Prowler-cloud

_Die With Your Boots On_ is a song of Iron Maiden's album _Piece of mind_, it is self explanatory, we like the vibe of that song in their lives, watch it [here](https://www.youtube.com/watch?v=p5jTV81Eyes).
Basically, this is what we do here, we go all in or nothing! 💪🏼
We are bringing the best we have in this code of **Prowler 3.6.0**: some new checks, improved GCP support, new features, more fixes making it a better piece of software and more helpful for your daily job 😄
Remember to run `pip install prowler --upgrade` and rock on! 🤘

New features to highlight in this version:

🥳 **GCP Multi-Project support:**
- Prowler now supports GCP Multi-Project scans! By default Prowler will scan all the GCP Projects that is allowed to scan, if you want to scan a single project or various specific projects you can use the following flag:

prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>


✅ **16 new checks for GCP** (Thanks to jit-contrib ! 💪🏼 ):
- New services ApiKeys, DNS and Dataproc are covered and additional checks for Compute and IAM services.
- See all checks with `prowler gcp --list-checks`

📝 **OCSF Integration** (Hello Amazon Security Lake!):
- OCSF JSON was added as a default output for AWS, Azure and GCP. It was based on the [OCSF Schema's Security Finding v1.0.0-rc.3](https://schema.ocsf.io/1.0.0-rc.3/classes/security_finding?extensions=#).

📊 **AWS Well Architected Framework**:
- The Security Pillar of the [AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html) is now supported by Prowler, you can run it with the following command:

prowler aws --compliance aws_well_architected_framework_security_pillar_aws


⚙️ **MFA supported in AWS**:
- If your IAM entity enforces MFA for AWS Calls you can use `--mfa` and Prowler will ask you to input the following values to get a new session:

prowler aws --mfa
Enter ARN of MFA: arn:aws:iam::012345678910:mfa/xxxxxx
Enter MFA code: XXXXXX


What's Changed
Features
* feat(checks-gcp): Include 4 new checks covering GCP CIS by jit-contrib in https://github.com/prowler-cloud/prowler/pull/2376
* feat(gcp): add 12 new checks for CIS Framework by jit-contrib in https://github.com/prowler-cloud/prowler/pull/2426
* feat(gcp): add `--project-ids` flag and scan all projects by default by sergargar in https://github.com/prowler-cloud/prowler/pull/2393
* feat(mfa): Add MFA flag if it is required by AWS IAM Entity by senyberg in https://github.com/prowler-cloud/prowler/pull/2478
* feat(new_security_framework): AWS Well Architected Framework security pillar by pedromarting3 in https://github.com/prowler-cloud/prowler/pull/2382
* feat(ocsf): add OCSF format as JSON output for AWS, Azure and GCP. Hello Amazon Security Lake! by sergargar in https://github.com/prowler-cloud/prowler/pull/2429
* feat(vpc): add check `vpc_subnet_no_public_ip_by_default` by senyberg in https://github.com/prowler-cloud/prowler/pull/2472
* feat(wellarchitected): add WellArchitected service and check by sergargar in https://github.com/prowler-cloud/prowler/pull/2461

