https://prowler.com

You’ll take my life, but I’ll take yours too
You’ll fire your musket, but I’ll run you through
So when you’re waiting for the next attack
You’d better stand, there’s no turning back

When I started Prowler almost eight years ago, I thought about calling it The Trooper (thetrooper as in the command line sounds good but I thought prowler was even better). I can say today, with no doubt that this version 4.0 of Prowler, The Trooper, is by far the software that I always wanted to release. Now, as a company, with a whole team dedicated to Prowler (Open Source and SaaS), this is even more exciting. With standard support for AWS, Azure, GCP and also Kubernetes, with all new features, this is the beginning of a new era where Open Cloud Security makes an step forward and we say: hey WE ARE HERE FOR REAL and when you’re waiting for the next attack, you’d better stand, there’s no turning back

Enjoy Prowler – The Trooooooooper! 🤘🏽🔥 song!

Breaking Changes

• Allowlist now is called Mutelist
• Deprecate the AWS flag --sts-endpoint-region since we use AWS STS regional tokens.
• The --quiet option has been deprecated, now use the --status flag to select the finding’s status you want to get from PASS, FAIL or MANUAL.
• To send only FAILS to AWS Security Hub, now use either --send-sh-only-fails or --security-hub --status FAIL
• All INFO finding’s status has changed MANUAL.

We have deprecated some of our outputs formats:

• The HTML is replaced for the new Prowler Dashboard (prowler dashboard)
• The JSON is replaced for the JSON OCSF v1.1.0

New features to highlight in this version

Dashboard

• Prowler has local dashboard to play with gathered data easier. Run prowler dashboard and enjoy overview data and compliance.
• 
  

🎛️ New Kubernetes provider

• Prowler has a new Kubernetes provider to improve the security posture of your clusters! Try it now with prowler kubernetes --kubeconfig-file <kube.yaml>
• CIS Benchmark 1.8 for K8s is included.

📄 Compliance

• All compliance frameworks are executed by default and stored in a new location: output/compliance

AWS

• The AWS provider execution by default does not scan unused services, you can enable it with --scan-unused-services.
• 2 new checks to detect possible threads, try it now with prowler aws --category threat-detection for Enumeration and Privilege Escalation type of activities.

🗺️ Azure

• All Azure findings includes the location!
• CIS Benchmark for Azure 2.0 and 2.1 is included.

🔇 Mutelist

• The renamed mutelist feature is available for all the providers.
• In AWS a default allowlist is included in the execution.

🌐 Outputs

• Prowler now the outputs in a common format for all the providers.
• The only JSON output now follows the OCSF Schema v1.1.0

💻 Providers

• We have unified the way of including new providers for easier development and to add new ones.

🔨 Fixer

• We have included a new argument --fix to allow you to remediate findings. You can list all the available fixers with prowler aws --list-fixers

Hi there!

I’m so happy to announce that I’ve joined Verica and thanks to their support we have invested a lot on Prowler and we are announcing today the availability of Prowler Pro!

As many of you have noticed, Prowler is growing fast and getting better. Now we are 4 full time engineers. Pepe Fagoaga, Nacho Rivera and Sergio Garcia are the Prowler Pro dream team along with a vibrant community. We are working every day on Prowler to make it better and more comprehensive, with that we are also launching Prowler Pro.

Our main goal is to keep hands on the Open Source version and giving customers better experience at enterprise level with Prowler Pro.

This release name is in honor of Brave New World, a great song of 🔥Iron Maiden🔥 from their Brave New World album. Dedicated to all of you looking forward to having the world we had before COVID… We hope is not hitting you bad. Enjoy the rest of the note below.

Important changes in this version (read this!):

• As you can see, Prowler is now in a new organization called https://github.com/prowler-cloud/.
• When Prowler doesn’t have permissions to check a resources or service it gives an INFO instead of FAIL. We have improved all checks error handling in those use cases when the CLI responds with a AccessDenied, UnauthorizedOperation or AuthorizationError.
• From this version, master branch will be the latest available code and we will keep the stable code as each release, if you are installing or deploying Prowler using git clone to master take that into account and use the latest release instead, i.e.: git clone --branch 2.7 https://github.com/prowler-cloud/prowler or curl https://github.com/toniblyx/prowler/archive/refs/tags/2.7.0.tar.gz -o prowler-2.7.0.tar.gz
• For known issues please see https://github.com/prowler-cloud/prowler/issues the ones open with bug as a red tag.
• Discussions is now open in the Prowler repo https://github.com/prowler-cloud/prowler/discussions, feel free to use it if that works for you better than the current Discord server.
• 11 new checks!! Thanks to @michael-dickinson-sainsburys, @jonloza, @rustic, @Obiakara, @Daniel-Peladeau, @maisenhe, @7thseraph. Now there have a total of 218 checks. See below for details.
• An issue with Security Hub integration when resolving closed findings are either a lot of new findings, or a lot of resolved findings is now working as expected thanks to @Kirizan
• When credential are in environment variable it failed to review, that was fixed by @lazize
• See below new features and more details for this version.

