Prowler 2.3.0RC

List of Contributors for this release:

This new version of Prowler wouldn't be possible without you all. Thanks!

Marc Jay
Urjit Singh Bhatia
Philipp Zeuner
Ngọ Anh Đức
Patrick Downey
Nimrod Kor and the Bridgecrewio guys
Huang Yaming
Marcel Beck
Faraz Angabini
Kasprzykowski
Huang Yaming
Alex Gray
nalansitan
jonjozwiak
dhirajdatar
Julio Delgado Jr
He.Longfei
Christopher Morrow

Reach out to me on Twitter @toniblyx if you have contributed to this release and you have been missed, sorry about that!

New features:

• Security Hub native integration and ASFF format
• Whitelist support
• Multiple reports and formats at the same time (mono,csv,json,json-asff,junit-xml) like prowler-output-accountid-timestamp.json
• Support for Junit output to use it with Jenkins (-M junit-xml)
• New checks for Trusted boundaries, Elasticsearch, IMDSv2, ECR vulnerabilities, more find secrets and VPC security groups. Comprehensive list below.
• Support for assume role and multi-accounts
• Improved support for AWS GovCloud (US)
• Improved support for AWS-CLI v1 and v2

Other improvements:

• Improved listing of Checks and Groups (-l to see all checks, -L for all groups and -l g groupname to list checks in a particular group)
• Enhanced set entropy for detect-secrets from env BASE64_LIMIT and HEX_LIMIT @yumminhuang (3df2786)
• Improved GetCallerIdentity handling / credentials
• Enhanced documentation with more commands and examples

New checks:

• 7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark) [extras, secrets]
• 7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark) [extras]
• 7.77 [extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark) [extras]
• 7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark) [extras]
• 7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports [extras, elasticsearch]
• 7.80 [extra780] Check if Amazon Elasticsearch Service (ES) domains has Amazon Cognito authentication for Kibana enabled [extras, elasticsearch]
• 7.81 [extra781] Check if Amazon Elasticsearch Service (ES) domains has encryption at-rest enabled [extras, elasticsearch]
• 7.82 [extra782] Check if Amazon Elasticsearch Service (ES) domains has node-to-node encryption enabled [extras, elasticsearch]
• 7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains has enforce HTTPS enabled [extras, elasticsearch]
• 7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains internal user database enabled [extras, elasticsearch]
• 7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available [extras, elasticsearch]
• 7.86 [extra786] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (Not Scored) (Not part of CIS benchmark) [extras]
• 7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports [extras, elasticsearch]
• 7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains [extras, elasticsearch]
• 7.89 [extra789] Find trust boundaries in VPC endpoint services connections [trustboundaries]
• 7.90 [extra790] Find trust boundaries in VPC endpoint services whitelisted principles [trustboundaries]

And in case you missed them because they were hidden:

• 7.59 [extra759] Find secrets in Lambda functions variables (Not Scored) (Not part of CIS benchmark) [secrets]
• 7.60 [extra760] Find secrets in Lambda functions code (Not Scored) (Not part of CIS benchmark) [secrets]

Fixes and minor changes:

