Prowler 4.4.0 - Alexander the Great
Alexander the Great
His name struck fear into hearts of men
Alexander the Great
Became a legend 'mongst mortal men
Prowler 4.4.0 - Alexander the Great 🚀 is here, bringing a ton of new AWS checks and fixes! We also invite you to enjoy this Iron Maiden song.
A big shout-out to our engineers @danibarranqueroo, @MarioRgzLpz and @HugoPBrito for their fantastic work in developing new checks and to our new external contributors @abant07, @LefterisXefteris, @h4r5h1t, @Jude-Bae and @johannes-engler-mw for their PRs 🥳
New features to highlight in this version
AWS
🔐 Cover IAM non existing AWS actions/resources
Prowler now covers IAM scenarios where policies could have a non existing AWS actions in the NotAction
statement allowing ALL actions in resources (same as non existing resources in NotResource
) like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"NotAction": "prowler:action",
"NotResource": "arn:aws:s3:::calculator"
}
]
}
🤔 How to Prevent AWS AI From Using Your Data
Recently, AWS may be using your data to train its AI models, and you may have unwittingly consented to it.
The new check organizations_opt_out_ai_services_policy
ensure that you stop feeding AWS’s AI with your data.
You can see @QuinnyPig's helpful post about how to opt out here or using the AWS documentation.
🚀 More checks!
Prowler has expanded its AWS coverage with 74 new checks for ACM, CloudFront, CodeBuild, DMS, DocumentDB, DynamoDB, EC2, ECS, EKS, Elasticache, ELB, ELBv2, EKS, GuardDuty, IAM, KMS, Lambda, Neptune, Network Firewall, Organizations, RDS, S3, SageMaker and VPC.
See all the new available checks with
prowler aws --list-checks
acm_certificates_with_secure_key_algorithms
awslambda_function_inside_vpc
awslambda_function_vpc_multi_az
cloudfront_distributions_custom_ssl_certificate
cloudfront_distributions_default_root_object
cloudfront_distributions_https_sni_enabled
cloudfront_distributions_multiple_origin_failover_configured
cloudfront_distributions_origin_traffic_encrypted
cloudfront_distributions_s3_origin_access_control
cloudfront_distributions_s3_origin_non_existent_bucket
codebuild_project_no_secrets_in_variables
codebuild_project_source_repo_url_no_sensitive_credentials
dms_endpoint_ssl_enabled
documentdb_cluster_public_snapshot
dynamodb_accelerator_cluster_in_transit_encryption_enabled
dynamodb_table_deletion_protection_enabled
dynamodb_table_protected_by_backup_plan
ec2_client_vpn_endpoint_connection_logging_enabled
ec2_ebs_volume_protected_by_backup_plan
ec2_instance_paravirtual_type
ec2_instance_uses_single_eni
ec2_launch_template_no_public_ip
ec2_networkacl_unused
ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
ec2_transitgateway_auto_accept_vpc_attachments
ecr_repositories_tag_immutability
ecs_service_no_assign_public_ip
ecs_task_definitions_containers_readonly_access
ecs_task_definitions_host_namespace_not_shared
ecs_task_definitions_host_networking_mode_users
ecs_task_definitions_logging_enabled
ecs_task_definitions_no_privileged_containers
eks_cluster_uses_a_supported_version
elasticache_redis_cluster_automatic_failover_enabled
elasticache_redis_cluster_auto_minor_version_upgrades
elasticache_redis_replication_group_auth_enabled
elbv2_is_in_multiple_az
elb_connection_draining_enabled
elb_cross_zone_load_balancing_enabled
elb_is_in_multiple_az
guardduty_rds_protection_enabled
guardduty_s3_protection_enabled
iam_group_administrator_access_policy
iam_user_administrator_access_policy
kms_cmk_not_deleted_unintentionally
neptune_cluster_copy_tags_to_snapshots
neptune_cluster_integration_cloudwatch_logs
neptune_cluster_public_snapshot
neptune_cluster_snapshot_encrypted
networkfirewall_policy_rule_group_associated
organizations_opt_out_ai_services_policy
rds_cluster_copy_tags_to_snapshots
rds_cluster_critical_event_subscription
rds_cluster_default_admin
rds_cluster_deletion_protection
rds_cluster_iam_authentication_enabled
rds_cluster_integration_cloudwatch_logs
rds_cluster_minor_version_upgrade_enabled
rds_cluster_multi_az
rds_cluster_non_default_port
rds_cluster_storage_encrypted
rds_instance_copy_tags_to_snapshots
rds_instance_critical_event_subscription
rds_instance_event_subscription_parameter_groups
rds_instance_inside_vpc
rds_instance_non_default_port
rds_instance_protected_by_backup_plan
s3_access_point_public_access_block
s3_bucket_cross_account_access
s3_bucket_cross_region_replication
s3_bucket_lifecycle_enabled
sagemaker_endpoint_config_prod_variant_instances
vpc_endpoint_for_ec2_enabled
vpc_vpn_connection_tunnels_up
📜 KISA ISMS-P AWS compliance framework added
Prowler now supports one of Korea’s key security compliance frameworks, the Personal Information & Information Security Management System (ISMS-P) from the Korea Internet & Security Agency (KISA) thanks to @Jude-Bae !