Fixes
* fix(arn validator): include `:` in regex by n4ch04 in https://github.com/prowler-cloud/prowler/pull/2471
* fix(aws): Add missing resources ARN by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2453
* fix(azure): fix empty subscriptions case by n4ch04 in https://github.com/prowler-cloud/prowler/pull/2455
* fix(backup): Handle last_execution_date when None by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2454
* fix(browser auth): fix browser auth in Azure to include tenant id by n4ch04 in https://github.com/prowler-cloud/prowler/pull/2415
* fix(cloudfront): Bad https_enabled check comparison by christiandavilakoobin in https://github.com/prowler-cloud/prowler/pull/2430
* fix(codebuild): handle FAIL in codebuild_project_user_controlled_buildspec by sergargar in https://github.com/prowler-cloud/prowler/pull/2410
* fix(dataevents checks): add trails home region by n4ch04 in https://github.com/prowler-cloud/prowler/pull/2484
* fix(ec2): handle false positive in `ec2_securitygroup_allow_ingress_from_internet_to_any_port` by sergargar in https://github.com/prowler-cloud/prowler/pull/2449
* fix(ecr): handle LifecyclePolicyNotFoundException by sergargar in https://github.com/prowler-cloud/prowler/pull/2411
* fix(efs): Include resource ARN and handle from input by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2452
* fix(inventory): handle exception for every call by sergargar in https://github.com/prowler-cloud/prowler/pull/2457
* fix(kms): check only KMS CMK tags by sergargar in https://github.com/prowler-cloud/prowler/pull/2468
* fix(README): add references to tenant-id when browser auth by n4ch04 in https://github.com/prowler-cloud/prowler/pull/2439
* fix(services): Handle AWS service errors by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2440
* fix(services): verify Route53 records and handle TrustedAdvisor error by sergargar in https://github.com/prowler-cloud/prowler/pull/2448
* fix(typo): typo in README.md by sergargar in https://github.com/prowler-cloud/prowler/pull/2406
* fix(typo) typo in README.md by toniblyx in https://github.com/prowler-cloud/prowler/pull/2407

Chores
* chore(arn): add missing ARNs to AWS Services by sergargar in https://github.com/prowler-cloud/prowler/pull/2476
* chore(arn): include ARN of AWS accounts by sergargar in https://github.com/prowler-cloud/prowler/pull/2477
* chore(boto3): update boto3 config by sergargar in https://github.com/prowler-cloud/prowler/pull/2459
* chore(compliance): Update Description in aws_well_architected_framework_security_pillar_aws.json by sssalim-aws in https://github.com/prowler-cloud/prowler/pull/2432
* chore(docs): add summary table to README.md by toniblyx in https://github.com/prowler-cloud/prowler/pull/2402
* chore(docs): Create CONTRIBUTING.md by toniblyx in https://github.com/prowler-cloud/prowler/pull/2416
* chore(docs): improve allowlist suggestion by sergargar in https://github.com/prowler-cloud/prowler/pull/2466
* chore(docs): improve custom checks docs by sergargar in https://github.com/prowler-cloud/prowler/pull/2428
* chore(logo): Add Prowler logo in SVG format & Propose to Prowler icon design by dsict in https://github.com/prowler-cloud/prowler/pull/2423
* chore(quick inventory): add warning message by sergargar in https://github.com/prowler-cloud/prowler/pull/2460
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2474
* chore(vpc): add mapPublicIpOnLaunch attribute to VPC subnets by senyberg in https://github.com/prowler-cloud/prowler/pull/2470

Dependencies
* build(deps): bump alive-progress from 3.1.1 to 3.1.4 by dependabot in https://github.com/prowler-cloud/prowler/pull/2446
* build(deps): bump boto3 from 1.26.142 to 1.26.147 by dependabot in https://github.com/prowler-cloud/prowler/pull/2480
* build(deps): bump botocore from 1.29.147 to 1.29.152 by dependabot in https://github.com/prowler-cloud/prowler/pull/2482
* build(deps): bump cryptography from 40.0.2 to 41.0.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2436
* build(deps): bump google-api-python-client from 2.86.0 to 2.88.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2483
* build(deps): bump mkdocs-material from 9.1.12 to 9.1.15 by dependabot in https://github.com/prowler-cloud/prowler/pull/2420
* build(deps): bump pydantic from 1.10.8 to 1.10.9 by dependabot in https://github.com/prowler-cloud/prowler/pull/2481
* build(deps-dev): bump coverage from 7.2.5 to 7.2.7 by dependabot in https://github.com/prowler-cloud/prowler/pull/2422
* build(deps-dev): bump docker from 6.1.2 to 6.1.3 by dependabot in https://github.com/prowler-cloud/prowler/pull/2445
* build(deps-dev): bump moto from 4.1.10 to 4.1.11 by dependabot in https://github.com/prowler-cloud/prowler/pull/2443
* build(deps-dev): bump pytest-xdist from 3.3.0 to 3.3.1 by dependabot in https://github.com/prowler-cloud/prowler/pull/2421
* build(deps-dev): bump pytest from 7.3.1 to 7.3.2 by dependabot in https://github.com/prowler-cloud/prowler/pull/2479

