Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
Then they summoned me over to join in with them At the dance of the dead Into the circle of fire I followed them Into the middle I was led
Dance of Death is an Iron Maiden's song, released on their 2003 album of the same name. The song combines the band's signature heavy metal sound with progressive elements. Lyrically, the song tells a story of a medieval dance of death, a symbolic representation of mortality and the inevitability of death. The lyrics are filled with vivid and dark imagery, and the song features intricate guitar work and powerful vocals from Bruce Dickinson. Enjoy this great song (https://www.youtube.com/watch?v=3659fTXvFts) while reading what's new! 🎸
⚙️ New checks for AWS!
iam_role_administratoraccess_policy
.wafv2_webacl_logging_enabled
.iam_disable_90_days_credentials
, iam_disable_45_days_credentials
and iam_disable_30_days_credentials
) have been changed to two generic checks called iam_user_accesskey_unused
and iam_user_console_access_unused
. By default, it will fail when they are unused for 45 days, you can configure this value using the max_unused_access_keys_days
and max_console_access_days
configuration values. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/
Try them with prowler aws
and improve your security posture now! 🔒
🏷️ Security Hub Tagging
🧑🤝🧑 Five new Prowler contributors!
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.9.0...3.10.0
As a young boy chasing dragons With your wooden sword so mighty You're St. George or you're David and you always killed the beast Times change very quickly and you had to grow up early A house in smoking ruins and the bodies at your feet
Sometimes chasing dragons and some times walking on the edge of the blade. This Iron Maiden's song Flash of the Blade tells a good history about what comes on the table these days. Enjoy this great song written by Bruce Dickinson back in 1984 (https://www.youtube.com/watch?v=Qx0s8OqgBIw) while reading what's new!
⚙️ New checks for AWS!
athena_workgroup_encryption
and athena_workgroup_enforce_configuration
.s3_bucket_kms_encryption
.ec2_instance_detailed_monitoring_enabled
.iam_inline_policy_no_administrative_privileges
with a new feature in the IAM service which now is capable of retrieving the inline policies for the Users, Roles and Groups.ecr_repositories_scan_vulnerabilities_in_latest_image
you can configure the minimum severity for this check to raise a FAIL finding using the ecr_repository_vulnerability_minimum_severity
configuration value. Read more at https://docs.prowler.cloud/en/latest/tutorials/configuration_file/
Try them with prowler aws
and improve your security posture now! 🔒
🖌️ New CLI flag
--checks-file
flag. Try it with prowler aws --list-checks-json
.📖 Developer Guide
🧑🤝🧑 Two new Prowler contributors!
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.2...3.9.0
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.1...3.8.2
--config-file config.yaml
by @jfagoagas in https://github.com/prowler-cloud/prowler/pull/2679
resolve_security_hub_previous_findings
by @sergargar in https://github.com/prowler-cloud/prowler/pull/2687
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.8.0...3.8.1
A war in heaven in God's rage He put me in this burning cage Holy fury locks me in Imprisoned by my deadly sin Every hour the shadow king Wonders what his clock will bring I've lived and loved and that's for sure My fatal quest forever more
2 weeks before this release, most of the Prowler full time team were watching Iron Maiden live, probably the best day of the year for us being together. This song Days of Future Past was the fourth they played in that show, we invite you to play it while reading what is new in this version that we have just crafted for you all right before BlackHat, DEFCON and BSides Vegas. Remember we will be at Black Hat Arsenal on Wednesday!
Special thanks for contributions on this release to @jchrisfarris, @edurra and @gabriel-pragin-clearscale, your code and feedback is very helpful to improve Prowler. THANK YOU!
