
Releases: prowler-cloud/prowler

Prowler 3.11.2 - Rime Of The Ancient Mariner

14 Nov 13:57

What's Changed

Fixes

  • fix(ec2_securitygroup_not_used): check if security group is associated by @sergargar in #3026
  • fix(GuardDuty): only execute checks if GuardDuty enabled by @sergargar in #3028
  • fix(securityhub): Use enabled_regions instead of audited_regions by @jfagoagas in #3029

Chores

  • chore(accessanalyzer): include service in allowlist_non_default_regions by @sergargar in #3025
  • chore(args): make compatible severity and services arguments by @sergargar in #3024
  • chore(regions_update): Changes in regions for AWS services. by @sergargar in #3035
  • chore(release): update Prowler Version to 3.11.1 by @sergargar in #3021
  • chore: modify latest version msg by @R3DRUN3 in #3036
  • chore(azure regions): support non default azure region by @n4ch04 in #3013

Builds

  • build(deps): bump alive-progress from 3.1.4 to 3.1.5 by @dependabot in #3033
  • build(deps): bump azure-storage-blob from 12.18.3 to 12.19.0 by @dependabot in #3034
  • build(deps): bump google-api-python-client from 2.106.0 to 2.107.0 by @dependabot in #3032
  • build(deps-dev): bump moto from 4.2.7 to 4.2.8 by @dependabot in #3030
  • build(deps-dev): bump pytest-xdist from 3.3.1 to 3.4.0 by @dependabot in #3031

New Contributors

Full Changelog: 3.11.1...3.11.2

Prowler 3.11.1 - Rime Of The Ancient Mariner

10 Nov 10:48

What's Changed

Fixes

  • fix(aws): check all conditions in IAM policy parser by @mtronrd in #3006
  • fix(clean local output dirs): clean dirs when output to S3 by @n4ch04 in #2997
  • fix(cloudtrail): handle HasInsightSelectors key by @sergargar in #2996
  • fix(docs): improve allowlist examples by @sergargar in #2995
  • fix(iam): do not list tags for inline policies by @sergargar in #3014
  • fix(iam-sqs): handle exceptions for non-existent resources by @jfagoagas in #3010
  • fix(rds): check if engines exist in region by @sergargar in #3012
  • fix(s3 race condition): catch error if a bucket does not exist any longer by @kagahd in #3000
  • fix(SQS): fix invalid SQS ARNs by @mtronrd in #3016
  • refactor(allowlist): simplify and handle corner cases with exceptions empty and * by @jfagoagas in #3019

Chores

Builds

  • build(deps): bump google-api-python-client from 2.105.0 to 2.106.0 by @dependabot in #3005
  • build(deps): bump mkdocs-material from 9.4.7 to 9.4.8 by @dependabot in #3004

New Contributors

Full Changelog: 3.11.0...3.11.1

Prowler 3.11.0 - Rime Of The Ancient Mariner 👻🎃

31 Oct 13:24

Sailing on and on and north across the sea
Sailing on and on and north 'til all is calm

Dare to delve into this spectral realm, where the frightful protection of Prowler awaits you.
Happy haunting and secure coding this Halloween! 🧛‍♂️🕸️🌙

New features to highlight in this version:

🔎 Ignore Findings from services not in actual use

  • Prowler now allows you to ignore findings from services that are not in actual use, so you can reduce the number of findings in Prowler's reports.
    prowler <provider> --ignore-unused-services

See more in https://docs.prowler.cloud/en/latest/tutorials/ignore-unused-services/

⚙️ New AWS Allowlist including AWS Control Tower resources

  • New default allowlist file that covers all resources created by AWS Control Tower when setting up a landing zone:
    prowler aws --allowlist prowler/config/aws_allowlist.yaml

See more in https://docs.prowler.cloud/en/latest/tutorials/allowlist/#default-aws-allowlist

🏷️ STS V2 Tokens

  • Now Prowler will call Regional AWS STS endpoints to get session tokens valid in all AWS Regions.

See more in https://docs.prowler.cloud/en/latest/tutorials/aws/role-assumption/#sts-endpoint-region

9 new checks for AWS!