Azure
🆕 Azure Container Registries now supported!
@johannes-engler-mw added a new check containerregistry_admin_user_disabled
for verifying if the admin user is disabled for Azure Container Registries.
You can try it with
prowler azure -c containerregistry_admin_user_disabled
🔧 Other issues and bug fixes solved for all the cloud providers
Features
- feat(acm): Add new check for insecure algorithms in certificates by @MarioRgzLpz in #4551
- feat(aws): Add a test_connection method by @jfagoagas in #4563
- feat(aws): add custom exceptions class by @pedrooot in #4847
- feat(aws): Add new check to ensure Aurora MySQL DB Clusters publish audit logs to CloudWatch logs by @danibarranqueroo in #4916
- feat(aws): Add new check to ensure RDS DB clusters are encrypted at rest by @danibarranqueroo in #4931
- feat(aws): Add new check to ensure RDS db clusters copy tags to snapshots by @danibarranqueroo in #4846
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical cluster events by @danibarranqueroo in #4887
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database instance events by @danibarranqueroo in #4891
- feat(aws): Add new check to ensure RDS event notification subscriptions are configured for critical database parameter group events by @danibarranqueroo in #4907
- feat(aws): Add new check to ensure RDS instances are not using default database engine ports by @danibarranqueroo in #4973
- feat(aws): Add new check
opensearch_service_domains_access_control_enabled
by @abant07 in #5203 - feat(aws): add new check
organizations_opt_out_ai_services_policy
by @sergargar in #5152 - feat(aws): Add new CodeBuild check to validate environment variables by @danibarranqueroo in #4632
- feat(aws): Add new KMS check to prevent unintentional key deletion by @danibarranqueroo in #4595
- feat(aws): Add new Neptune check for cluster snapshot visibility by @danibarranqueroo in #4709
- feat(aws): Add new RDS check for deletion protection enabled on clusters by @danibarranqueroo in #4738
- feat(aws): Add new RDS check to ensure db clusters are configured for multiple availability zones by @danibarranqueroo in #4781
- feat(aws): Add new RDS check to ensure db instances are protected by a backup plan by @danibarranqueroo in #4879
- feat(aws): Add new RDS check to verify that cluster minor version upgrade is enabled by @danibarranqueroo in #4725
- feat(aws): Add new RDS check to verify that db instances copy tags to snapshots by @danibarranqueroo in #4806
- feat(aws): Add new S3 check for public access block configuration in access points by @HugoPBrito in #4608
- feat(aws): add tags to Global Accelerator by @puchy22 in #5233
- feat(aws): Split the checks that mix RDS Instances and Clusters by @danibarranqueroo in #4730
- feat(aws) Add check to make sure EKS clusters have a supported version by @abant07 in #4604
- feat(awslambda): add new check
awslambda_function_vpc_multi_az
by @puchy22 in #4816 - feat(awslambda): New check to ensure that a function is inside VPC by @puchy22 in #4783
- feat(azure): add custom exception class by @pedrooot in #4871
- feat(azure): add test_connection method by @pedrooot in #4615
- feat(azure containerregistry): gather service infos and checks disabled admin user by @johannes-engler-mw in #5191
- feat(backup): add tags to backup vaults and backup plans by @puchy22 in #5194
- feat(cloudfront): add new check
cloudfront_distributions_custom_ssl_certificate
by @HugoPBrito in #4959 - feat(cloudfront): Add new check
cloudfront_distributions_default_root_object
by @HugoPBrito in #4938 - feat(cloudfront): add new check
cloudfront_distributions_s3_origin_non_existing_bucket
by @HugoPBrito in #4996 - feat(cloudfront): Add new
cloudfront_distributions_s3_origin_access_control