• Fixed AWS partition variable on generateJsonAsffOutput (f618a16)
• Added back LIST_OF_CHECKS_AND_GROUPS.md (412c9c1)
• Print warnings with the right color code (8cdf383)
• Improve check21 If no account cloudtrail trail is found, check org trail @nimrodkor @bridgecrewio (996f785)
• If no local cloudtrail trail is found - check org trail (dd0ef8c)
• Fix issue with aws-cli v2 and timestamp on check24 #585 (a2cbcc0)
• Fix check12's grep to find users with true in their name who really have password access @nimrodkor @bridgecrewio (5450bf9)
• Ensure that hyphen is at end of tr string to prevent 'reverse collating sequence order' error in GNU tr @marcjay (e4ae0a4)
• Improved AWS partition handle (1f949b4)
• Add $ to end of regex (dbca70e)
• Fix check12's grep to find users who really have password access (54f2b72)
• Fix output modes strings to ensure correct outputs are selected @marcjay (6844733)
• Ensure that hyphen is at end of tr string to prevent 'reverse collating sequence order' error in GNU tr Stop echo from adding newlines using -n, removing the need to stop replacing new-line characters with underscores (e25125f)
• Updated checks with hardcoded arn to support GovCloud partition (13ca147)
• Improved extra734 for GovCloud (dbb3ed9)
• Fixed issue with govcloud on extra764 #536 (7dc790a)
• Improved GetCallerIdentity handling / credentials (8c9aea1)
• Added txt output as mono for -M (9f03bd7)
• Added account id to the output filename (43fb877)
• Simplified caller id info on outputs (ef952ce)
• Check if gbase64 (GNU) is available on Mac and use it in preference to BSD base64 @marcjay (0cca77a)
• Fix -E flag no longer excluding checks @marcjay (5b9cf7f)
• Added CSV header to the output file too #565 (9cbdefc)
• Extend check13 to meet all CIS rules and consolidate with extra774 (ad66254)
• Updated textInfo message on extra712 (d6374f8)
• Enhancement: extra768 only check latest version of ECS task definition (38a970f)
• Get the list of families and then get latest task definition (5b83701)
• Fix invalid references to $i when it should reference a local $group_index variable (8f17933)
• Improved extra716 and extra788 (6747b20)
• Only check latest version of task definition (172f4b2)
• Fix arithmetic expression for calculating test duration (fa17829)
• Add the ability to generate JUnit XML reports with a -J flag (9943903)
• Ignore inline whitelist comments, pass checkid to filter ignores specifically for checks (bf72025)
• Merge branch 'marcjay-simplify-check-id-variables' (4625270)
• Fixed title in group16_trustboundaries (f065beb)
• Added more sample commands and updates (2de49c3)
• Allow multiple report types at once #345 (4ea1864)
• Fixed issue with regions on check21 (11c182c)
• support arn:aws:s3::: on extra725 (036ae64)
• Adjust execute_check() now that check71's ID has changed Fix minor typo in a comment (7e5a4a1)
• Limit CHECK_ID to a single value, handing the left-pad formatting in one place (0f49468)
• Fix: extra741 - Check if User Data is a valid GZIP file before attempting to gunzip @marcjay (df52057)
• Add clarifying text to pass/fail messages (460f656)
• Extra741 - Check if User Data is a valid GZIP file before attempting to gunzip (c4374a2)
• Prowler IAM Policy Enhancements and README Updates @tekdj7 (9be0b3f)
• Extra725 - Improved support cross account and region cloudtrail @patdowney (a426462)
• Extra720 - Support cross account and cross-region cloudtrail @patdowney (8a7344e)
• Fixed check23_error_fails (7f2e097)
• Fixed check26_error_fails (67504e8)
• Fixed check121-filter-out-password-access-513 (3c77130)
• Fixed fix-no-information-extra774-501 (d855432)
• Fixed handle-gnu-date-as-default-on-mac-osx-534 (3e1d9ea)
• Convert tabs to spaces within modified function (24e6919)
• Avoid changing the execution order of checks when some checks are excluded (57c15c2)
• Fixed check121 - Filter out users who do not have a console password (4f623b4)
• Detect when GNU coreutils is installed on Mac OS X and use the correct date functions (d9588f4)
• Remove the varying number of days in the message so that message stays consistent over time (ce1058d)
• Handle IAM credential report containing 'no_information' for a user's last console login date (8d9c7e8)
• Add CHECK_ASFF_RESOURCE_TYPE variables for recently added checks (c02811f)
• Remove --output text in CLOUDTRAILBUCKET_LOGENABLED (7982cc4)
• Support cross-region and cross-account object-level cloudtrail logs for S3 (b6adfd5)
• Remove HomeRegion predicate from describe-trails in extras725 (78ccc7d)
• Use TrailARN property to query get-event-selectors in checks_extra725 (fc83a98)
• Added new checks to group extras (effc3eb)
• Improvements and new checks for elasticsearch (6ea37b0)
• Remove HomeRegion predicate from describe-trails to look for cross-region trails too (84711d1)
• Use TrailARN property to query get-event-selectors (4ff6856)
• Fixed typo in extra786 (9c4e629)
• New check for Metadata Service Version 2 #413 (bd432fe)
• Improved policy handling on extra716 (b5e1c90)
• Improved policy handling on extra716 (afb908f)
• v2.2.1 with new function and Improved extra779 and extra716 (e567ccb)
• Improved extra716 filters and auth check (2e2fe96)
• Added custom ports variable to extra779 (1ae5d5d)
• Ignore imported ACM Certificate in check_extra724 (1419d48)
• Added connection test for port 9300 in both linux and macosx on extra779 (8faf1f4)
• Updated ES check titles and results (eae4722)
• Enhanced extra779 with better authentication test and TEST_ES_AUTHENTICATION disabled (ee82424)
• Added initial PCI group without checks yet, issue #296 (b4aaf0b)
• Modify group names header to clarify what is CIS only (f809f2f)
• Fixed query on extra779 (1615478)
• Fixed extra774 (705d756)
• Added extra777 - Security Groups with too many rules @renuez (30941c3)
• check_extra774 - revert changes (25bc869)
• extra774 - check correct date, consolidate files and fix report generation (d620274)
• check26 - on failure, output info and not failure (b704568)
• check23 - on failure, output info and not failure (259f24e)
• Support whitelists per check (56a4fd8)
• Updated check21 (0979f42)
• Add $PROFILE_OPT to the CLI (53ee538)
• Updated check_extra778 to use PROFILE_OPT and AWSCLI (cb5858d)
• Fixed check_extra778 reference CHECK_ID (1b2b52e)
• Updated check_extra778 to exclude 0.0.0.0/0 edge case (f5d083f)
• Fixed check_extra788 logic bug related to SECURITY_GROUP and improved check_cidr() isolation (f585ca5)
• Refactored check name to check_extra778 (f149fb7)
• Improve performance of check_extra742 by limiting to one AWS CLI call (8173c20)
• Enable check extra776 in extra group (95cb26f)
• Updated check_extra776 title (4646dbc)
• feat: New check for ecr image scan findings (db260da)
• Updated check_extra777 to fix CHECK_ALTERNATE variable (162ff05)
• Fixed check check119_ignore_terminated (655aae7)
• Fixed check119 needs to ignore terminated instances (c9508c2)
• Fixed check numbers for 774,775 (2321655)