Releases: gabrielsoltz/metahub

2.0.3: More context and Impact improvements

16 Nov 16:27
5df3607
  • When calculating the impact for resources without enough context, we now flag them as unknown to avoid affecting the final impact scoring calculations
  • New context properties for resource: AwsEc2Subnet

2.0.2: New Impact Checks and Resources

10 Nov 17:12
9711a4b

There is a lot of progress on the Impact Module code quality, standardization, and bug fixing.

New Features:

  • New Impact Access Check: unrestricted-service: The policy allows an AWS service as principal without restriction.
  • New Impact Exposure Check: launch-public: These are resources that can launch other resources as public. For example, an Auto Scaling group or a Subnet.
  • New Context Resource: AwsElastiCacheReplicationGroup

2.0.1

07 Nov 18:58
32ff253

Improving documentation and code quality. We are getting there...

What's Changed

Full Changelog: v2.0.0...v2.0.1

2.0.0: This is a completely new MetaHub!

05 Nov 18:20
28fde90

New beginning: this version of MetaHub is an entirely new and significantly better product.

Changelog Highlights:

  • The Meta Outputs concept was deprecated entirely: there are no more MetaTags, MetaChecks, MetaAccount, and MetaTrail. They were too many different things doing almost the same job, adding complexity to the code and making the product harder to understand.
  • The new Context module handles all those tasks together, faster, without code duplication, and much more efficiently.
  • The module still executes four main processes: config (which includes associations), tags, account, and cloud trail. This version enables config and tags by default; you can enable the others with the --context option.
  • All the MetaChecks were migrated with new standardized names: we no longer follow notations like is_.... or its_attached_to.....; they were very confusing and added a layer of complexity. Now, for configurations, we use the name of the configuration parameter, and for associations, a dictionary for each resource type with the list of resources.
  • There is a new Impact module: it executes after Context and processes all that information. It then takes care of three critical tasks:
    • For every affected resource, it analyzes five fundamental properties: exposure, access, status, encryption, and environment.
    • It generates a findings metric based on the total number of security findings and their severity for every resource.
    • Based on the previous metric and the output of the critical properties, it generates an Impact Scoring metric.
  • The HTML output was refreshed entirely and can be used for a better understanding of this concept.

Happy Hunting!

1.5.1: Bug fixing and updates

23 Oct 17:18
bf15152

What's Changed

Full Changelog: v1.5.0...v1.5.1

1.5.0: Automated Impact Scoring

10 Sep 14:05
2d09c85

This release focuses on the new feature Impact Scoring and much more!

MetaHub can now calculate an automated impact score for each security finding by considering both the context of the affected resource and the severities of all findings affecting that resource.

You can read more about this feature here

Also in this release:

  • 10 New MetaChecks Resources supported!
  • New Output Mode format: XLSX!
  • Terraform code for lambda creation now automatically creates the zip files for the lambda and the layer!
  • Docker image improvements, new versioning, and reduced image size by using .dockerignore

Happy Hunting

What's Changed

Full Changelog: v1.4.2...v1.5.0

1.4.2: is_unrestricted Impact MetaCheck improvements

03 Aug 18:57
bd301b6

This release focuses on the Impact MetaCheck is_unrestricted, making it consistently evaluate effective unrestricted access and adding resources where it was missing.

For example, an S3 bucket is now considered effectively unrestricted only if the attached policy is unrestricted and there is no S3 public access block at the bucket or account level. This logic was reviewed and enforced for every resource. This Impact MetaCheck now also returns the unrestricted policy statement when it's True (instead of only True).
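The rule above (policy unrestricted AND no public access block at bucket or account level, answering with the matching statement rather than a bare True) as an added example; this is a hypothetical reimplementation, not MetaHub's own code, and the function names, sample policies and block configurations are constructed for illustration.

```python
# Added example, not MetaHub's own code: a hypothetical reimplementation of the
# 1.4.2 rule that an S3 bucket is effectively unrestricted only when its policy
# has an unrestricted Allow statement AND no public access block applies at the
# bucket or account level. Function names and sample data are constructed here.
from typing import Any, Optional


def statement_is_unrestricted(statement: dict[str, Any]) -> bool:
    # Allow to principal "*" (or AWS: "*") with no Condition. Any Condition is
    # treated as restricting, a conservative assumption of this example.
    if statement.get("Effect") != "Allow" or statement.get("Condition"):
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_access_blocked(block: Optional[dict[str, bool]]) -> bool:
    # RestrictPublicBuckets is the setting that makes S3 ignore public grants in
    # an existing policy, so that flag is what neutralizes the policy here.
    return bool(block and block.get("RestrictPublicBuckets", False))


def is_unrestricted(policy: dict[str, Any], bucket_block: Optional[dict[str, bool]],
                    account_block: Optional[dict[str, bool]]):
    # Returns the unrestricted statements when the bucket is effectively
    # unrestricted, otherwise False (as the 1.4.2 MetaCheck answers).
    if public_access_blocked(bucket_block) or public_access_blocked(account_block):
        return False
    open_statements = [s for s in policy.get("Statement", [])
                       if statement_is_unrestricted(s)]
    return open_statements or False


# Constructed sample inputs, not real account data.
PUBLIC_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
PRIVATE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
BUCKET_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
ACCOUNT_BLOCK = {"RestrictPublicBuckets": True}
```

With PUBLIC_POLICY and no blocks the result is the single public GetObject statement; adding either block, or using PRIVATE_POLICY, yields False.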

1.4.1: Not found resources handled and new MetaChecks

30 Jul 17:38
007a136

This release adds new MetaChecks for the resource types AwsKmsKey and AwsSecretsManagerSecret, and now handles not-found resources for every resource type, preventing MetaChecks from running when the resource is not present.

Meta

  • New MetaCheck and MetaTrails for the resource type: AwsKmsKey
  • New MetaCheck and MetaTrails for the resource type: AwsSecretsManagerSecret
  • MetaCheck is_public removed from AwsEc2NetworkAcl as it's not an effective check
  • New MetaChecks it_has_name and it_has_subscriptions_confirmed for the resource type AwsSnsTopic
  • When a resource is not found, MetaChecks answer False

1.4.0: Metahub supercharged with multithreading and a lot more

20 Jul 20:41
ee152cb

This release focuses on performance by implementing multithreading, making Metahub run 10x faster!

That's not all:

MetaChecks

  • New MetaChecks Resources: AwsEc2Vpc, AwsEc2Subnet and AwsEc2RouteTable
  • New drilled MetaChecks for its_associated_with_vpcs, its_associated_with_subnets and its_associated_with_route_tables across resources
  • Fix: the it_has_public_access_block_enabled MetaCheck was always returning the public access block's content, so it was always True for filters.
  • Fix: is_principal_external was executed even when trusted_accounts was empty, so it was always True, because no account is ever in an empty list.
  • Fix: AwsEc2Subnet bug
  • Fix: AwsElasticsearchDomain bug

Lambda / Security Hub Custom Actions

  • AWS Security Hub actions (--enrich-findings and --update-findings) can now be run without confirmation (--no-actions-confirmation), which is useful for automated workflows like Custom Actions/Lambdas
  • New Lambda behaviour for AWS Security Hub custom actions: the Lambda now reads the findings from the Lambda event and runs for each finding in that event with Meta* enabled. It enriches the finding back in Security Hub in an automated way.
  • The Enrich Findings functionality now converts MetaChecks to booleans to avoid hitting the API's maximum size limit and to make the AWS Security Hub filters really useful.
  • The Enrich Findings functionality now also adds MetaTrails and MetaAccount.
  • Terraform code for the Lambda improved: IAM policies, layers, etc.

Outputs

  • Outputs folder is now part of the code to avoid errors with a fresh installation
  • Fix statistics counting for resources
  • Updated tabulator version for HTML reports
  • HTML search by ARN

Others

  • Remove unused modules
  • Split MetaAccount code
  • Implement Security Hub get_findings progress bar

Happy Hunting 🚀

1.3.1: New IAM MetaChecks and more!

13 Jul 19:24
8347848

This release adds new MetaChecks for the critical IAM resources AwsIamGroup and AwsIamUser, and new MetaChecks for the already supported resource AwsIamRole.

It also standardizes the MetaCheck is_attached in resources: AwsAutoScalingLaunchConfiguration, AwsEc2LaunchTemplate, AwsEc2NetworkAcl and AwsEc2SecurityGroup.

New MetaTrails events and bug fixing.