check to ensure OAC is configured in distributions by @HugoPBrito in #4939 - feat(cloudfront): add
cloudfront_distributions_origin_traffic_encrypted
check to ensure traffic encryption to custom origins by @HugoPBrito in #4958 - feat(cloudfront): Ensure Cloudfront distributions have origin failover configured by @HugoPBrito in #4868
- feat(cloudfront): Ensure distributions use SNI to serve HTTPS requests by @HugoPBrito in #4888
- feat(codebuild): add tags support to projects by @puchy22 in #5207
- feat(CodeBuild): Ensure source repository URLs do not contain sensitive credentials by @MarioRgzLpz in #4731
- feat(compliance): add KISA ISMS-P compliance framework by @Jude-Bae in #5086
- feat(compliance): add method list_compliance_requirements by @pedrooot in #4890
- feat(compliance): rename Compliance class and add list_compliance by @pedrooot in #4883
- feat(dms): add tags to DMS checks by @puchy22 in #5209
- feat(dms): new check
dms_endpoint_ssl_enabled
by @LefterisXefteris in #4968 - feat(DocumentDB): Add new DocumentDB check for cluster snapshot visibility by @MarioRgzLpz in #4702
- feat(dynamodb): add new check
dynamodb_accelerator_cluster_in_transit_encryption_enabled
by @danibarranqueroo in #5173 - feat(dynamodb): add new check
dynamodb_table_deletion_protection_enabled
by @danibarranqueroo in #5148 - feat(dynamodb): add new check
dynamodb_table_protected_by_backup_plan
by @danibarranqueroo in #5175 - feat(EC2): Add new check for security group port restrictions by @MarioRgzLpz in #4594
- feat(ec2): Amazon EC2 Instances Should Not Use Multiple ENIs by @MarioRgzLpz in #4935
- feat(ec2): Amazon EC2 Paravirtual Instance Types Should Not Be Used by @MarioRgzLpz in #4922
- feat(EC2): Change service to adjust the data saved in template_data in LaunchTemplateVersion by @MarioRgzLpz in #4848
- feat(ec2): Client VPN Endpoints Should Have Client Connection Logging Enabled by @MarioRgzLpz in #4804
- feat(ec2): EBS Volumes Should Be Covered by a Backup Plan by @MarioRgzLpz in #5028
- feat(ec2): Ensure automatic acceptance of VPC attachment requests is disabled by @MarioRgzLpz in #4765
- feat(ec2): Ensure both VPN tunnels for an AWS Site-to-Site VPN connection are UP by @MarioRgzLpz in #4948
- feat(ec2): Ensure EC2 launch templates do not assign public IPs by @MarioRgzLpz in #4852
- feat(ec2): Ensure not default Network Access Control Lists are used by @MarioRgzLpz in #4917
- feat(ecr): Ensure ECR repositories have tag immutability configured by @MarioRgzLpz in #5144
- feat(ecs): add new check
ecs_task_definitions_host_networking_mode_users
by @MarioRgzLpz in #5088 - feat(ecs): Ensure ECS containers have a logging configuration specified by @MarioRgzLpz in #5234
- feat(ecs): Ensure ECS containers have read-only access to root filesystems by @MarioRgzLpz in #5168
- feat(ecs): Ensure ECS containers run as non-privileged by @MarioRgzLpz in #5214
- feat(ecs): Ensure ECS task definitions host's process namespace is not shared by @MarioRgzLpz in #5146
- feat(ecs): Ensure public IP addresses are not assigned automatically by @MarioRgzLpz in #5128
- feat(elasticache): add check
elasticache_redis_cluster_auth_enabled
by @HugoPBrito in #4830 - feat(elasticache): Ensure Redis Cache Clusters Automatically Install Minor Updates by @HugoPBrito in #4699
- feat(elasticache): Ensure Redis replication groups have automatic failover enabled by @HugoPBrito in #4853
- feat(elb): add new check
elb_connection_draining_enabled
by @puchy22 in #5014 - feat(elb): add new check
elb_cross_zone_load_balancing_enabled
by @puchy22 in #4818 - feat(elb): add new check
elb_is_in_multiple_az
by @puchy22 in #4829 - feat(elbv2): add new check
elbv2_is_in_multiple_az
by @puchy22 in #4800 - feat(gcp): add a
test_connection