🥳 GCP scans are now x10 faster!
prowler gcp --compliance cis_2.0_gcp
if you dare!📝 New Azure service supported sqlserver
and 3 new checks available
sqlserver_auditing_enabled
, sqlserver_azuread_administrator_enabled
and sqlserver_unrestricted_inbound_access
.sqlserver
with 3 checks. Try them with prowler azure --service sqlserver
and let us know!⚙️ New checks for AWS!:
s3_bucket_public_list_acl
and s3_bucket_public_write_acl
. Try them with prowler aws --service s3
and improve your security posture now!Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.7.2...3.8.0
guardduty_is_enabled
by @sergargar in https://github.com/prowler-cloud/prowler/pull/2616
__get_object_lock_configuration__
warning logs by @jfagoagas in https://github.com/prowler-cloud/prowler/pull/2608
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.7.1...3.7.2
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.7.0...3.7.1
Trapped in the web, but I cut the threads Show you the gates of tomorrow Trapped in the web, no mercy is shed Show you the gates of tomorrow Trapped in the web, slaves to the dead Show you the gates of tomorrow Trapped in the web, but I cut the threads Show you the gates of tomorrow
As the song says, this version of Prowler is opening gates of tomorrow! More compliance frameworks like MITRE ATT&CK®, ISO27001 (2013), AWS Well-Architected Framework Reliability pillar (in addition to the existing Security pillar), better support for the Allowlist feature, with all 73 checks for GCP covering CIS Benchmark 2.0 for Google Cloud! Take this one and start closing doors to the bad guys!
🥳 GCP CIS v2.0.0 benchmark coverage!
prowler gcp --compliance cis_2.0_gcp
📝 New AWS compliance frameworks available
prowler aws --compliance mitre_attack_aws
prowler aws --compliance iso27001_2013_aws
prowler aws --compliance aws_well_architected_framework_reliability_pillar_aws
prowler aws --compliance ens_rd2022_aws
⚙️ Allowlist supports exceptions:
Allowlist:
Accounts:
"*":
Checks:
"ecs_task_definitions_no_environment_secrets":
Regions:
- "*"
Resources:
- "*"
Exceptions:
Accounts:
- "0123456789012"
Regions:
- "eu-west-1"
- "eu-south-2" # Will ignore every resource in check ecs_task_definitions_no_environment_secrets except the ones in account 0123456789012 located in eu-south-2 or eu-west-1
"123456789012":
Checks:
"*":
Regions:
- "*"
Resources:
- "*"
Exceptions:
Resources:
- "test"
Tags:
- "environment=prod" # Will ignore every resource except in account 123456789012 except the ones containing the string "test" and tag environment=prod
multi-account-securityhub/run-prowler-securityhub.sh
to v3 by @sergargar in https://github.com/prowler-cloud/prowler/pull/2503
iam_role_cross_service_confused_deputy_prevention
by @sergargar in https://github.com/prowler-cloud/prowler/pull/2533
get_default_region
function in AWS Services by @sergargar in https://github.com/prowler-cloud/prowler/pull/2524
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.6.1...3.7.0
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.6.0...3.6.1
Die With Your Boots On is a song of Iron Maiden's album Piece of mind, it is self explanatory, we like the vibe of that song in their lives, watch it here.
Basically, this is what we do here, we go all in or nothing! 💪🏼
We are bringing the best we have in this code of Prowler 3.6.0: some new checks, improved GCP support, new features, more fixes making it a better piece of software and more helpful for your daily job 😄
Remember to run pip install prowler --upgrade
and rock on! 🤘
🥳 GCP Multi-Project support:
prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
✅ 16 new checks for GCP (Thanks to @jit-contrib ! 💪🏼 ):
prowler gcp --list-checks
📝 OCSF Integration (Hello Amazon Security Lake!):
📊 AWS Well Architected Framework:
prowler aws --compliance aws_well_architected_framework_security_pillar_aws
⚙️ MFA supported in AWS:
--mfa
and Prowler will ask you to input the following values to get a new session:prowler aws --mfa
Enter ARN of MFA: arn:aws:iam::012345678910:mfa/xxxxxx
Enter MFA code: XXXXXX
--project-ids
flag and scan all projects by default by @sergargar in https://github.com/prowler-cloud/prowler/pull/2393
vpc_subnet_no_public_ip_by_default
by @senyberg in https://github.com/prowler-cloud/prowler/pull/2472
:
in regex by @n4ch04 in https://github.com/prowler-cloud/prowler/pull/2471
ec2_securitygroup_allow_ingress_from_internet_to_any_port
by @sergargar in https://github.com/prowler-cloud/prowler/pull/2449
Full Changelog: https://github.com/prowler-cloud/prowler/compare/3.5.3...3.6.0