  • New Account check account_maintain_different_contact_details_to_security_billing_and_operations
  • New CloudTrail check cloudtrail_multi_region_enabled_logging_management_events
  • New EC2 DataLifecycle Manager service and check dlm_ebs_snapshot_lifecycle_policy_exists
  • New EC2 EBS check ec2_ebs_volume_snapshots_exists
  • New DocumentDB service and check documentdb_instance_storage_encrypted
  • New Support check trustedadvisor_premium_support_plan_subscribed
  • New Neptune service and check neptune_cluster_uses_public_subnet
  • New Elasticache service and check elasticache_cluster_uses_public_subnet
  • New IAM check iam_user_with_temporary_credentials

Thanks to Jit @jit-contrib for their help on these checks.

Try them with prowler aws and improve your security posture now! 🔒

📝 Check Aliases are now supported

  • Prowler now allows you to use aliases for checks. You only have to add the CheckAliases key to the check's metadata with a list of aliases; then you can execute the check with: prowler <provider> -c/--checks <check_alias_1>

See more in https://docs.prowler.cloud/en/latest/tutorials/check-aliases/

What's Changed

Features

  • feat(alias): add check alias functionality by @sergargar in #2971
  • feat(allowlist): allowlist non-default regions configuration by @sergargar in #2974
  • feat(aws): New CloudTrail, DLM, DocumentDB, EC2, Account and Support checks by @jit-contrib in #2675
  • feat(aws): New Neptune, ElastiCache, APIGW and IAM checks by @jit-contrib in #2862
  • feat(controltower): add AWS Control Tower resources to default Allowlist configuration file by @sergargar in #2953
  • feat(ignore unused services): add --ignore-unused-services argument to ignore findings from services not in actual use by @sergargar in #2936
  • feat(report interface): add reporting interface call after report by @n4ch04 in #2948
  • feat(vpc): add vpc, nacl or subnet names in findings by @sergargar in #2928

Fixes

Documentation

  • chore(docs): Add report.region criteria by @jfagoagas in #2930
  • docs(config): add missing configurable variables by @kagahd in #2941
  • chore(docs): add STS Endpoint and Allowlist updates by @sergargar in #2964
  • chore(docs): allowlist non-default regions by @sergargar in #2980
  • docs(v2_v3_mapping): document prowler v3.10.0 changes by @kagahd in #2955

Chores

Dependencies

New Contributors

Full Changelog: 3.10.0...3.11.0

Prowler 3.10.0 - Dance of Death

11 Oct 14:44

Then they summoned me over to join in with them
At the dance of the dead
Into the circle of fire I followed them
Into the middle I was led

Dance of Death is an Iron Maiden song, released on their 2003 album of the same name. The song combines the band's signature heavy metal sound with progressive elements. Lyrically, the song tells the story of a medieval dance of death, a symbolic representation of mortality and the inevitability of death. The lyrics are filled with vivid and dark imagery, and the song features intricate guitar work and powerful vocals from Bruce Dickinson. Enjoy this great song (https://www.youtube.com/watch?v=3659fTXvFts) while reading what's new! 🎸

New features to highlight in this version:

⚙️ New checks for AWS!

  • New AWS IAM check iam_role_administratoraccess_policy.
  • New AWS WAFv2 check wafv2_webacl_logging_enabled.
  • The AWS IAM credentials checks (iam_disable_90_days_credentials, iam_disable_45_days_credentials and iam_disable_30_days_credentials) have been replaced by two generic checks called iam_user_accesskey_unused and iam_user_console_access_unused. By default they fail when the credentials have been unused for 45 days; you can configure this threshold using the max_unused_access_keys_days and max_console_access_days configuration values. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/

Try them with prowler aws and improve your security posture now! 🔒

🏷️ Security Hub Tagging

  • Now Prowler will add AWS Resource Tags to every Security Hub finding and to json-asff outputs!

🧑‍🤝‍🧑 Five new Prowler contributors!