method by @sergargar in #4616 - feat(gcp): add custom exceptions clas by @pedrooot in #4908
- feat(glue): add tags to Glue checks by @puchy22 in #5213
- feat(guardduty): add new check
guardduty_rds_protection_enabled
by @HugoPBrito in #5100 - feat(guardduty): add new check
guardduty_s3_protection_enabled
by @danibarranqueroo in #5087 - feat(html): Add number of muted findings in HTML report #4703 by @abant07 in #4895
- feat(IAM): add new check
iam_group_administrator_access_policy
by @puchy22 in #4831 - feat(iam): add new check
iam_user_administrator_access_policy
by @puchy22 in #4802 - feat(inspector2): Add more tests to inspector2_is_enabled check by @MarioRgzLpz in #5150
- feat(kubernetes): add a test_connection method by @sergargar in #4684
- feat(kubernetes): add custom exception class by @pedrooot in #4912
- feat(neptune): add new check
neptune_cluster_copy_tags_to_snapshots
by @danibarranqueroo in #5062 - feat(neptune): add new check
neptune_cluster_integration_cloudwatch_logs
by @danibarranqueroo in #5048 - feat(neptune): add new check
neptune_cluster_snapshot_encrypted
by @danibarranqueroo in #5058 - feat(networkfirewall): add new check
networkfirewall_policy_rule_group_associated
by @HugoPBrito in #5225 - feat(networkfirewall): change
network_firewalls
from list to dict by @HugoPBrito in #5169 - feat(opensearch): Add domain inside VPC case for public domain check by @puchy22 in #4570
- feat(rds): add missing tags to RDS checks by @puchy22 in #5230
- feat(rds): add new check
rds_cluster_non_default_port
by @danibarranqueroo in #5113 - feat(rds): add new check
rds_instance_inside_vpc
by @danibarranqueroo in #5029 - feat(s3): Add new check
s3_bucket_cross_account_access
by @HugoPBrito in #5082 - feat(s3): add
s3_bucket_cross_region_replication
check by @HugoPBrito in #4761 - feat(s3): add
s3_bucket_lifecycle_enabled
check by @HugoPBrito in #4801 - feat(sagemaker): Ensure SageMaker Endpoint Production Variants have Initial Instance Count greater than one by @MarioRgzLpz in #5045
- feat(secrets): improve detect secrets checks and add config by @pedrooot in #4915
- feat(securityhub): add tags
securityhub_enabled
by @puchy22 in #5231 - feat(slack): add more information about critical findings by @abant07 in #5042
- feat(threat-detection): Use IAM Identity for Cloudtrail Threat Detection instead of IP by @abant07 in #5166
- feat(vpc): Ensure Amazon EC2 Is Configured to Use VPC Endpoints Created for the Amazon EC2 Service by @MarioRgzLpz in #4872
- feat(wafv2): add tags to
wafv2_webacl_logging_enabled
by @puchy22 in #5243
Fixes
- fix(accessanalyzer): refactor accessanalyzer enabled fixer test by @pedrooot in #5026
- fix(acm): Change check logic to scan only in use certificates by @MarioRgzLpz in #4732
- fix(asff): include status extended in ASFF output by @sergargar in #5097
- fix(audit): solve resources audit by @sergargar in #4983
- fix(aws): always use audited partition by @sergargar in #5174
- fix(aws): change check metadata ec2_securitygroup_allow_wide_open_public_ipv4 by @pedrooot in #4946
- fix(aws): change
protected_by_backup_plan
checks by @danibarranqueroo in #5204 - fix(aws): enchance check cloudformation_stack_outputs_find_secrets by @pedrooot in #4859
- fix(aws): enhance resource arn filtering by @sergargar in #4821
- fix(aws): handle AWS key-only tags by @sergargar in #4845
- fix(aws): handle none type attributes by @sergargar in #5216
- fix(aws): make intersection to retrieve checks to execute by @pedrooot in #4970
- fix(aws): raise ArgumentTypeError for parser by @pedrooot in #4921
- fix(aws): run Prowler as IAM Root or Federated User by @sergargar in #4712
- fix(awslamba): add audit config to lambda_client in tests by @pedrooot in #4999
- fix(backport): Workaround not to fail if no backport is needed by @jfagoagas in #4707