New Contributors
* jit-contrib made their first contribution in https://github.com/prowler-cloud/prowler/pull/2376
* dsict made their first contribution in https://github.com/prowler-cloud/prowler/pull/2423
* sssalim-aws made their first contribution in https://github.com/prowler-cloud/prowler/pull/2432
* christiandavilakoobin made their first contribution in https://github.com/prowler-cloud/prowler/pull/2430
* senyberg made their first contribution in https://github.com/prowler-cloud/prowler/pull/2470

**Full Changelog**: https://github.com/prowler-cloud/prowler/compare/3.5.3...3.6.0

Fixes

* fix(ClientError): handle ClientErrors in DynamoDB and Directory Service by sergargar in https://github.com/prowler-cloud/prowler/pull/2400
* fix(OSError): handle different OSErrors by kij in https://github.com/prowler-cloud/prowler/pull/2398
* fix(allowlist) - `tags` parameter is a string, not a list by kppullin in https://github.com/prowler-cloud/prowler/pull/2375
* fix(aws): Handle unique map keys by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2390
* fix(categories): remove empty categories from metadata by sergargar in https://github.com/prowler-cloud/prowler/pull/2401
* fix(inspector2): fix active findings count by sergargar in https://github.com/prowler-cloud/prowler/pull/2395
* fix(pypi-release): Push version change to the branch by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2374
* fix(route53_dangling_ip_subdomain_takeover): notify only IPs with AWS IP Ranges by sergargar in https://github.com/prowler-cloud/prowler/pull/2396

Dependencies
* build(deps): bump azure-identity from 1.12.0 to 1.13.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2386
* build(deps): bump boto3 from 1.26.125 to 1.26.138 by dependabot in https://github.com/prowler-cloud/prowler/pull/2389
* build(deps): bump botocore from 1.29.134 to 1.29.138 by dependabot in https://github.com/prowler-cloud/prowler/pull/2383
* build(deps): bump requests from 2.30.0 to 2.31.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2388
* build(deps): bump shodan from 1.29.0 to 1.29.1 by dependabot in https://github.com/prowler-cloud/prowler/pull/2385
* build(deps-dev): bump moto from 4.1.9 to 4.1.10 by dependabot in https://github.com/prowler-cloud/prowler/pull/2384

Chores
* chore(quick-inventory): send quick inventory to output bucket by sergargar in https://github.com/prowler-cloud/prowler/pull/2399
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2378

New Contributors
* kij made their first contribution in https://github.com/prowler-cloud/prowler/pull/2398

**Full Changelog**: https://github.com/prowler-cloud/prowler/compare/3.5.2...3.5.3

Fixes
* fix(action): solve pypi-release action creating the release branch by sergargar in https://github.com/prowler-cloud/prowler/pull/2364
* fix(sts): Use the right region to validate credentials by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2349
* fix(resource_not_found): Handle error by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2370
* fix(ssm incidents): check if service available in aws partition by sergargar in https://github.com/prowler-cloud/prowler/pull/2372

Chores
* chore(docs): format regions-and-partitions by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2371
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2366

**Full Changelog**: https://github.com/prowler-cloud/prowler/compare/3.5.1...3.5.2

Fixes
* fix(README): order providers alphabetically by sergargar in https://github.com/prowler-cloud/prowler/pull/2344
* fix(README): update Architecture image and PyPi links by sergargar in https://github.com/prowler-cloud/prowler/pull/2345
* fix(route53): handle empty Records in Zones by sergargar in https://github.com/prowler-cloud/prowler/pull/2351