What's Changed

Features

  • feat(Dockerfile): add curl package to docker image by @n4ch04 in #2812
  • feat(iam): add new check iam_role_administratoraccess_policy by @kagahd in #2822
  • feat(iam): improve disable credentials checks by @sergargar in #2909
  • feat(json-asff): adds AWS resource tags in json-asff and SecurityHub findings by @sbldevnet in #2786
  • feat(unix timestamp): add the --unix-timestamp flag to docs by @n4ch04 in #2816
  • feat(unix timestamp): add unix timestamp to outputs by @n4ch04 in #2813
  • feat(wafv2): Add check wafv2_webacl_logging_enabled by @devopspacellp in #2898

Fixes

  • fix(acm): add certificate id by @sergargar in #2903
  • fix(apigw): KeyError name by @jfagoagas in #2858
  • fix(apikeys_..._90_days): fix key creation time with dinamic date by @n4ch04 in #2798
  • fix(autoscaling_find_secrets_ec2_launch_configuration): Fix UnicodeDecodeError by @jfagoagas in #2870
  • fix(aws): Include missing ARNs by @jfagoagas in #2880
  • fix(azure): Typo in SQL check by @JackStuart in #2881
  • fix(cloudtrail_s3_dataevents_read/write_enabled): Handle S3 ARN by @jfagoagas in #2844
  • fix(cloudwatch): ignore new lines in filters by @sergargar in #2912
  • fix(custom checks): fix import from s3 by @n4ch04 in #2901
  • fix(dockerfile): Use latest curl by @jfagoagas in #2897
  • fix(Dockerfile): update alpine version by @n4ch04 in #2925
  • fix(ds): GetSnapshotLimits for MicrosoftAD by @jfagoagas in #2859
  • fix(ebs): improve snapshot encryption logic and typos by @taylerhaviland in #2836
  • fix(ec2 ebs/instance checks): unify checks logic by @n4ch04 in #2795
  • fix(ec2 nacl checks):unify logic by @n4ch04 in #2799
  • fix(ec2 tests): add region and delete search sg checks by @n4ch04 in #2788
  • fix(ec2 tests): add tags and region non sg checks by @n4ch04 in #2781
  • fix(ec2_elastic_ip_unassigned): rename check by @n4ch04 in #2882
  • fix(ec2_instance_..._ssm): mock ssm service and client in all the tests by @n4ch04 in #2804
  • fix(eks_control_plane_endpoint_access_restricted): handle endpoint private access by @Fennerr in #2824
  • fix(eks_endpoints_not_publicly_accessible): handle endpoint private access by @Fennerr in #2825
  • fix(elb): add resource ARN to checks by @sergargar in #2906
  • fix(elbv2): Handle LoadBalancerNotFound by @jfagoagas in #2860
  • fix(findingID): remove duplicate finding IDs by @sergargar in #2890
  • fix(html): unroll regions set prior concat by @n4ch04 in #2790
  • fix(iam): findings of some checks may have been lost by @kagahd in #2847
  • fix(iam): Handle NoSuchEntityException in ListRolePolicies by @jfagoagas in #2857
  • fix(iam): Handle NoSuchEntity when calling list_role_policies by @jfagoagas in #2872
  • fix(iam credentials checks): unify logic by @n4ch04 in #2883
  • fix(iam creds checks): add missing tests and fix current ones by @n4ch04 in #2888
  • fix(iam creds tests): dont use search and negative indexes by @n4ch04 in #2899
  • fix(iam_inline_policy_no_administrative_privileges): set resource id as the entity name by @sergargar in #2820
  • fix(iam_policy_no_administrative_privileges): check does not exist and maps not to check122 by @kagahd in #2797
  • fix(is_valid_arn): include . into resource name by @n4ch04 in #2789
  • fix(outputs_unix_timestamp): Remove subsecond by @jfagoagas in #2861
  • fix(pipeline): launch linters with file changes by @n4ch04 in #2911
  • fix(policy_condition_parser): add StringEquals aws:SourceArn condition by @n4ch04 in #2793
  • fix(pre-commit): add file filter to python linters by @n4ch04 in #2818
  • fix(remove_custom_checks_module): delete service folder if empty by @n4ch04 in #2885
  • fix(s3_bucket_policy_public_write_access): Handle S3 Policy without Principal by @jfagoagas in #2871
  • fix(securityhub): archive SecurityHub findings in empty regions by @sergargar in #2908
  • fix(sqs_queues_not_publicly_accessible): Improve status extended by @Fennerr in #2848
  • fix(storage_ensure_minimum_tls_version_12): misspelling in metadata by @CameronTStark in #2835
  • fix(testing docs): fix testing docs typos and syntax by @n4ch04 in #2803
  • fix(version): add timeout and check HTTP errors by @sergargar in #2886
  • fix(vpc): solves CidrBlock KeyError by @sergargar in #2817
  • fix(vpc_peering_routing_tables_with_least_privilege): check only peering routes by @sergargar in #2887
  • fix(pull-request.yml): launch linters when source code modified by @n4ch04 in #2922
  • fix(build-lint-push pipeline): pass pipeline when ignored files by @n4ch04 in #2915