- fix(cloudfront): duplicated link in
cloudfront_distributions_https_sni_enabled
check by @HugoPBrito in #5047 - fix(ec2): Manage
UnicodeDecodeError
when reading user data by @puchy22 in #4785 - fix(ecr): change log level of non-scanned images by @sergargar in #4747
- fix(ecr): handle non-existing findingSeverityCounts key by @sergargar in #4746
- fix(elasticache): get correct automatic failover attribute by @HugoPBrito in #5084
- fix(gcp): add default project for org level checks by @sergargar in #5003
- fix(gcp): check cloudsql sslMode by @pedrooot in #4635
- fix(gcp): check next rotation time in KMS keys by @pedrooot in #4633
- fix(gcp): solve errors in GCP services by @sergargar in #5016
- fix(gcp): use KMS key id in checks by @sergargar in #4610
- fix(iam): fill resource id with inline policy entity by @pedrooot in #5120
- fix(iam): handle no arn serial numbers for MFA devices by @pedrooot in #4697
- fix(iam): update logic of Root Hardware MFA check by @sergargar in #4726
- fix(iam-gcp): add getters in iam_service for gcp by @pedrooot in #4998
- fix(inspector2): Ensure Inspector2 is enabled for ECR, EC2, Lambda and Lambda Code by @MarioRgzLpz in #5061
- fix(lightsail): Remove second call to
is_resource_filtered
by @h4r5h1t in #5044 - fix(main): logic for resource_tag and resource_arn usage by @pedrooot in #4979
- fix(metadata): change description from documentdb_cluster_deletion_protection by @pedrooot in #4909
- fix(mutelist): change logic for tags in aws mutelist by @pedrooot in #4786
- fix(outputs): refactor unroll_tags to use str as tags by @pedrooot in #4817
- fix(rds): add comprobations before list tags by @puchy22 in #5249
- fix(rds): get the db_instances values by @pedrooot in #4866
- fix(rds): handle new rds arn template function syntax by @sergargar in #4980
- fix(rds): Modify RDS Event Notification Subscriptions for Security Groups Events check by @danibarranqueroo in #4969
- fix(scan_test): change resource_tags to a dict by @pedrooot in #4631
- fix(security-groups): remove RFC1918 from ec2_securitygroup_allow_wide_open_public_ipv4 by @pedrooot in #4951
- fix(sns): add condition to sns topics by @pedrooot in #4498
- fix(tags): handle AWS dictionary type tags by @sergargar in #4656
- fix(tests): patch
head_bucket
function correctly by @sergargar in #5246 - fix(version): update version flag logic by @sergargar in #4688
- fix(vpc): check all routes tables in subnet by @sergargar in #5081
- fix: handle empty input regions by @sergargar in #4841
Chores
- chore(actions): Run for v4.* branch by @jfagoagas in #4682
- chore(autoscaling): deprecate check
autoscaling_find_secrets_ec2_launch_configuration
by @puchy22 in #5205 - chore(aws): add mixed regions test for
s3_access_point_public_access_block
by @LefterisXefteris in #4877 - chore(aws): Change RDS instance type from list to dict by @danibarranqueroo in #4851
- chore(aws): Convert ELB and ELBv2 attributes to dictionaries by @puchy22 in #4575
- chore(aws): handle NotAction cases in IAM policies by @sergargar in #5035
- chore(aws): improve IAM Resource Policy public logic by @sergargar in #5067
- chore(AWS): match all AWS resource types with SecurityHub supported types in metadata by @puchy22 in #4882
- chore(aws): Remove token from log line by @jfagoagas in #4903
- chore(aws-region): Use Prowler Bot by @jfagoagas in #4863
- chore(awslambda): Enhance function public access check called from other resource by @puchy22 in #4679
- chore(aws_mutelist): Add more Control Tower resources and tests by @jfagoagas in #4900
- chore(azure): Fix CIS 2.1 mapping by @puchy22 in #4760
- chore(backport): Automate all the things! by @jfagoagas in #4669
- chore(backport): update backport PR title by @sergargar in #4686