New Features

• 11 New checks for Redshift, EFS, CloudWatch, Secrets Manager, DynamoDB and Shield Advanced:

7.160 [extra7160] Check if Redshift has automatic upgrades enabled - redshift [Medium]
7.161 [extra7161] Check if EFS have protects sensative data with encryption at rest - efs [Medium]
7.162 [extra7162] Check if CloudWatch Log Groups have a retention policy of 365 days - cloudwatch [Medium]
7.163 [extra7163] Check if Secrets Manager key rotation is enabled - secretsmanager [Medium]
7.164 [extra7164] Check if CloudWatch log groups are protected by AWS KMS  - logs [Medium]
7.165 [extra7165] Check if DynamoDB: DAX Clusters are encrypted at rest - dynamodb [Medium]
7.166 [extra7166] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced - shield [Medium]
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
7.168 [extra7168] Check if Route53 hosted zones are protected by AWS Shield Advanced - shield [Medium]
7.169 [extra7169] Check if global accelerators are protected by AWS Shield Advanced - shield [Medium]
7.170 [extra7170] Check if internet-facing application load balancers are protected by AWS Shield Advanced - shield [Medium]
7.171 [extra7171] Check if classic load balancers are protected by AWS Shield Advanced - shield [Medium]

• Add -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option by @sectoramen in #974
• Add new functions to backup and restore initial AWS credentials, for better handling chaining role by @sectoramen in #978
• Add additional action permissions for Glue and Shield Advanced checks by @lazize in #995

Enhancements

• Update Dockerfile to use Amazon Linux container image by @Kirizan in #972
• Update Readme: -T option is not mandatory by @jfagoagas in #944
• Add $PROFILE_OPT to CopyToS3 commands by @sectoramen in #976
• Remove unneeded package “file” from Dockerfile by @sectoramen in #977
• Update docs (templates): Improve bug template with more info by @jfagoagas in #982

Fixes

• Fix in README and multiaccount serverless deployment templates by @dlorch in #939
• Fix assume-role: check if -T and -A options are set together by @jfagoagas in #945
• Fix group25 FTR by @lopmoris in #948
• Fix in README link for group25 FTR by @lopmoris in #949
• Fix issue #938 assume_role multiple times by @halfluke in #951
• Fix and clean assume-role to better handle AWS STS CLI errors by @jfagoagas in #946
• Fix issue with Security Hub integration when resolving closed findings are either a lot of new findings, or a lot of resolved findings by @Kirizan in #953
• Fix broken link in README.md by @rtcms in #966
• Fix checks with comma issues in checks by @j2clerck in #975
• Fix: Credential chaining from environment variables by @lazize in #996

New Contributors

• @jonloza made their first contribution in #932
• @Obiakara made their first contribution in #935
• @dlorch made their first contribution in #939
• @Daniel-Peladeau made their first contribution in #937
• @lopmoris made their first contribution in #948
• @halfluke made their first contribution in #951
• @maisenhe made their first contribution in #956
• @rtcms made their first contribution in #966
• @sectoramen made their first contribution in #974
• @j2clerck made their first contribution in #975
• @lazize made their first contribution in #995

Full Changelog: 2.6.1…2.7

This release name is in honor of Phantom of the Opera, one of my favorite songs and a master piece of 🔥Iron Maiden🔥. It starts by “I’ve been lookin’ so long for you now” like looking for security issues, isn’t it? 🤘🏼 Enjoy it here while reading the rest of this note.

Important changes in this version:

• CIS level parameter (ITEM_LEVEL) has been reverted to the csv, json and html outputs (it was removed in 2.5), CIS Scored is not added since it is not relevant in the global Prowler reports. dd398a9
• Security Hub integration has been fixed due to a conflict with duplicated findings in the management account by @xeroxnir
• 12 New checks!! Thanks to @kbgoll05, @qumei, @georgie969, @ShubhamShah11, @jarrettandrulis, @dsensibaugh, @ShubhamShah11, @ManuelUgarte, @tekdj7: Now there are a total of 207. See below for details.
• Known issues, please review https://github.com/toniblyx/prowler/issues?q=is%3Aissue+is%3Aopen+label%3Abug.
• Now there is a Discord server for Prowler available, check it out in README.md.
• There is a maintained Docker Hub repo for Prowler and AWS ECR public repo as well. See badges in README.md for details.
• See below new features for more details of new cool stuff in this version.