Chores


Prowler 3.9.0 - Flash of the Blade

25 Aug 10:43

As a young boy chasing dragons
With your wooden sword so mighty
You're St. George or you're David and you always killed the beast
Times change very quickly and you had to grow up early
A house in smoking ruins and the bodies at your feet

Sometimes chasing dragons and sometimes walking on the edge of the blade. This Iron Maiden song, Flash of the Blade, tells a good story about what comes to the table these days. Enjoy this great song, written by Bruce Dickinson back in 1984 (https://www.youtube.com/watch?v=Qx0s8OqgBIw), while reading what's new!

New features to highlight in this version:

⚙️ New checks for AWS!

  • New AWS Athena service with two new checks athena_workgroup_encryption and athena_workgroup_enforce_configuration.
  • New AWS S3 check s3_bucket_kms_encryption.
  • New AWS EC2 check ec2_instance_detailed_monitoring_enabled.
  • New AWS IAM check iam_inline_policy_no_administrative_privileges, together with a new capability in the IAM service, which is now able to retrieve the inline policies for Users, Roles and Groups.
  • In the AWS ECR check ecr_repositories_scan_vulnerabilities_in_latest_image you can now configure the minimum severity at which the check raises a FAIL finding, using the ecr_repository_vulnerability_minimum_severity configuration value. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/

Try them with prowler aws and improve your security posture now! 🔒

🖌️ New CLI flag

  • List all the checks in JSON format, ready to be consumed by the --checks-file flag. Try it with prowler aws --list-checks-json.

📖 Developer Guide

🧑‍🤝‍🧑 Two new Prowler contributors!

What's Changed

Features

  • feat(s3): Add S3 KMS encryption check by @singergs in #2757
  • feat(ec2): New check ec2_instance_detailed_monitoring_enabled by @vysakh-devopspace in #2735
  • feat(checks): dump all checks as a json file by @jchrisfarris in #2683
  • feat(ecr_repositories_scan_vulnerabilities_in_latest_image): Minimum severity is configurable by @jfagoagas in #2736
  • feat(iam): Check inline policies in IAM Users, Groups & Roles for admin priv's by @gerardocampo in #2750
  • feat(compliance): Update AWS compliance frameworks after PR 2750 by @gerardocampo in #2771
  • feat(athena): New AWS Athena service + 2 workgroup checks by @jfagoagas in #2696

Fixes

  • fix(azure): Status extended ends with a dot by @jfagoagas in #2725
  • fix(is_account_only_allowed_in_condition): Context name on conditions are case-insensitive by @christiandavilakoobin in #2726
  • fix(gcp): Status extended ends with a dot by @jfagoagas in #2734
  • fix(get_checks_from_input_arn): fix function and add tests by @n4ch04 in #2749
  • fix(get_checks_from_input_arn): fix logic and add tests by @n4ch04 in #2764
  • fix(get_regions_from_audit_resources): fix logic and add tests by @n4ch04 in #2766
  • fix(nacls): Tests by @jfagoagas in #2760
  • fix(iam_policy_allows_privilege_escalation): Handle admin permission so * by @jfagoagas in #2763
  • fix(checks_to_execute): --checks and --resource_arn working together by @jfagoagas in #2743
  • fix(ec2_securitygroup_default_restrict_traffic): fix check only allow empty rules by @n4ch04 in #2777

