
Prowler 3.7.0 - Gates of Tomorrow

@sergargar sergargar released this 06 Jul 15:19
· 821 commits to master since this release

Trapped in the web, but I cut the threads
Show you the gates of tomorrow
Trapped in the web, no mercy is shed
Show you the gates of tomorrow
Trapped in the web, slaves to the dead
Show you the gates of tomorrow
Trapped in the web, but I cut the threads
Show you the gates of tomorrow

As the song says, this version of Prowler is opening gates of tomorrow! More compliance frameworks like MITRE ATT&CK®, ISO27001 (2013) and the AWS Well-Architected Framework Reliability pillar (in addition to the existing Security pillar), better support for the Allowlist feature, and 73 new checks for GCP covering the CIS Benchmark 2.0 for Google Cloud! Take this one and start closing doors to the bad guys!

New features to highlight in this version:

🥳 GCP CIS v2.0.0 benchmark coverage!

  • Prowler now supports the CIS v2.0.0 benchmark for Google Cloud Platform! 73 GCP checks were added to fully cover the CIS framework. You can run it with the following command to get the CSV (standard and compliance), HTML, JSON and JSON OCSF reports:
prowler gcp --compliance cis_2.0_gcp

📝 New AWS compliance frameworks available

  • Prowler now supports MITRE ATT&CK for AWS, ISO27001 (2013) for AWS and AWS Well-Architected Framework Reliability Pillar v0.1. Also, the Spanish ENS RD2022 Compliance Framework has been updated.
  • You can run the new compliance frameworks with the following command:
prowler aws --compliance mitre_attack_aws
prowler aws --compliance iso27001_2013_aws
prowler aws --compliance aws_well_architected_framework_reliability_pillar_aws
prowler aws --compliance ens_rd2022_aws

⚙️ Allowlist supports exceptions:

Allowlist:
  Accounts:
    "*":
      Checks:
        "ecs_task_definitions_no_environment_secrets":
          Regions:
            - "*"
          Resources:
            - "*"
          Exceptions:
            Accounts:
              - "0123456789012"
            Regions:
              - "eu-west-1"
              - "eu-south-2"        # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1

    "123456789012":
      Checks:
        "*":
          Regions:
            - "*"
          Resources:
            - "*"
          Exceptions:
            Resources:
              - "test"
            Tags:
              - "environment=prod"   # Will ignore every resource in account 123456789012 except the ones containing the string "test" and tagged environment=prod
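To make the semantics of the two entries above concrete, here is an added example (written for these release notes, not code from the Prowler project) that models how an allowlist entry with an Exceptions block decides whether a finding is muted. The allowlist is the YAML above written out as a Python dict; the findings are constructed samples. Assumptions of the model: account, check and region patterns are either "*" or an exact value; resource and tag patterns are unanchored regexes (so "test" matches "my-test-bucket"); tags are compared as "key=value" strings; and an Exceptions block only neutralises a rule when every dimension it lists matches the finding. Prowler's own matching rules may differ in detail.

```python
"""Added example: a small model of allowlist + exceptions matching.
Not Prowler's own implementation; matching rules below are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed: the allowlist YAML from the release notes, as a dict.
ALLOWLIST = {
    "Accounts": {
        "*": {
            "Checks": {
                "ecs_task_definitions_no_environment_secrets": {
                    "Regions": ["*"],
                    "Resources": ["*"],
                    "Exceptions": {
                        "Accounts": ["0123456789012"],
                        "Regions": ["eu-west-1", "eu-south-2"],
                    },
                }
            }
        },
        "123456789012": {
            "Checks": {
                "*": {
                    "Regions": ["*"],
                    "Resources": ["*"],
                    "Exceptions": {
                        "Resources": ["test"],
                        "Tags": ["environment=prod"],
                    },
                }
            }
        },
    }
}


@dataclass
class Finding:
    account: str
    check: str
    region: str
    resource: str
    tags: dict = field(default_factory=dict)


def _exact_or_star(pattern: str, value: str) -> bool:
    # Assumption: accounts, checks and regions match literally or via "*".
    return pattern == "*" or pattern == value


def _any_exact_or_star(patterns, value) -> bool:
    return any(_exact_or_star(p, value) for p in patterns)


def _any_regex(patterns, value) -> bool:
    # Assumption: resource/tag patterns are unanchored regexes ("test" matches "my-test-bucket").
    return any(p == "*" or re.search(p, value) for p in patterns)


def _tags_match(patterns, tags) -> bool:
    rendered = [f"{k}={v}" for k, v in tags.items()]
    return any(_any_regex([p], t) for p in patterns for t in rendered)


def _is_excepted(exceptions, f: Finding) -> bool:
    """All dimensions listed under Exceptions must match; unlisted ones are ignored."""
    if not exceptions:
        return False
    if "Accounts" in exceptions and not _any_exact_or_star(exceptions["Accounts"], f.account):
        return False
    if "Regions" in exceptions and not _any_exact_or_star(exceptions["Regions"], f.region):
        return False
    if "Resources" in exceptions and not _any_regex(exceptions["Resources"], f.resource):
        return False
    if "Tags" in exceptions and not _tags_match(exceptions["Tags"], f.tags):
        return False
    return True


def is_allowlisted(allowlist, f: Finding) -> bool:
    """A finding is muted if any rule matches it and that rule's exceptions do not."""
    for acct_pattern, acct_entry in allowlist["Accounts"].items():
        if not _exact_or_star(acct_pattern, f.account):
            continue
        for check_pattern, rule in acct_entry["Checks"].items():
            if not _exact_or_star(check_pattern, f.check):
                continue
            if not _any_exact_or_star(rule.get("Regions", []), f.region):
                continue
            if not _any_regex(rule.get("Resources", []), f.resource):
                continue
            if _is_excepted(rule.get("Exceptions"), f):
                continue  # this rule is neutralised; another rule may still mute the finding
            return True
    return False


def unmuted(allowlist, findings):
    """Findings that survive the allowlist, i.e. are still reported."""
    return [f for f in findings if not is_allowlisted(allowlist, f)]


# Constructed sample findings, one per case described in the YAML comments.
ECS = "ecs_task_definitions_no_environment_secrets"
SAMPLE_FINDINGS = [
    Finding("999999999999", ECS, "us-east-1", "task-a"),             # muted by the "*" entry
    Finding("0123456789012", ECS, "eu-west-1", "task-b"),            # account + region excepted: kept
    Finding("0123456789012", ECS, "us-east-1", "task-c"),            # region not excepted: muted
    Finding("123456789012", "s3_bucket_public_access", "us-east-1",
            "my-test-bucket", {"environment": "prod"}),              # "test" + prod tag: kept
    Finding("123456789012", "s3_bucket_public_access", "us-east-1",
            "my-test-bucket", {"environment": "dev"}),               # tag differs: muted
    Finding("123456789012", ECS, "eu-west-1", "test-task",
            {"environment": "prod"}),                                # excepted by entry 2, still muted by entry 1
]

if __name__ == "__main__":
    for f in unmuted(ALLOWLIST, SAMPLE_FINDINGS):
        print(f"still reported: {f.account} {f.check} {f.region} {f.resource}")
```

The last sample finding is the case worth noticing when writing exceptions: entries are evaluated independently, so an exception under the `123456789012` entry does not stop the wildcard-account entry from muting the same finding. When an exception must always win, it has to be present on every entry that could match the finding.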

What's Changed

Features

  • feat(ENS): complete ENS Compliance Framework mapping by @sergargar in #2534
  • feat(MITRE): add MITRE ATT&CK framework for AWS by @sergargar in #2537
  • feat(allowlist): add exceptions to allowlist by @sergargar in #2527
  • feat(compliance): AWS Well-Architected Framework Reliability Pillar v0.1 by @sssalim-aws in #2536
  • feat(compliance): add ISO27001 compliance framework by @pedromarting3 in #2517
  • feat(lambda service): mapping lambda service to awslambda by @n4ch04 in #2538
  • feat(gcp): add CIS checks by @sergargar in #2544

Fixes

  • fix(apigw): Update metadata for API GW checks by @n4ch04 in #2512
  • fix(bigquery_dataset_public_access): handle status correctly by @sergargar in #2542
  • fix(cloudwatch secrets): fix nonetype error handling by @n4ch04 in #2543
  • fix(compliance): add version to ISO27001 by @sergargar in #2523
  • fix(compliance): remove unnecessary Optional attributes by @sergargar in #2514
  • fix(contrib): migrate multi-account-securityhub/run-prowler-securityhub.sh to v3 by @sergargar in #2503
  • fix(gcp): update Prowler SDK info of GCP by @sergargar in #2515
  • fix(iam): add StringLike condition in iam_role_cross_service_confused_deputy_prevention by @sergargar in #2533
  • fix(list-checks): handle listing checks when -s by @sergargar in #2540
  • fix(security hub): solve Security Hub format requirements by @sergargar in #2520
  • fix(vpc): handle ephemeral VPC endpoint services by @n4ch04 in #2501
  • fix(reporting docs): fix S3 reporting desc by @n4ch04 in #2551
  • fix(allowlist): reformat allowlist logic by @n4ch04 in #2555

Chores

Dependencies

New Contributors

Full Changelog: 3.6.1...3.7.0