Dependencies
* build(deps): bump pymdown-extensions from 9.11 to 10.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2355
* build(deps): bump shodan from 1.28.0 to 1.29.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2356
* build(deps): bump botocore from 1.29.125 to 1.29.134 by dependabot in https://github.com/prowler-cloud/prowler/pull/2357
* build(deps-dev): bump pytest-xdist from 3.2.1 to 3.3.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2358
* build(deps): bump mkdocs-material from 9.1.8 to 9.1.12 by dependabot in https://github.com/prowler-cloud/prowler/pull/2359
* build(deps-dev): bump docker from 6.1.1 to 6.1.2 by dependabot in https://github.com/prowler-cloud/prowler/pull/2360

Chores
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2350
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2353


**Full Changelog**: https://github.com/prowler-cloud/prowler/compare/3.5.0...3.5.1

I like the story behind [this](https://es.wikipedia.org/wiki/To_Tame_a_Land) Iron Maiden song. Enjoy Prowler 3.5.0 - Dune!

New features to highlight in this version:

🥳 **Slack integration:**
- Prowler now supports Slack integrations! Send a summary of the execution with a Slack APP in your channel, see more in our [Integrations Docs](https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack)



✅ **9 new checks for AWS**:
- New services covered like FMS and NetworkFirewall, additional checks for AutoScaling, Organizations, RDS, Route53, S3, SSM Incidents and Workspaces.
- New important checks:
- `iam_role_cross_account_readonlyaccess_policy` Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts
- `route53_dangling_ip_subdomain_takeover` Check if Route53 Records contains dangling IPs (based on https://github.com/assetnote/ghostbuster)
- See all checks with`prowler aws --list-checks`

🔨 **Allowlist improvements:**
- You can allowlist an specific service and include regex expressions in the tags, see more in our [Allowlist Docs](https://docs.prowler.cloud/en/latest/tutorials/allowlist/)

What's Changed:

Features
* feat(allowlist): allowlist a specific service by sergargar in https://github.com/prowler-cloud/prowler/pull/2331
* feat(allowlist): Support regexes in Tags to allow "or"-like conditional matching by kppullin in https://github.com/prowler-cloud/prowler/pull/2300
* feat(autoscaling): new check autoscaling_group_multiple_az by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2273
* feat(FMS): New Service FMS and Check fms_accounts_compliant by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2259
* feat(iam): add `iam_role_cross_account_readonlyaccess_policy` check by sergargar in https://github.com/prowler-cloud/prowler/pull/2312
* feat(NetworkFirewall): New Service and Check by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2261
* feat(Organizations): New check organizations_tags_policies_enabled_and_attached by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2287
* feat(pre-commit): added trufflehog to pre-commit by n4ch04 in https://github.com/prowler-cloud/prowler/pull/2311
* feat(rds): new check rds_instance_deprecated_engine_version by pedromarting3 in https://github.com/prowler-cloud/prowler/pull/2298
* feat(route53): add route53_dangling_ip_subdomain_takeover check by sergargar in https://github.com/prowler-cloud/prowler/pull/2288
* feat(s3): add s3_bucket_object_lock check by sergargar in https://github.com/prowler-cloud/prowler/pull/2274
* feat(slack): add Slack App integration by sergargar in https://github.com/prowler-cloud/prowler/pull/2305
* feat(ssmincidents): Use regional_client region instead of audit_profile region by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2306
* feat(workspaces): New check workspaces_vpc_2private_1public_subnets_nat by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2286