- chore(backport): Use Prowler-Bot PAT by @jfagoagas in #4855
- chore(bot): Use bot Token by @jfagoagas in #5163
- chore(check_metadata): Rename to CheckMetadata by @jfagoagas in #4864
- chore(cloudtrail): add remediation link to check
cloudtrail_s3_dataevents_read_enabled
by @HugoPBrito in #4764 - chore(cloudtrail): add remediation link to check
cloudtrail_s3_dataevents_write_enabled
by @HugoPBrito in #4762 - chore(dependencies): update boto3 and botocore packages by @sergargar in #4976
- chore(deps): bump aiohttp from 3.9.5 to 3.10.2 by @dependabot in #4713
- chore(deps): bump azure-identity from 1.17.1 to 1.18.0 by @dependabot in #5108
- chore(deps): bump azure-mgmt-compute from 32.0.0 to 33.0.0 by @dependabot in #4856
- chore(deps): bump azure-mgmt-containerservice from 31.0.0 to 32.0.0 by @dependabot in #5036
- chore(deps): bump azure-mgmt-cosmosdb from 9.5.1 to 9.6.0 by @dependabot in #5111
- chore(deps): bump azure-mgmt-network from 26.0.0 to 27.0.0 by @dependabot in #5201
- chore(deps): bump azure-mgmt-web from 7.3.0 to 7.3.1 by @dependabot in #4813
- chore(deps): bump azure-storage-blob from 12.23.0 to 12.23.1 by @dependabot in #5240
- chore(deps): bump boto3 from 1.35.26 to 1.35.28 by @dependabot in #5232
- chore(deps): bump botocore from 1.35.28 to 1.35.29 by @dependabot in #5239
- chore(deps): bump cryptography from 43.0.0 to 43.0.1 by @dependabot in #4923
- chore(deps): bump cryptography from 43.0.0 to 43.0.1 by @dependabot in #4928
- chore(deps): bump dash from 2.17.1 to 2.18.0 by @dependabot in #4932
- chore(deps): bump dash from 2.18.0 to 2.18.1 by @dependabot in #5024
- chore(deps): bump google-api-python-client from 2.146.0 to 2.147.0 by @dependabot in #5185
- chore(deps): bump kubernetes from 30.1.0 to 31.0.0 by @dependabot in #5137
- chore(deps): bump msgraph-sdk from 1.7.0 to 1.8.0 by @dependabot in #5110
- chore(deps): bump numpy from 2.0.1 to 2.0.2 by @dependabot in #4869
- chore(deps): bump pandas from 2.2.2 to 2.2.3 by @dependabot in #5139
- chore(deps): bump peter-evans/create-pull-request from 6 to 7 by @dependabot in #4926
- chore(deps): bump pytz from 2024.1 to 2024.2 by @dependabot in #5012
- chore(deps): bump slack-sdk from 3.33.0 to 3.33.1 by @dependabot in #5107
- chore(deps): bump tj-actions/changed-files from 44 to 45 by @dependabot in #4822
- chore(deps): bump trufflesecurity/trufflehog from 3.82.5 to 3.82.6 by @dependabot in #5222
- chore(deps): update docs dependencies by @sergargar in #5098
- chore(deps-dev): bump bandit from 1.7.9 to 1.7.10 by @dependabot in #5157
- chore(deps-dev): bump black from 24.4.2 to 24.8.0 by @dependabot in #4627
- chore(deps-dev): bump coverage from 7.6.0 to 7.6.1 by @dependabot in #4640
- chore(deps-dev): bump flake8 from 7.1.0 to 7.1.1 by @dependabot in #4643
- chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.8 to 1.2.9 by @dependabot in #5023
- chore(deps-dev): bump mkdocs-material from 9.5.36 to 9.5.38 by @dependabot in #5206
- chore(deps-dev): bump moto from 5.0.14 to 5.0.15 by @dependabot in #5158
- chore(deps-dev): bump pylint from 3.3.0 to 3.3.1 by @dependabot in #5187
- chore(deps-dev): bump pytest-env from 1.1.4 to 1.1.5 by @dependabot in #5090
- chore(deps-dev): bump pytest from 8.3.2 to 8.3.3 by @dependabot in #4991
- chore(deps-dev): bump safety from 3.2.7 to 3.2.8 by @dependabot in #5238
- chore(deps-dev): bump vulture from 2.11 to 2.12 by @dependabot in #5071
- chore(docs): change ResourceType link of Security Hub by @sergargar in #5063
- chore(ec2): add tags to report of EC2 launch templates by @puchy22 in #5210
- chore(ec2): Change security groups to dict by @puchy22 in #4700
- chore(elbv2): add SecurityHub link to
elbv2_desync_mitigation_mode
