Releases: gabrielsoltz/metahub

v2.5.0: SQLite and PowerPipe Dashboards Mod!

06 Apr 19:35
8c8d9f9

MetaHub now supports SQLite as an output format, so you can use it with Powerpipe for dashboarding!
A Powerpipe mod with three dashboards is now included as part of the tool!

Other improvements include no longer exiting on errors and enhancements to the ElastiCache resource.

Full Changelog: v2.4.3...v2.5.0

v2.4.3

24 Mar 05:30
188a58b

New filters! You can now filter by Impact keys using the option --mh-filters-impact (in addition to --mh-filters-tags, --mh-filters-config, and the Security Hub filters --sh-filters).

Examples:

Filter all Security Hub findings affecting resources whose exposure is calculated as effectively-public: ./metahub --mh-filters-impact exposure=effectively-public

Filter all Security Hub findings affecting resources whose status is calculated as not-attached: ./metahub --mh-filters-impact status=not-attached

Other changes:

  • Implemented several ASFF fixing mechanisms, since some sources do not generate correct output: for example, filling in the Region when it is missing and correcting the Resource Type when it is wrong.
  • Some improvements in error handling
  • AWS Security Hub has for some time been adding Tags to the affected resources 🥳 The code now checks whether the Tags are already present in the resource details and skips the API call when they are.
  • New resource type: Container. For now, we only check whether there is a policy attached.
  • Improved README with examples on how to use MetaHub with Powerpipe, Trivy, and Prowler
  • Code quality improvements
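The two ASFF fixes above (Region missing, Resource Type wrong) and the "use the Tags Security Hub already gave us" shortcut, as an added example that is not MetaHub's own code. It relies on the real ASFF Resources[] shape (Id, Type, Region, Tags); the ARN_TYPE_HINTS table is a small illustrative assumption rather than MetaHub's mapping, and the finding and the tagging-API stand-in are constructed so the script runs offline.

```python
"""Added example (not MetaHub's own code): repair an ASFF finding's
Resources[] entries and read tags from the resource itself before calling
any tagging API.

Assumptions (labelled): the ASFF Resources[] shape (Id, Type, Region, Tags)
is the real one; ARN_TYPE_HINTS is a small illustrative table, not
MetaHub's; SAMPLE_FINDING and fake_fetch are constructed sample data."""

from typing import Callable, Dict, Optional, Tuple


def arn_fields(arn: str) -> Optional[Dict[str, str]]:
    """Split an ARN into its fields: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


# Illustrative (service, resource-prefix) -> ASFF type table. An assumption
# for this example; a real tool needs a complete mapping.
ARN_TYPE_HINTS = {
    ("ec2", "instance/"): "AwsEc2Instance",
    ("iam", "role/"): "AwsIamRole",
    ("ecr", "repository/"): "AwsEcrRepository",
    ("s3", ""): "AwsS3Bucket",
}


def fix_resource(resource: dict) -> dict:
    """Return a copy with Region filled from the ARN and Type corrected from the ARN."""
    fixed = dict(resource)
    fields = arn_fields(str(resource.get("Id", "")))
    if fields is None:
        return fixed  # not an ARN: nothing we can derive
    # Region missing in the finding but present in the ARN (IAM and S3 ARNs have none).
    if not fixed.get("Region") and fields["region"]:
        fixed["Region"] = fields["region"]
    # Type that contradicts what the ARN says the resource is.
    for (service, prefix), asff_type in ARN_TYPE_HINTS.items():
        if fields["service"] == service and fields["resource"].startswith(prefix):
            fixed["Type"] = asff_type
            break
    return fixed


def resource_tags(resource: dict, fetch_tags: Callable[[str], Dict[str, str]]) -> Dict[str, str]:
    """Prefer Tags already embedded by Security Hub; call fetch_tags(arn) only when absent."""
    tags = resource.get("Tags")
    if isinstance(tags, dict):
        return dict(tags)
    return fetch_tags(resource["Id"])


def fix_finding(finding: dict, fetch_tags: Callable[[str], Dict[str, str]]) -> dict:
    """Apply both fixes to every resource of one finding; returns a new finding."""
    out = dict(finding)
    out["Resources"] = []
    for resource in finding.get("Resources", []):
        fixed = fix_resource(resource)
        fixed["Tags"] = resource_tags(fixed, fetch_tags)
        out["Resources"].append(fixed)
    return out


# Constructed sample finding: one resource with a wrong Type and no Region,
# one with Tags already supplied by Security Hub.
SAMPLE_FINDING = {
    "Id": "example-finding-1",
    "Resources": [
        {"Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123", "Type": "Other"},
        {"Id": "arn:aws:iam::123456789012:role/app-role", "Type": "AwsIamRole",
         "Region": "us-east-1", "Tags": {"Environment": "prod"}},
    ],
}


def demo() -> Tuple[dict, list]:
    """Run the fixes on SAMPLE_FINDING with a counting stand-in for the tagging API."""
    calls = []

    def fake_fetch(arn: str) -> Dict[str, str]:
        calls.append(arn)  # constructed stand-in: records which ARNs needed an API call
        return {"Owner": "platform"}

    return fix_finding(SAMPLE_FINDING, fake_fetch), calls


if __name__ == "__main__":
    fixed_finding, api_calls = demo()
    for r in fixed_finding["Resources"]:
        print(r["Type"], r.get("Region"), r["Tags"])
    print("tag API calls:", api_calls)
```

Only the EC2 resource triggers a tagging call; the IAM role already carries Tags and is never fetched, which is the saving the release note describes.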

Full Changelog: v2.4.2...v2.4.3

v2.4.2: fix release issues and update docker

11 Mar 16:15
9015216

The last release was incomplete due to errors in the docker build process. Now it is fixed, and docker images and dependencies are updated.

Full Changelog: v2.4.1...v2.4.2

v2.4.1: Minor fixes and improvements

11 Mar 15:42
fd98abe
  • New CloudTrail event for AwsEcrRepository
  • Improve outputs for Access Impact
  • Improve Dependencies version handling

Full Changelog: v2.4.0...v2.4.1

v2.4.0: Accounts improvements for AWS Organizations and more

17 Dec 15:31
f77d446

The AWS account context module has been improved and fixed, and it is now enabled by default. Previously, only the AWS Organizations management account or a delegated administrator could fetch AWS Organizations information, which led to false positives. This has been resolved, and additional AWS Organizations context, such as parents and policies, has been added.

The CloudFront resource type can now detect associated S3 resources based on its configuration.

Finally, the MetaHub documentation has been completely rewritten.

Full Changelog: v2.3.0...v2.3.1

v2.3.0

10 Dec 19:06
641333b

For this new version, we have a lot of improvements:

Impact

  • owner is a new Impact condition: you can identify the owner by tags, account ID, or account alias and assign an impact score to each owner.
  • Some code improvements to the Impact module to reuse code
  • You can now evaluate Application by account ID or alias (in addition to tags)
  • The findings key is now under impact, with the score based on findings that we use as part of the final scoring calculation. Expanding this key shows how many findings we count and their severities.
  • The statistics module was improved; you can now get statistics for every impact condition.

Context

  • There are new resources, like AwsAthenaWorkGroup, and new associations for the resource AwsEc2Volume.
  • Some improvements to the code for performance and recursion protection.

HTML

  • The HTML report for Impact scoring now shows the number instead of the progress bar, making it easier to understand the difference between each row.
  • There is a new widget for grouping findings by Impact scoring at the top of the HTML report.

Others

  • Ignore not found errors for AwsIamPolicy resource
  • Fix incorrect ARNs generated by AWS tools

Security Hub

  • The Lambda code for the Security Hub custom action now applies a filter by ResourceId instead of by finding Id. This way, for one finding, we calculate the impact score based on all the other findings affecting the same resource.
  • Added Security Hub Insights for Access and Status to the Terraform code
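The custom-action behaviour above, together with the findings-by-severity summary from the Impact section, as an added example that is not MetaHub's own code. It assumes the real shapes of a Security Hub custom-action EventBridge event (findings under detail.findings) and of the get_findings Filters argument (ResourceId / RecordState with Value and Comparison); the severity weights, the findings store and the stand-in for get_findings are this example's own so it runs offline.

```python
"""Added example (not MetaHub's own code): for each finding delivered by a
Security Hub custom action, fetch every active finding on the same resource
(filtering by ResourceId, not by finding Id) and summarise them by severity.

Assumptions (labelled): event["detail"]["findings"] and the get_findings
Filters shape are the real ones; SEVERITY_WEIGHTS, FINDINGS_STORE and
fake_get_findings are constructed for this example."""

from collections import Counter
from typing import Callable, Dict, List

# Example weights only; MetaHub's scoring is configurable and not reproduced here.
SEVERITY_WEIGHTS = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}


def resource_filter(resource_arn: str) -> dict:
    """Build get_findings Filters for one resource, active records only."""
    return {
        "ResourceId": [{"Value": resource_arn, "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    }


def summarise(findings: List[dict]) -> dict:
    """Count findings per Severity.Label and turn that into one weighted score."""
    counts = Counter(f.get("Severity", {}).get("Label", "INFORMATIONAL") for f in findings)
    score = sum(SEVERITY_WEIGHTS.get(label, 0) * n for label, n in counts.items())
    return {"count": len(findings), "by_severity": dict(counts), "score": score}


def handle_custom_action(event: dict, get_findings: Callable[[dict], List[dict]]) -> Dict[str, dict]:
    """Return {resource_arn: summary} for every resource referenced by the action's findings.

    get_findings is injected so the real call (boto3 securityhub get_findings,
    paginated) can be swapped in; here it receives the Filters dict only."""
    results: Dict[str, dict] = {}
    for finding in event["detail"]["findings"]:
        for resource in finding.get("Resources", []):
            arn = resource["Id"]
            if arn in results:
                continue  # same resource reached from two findings: compute once
            results[arn] = summarise(get_findings(resource_filter(arn)))
    return results


# Constructed findings store standing in for Security Hub.
ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"
BUCKET_ARN = "arn:aws:s3:::app-logs"
FINDINGS_STORE = [
    {"Id": "f-1", "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE", "Resources": [{"Id": ROLE_ARN}]},
    {"Id": "f-2", "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE", "Resources": [{"Id": ROLE_ARN}]},
    {"Id": "f-3", "Severity": {"Label": "LOW"}, "RecordState": "ARCHIVED", "Resources": [{"Id": ROLE_ARN}]},
    {"Id": "f-4", "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE", "Resources": [{"Id": BUCKET_ARN}]},
]


def fake_get_findings(filters: dict) -> List[dict]:
    """Apply the ResourceId and RecordState filters to FINDINGS_STORE (constructed stand-in)."""
    wanted_id = filters["ResourceId"][0]["Value"]
    wanted_state = filters["RecordState"][0]["Value"]
    return [
        f for f in FINDINGS_STORE
        if f["RecordState"] == wanted_state and any(r["Id"] == wanted_id for r in f["Resources"])
    ]


# Constructed custom-action event carrying only finding f-1.
SAMPLE_EVENT = {"detail": {"actionName": "MetaHub", "findings": [FINDINGS_STORE[0]]}}


def demo() -> Dict[str, dict]:
    return handle_custom_action(SAMPLE_EVENT, fake_get_findings)


if __name__ == "__main__":
    for arn, summary in demo().items():
        print(arn, summary)
```

Although the action delivered a single HIGH finding, the role's summary counts two active findings (HIGH and CRITICAL); the archived LOW one is excluded by the RecordState filter, and the bucket is untouched because no delivered finding references it.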

Happy Hunting!

Full Changelog: v2.2.0...v2.3.0

2.2.0: New Impact based on Application!

04 Dec 21:08
faec842

MetaHub now supports Impact scoring based on the new AWS myApplications feature.

The environment impact definition was also improved; you can now define as many environments as your context needs, based on tags and account information.

Full Changelog: v2.1.2...v2.2.0

2.1.2: Enrichment and Security Hub integration improvements

19 Nov 18:21
727176d

Some improvements to the Enrichment feature and the Security Hub integration.

  • Enrichment function improvements: when enriching a finding, all context categories (tags, account, config, associations, cloudtrail, and impact) are added by default; this is configurable in the configuration file. We now use the Criticality field for Impact Scoring.
  • The Lambda function is no longer configured to enrich findings by default; you need to enable it manually in the code.
  • Enabled 2 levels of recursion for some resource types, which seems to be safe and useful.
  • The Terraform Code now creates the Security Hub custom action and connects it to the Lambda!
  • The Terraform Code now creates Security Hub insights for some of the Impact metrics!
  • Don't generate an error when there is no AWS Organization
  • Standardizing the status output with the details

2.1.1

18 Nov 16:49
cfa6644

Improve logic for caching associations without using recursion

2.1.0: Performance and Recursion

18 Nov 14:17
54ab282

This release focuses on performance and association recursion improvements.

  • Associated resources are now "cached" across the whole execution, meaning that if a resource is associated with more than one resource, we only scan it once.
  • Recursion for associations is now standardized and applies to any resource in any combination, up to a maximum of 2 levels; when an IAM Role is on the path we go one level further, since roles are important for understanding Context. Previously, this recursion depth was only supported for a few resources, like roles, policies, route tables, and volumes. Now, we do 2 recursion levels for any resource.
  • Instances and IAM Users are now supported as associated resources for drilling.
  • Some previously hardcoded values, like 'assume_role_duration' and options related to the outputs, are now in the configuration file.
  • The unknown value is now, by default, excluded from the Impact Scoring calculation. This can be configured.
  • I'm trying to clean up the main file for a better understanding of its logic, so I'm slowly moving related code together to new files, in this case, everything related to findings.
  • Some bug fixing
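The association drilling described in the 2.1.0 and 2.1.2 notes (one scan per resource for the whole run, a 2-level limit, one extra level when an IAM role is on the path), as an added example that is not MetaHub's own code. The association graph is constructed sample data and "scanning" is a lookup in it; MetaHub's real drilling calls AWS APIs.

```python
"""Added example (not MetaHub's own code): depth-limited drilling into
associated resources with a per-run cache.

Assumptions (labelled): GRAPH is constructed sample data standing in for
the AWS lookups; the level rule (2 levels, 3 when an IAM role is on the
path) is the one the release notes state."""

from typing import Dict, List, Tuple

MAX_LEVELS = 2
ROLE_TYPE = "AwsIamRole"

# Constructed graph: id -> (ASFF type, directly associated ids). Two instances
# share one security group; one instance uses a role that carries a policy.
GRAPH: Dict[str, Tuple[str, List[str]]] = {
    "i-1": ("AwsEc2Instance", ["sg-1", "role-1"]),
    "i-2": ("AwsEc2Instance", ["sg-1"]),
    "sg-1": ("AwsEc2SecurityGroup", ["vpc-1"]),
    "vpc-1": ("AwsEc2Vpc", ["rtb-1"]),
    "rtb-1": ("AwsEc2RouteTable", ["igw-1"]),
    "igw-1": ("AwsEc2InternetGateway", []),
    "role-1": ("AwsIamRole", ["policy-1"]),
    "policy-1": ("AwsIamPolicy", ["kms-1"]),
    "kms-1": ("AwsKmsKey", []),
}


class Driller:
    """Drills associations for many findings in one run, scanning each resource once."""

    def __init__(self, graph: Dict[str, Tuple[str, List[str]]]):
        self.graph = graph
        self.cache: Dict[str, Tuple[str, List[str]]] = {}  # id -> (type, associations)
        self.scans = 0  # how many "API" lookups actually happened

    def scan(self, resource_id: str) -> Tuple[str, List[str]]:
        """Fetch one resource's type and direct associations, once per run."""
        if resource_id not in self.cache:
            self.scans += 1
            self.cache[resource_id] = self.graph.get(resource_id, ("Unknown", []))
        return self.cache[resource_id]

    def drill(self, resource_id: str, level: int = 0, limit: int = MAX_LEVELS) -> dict:
        """Build the association tree below resource_id, stopping at `limit` levels.

        The depth bound is what protects against cycles in the graph: a cached
        resource is cheap to revisit, but it is never expanded past the limit."""
        rtype, children = self.scan(resource_id)
        if rtype == ROLE_TYPE and limit == MAX_LEVELS:
            limit += 1  # an IAM role on the path earns exactly one extra level
        node = {"type": rtype, "associations": {}}
        if level >= limit:
            return node  # limit reached: children are neither scanned nor expanded
        for child in children:
            node["associations"][child] = self.drill(child, level + 1, limit)
        return node


def demo() -> Tuple[Driller, dict, dict]:
    """Drill two instances that share a security group with one Driller."""
    driller = Driller(GRAPH)
    first = driller.drill("i-1")
    second = driller.drill("i-2")
    return driller, first, second


if __name__ == "__main__":
    d, tree_1, tree_2 = demo()
    print("scans:", d.scans, "cached:", sorted(d.cache))
    print(tree_1)
```

Drilling i-1 reaches vpc-1 through the security group and stops there (rtb-1 is never scanned), while the role branch is allowed one more hop and reaches kms-1. Drilling i-2 afterwards costs a single extra scan, because sg-1 and vpc-1 are already cached.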