Chores

Security

Documentation

Dependencies

  • build(deps-dev): bump vulture from 2.7 to 2.8 by @dependabot in #2727
  • build(deps): bump mkdocs-material from 9.1.20 to 9.1.21 by @dependabot in #2728
  • build(deps): bump google-api-python-client from 2.95.0 to 2.96.0 by @dependabot in #2729
  • build(deps-dev): bump coverage from 7.2.7 to 7.3.0 by @dependabot in #2730
  • build(deps): bump azure-identity from 1.13.0 to 1.14.0 by @dependabot in #2731
  • build(deps): bump mkdocs-material from 9.1.21 to 9.2.1 by @dependabot in #2752
  • build(deps): bump google-api-python-client from 2.96.0 to 2.97.0 by @dependabot in #2753
  • build(deps-dev): bump pytest-randomly from 3.13.0 to 3.15.0 by @dependabot in #2755
  • build(deps): bump azure-mgmt-storage from 21.0.0 to 21.1.0 by @dependabot in #2756
  • build(deps): bump shodan from 1.29.1 to 1.30.0 by @dependabot in #2754

Tests

New Contributors

Full Changelog: 3.8.2...3.9.0

Prowler 3.8.2 - Days of Future Past

14 Aug 06:54

Fixes

  • fix(shub): handle default output filename error by @sergargar in #2709
  • fix(s3_bucket_policy_public_write_access): look at account and bucket-level public access block settings by @jchrisfarris in #2715

Chores

  • chore(release): update Prowler Version to 3.8.1 by @sergargar in #2706
  • docs(developer-guide): Update checks, services and include testing by @jfagoagas in #2705
  • chore(aws): Improve tests and status from accessanalyzer to cloudwatch by @jfagoagas in #2711
  • chore(aws): 2nd round - Improve tests and include dot in status extended by @jfagoagas in #2714
  • chore(regions_update): Changes in regions for AWS services. by @sergargar in #2712 and #2717

Documentation

  • docs(dev-guide): Fix a list and include some details to use the report by @jfagoagas in #2710

Full Changelog: 3.8.1...3.8.2

Prowler 3.8.1 - Days of Future Past

10 Aug 11:50

Fixes

  • fix(cloudfront): fix ViewerProtocolPolicy and GeoRestrictionType by @jfagoagas in #2701
  • fix(config): Pass a configuration file using --config-file config.yaml by @jfagoagas in #2679
  • fix(ec2-securitygroups): Handle IPv6 public by @jfagoagas in #2690
  • fix(Enum): handle Enum classes correctly by @sergargar in #2702
  • fix(ds): Restore enums without optional by @jfagoagas in #2704
  • fix(iam): password policy expiration by @jfagoagas in #2694
  • fix(iam-dynamodb): Handle errors by @jfagoagas in #2680
  • fix(iam_role_cross_service_confused_deputy_prevention): add ResourceAccount and PrincipalAccount conditions by @sergargar in #2689
  • fix(organizations): request Organization Info after assume_role occurs by @jchrisfarris in #2682
  • fix(security hub): include custom output filename in resolve_security_hub_previous_findings by @sergargar in #2687
  • fix(sns): allow default SNS policy with SourceOwner by @christiandavilakoobin in #2698
  • fix(typo): spelling typo in organizations_scp_check_deny_regions by @sergargar in #2691

Dependencies

Documentation

Chores

Full Changelog: 3.8.0...3.8.1

Prowler 3.8.0 - Days of Future Past

03 Aug 15:33

A war in heaven in God's rage
He put me in this burning cage
Holy fury locks me in
Imprisoned by my deadly sin
Every hour the shadow king
Wonders what his clock will bring
I've lived and loved and that's for sure
My fatal quest forever more

2 weeks before this release, most of the Prowler full-time team were watching Iron Maiden live, probably the best day of the year for us being together. This song, Days of Future Past, was the fourth they played in that show; we invite you to play it while reading what is new in this version, which we have just crafted for you all right before Black Hat, DEF CON and BSides Vegas. Remember we will be at Black Hat Arsenal on Wednesday!

Special thanks for contributions on this release to @jchrisfarris, @edurra and @gabriel-pragin-clearscale; your code and feedback are very helpful to improve Prowler. THANK YOU!

