0

prowler - Prowler 2.11.0 - Blood Brothers

Published by toniblyx over 2 years ago

And if you're taking a walk through the garden of life
What do you think you'd expect you would see?
Just like a mirror reflecting the moves of your life
And in the river reflections of me

Steve Harris, founder and bass player of Iron Maiden 🤘🏽, wrote this song when he lost his father; lyrics and music are beautiful. This release is for those who always look forward and only look back to be thankful and to learn. This song and version are also to thank my Prowler brothers @jfagoagas, @n4ch04, @sergargar and @drewkerrigan; they are working like beasts every day to make this piece of software better and are building something awesome with Prowler underneath called Prowler Pro.

For all of you who have contributed to this version (see the list below), thank you ❤️!!! And reach out to me on Twitter (@toniblyx, DMs are open) if you want some laptop stickers.

🔥Important changes in this version (read this!):

  • 14 New checks covering Directory Service, IAM, S3, Workspaces, AppStream and ECR:
7.181 [extra7181] Directory Service monitoring with CloudWatch logs - ds [Medium]
7.182 [extra7182] Directory Service SNS Notifications - ds [Medium]
7.183 [extra7183] Directory Service LDAP Certificates expiration - ds [Medium]
7.184 [extra7184] Directory Service Manual Snapshot Limit - ds [Low]
7.185 [extra7185] Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation - iam [High]
7.186 [extra7186] Check S3 Account Level Public Access Block - s3 [High]
7.187 [extra7187] Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements - workspaces [High]
7.188 [extra7188] Ensure Radius server in DS is using the recommended security protocol - ds [Medium]
7.189 [extra7189] Ensure Multi-Factor Authentication (MFA) using Radius Server is enabled in DS - ds [Medium]
7.190 [extra7190] Ensure user maximum session duration is no longer than 10 hours. - appstream [Medium]
7.191 [extra7191] Ensure session disconnect timeout is set to 5 minutes or less. - appstream [Medium]
7.192 [extra7192] Ensure session idle disconnect timeout is set to 10 minutes or less. - appstream [Medium]
7.193 [extra7193] Ensure default Internet Access for your Amazon AppStream fleet streaming instances remains unchecked. - appstream [Medium]
7.194 [extra7194] Check if ECR repositories have lifecycle policies enabled - ecr [Low]
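To show what extra7185 is looking for, here is an added Python example (written for this page; it is not Prowler's implementation, and its catalogue of escalation paths is a hypothetical subset seeded from the widely published Rhino Security Labs list). It expands IAM action wildcards, treats Allow + NotAction as granting everything not listed, and reports which known escalation paths a customer managed policy fully enables. The sample policy documents are constructed.

```python
import fnmatch

# A subset of well-documented IAM privilege-escalation paths (this table is the example's
# own, seeded from the public Rhino Security Labs catalogue). Each entry is the set of
# actions that together let a principal escalate; one action alone may be harmless.
PRIVESC_PATHS = {
    "CreateNewPolicyVersion": {"iam:CreatePolicyVersion"},
    "SetExistingDefaultPolicyVersion": {"iam:SetDefaultPolicyVersion"},
    "CreateAccessKey": {"iam:CreateAccessKey"},
    "CreateLoginProfile": {"iam:CreateLoginProfile"},
    "UpdateLoginProfile": {"iam:UpdateLoginProfile"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "AttachRolePolicy": {"iam:AttachRolePolicy", "sts:AssumeRole"},
    "PutUserPolicy": {"iam:PutUserPolicy"},
    "AddUserToGroup": {"iam:AddUserToGroup"},
    "UpdateRolePolicyToAssumeIt": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "PassRoleToNewEC2Instance": {"iam:PassRole", "ec2:RunInstances"},
    "PassRoleToNewLambdaThenInvoke": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "PassRoleToCloudFormation": {"iam:PassRole", "cloudformation:CreateStack"},
    "EditExistingLambdaFunctionCode": {"lambda:UpdateFunctionCode"},
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action wildcards (* and ?) have fnmatch semantics; matching is case-insensitive.
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(patterns))


def _statement_allows(statement, action):
    if statement.get("Effect") != "Allow":
        return False
    if "Action" in statement:
        return _matches(action, statement["Action"])
    if "NotAction" in statement:
        # Allow + NotAction grants every action except the listed ones.
        return not _matches(action, statement["NotAction"])
    return False


def action_allowed(policy, action):
    """True if any Allow statement grants the action.

    Deny statements, Resource and Condition are deliberately ignored, so the result
    over-reports rather than misses a path; treat a FAIL as "go read the policy".
    """
    action = action.lower()
    return any(_statement_allows(st, action) for st in _as_list(policy.get("Statement")))


def privesc_paths(policy):
    """Names of the escalation paths whose every required action the policy allows."""
    return sorted(name for name, needed in PRIVESC_PATHS.items()
                  if all(action_allowed(policy, a) for a in needed))


def check_policy(policy_name, policy):
    """PASS/FAIL verdict in the style of a Prowler check (example wording, not Prowler's)."""
    paths = privesc_paths(policy)
    if paths:
        return ("FAIL", f"Customer managed policy {policy_name} allows privilege escalation "
                        f"via: {', '.join(paths)}")
    return ("PASS", f"Customer managed policy {policy_name} does not allow known "
                    "privilege escalation paths")


# Constructed sample policy documents.
LAMBDA_DEPLOYER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"}]}
READ_ONLY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
EVERYTHING_BUT_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("lambda-deployer", LAMBDA_DEPLOYER), ("s3-reader", READ_ONLY_S3),
                      ("everything-but-s3", EVERYTHING_BUT_S3)):
        print(*check_policy(name, doc))
```

The NotAction case is the one that naive "grep the Action list" scripts miss: a policy that never mentions iam:PassRole can still grant it.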

New features:

Enhancements:

Fixes:

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.10.0...2.11.0

prowler - Prowler 2.10.0 - Flight Of Icarus

Published by toniblyx over 2 years ago

Fly on your way, like an eagle
Fly as high as the sun
On your way, like an eagle
Fly, touch the sun

Flight of Icarus is a song by Iron Maiden released in 1983 as part of their Piece of Mind album. There are some amazing guitar solos in this song; it is so good. Watch the video and enjoy it like this new version here:
https://www.youtube.com/watch?v=p4w2BZXL6Ss

[Image: Flight of Icarus artwork, copyright Iron Maiden]

Important changes in this version (read this!):

  • Now you can manage the Allow list feature using DynamoDB instead of just a text plain file.
  • 7 new checks available for CodeBuild, EMR and Lambda:
7.174 [extra7174] CodeBuild Project last invoked greater than 90 days - codebuild [High]
7.175 [extra7175] CodeBuild Project with a user controlled buildspec - codebuild [High]
7.176 [extra7176] EMR Cluster without Public IP - emr [Medium]
7.177 [extra7177] Publicly accessible EMR Cluster - emr [High]
7.178 [extra7178] EMR Account Public Access Block enabled - emr [High]
7.179 [extra7179] Check Public Lambda Function URL - lambda [High]
7.180 [extra7180] Check Lambda Function URL CORS configuration - lambda [Medium]

New features:

Enhancements:

Fixes:

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.9.0...2.10.0

prowler - Prowler 2.9.0 - Run to the Hills

Published by jfagoagas over 2 years ago

In 1982, Iron Maiden released The Number of the Beast, their third studio album and the first with Bruce Dickinson as their lead vocalist. The song Run to the Hills gives me very good memories, as the time we are living will do the same in the future. That song is one of the greatest metal songs in music history. Enjoy it as we do while releasing this new version of Prowler!
https://www.youtube.com/watch?v=86URGgqONvA

[Image: The Number of the Beast artwork, copyright Iron Maiden]

Important changes in this version (read this!):

Now, if you want to use your allowlist or custom checks you can retrieve it from a S3 Bucket using -w option along with a S3 URI like s3://bucket/prefix/allowlist_sample.txt

Also, we have enriched some IAM checks to provide more information about resources when the check status is PASS.

New Features

Enhancements

Fixes

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.8.1...2.9.0

prowler - Prowler 2.8.1

Published by sergargar over 2 years ago

What's Changed

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.8.0...2.8.1

prowler - Prowler 2.8.0 - The Ides of March

Published by toniblyx over 2 years ago

The Ides of March is an instrumental song that opens the second studio album of Iron Maiden, Killers. It is great as an opener; March is the month when spring starts in my part of the world and is always a time for optimism. The Ides of March also means the 15th of March in the Roman calendar (the day Julius Caesar was assassinated). Enjoy the song here.

We have put our best into this release, with important help from the Prowler community of cloud security engineers around the world; thank you all! Special thanks to the Prowler full time engineers @jfagoagas, @n4ch04 and @sergargar! (and Bruce, my dog) ❤️

[Image: Prowler team photo]

Important changes in this version (read this!):

Now, if you use AWS Organizations and scan multiple accounts with the assume role functionality, Prowler can fetch account details such as Account Name, Email, ARN, Organization ID and Tags and add them to the CSV and JSON output formats. More information and usage here.

New Features

Enhancements

Fixes

New Contributors

Full Changelog: https://github.com/prowler-cloud/prowler/compare/2.7.0...2.8.0

prowler - Prowler 2.7.0 - Brave

Published by toniblyx over 2 years ago

This release is named in honor of Brave New World, a great song by 🔥Iron Maiden🔥 from their Brave New World album. Dedicated to all of you looking forward to having back the world we had before COVID... We hope it is not hitting you badly. Enjoy!

Important changes in this version (read this!):

  • As you can see, Prowler is now in a new organization called https://github.com/prowler-cloud/.
  • When Prowler doesn't have permissions to check a resources or service it gives an INFO instead of FAIL. We have improved all checks error handling in those use cases when the CLI responds with a AccessDenied, UnauthorizedOperation or AuthorizationError.
  • From this version, master branch will be the latest available code and we will keep the stable code as each release, if you are installing or deploying Prowler using git clone to master take that into account and use the latest release instead, i.e.: git clone --branch 2.7 https://github.com/prowler-cloud/prowler or curl https://github.com/toniblyx/prowler/archive/refs/tags/2.7.0.tar.gz -o prowler-2.7.0.tar.gz
  • For known issues please see https://github.com/prowler-cloud/prowler/issues the ones open with bug as a red tag.
  • Discussions is now open in the Prowler repo https://github.com/prowler-cloud/prowler/discussions, feel free to use it if that works for you better than the current Discord server.
  • 11 new checks!! Thanks to @michael-dickinson-sainsburys, @jonloza, @rustic, @Obiakara, @Daniel-Peladeau, @maisenhe, @7thseraph and @tekdj7. Now there have a total of 218 checks. See below for details.
  • An issue with Security Hub integration when resolving closed findings are either a lot of new findings, or a lot of resolved findings is now working as expected thanks to @Kirizan
  • When credential are in environment variable it failed to review, that was fixed by @lazize
  • See below new features and more details for this version.
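The INFO-instead-of-FAIL behaviour described above, together with the exit code control that 3.2.0 later adds with -z, as an added Python example (not Prowler's code). It assumes the error surfaces as a botocore ClientError-style exception carrying response["Error"]["Code"]; a stand-in exception class is used so the block runs without boto3, the check callables and finding tuples are constructed, and exit status 3 on failed findings follows Prowler's documented behaviour (an assumption here, not something this page states).

```python
# Error codes that mean "the scanning principal lacks permission", not "the resource is insecure".
AUTHZ_ERROR_CODES = {
    "AccessDenied", "AccessDeniedException", "UnauthorizedOperation", "AuthorizationError",
}


class FakeClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError so the example runs without boto3.

    A real ClientError exposes the same .response["Error"]["Code"] field, so
    aws_error_code() works unchanged on it.
    """

    def __init__(self, code, message="example error"):
        super().__init__(f"An error occurred ({code}): {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def aws_error_code(exc):
    """Extract the AWS error code from a ClientError-like exception ('' if absent)."""
    response = getattr(exc, "response", None)
    if isinstance(response, dict):
        return response.get("Error", {}).get("Code", "")
    return ""


def run_check(check_id, region, check_fn):
    """Run one check callable; permission errors become a single INFO finding, not FAIL.

    Any other exception (throttling, bad parameters, network) is re-raised: swallowing
    it would silently turn a scan bug into a clean-looking report.
    """
    try:
        return list(check_fn())
    except Exception as exc:
        code = aws_error_code(exc)
        if code in AUTHZ_ERROR_CODES:
            return [(check_id, region, "INFO", f"{code}: missing permission to run {check_id}")]
        raise


def exit_code(findings, ignore_failed=False):
    """Exit status of the whole run: 3 when any FAIL is present, 0 otherwise.

    ignore_failed models the -z opt-out; INFO findings never affect the exit status.
    """
    if not ignore_failed and any(finding[2] == "FAIL" for finding in findings):
        return 3
    return 0


# Constructed check callables standing in for real API calls.
def check_denied():
    raise FakeClientError("AccessDenied", "not authorized to perform efs:DescribeFileSystems")


def check_throttled():
    raise FakeClientError("Throttling", "Rate exceeded")


def check_failing_filesystem():
    return [("extra7143", "us-east-1", "FAIL", "EFS fs-0123 has a policy allowing access to everyone")]


if __name__ == "__main__":
    findings = run_check("extra7143", "us-east-1", check_denied)
    findings += run_check("extra7143", "us-east-1", check_failing_filesystem)
    for finding in findings:
        print(*finding)
    print("exit code:", exit_code(findings), "with -z:", exit_code(findings, ignore_failed=True))
```

The distinction matters in pipelines: a FAIL blocks a deploy, an INFO tells you the scanning role's policy is incomplete, and a Throttling error should abort the run loudly rather than be recorded as either.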

New Features

  • 11 New checks for Redshift, EFS, CloudWatch, Secrets Manager, DynamoDB and Shield Advanced:
7.160 [extra7160] Check if Redshift has automatic upgrades enabled - redshift [Medium]
7.161 [extra7161] Check if EFS protects sensitive data with encryption at rest - efs [Medium]
7.162 [extra7162] Check if CloudWatch Log Groups have a retention policy of 365 days - cloudwatch [Medium]
7.163 [extra7163] Check if Secrets Manager key rotation is enabled - secretsmanager [Medium]
7.164 [extra7164] Check if CloudWatch log groups are protected by AWS KMS  - logs [Medium]
7.165 [extra7165] Check if DynamoDB: DAX Clusters are encrypted at rest - dynamodb [Medium]
7.166 [extra7166] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced - shield [Medium]
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
7.168 [extra7168] Check if Route53 hosted zones are protected by AWS Shield Advanced - shield [Medium]
7.169 [extra7169] Check if global accelerators are protected by AWS Shield Advanced - shield [Medium]
7.170 [extra7170] Check if internet-facing application load balancers are protected by AWS Shield Advanced - shield [Medium]
7.171 [extra7171] Check if classic load balancers are protected by AWS Shield Advanced - shield [Medium]

Enhancements

Fixes

New Contributors

Full Changelog: https://github.com/toniblyx/prowler/compare/2.6.1...2.7

prowler - Prowler 2.6.1

Published by toniblyx almost 3 years ago

What's Changed

  • e4edb5e - Enhancement IAM assumed role session duration error handling by @jfagoagas
  • 3e78f01 - Fix Terraform Kickstarter path in README by @z0ph
  • cee6437 - Fix issue #926 resource id and remediation typo
  • b251f31 - Fix issue #925 replace sensible by sensitive in multiple checks
  • 50de9f2 - Fix output for checks check3x when no CW group is in place
  • a6ba580 - Fix severity case variable

New Contributors

Full Changelog: https://github.com/toniblyx/prowler/compare/2.6.0...2.6.1

prowler - Prowler 2.6.0 - Phantom

Published by toniblyx almost 3 years ago


This release is named in honor of Phantom of the Opera, one of my favorite songs and a masterpiece by 🔥Iron Maiden🔥. It starts with "I've been lookin' so long for you now", like looking for security issues, isn't it? 🤘🏼 Enjoy it here while reading the rest of this note.

Important changes in this version:

  • The CIS level parameter (ITEM_LEVEL) has been restored to the csv, json and html outputs (it was removed in 2.5); CIS Scored is not added back since it is not relevant in the global Prowler reports. dd398a9
  • Security Hub integration has been fixed due to a conflict with duplicated findings in the management account by @xeroxnir
  • 12 new checks!! Thanks to @kbgoll05, @qumei, @georgie969, @ShubhamShah11, @jarrettandrulis, @dsensibaugh, @ManuelUgarte and @tekdj7. There are now a total of 207 checks. See below for details.
  • For known issues, please review https://github.com/toniblyx/prowler/issues?q=is%3Aissue+is%3Aopen+label%3Abug.
  • There is now a Discord server for Prowler; check it out in README.md.
  • There is a maintained Docker Hub repo for Prowler and an AWS ECR public repo as well. See the badges in README.md for details.
  • See the new features below for more details on the cool new stuff in this version.

New Features:

  • 12 new checks for efs, redshift, elb, dynamodb, route53, cloudformation and apigateway:
7.148 [extra7148] Check if EFS File systems have backup enabled - efs [Medium]
7.149 [extra7149] Check if Redshift Clusters have automated snapshots enabled - redshift [Medium]
7.150 [extra7150] Check if Elastic Load Balancers have deletion protection enabled - elb [Medium]
7.151 [extra7151] Check if DynamoDB tables point-in-time recovery (PITR) is enabled - dynamodb [Medium]
7.152 [extra7152] Enable Privacy Protection for a Route53 Domain - route53 [Medium]
7.153 [extra7153] Enable Transfer Lock for a Route53 Domain - route53 [Medium]
7.154 [extra7154] Enable termination protection for Cloudformation Stacks - cloudformation [Medium]
7.155 [extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode - elb [Medium]
7.156 [extra7156] Checks if API Gateway V2 has Access Logging enabled - apigateway [Medium]
7.157 [extra7157] Check if API Gateway V2 has configured authorizers - apigateway [Medium]
7.158 [extra7158] Check if ELBV2 has listeners underneath - elb [Medium]
7.159 [extra7159] Check if ELB has listeners underneath - elb [Medium]

Enhancements:

Fixes:

New Contributors

Full Changelog: https://github.com/toniblyx/prowler/compare/2.5.0...2.6.0

Thank you all for your contributions, the Prowler community is awesome! 🥳

prowler - Prowler 2.5.0 - Senjutsu

Published by toniblyx about 3 years ago


[Image: new Prowler logo]

This new version was planned to celebrate AWS re:Inforce, which would have taken place on August 24th and 25th but has been cancelled, and the new studio album of Iron Maiden (Senjutsu), to be released on September 3rd 2021. In any case, enjoy this new version. More cool stuff coming soon!

Prowler would have been present at the re:Inforce 2021 conference with a much anticipated workshop called "Building Prowler into a QuickSight powered AWS security dashboard". Templates and the workshop link will be public soon. For updates follow me on Twitter: https://twitter.com/ToniBlyx.


As Prowler keeps growing in user base and downloads (averaging 1400 clones/day), there are more contributions, and I want to thank you all for your feedback and code. Please keep contributing to make the Internet more secure.

New Features:

Please read these new features and changes carefully (they affect the CSV output and also improve the data in the ASFF JSON for the Security Hub integration); if you have integrations consuming the CSV, they may be affected.

  • New CSV headers, added PROWLER_START_TIME:
    PROFILE{SEP}ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC,CHECK_RESOURCE_ID,PROWLER_START_TIME.
  • 14 New checks (@jfagoagas, @nayabpatel, @Outrun207 and @pablopagani):
7.134 [extra7134] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21  - ec2 [High]
7.135 [extra7135] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092  - ec2 [High]
7.136 [extra7136] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23  - ec2 [High]
7.137 [extra7137] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434  - ec2 [High]
7.138 [extra7138] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port - ec2 [High]
7.139 [extra7139] There are High severity GuardDuty findings  - guardduty [High]
7.140 [extra7140] Check if there are SSM Documents set as public - ssm [High]
7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
7.142 [extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based http request smuggling - elb [Medium]
7.143 [extra7143] Check if EFS have policies which allow access to everyone - efs [Critical]
7.144 [extra7144] Check if CloudWatch has allowed cross-account sharing - cloudwatch [Medium]
7.145 [extra7145] Check if Lambda functions have policies which allow access to any AWS account - lambda [Critical]
7.146 [extra7146] Check if there is any unassigned Elastic IP - ec2 [Low]
7.147 [extra7147] Check if S3 Glacier vaults have policies which allow access to everyone - glacier [Critical]
  • Docker images are available in the official ECR https://gallery.ecr.aws/prowler/prowler (if you run Prowler with Fargate this will help you). Images at https://hub.docker.com/r/toniblyx/prowler won't be updated.
  • Now when using the -M option prowler shows the standard output but saves the requested reports in the background
  • Added code for better experience running Prowler in AWS CloudShell @hackersifu
  • Added support for custom output folder and S3 bucket (see ./prowler -h for details) using bucket-owner-full-control.
  • Added support for custom output file (see ./prowler -h for details) @yangsec888
  • Added servicename to the title for ASFF and used for QuickSight dashboard
  • Added resourceid and more metadata to the ASFF file to be imported in Security Hub @singergs
  • Added s3 and glue required permissions and removed obsoletes
  • Added section with info about regions in README.md
  • Added WAF CLASSIC check for extra7129 @kamiryo
  • Added severity and servicename to the default output, removed blue color on check ID.
  • Removed duplicated checks extra756 and extra737 @w0rmr1d3r
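Added example for the security group checks extra7134 to extra7137 above (written for this page, not Prowler's own bash checks): given a security group in the shape returned by ec2 describe-security-groups, it reports which of the listed ports are reachable from 0.0.0.0/0 or ::/0, handling port ranges, IPv6 ranges and "all traffic" (-1) rules. The group IDs and rules are constructed; Kafka over UDP is deliberately not flagged because the check targets the TCP port.

```python
# Services and TCP ports the checks above look for, keyed by the name used in their titles.
SENSITIVE_TCP_PORTS = {
    "FTP": {20, 21},
    "Kafka": {9092},
    "Telnet": {23},
    "Windows SQL Server": {1433, 1434},
}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _open_to_world(permission):
    """True if the rule's sources include the IPv4 or IPv6 any-address CIDR."""
    sources = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return any(cidr in WORLD_CIDRS for cidr in sources)


def _tcp_ports_covered(permission, ports):
    """Subset of `ports` reachable through this rule: all traffic, or a TCP port range."""
    protocol = str(permission.get("IpProtocol"))
    if protocol == "-1":
        return set(ports)  # "All traffic" rules carry no FromPort/ToPort
    if protocol not in ("tcp", "6"):
        return set()  # UDP/ICMP rules never expose these TCP services
    low = permission.get("FromPort", 0)
    high = permission.get("ToPort", 65535)
    return {port for port in ports if low <= port <= high}


def exposed_services(security_group):
    """Map service -> set of its ports that 0.0.0.0/0 or ::/0 can reach in this group."""
    exposed = {}
    for permission in security_group.get("IpPermissions", []):
        if not _open_to_world(permission):
            continue
        for service, ports in SENSITIVE_TCP_PORTS.items():
            hit = _tcp_ports_covered(permission, ports)
            if hit:
                exposed.setdefault(service, set()).update(hit)
    return exposed


def check_security_group(security_group):
    """One (status, detail) line per service, in the style of the checks listed above."""
    group_id = security_group.get("GroupId", "?")
    exposed = exposed_services(security_group)
    results = []
    for service in SENSITIVE_TCP_PORTS:
        if service in exposed:
            ports = ", ".join(str(p) for p in sorted(exposed[service]))
            results.append(("FAIL", f"{group_id} allows ingress from the Internet to {service} port(s) {ports}"))
        else:
            results.append(("PASS", f"{group_id} does not expose {service} to the Internet"))
    return results


# Constructed sample in the shape of ec2 describe-security-groups output (hypothetical IDs).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},          # private only
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 21,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},           # FTP to the world
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},              # SQL Server over IPv6
        {"IpProtocol": "udp", "FromPort": 9092, "ToPort": 9092,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},           # UDP: not Kafka's TCP port
    ],
}
ALL_OPEN_SG = {"GroupId": "sg-0fedcba9876543210",
               "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for status, detail in check_security_group(SAMPLE_SG) + check_security_group(ALL_OPEN_SG):
        print(status, detail)
```

Two details that single-port greps tend to miss are covered here: a wide range such as 0-65535 or an "all traffic" rule exposes every port in the table, and an IPv6 ::/0 source is just as open as 0.0.0.0/0.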

Enhancements:

  • HTML report: filtering and other nice things @nickmalcolm
  • License file and banner consolidation
  • Now it shows the default output regardless of the custom outputs requested with -M
  • Clean up check title without info related to CIS (like scored, etc. CIS support still in Prowler)
  • Updated Docker image to Alpine to 3.13 and with py3-pip in Dockerfile @gliptak
  • Improved error handling sts get-caller-identity @pablopagani
  • Improved error handling when listing regions @pablopagani
  • Updated html report color contrast for WCAG 2.1 accessibility standards @danielperez660
  • Updated Prowler additions policy
  • Updated check12 - Missing MFA at the beginning of remediation @thorkill
  • Removed CSV header in stdout
  • Updated README to include reference to CloudShell https://github.com/toniblyx/prowler/tree/2.5/util/cloudshell @hackersifu
  • Updated README with better coverage of -f <filterregion> usage info

Fixes:

  • Fixed Security Hub integration error where the resource type was always empty (#776)
  • Fixed credential renewal breaking on Alpine Linux (#775)
  • Fixed check extra747 grammar #774
  • Fixed grammar issue in scoring @w0rmr1d3r
  • Fixed check21 to fail if trail is off
  • Fixed aws organizations multi-account deployment s3 upload issue @owlvat
  • Corrected bug on groups when listing checks @pablopagani
  • Fixed issue #811 @h1008
  • Fixed kms keys compatibility in cli v2 and v1 @dbellizzi
  • Fixed typo in check extra7141 ID
  • Fixed alias of extra7139
  • Fixed link to doc for check45 check46 extra7138 and extras

*If you have made a contribution to this release and I missed your GitHub id here, my apologies; please let me know so I can include you. Thank you!