Prowler 2.7.0 – Brave

This release name is in honor of Brave New World, a great song by 🔥Iron Maiden🔥 from their Brave New World album. Dedicated to all of you looking forward to having the world we had before COVID… We hope it is not hitting you bad. Enjoy the rest of the note below.

Image copyright by Iron Maiden Holdings Ltd.

Important changes in this version (read this!):

  • As you can see, Prowler is now in a new organization called https://github.com/prowler-cloud/.
  • When Prowler doesn’t have permissions to check a resource or service, it gives an INFO instead of a FAIL. We have improved error handling in all checks for the cases where the CLI responds with an AccessDenied, UnauthorizedOperation or AuthorizationError.
  • From this version on, the master branch will hold the latest available code and the stable code will be kept in each release. If you are installing or deploying Prowler using git clone of master, take that into account and use the latest release instead, i.e.: git clone --branch 2.7 https://github.com/prowler-cloud/prowler or curl -L https://github.com/toniblyx/prowler/archive/refs/tags/2.7.0.tar.gz -o prowler-2.7.0.tar.gz
  • For known issues, please see https://github.com/prowler-cloud/prowler/issues, the open ones with bug as a red tag.
  • Discussions is now open in the Prowler repo at https://github.com/prowler-cloud/prowler/discussions; feel free to use it if that works better for you than the current Discord server.
  • 11 new checks!! Thanks to @michael-dickinson-sainsburys, @jonloza, @rustic, @Obiakara, @Daniel-Peladeau, @maisenhe, @7thseraph. There are now a total of 218 checks. See below for details.
  • The Security Hub integration issue when resolving closed findings, where there are either a lot of new findings or a lot of resolved findings, is fixed and now works as expected thanks to @Kirizan.
  • When credentials were in environment variables, Prowler failed to review; that was fixed by @lazize.
  • See below for new features and more details on this version.
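
The INFO-instead-of-FAIL behaviour described in the list above, sketched as an added shell example. This is not Prowler's own code: the function names, the sample run and the error-prefix matching are constructed here for illustration.

```bash
#!/usr/bin/env bash
# Added illustration; names are hypothetical, not Prowler's internal functions.

# The three error codes listed in the release note.
PERMISSION_ERRORS='AccessDenied|UnauthorizedOperation|AuthorizationError'

# result_for <cli_output> <verdict>
# Prints INFO when the AWS CLI reported a permission error, otherwise the
# verdict the check reached. Matching the CLI's "An error occurred (Code)"
# prefix keeps a resource that is merely named "AccessDenied" from matching.
result_for() {
  local cli_output="$1" verdict="$2"
  if printf '%s\n' "$cli_output" |
     grep -Eq "An error occurred \(($PERMISSION_ERRORS)"; then
    printf 'INFO\n'
  else
    printf '%s\n' "$verdict"
  fi
}

# Constructed sample run: check id | verdict from a naive check | CLI output.
SAMPLE_RUN='extra7160|PASS|{"Clusters": [{"AllowVersionUpgrade": true}]}
extra7163|FAIL|{"SecretList": [{"Name": "db-pass", "RotationEnabled": false}]}
extra7166|FAIL|An error occurred (UnauthorizedOperation) when calling the DescribeAddresses operation: You are not authorized to perform this operation.
extra7167|FAIL|An error occurred (AccessDenied) when calling the ListDistributions operation: User is not authorized'

# summarize <run_data>
# Prints result totals plus the ids of checks that could not read their target.
summarize() {
  local pass=0 fail=0 info=0 unread='' id verdict output
  while IFS='|' read -r id verdict output; do
    case $(result_for "$output" "$verdict") in
      PASS) pass=$((pass + 1)) ;;
      FAIL) fail=$((fail + 1)) ;;
      INFO) info=$((info + 1)); unread="$unread $id" ;;
    esac
  done <<EOF
$1
EOF
  printf 'PASS=%d FAIL=%d INFO=%d unread:%s\n' "$pass" "$fail" "$info" "$unread"
}

summarize "$SAMPLE_RUN"
```

An INFO result means the resource was not assessed, so the unread list is worth tracking alongside FAIL when judging how much of the account a run actually covered.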

New Features

  • 11 New checks for Redshift, EFS, CloudWatch, Secrets Manager, DynamoDB and Shield Advanced:
7.160 [extra7160] Check if Redshift has automatic upgrades enabled - redshift [Medium]
7.161 [extra7161] Check if EFS protects sensitive data with encryption at rest - efs [Medium]
7.162 [extra7162] Check if CloudWatch Log Groups have a retention policy of 365 days - cloudwatch [Medium]
7.163 [extra7163] Check if Secrets Manager key rotation is enabled - secretsmanager [Medium]
7.164 [extra7164] Check if CloudWatch log groups are protected by AWS KMS - logs [Medium]
7.165 [extra7165] Check if DynamoDB: DAX Clusters are encrypted at rest - dynamodb [Medium]
7.166 [extra7166] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced - shield [Medium]
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
7.168 [extra7168] Check if Route53 hosted zones are protected by AWS Shield Advanced - shield [Medium]
7.169 [extra7169] Check if global accelerators are protected by AWS Shield Advanced - shield [Medium]
7.170 [extra7170] Check if internet-facing application load balancers are protected by AWS Shield Advanced - shield [Medium]
7.171 [extra7171] Check if classic load balancers are protected by AWS Shield Advanced - shield [Medium]
  • Add -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option by @sectoramen in #974
  • Add new functions to backup and restore initial AWS credentials, for better handling chaining role by @sectoramen in #978
  • Add additional action permissions for Glue and Shield Advanced checks by @lazize in #995

Enhancements

  • Update Dockerfile to use Amazon Linux container image by @Kirizan in #972
  • Update Readme: -T option is not mandatory by @jfagoagas in #944
  • Add $PROFILE_OPT to CopyToS3 commands by @sectoramen in #976
  • Remove unneeded package “file” from Dockerfile by @sectoramen in #977
  • Update docs (templates): Improve bug template with more info by @jfagoagas in #982

Fixes

  • Fix in README and multiaccount serverless deployment templates by @dlorch in #939
  • Fix assume-role: check if -T and -A options are set together by @jfagoagas in #945
  • Fix group25 FTR by @lopmoris in #948
  • Fix in README link for group25 FTR by @lopmoris in #949
  • Fix issue #938 assume_role multiple times by @halfluke in #951
  • Fix and clean assume-role to better handle AWS STS CLI errors by @jfagoagas in #946
  • Fix issue with Security Hub integration when resolving closed findings where there are either a lot of new findings, or a lot of resolved findings by @Kirizan in #953
  • Fix broken link in README.md by @rtcms in #966
  • Fix checks with comma issues in checks by @j2clerck in #975
  • Fix: Credential chaining from environment variables by @lazize in #996

New Contributors

Full Changelog: 2.6.1…2.7
