Releases: gabrielsoltz/metahub
2.0.3: More context and Impact improvements
- When calculating the impact for resources without enough context, we now flag them as unknown to avoid affecting the final impact scoring calculations
- New context properties for resource: `AwsEc2Subnet`
2.0.2: New Impact Checks and Resources
There is a lot of progress on the Impact Module code quality, standardization, and bug fixing.
New Features:
- New Impact Access Check: `unrestricted-service`: The policy allows an AWS service as principal without restriction.
- New Impact Exposure Check: `launch-public`: These are resources that can launch other resources as public. For example, an Auto Scaling group or a Subnet.
- New Context Resource: `AwsElastiCacheReplicationGroup`
2.0.1
Improving documentation and code quality. We are getting there...
What's Changed
- Documentation Improvements by @gabrielsoltz in #51
- Small fixes after the major release by @gabrielsoltz in #52
- Docs and Quality by @gabrielsoltz in #53
Full Changelog: v2.0.0...v2.0.1
2.0.0: This is a completely new MetaHub!
New beginning: this version of MetaHub has created an entirely new, significantly better product.
Changelog Highlights:
- The `Meta Outputs` concept was deprecated entirely: there are no more `MetaTags`, `MetaChecks`, `MetaAccount`, and `MetaTrail`, as they were too many different things doing almost the same, adding complexity to the code and making the product more difficult to understand.
- The new Context module will handle all those tasks together in a faster way, without code duplication, and much more efficiently.
- The module still executes four main processes: `config` (which includes associations), `tags`, `account`, and `cloud trail`. This version enables `config` and `tags` by default; you can enable the other ones using the option `--context`.
- All the `MetaChecks` were migrated with new standardized names: we no longer follow notations like `is_....` or `its_attached_to.....`; this was very confusing and added a complexity layer. Now, for configurations, we use the name of the configuration parameter, and for associations, a dictionary for each resource type with the list of resources.
- There is a new Impact module: this module executes after context and processes all that information.
- It then takes care of 3 critical tasks:
  - For every affected resource, it will analyze five fundamental properties: `exposure`, `access`, `status`, `encryption`, and `environment`.
  - It will generate a findings metric based on the total amount of security findings and their severity for every resource.
  - Based on the previous metric and the output of the critical properties, it will generate an Impact Scoring metric.
- The HTML output was refreshed entirely and can be used for a better understanding of this concept.
Happy Hunting!
1.5.1: Bug fixing and updates
What's Changed
- fix_lambda_docker_tagging by @gabrielsoltz in #45
- chore(Lambda): Improved lambda configuration and better docs by @gabrielsoltz in #46
- Readme Improvements by @gabrielsoltz in #47
- fix-input-asff by @gabrielsoltz in #48
- update-python-docker by @gabrielsoltz in #49
Full Changelog: v1.5.0...v1.5.1
1.5.0: Automated Impact Scoring
This release focuses on the new feature Impact Scoring and much more!
MetaHub can now calculate an automated impact score for each security finding by considering both the context of the affected resource and the severities of all findings affecting that resource.
You can read more about this feature here
Also in this release:
- 10 New MetaChecks Resources supported!
- New Output Mode format: XLSX!
- Terraform code for lambda creation now automatically creates the zip files for the lambda and the layer!
- Docker image improvements, new versioning, and reduced image size by using `.dockerignore`
Happy Hunting
What's Changed
- improvement(terraform): Automated lambda and layer creation using Terraform by @gabrielsoltz in #36
- feat(Metacheck): New MetaCheck `is_unrotated` for keys and secrets by @gabrielsoltz in #37
- feat: impact scoring by @gabrielsoltz in #35
- feat(outputs): New XLSX output mode and other outputs improvements by @gabrielsoltz in #39
- feat(pipelines): Pre-Commits, GHA and pipelines by @gabrielsoltz in #40
- Fix gha docker by @gabrielsoltz in #41
- chore(Docker): Remove unnecessary files from docker using .dockerignore by @gabrielsoltz in #42
- chore(repo): more pre-commits tweaks by @gabrielsoltz in #43
- feat (MetaChecks): Adding New resources for MetaChecks by @gabrielsoltz in #38
- feat(Outputs): Add impact to outputs by @gabrielsoltz in #44
Full Changelog: v1.4.2...v1.5.0
1.4.2: is_unrestricted Impact MetaCheck improvements
This release focuses on the Impact MetaCheck `is_unrestricted`, making it consistently check for effective unrestricted access and adding it to some resources where it was missing.
For example, an S3 bucket is now only considered effectively unrestricted if the attached policy is unrestricted and there is also no S3 public access block at the bucket or account level. This logic was reviewed and enforced for every resource. This Impact MetaCheck now also returns the unrestricted policy statement when it is True (instead of only True).
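As an added illustration of the effective-unrestricted logic described above (example code, not MetaHub's own implementation), the function below takes a bucket policy document plus the bucket-level and account-level PublicAccessBlock configurations and returns the offending statement(s) when the bucket is effectively unrestricted, or False otherwise. It assumes that `RestrictPublicBuckets` is the setting that neutralises an existing public policy, and it treats statements carrying a `Condition` as restricted; both are simplifications of this example.

```python
# Added example (not MetaHub's code): an S3 bucket is *effectively* unrestricted
# only if its policy grants access to everyone AND no public access block at the
# bucket or account level neutralises that policy.

# Constructed sample inputs, shaped like the S3 API's policy document and
# PublicAccessBlockConfiguration responses.
WILDCARD_POLICY = {"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SCOPED_POLICY = {"Statement": [
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _principal_is_everyone(principal):
    """True when the statement's Principal is the wildcard ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def unrestricted_statements(policy):
    """Allow statements open to everyone; statements with a Condition are
    treated as restricted here (a simplification assumed by this example)."""
    stmts = (policy or {}).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and _principal_is_everyone(s.get("Principal"))
            and not s.get("Condition")]


def public_policy_blocked(pab):
    """RestrictPublicBuckets (at either level) nullifies an existing public policy."""
    return bool(pab and pab.get("RestrictPublicBuckets"))


def is_unrestricted(policy, bucket_pab=None, account_pab=None):
    """Mirror the release's is_unrestricted behaviour: return the offending
    statement(s) when the bucket is effectively unrestricted, otherwise False."""
    if public_policy_blocked(bucket_pab) or public_policy_blocked(account_pab):
        return False
    return unrestricted_statements(policy) or False
```

A missing PublicAccessBlock (API returns none) is passed as `None` and counts as "no block", which is the case the release's logic is designed to catch.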
1.4.1: Not found resources handled and new MetaChecks
This release adds new MetaChecks for the resource types `AwsKmsKey` and `AwsSecretsManagerSecret`, and now handles not-found resources for any resource type, preventing MetaChecks from being executed when the resource is not present.
Meta
- New MetaCheck and MetaTrails for the resource type: `AwsKmsKey`
- New MetaCheck and MetaTrails for the resource type: `AwsSecretsManagerSecret`
- MetaCheck `is_public` removed from `AwsEc2NetworkAcl` as it's not an effective check
- MetaCheck `it_has_name` and `it_has_subscriptions_confirmed` for resource type `AwsSnsTopic`
- When a resource is not found, MetaChecks answer `False`
1.4.0: Metahub supercharged with multithreading and a lot more
This release focuses on performance by implementing multithreading, making Metahub run 10x faster!
That's not all:
MetaChecks
- New MetaChecks Resources: `AwsEc2Vpc`, `AwsEc2Subnet` and `AwsEc2RouteTable`
- New Drilled MetaChecks when: `its_associated_with_vpcs`, `its_associated_with_subnets` and `its_associated_with_route_tables` across resources
- Fix: `it_has_public_access_block_enabled` MetaCheck was always returning the public block's content, meaning it was always True for filters.
- Fix: `is_principal_external` was being executed even if `trusted_accounts` was empty, meaning always True because the account was never in an empty list.
- Fix: AwsEc2Subnet bug
- Fix: AwsElasticsearchDomain bug
Lambda / Security Hub Custom Actions
- AWS Security Hub actions (`--enrich-findings` and `--update-findings`) can now be run without confirmation (`--no-actions-confirmation`), which is useful for automated workflows like Custom Actions/Lambdas
- New Lambda behaviour for AWS Security Hub custom actions: the Lambda will now read the finding from the Lambda event and will be executed for each finding in that event with Meta* enabled. It will enrich the finding back in Security Hub in an automated way.
- Enrich Findings functionality now converts MetaChecks to booleans to avoid reaching the API's maximum size limitation and to make the AWS Security Hub filters really useful.
- Enrich Findings functionality now also adds MetaTrails and MetaAccount.
- Terraform code for the Lambda improved: IAM policies, layers, etc.
Outputs
- Outputs folder is now part of the code to avoid errors with a fresh installation
- Fix statistics counting for resources
- Updated tabulator version for HTML reports
- HTML search by ARN
Others
- Remove unused modules
- Split MetaAccount code
- Implement Security Hub get_findings progress bar
Happy Hunting 🚀
1.3.1: New IAM MetaChecks and more!
This release adds new MetaChecks for critical IAM resources: `AwsIamGroup` and `AwsIamUser`, and also new MetaChecks for the already existing resource `AwsIamRole`.
It also standardizes the MetaCheck `is_attached` in resources: `AwsAutoScalingLaunchConfiguration`, `AwsEc2LaunchTemplate`, `AwsEc2NetworkAcl` and `AwsEc2SecurityGroup`.
New MetaTrails events and bug fixing.