New Features:

• 12 New checks for efs, redshift, elb, dynamodb, route53, cloiudformation, elb and apigateway:

7.148 [extra7148] Check if EFS File systems have backup enabled - efs [Medium]
7.149 [extra7149] Check if Redshift Clusters have automated snapshots enabled - redshift [Medium]
7.150 [extra7150] Check if Elastic Load Balancers have deletion protection enabled - elb [Medium]
7.151 [extra7151] Check if DynamoDB tables point-in-time recovery (PITR) is enabled - dynamodb [Medium]
7.152 [extra7152] Enable Privacy Protection for for a Route53 Domain - route53 [Medium]
7.153 [extra7153] Enable Transfer Lock for a Route53 Domain - route53 [Medium]
7.154 [extra7154] Enable termination protection for Cloudformation Stacks - cloudformation [MEDIUM]
7.155 [extra7155] Check whether the Application Load Balancer is configured with defensive or strictest desync mitigation mode - elb [MEDIUM]
7.156 [extra7156] Checks if API Gateway V2 has Access Logging enabled - apigateway [Medium]
7.157 [extra7157] Check if API Gateway V2 has configured authorizers - apigateway [Medium]
7.158 [extra7158] Check if ELBV2 has listeners underneath - elb [Medium]
7.159 [extra7159] Check if ELB has listeners underneath - elb [Medium]

• New checks group FTR (AWS Foundational Technical Review) by @jfagoagas
• New feature added flags Z to control if Prowler returns exit code 3 on a failed check by @Kirizan in #865
• New Prowler Terraform Kickstarter by @singergs
• New way to deploy Prowler at Organizational level with serverless by @bella-kwon
• New feature: adding the ability to provide a file for checks -C to be ran by @Kirizan in #891

Enhancements:

• Enhanced scoring when only INFO is detected
• Enhanced ignore archived findings in GuardDuty for check extra7139 by @chbiel in https://github.com/toniblyx/prowler
• /pull/851
• Updated prowler-codebuild-role name for CFN StackSets name length limit by @varunirv in #846
• Added feature to allow role ARN while using -R parameter by @mmuller88 in #860
• Updated documentation regarding a confusion with the -q option (issue #884) by @w0rmr1d3r in #890

Fixes:

• Fixed extra737 remove false positives due to policies with condition by @rinaudjaws in #849
• Fixed title, remediation and doc link for check extra768 by @w0rmr1d3r in #853
• Fixed typo in risk description for check29 by @kamiryo in #858
• Fixed bug in extra784 by @tayivan-sg in #856
• Fixed support policy arn in check120 by @hersh86 in #862
• Fixed typo and HTTP capitalisation in extra7142 by @acknosyn in #863
• Fixed Security Hub conflict with duplicated findings in the management account #711 by @xeroxnir in #873
• Fixed doc reference link in check23 @FallenAtticus by @FallenAtticus in #864
• Fixed duplicated region in textFail message for extra741 by @pablopagani in #880
• Updated parts from check7152 accidentally left in by @jarrettandrulis in #895
• Fix check extra734 about S3 buckets default encryption with StringNotEquals by @rustic in #896
• Fix Shodan typo in -h usage text by @jfagoagas in #899
• Fixed typo in README.md by @bevel-zgates in #908

New Contributors

• @varunirv made their first contribution in #846
• @rinaudjaws made their first contribution in #849
• @chbiel made their first contribution in #851
• @tayivan-sg made their first contribution in #856
• @bella-kwon made their first contribution in #857
• @mmuller88 made their first contribution in #860
• @hersh86 made their first contribution in #862
• @acknosyn made their first contribution in #863
• @FallenAtticus made their first contribution in #864
• @georgie969 made their first contribution in #866
• @ManuelUgarte made their first contribution in #869
• @jarrettandrulis made their first contribution in #875
• @ShubhamShah11 made their first contribution in #877
• @dsensibaugh made their first contribution in #889
• @rustic made their first contribution in #896
• @zqumei0 made their first contribution in #894
• @bevel-zgates made their first contribution in #908

Full Changelog: 2.5.0…2.6.0

Thank you all for your contributions, Prowler community is awesome! 🥳

Using AWS CloudShell is probably the easier an quicker way to run Prowler in your AWS account.

Just start AWS CloudShell and run these commands:

git clone https://github.com/toniblyx/prowler
pip3 install detect-secrets --user
cd prowler 
./prowler

If you run Prowler and realize that takes more time that the CloudShell session you can use screen command line tool for that (screen manager with VT100/ANSI terminal emulation). To install it:

sudo yum install screen -y

Run Prowler in a screen session:

screen -dmS prowler sh -c "./prowler -M html"

Check existing running screen sessions:

screen -ls

Attach to the Prowler session:

screen -r prowler

Use ‘Ctrl+a d’ to detach without terminating.

If you want to run Prowler from CloudShell against multiple accounts, first declare a variable with all account you want to assess:

export AWS_ACCOUNTS='1111111 222222 333333'

Then, make sure you have a role to assume on each of those accounts. See this template (create_role_to_assume_cfn.yaml) that may help, then run this command:

for accountId in $AWS_ACCOUNTS; do  screen -dmS prowler sh -c "./prowler -A $accountId -R ProwlerExecRole -M csv,json,html"; done

For more options and details go to: https://github.com/toniblyx/prowler or run ./prowler -h.