metadata by @puchy22 in #4791 - chore(elbv2): Add SecurityHub link to
elbv2_ssl_listeners
metadata by @puchy22 in #4787 - chore(labeler): Run also for v4.* by @jfagoagas in #4687
- chore(organizations): improve AWS Organizations service by @sergargar in #5151
- chore(prowler): change all methods from services from format double underscore to single underscore by @puchy22 in #4910
- chore(pull-request): add check for backport by @pedrooot in #4901
- chore(rds): Revert changes on inherited instance checks by @danibarranqueroo in #4827
- chore(README): update checks summary table by @puchy22 in #5119
- chore(readme): Update Slack invite link by @toniblyx in #4875
- chore(README): update summary table by @sergargar in #4984
- chore(README): update summary table by @sergargar in #5248
- chore(readme): Update the number of AWS checks by @puchy22 in #4860
- chore(refactor): make Provider generation global by @sergargar in #4961
- chore(regions): Update labels for backporting by @jfagoagas in #4678
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #5224
- chore(release): Remove unused step by @jfagoagas in #4874
- chore(scan-class): add new scan class by @pedrooot in #4564
- chore(ssm): add tags to
ssm_managed_compliant_patching
by @puchy22 in #5245 - chore(ssm): add trusted accounts variable to ssm check by @sergargar in #5005
- chore(test): improve
iam_root_hardware_mfa_enabled
tests by @sergargar in #4833 - chore(version): update master version by @sergargar in #4681
- chore(version): update version logic in Prowler by @sergargar in #4654
- chore: change SaaS for Prowler by @jfagoagas in #4651
- chore: remove not used variable by @jfagoagas in #4873
- docs(check): change where extract ResourceTypes by @puchy22 in #5030
- docs(dev-guide): refer poetry docs for installation by @puchy22 in #5031
- docs(developer-guide): add info about docstrings by @pedrooot in #4701
- docs(fixers): improve docs about fixers by @pedrooot in #4889
- docs(is_item_matched): update docstrings for method by @pedrooot in #4836
- docs(mutelist): Add service_* documentation by @jfagoagas in #4650
- docs(Tutorials): include volume option when running dashboard in docker by @thejaywhy in #4620
- docs: change installation methods by @puchy22 in #5192
- refactor(aws): Refactor provider by @pedrooot in #4808
- refactor(azure): refactor azure provider by @pedrooot in #4653
- refactor(azure): remove validate_arguments for CLI by @pedrooot in #4985
- refactor(check_metadata): move bulk_load_checks_metadata inside class by @pedrooot in #4934
- refactor(cloudfront): replace origins dictionary with custom Origin class by @HugoPBrito in #4981
- refactor(execute_check): refactor execute method by @pedrooot in #4975
- refactor(gcp): refactor GCP provider by @pedrooot in #4790
- refactor(kubernetes): refactor Kubernetes provider by @pedrooot in #4805
- refactor(mutelist): Remove re.match and improve docs by @jfagoagas in #4637
- refactor(output_options): remove output options from provider by @pedrooot in #5149
- refactor(provider): move audit and fixer config inside the provider by @pedrooot in #4960
- refactor(s3): Changed buckets variable type form list to dict by @HugoPBrito in #4742
- refactor(tags): convert tags to a dictionary by @sergargar in #4598
- test(awslambda): Cover possible checks with moto instead MagicMock by @puchy22 in #4609
New Contributors
- @thejaywhy made their first contribution in #4620
- @abant07 made their first contribution in #4604
- @MarioRgzLpz made their first contribution in #4551
- @LefterisXefteris made their first contribution in #4877
- @h4r5h1t made their first contribution in #5044
- @Jude-Bae made their first contribution in #5086
- @johannes-engler-mw made their first contribution in #5191
Full Changelog: 4.3.7...4.4.0