New features to highlight in this version:

🥳 GCP scans are now 10x faster!

  • We have improved the way Prowler scans GCP regions, locations and zones so now it is on average 10 times faster than before. Try it with prowler gcp --compliance cis_2.0_gcp if you dare!

📝 New Azure service sqlserver supported, with 3 new checks available

  • We have added a new sqlserver service to the Azure provider with 3 checks: sqlserver_auditing_enabled, sqlserver_azuread_administrator_enabled and sqlserver_unrestricted_inbound_access. Try them with prowler azure --service sqlserver and let us know!

⚙️ New checks for AWS!

  • Two new S3 checks for AWS: s3_bucket_public_list_acl and s3_bucket_public_write_acl. Try them with prowler aws --service s3 and improve your security posture now!

What's Changed

Features

Fixes

  • fix(cloudtrail): Set status to INFO when trail is outside the audited account by @jfagoagas in #2643
  • fix(cryptography): Update to 41.0.3 by @jfagoagas in #2661
  • fix(docs): Azure auth and Slack integration by @jfagoagas in #2659
  • fix(ec2_instance_secrets_user_data): Include line numbers in status by @jfagoagas in #2639
  • fix(iam_policy_allows_privilege_escalation): Handle permissions in groups by @jfagoagas in #2655
  • fix(outputs): Not use reserved keyword list as variable by @jfagoagas in #2657
  • fix(s3_bucket_level_public_access_block): check s3 public access block at account level by @sergargar in #2653
  • fix(sns): handle topic policy conditions by @sergargar in #2660
  • fix(test_only_aws_service_linked_roles): Flaky test by @jfagoagas in #2666
  • fix(vpc_endpoint_connections_trust_boundaries): Handle AWS Account ID as Principal by @jfagoagas in #2611

Tests

Chores

Dependencies

  • build(deps): bump azure-mgmt-authorization from 3.0.0 to 4.0.0 by @dependabot in #2652
  • build(deps): bump google-api-python-client from 2.94.0 to 2.95.0 by @dependabot in #2649
  • build(deps): bump mkdocs-material from 9.1.19 to 9.1.20 by @dependabot in #2648
  • build(deps-dev): bump flake8 from 6.0.0 to 6.1.0 by @dependabot in #2651
  • build(deps-dev): bump moto from 4.1.13 to 4.1.14 by @dependabot in #2650

New Contributors

Full Changelog: 3.7.2...3.8.0

Prowler 3.7.2 - Gates of Tomorrow

26 Jul 11:16

Fixes

Dependencies

  • build(deps): bump azure-storage-blob from 12.16.0 to 12.17.0 by @dependabot in #2596
  • build(deps): bump google-api-python-client from 2.93.0 to 2.94.0 by @dependabot in #2614
  • build(deps): bump mkdocs-material from 9.1.18 to 9.1.19 by @dependabot in #2615
  • build(deps): bump pydantic from 1.10.11 to 1.10.12 by @dependabot in #2613
  • build(deps-dev): bump moto from 4.1.12 to 4.1.13 by @dependabot in #2598

Chores

Tests

Documentation

New Contributors

Full Changelog: 3.7.1...3.7.2

Prowler 3.7.1 - Gates of Tomorrow

12 Jul 13:45

Fixes

  • fix(iam): Handle NoSuchEntityException when calling list_attached_role_policies by @jfagoagas in #2571
  • fix(allowlist): handle wildcard in account field by @n4ch04 in #2577
  • fix(cond parser): add policy condition parser & apply in SQS public check by @n4ch04 in #2575

Dependencies

  • build(deps-dev): bump pytest-randomly from 3.12.0 to 3.13.0 by @dependabot in #2567
  • build(deps): bump boto3 from 1.26.161 to 1.26.165 by @dependabot in #2566
  • build(deps): bump pydantic from 1.10.9 to 1.10.11 by @dependabot in #2568
  • build(deps-dev): bump openapi-spec-validator from 0.5.7 to 0.6.0 by @dependabot in #2569
  • build(deps): bump google-api-python-client from 2.91.0 to 2.92.0 by @dependabot in #2570

Chores

Tests

Documentation

Full Changelog: 3.7.0...3.7.1