Fixes
* fix(access-analyzer): Handle ResourceNotFoundException by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2336
* fix(apigateway2): correct paginator name by sergargar in https://github.com/prowler-cloud/prowler/pull/2283
* fix(backup): Return [] when None AdvancedBackupSettings by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2304
* fix(backups): change severity and only check report_plans if plans exists by gabrielsoltz in https://github.com/prowler-cloud/prowler/pull/2291
* fix(client_error): Handle errors by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2308
* fix(cloudfront_distributions_https_enabled): Add default case by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2329
* fix(cloudtrail): handle InsightNotEnabledException error by sergargar in https://github.com/prowler-cloud/prowler/pull/2322
* fix(ecr): Refactor service by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2302
* fix(emr): Handle InvalidRequestException by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2320
* fix(iam): Handle ListRoleTags and policy errors by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2319
* fix(opensearch): Handle invalid JSON policy by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2262
* fix(rds): check configurations for DB instances at cluster level by sergargar in https://github.com/prowler-cloud/prowler/pull/2277
* fix(resourceexplorer2): add resource id by sergargar in https://github.com/prowler-cloud/prowler/pull/2335
* fix(s3): handle NoSuchBucket error by sergargar in https://github.com/prowler-cloud/prowler/pull/2289
* fix(sagemaker): Handle ValidationException by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2321
* fix(sns_topics_not_publicly_accessible): Change PASS behaviour by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2282
* fix(trustedadvisor): avoid not_available checks by sergargar in https://github.com/prowler-cloud/prowler/pull/2323
* fix(typo): remove redundant lines by kagahd in https://github.com/prowler-cloud/prowler/pull/2307
* fix(typo): typo in `backup_vaults_exist` check title by sergargar in https://github.com/prowler-cloud/prowler/pull/2317
* fix(vpc services): list to dicts in vpc and subnets by n4ch04 in https://github.com/prowler-cloud/prowler/pull/2310

Chores
* chore(docs): improve GCP docs by sergargar in https://github.com/prowler-cloud/prowler/pull/2318
* chore(docs): improve security hub docs by sergargar in https://github.com/prowler-cloud/prowler/pull/2285
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2334

Dependencies
* build(deps): bump boto3 from 1.26.115 to 1.26.125 by dependabot in https://github.com/prowler-cloud/prowler/pull/2327
* build(deps): bump botocore from 1.29.115 to 1.29.125 by dependabot in https://github.com/prowler-cloud/prowler/pull/2301
* build(deps): bump google-api-python-client from 2.84.0 to 2.86.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2296
* build(deps): bump mkdocs-material from 9.1.6 to 9.1.8 by dependabot in https://github.com/prowler-cloud/prowler/pull/2294
* build(deps): bump mkdocs from 1.4.2 to 1.4.3 by dependabot in https://github.com/prowler-cloud/prowler/pull/2324
* build(deps-dev): bump coverage from 7.2.3 to 7.2.5 by dependabot in https://github.com/prowler-cloud/prowler/pull/2297
* build(deps-dev): bump docker from 6.0.1 to 6.1.1 by dependabot in https://github.com/prowler-cloud/prowler/pull/2326
* build(deps-dev): bump moto from 4.1.8 to 4.1.9 by dependabot in https://github.com/prowler-cloud/prowler/pull/2328
* build(deps-dev): bump pylint from 2.17.3 to 2.17.4 by dependabot in https://github.com/prowler-cloud/prowler/pull/2325


New Contributors
* kppullin made their first contribution in https://github.com/prowler-cloud/prowler/pull/2300

**Full Changelog**: https://github.com/prowler-cloud/prowler/compare/3.4.1...3.5.0

Fixes
* fix(iam_role_cross_service_confused_deputy_prevention): avoid service linked roles by sergargar in https://github.com/prowler-cloud/prowler/pull/2249
* fix(version): execute check current version function only when `-v` by sergargar in https://github.com/prowler-cloud/prowler/pull/2263
* fix(log_group_retention): handle log groups that never expire by jfagoagas in https://github.com/prowler-cloud/prowler/pull/2272

Chores
* chore(test): add rds_instance_transport_encrypted test by sergargar in https://github.com/prowler-cloud/prowler/pull/2252
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2251
* chore(regions_update): Changes in regions for AWS services. by sergargar in https://github.com/prowler-cloud/prowler/pull/2258
* chore(test): add CloudWatch and Logs tests by sergargar in https://github.com/prowler-cloud/prowler/pull/2264

Builds
* build(deps-dev): bump pytest from 7.3.0 to 7.3.1 by dependabot in https://github.com/prowler-cloud/prowler/pull/2266
* build(deps-dev): bump pylint from 2.17.2 to 2.17.3 by dependabot in https://github.com/prowler-cloud/prowler/pull/2267
* build(deps-dev): bump moto from 4.1.7 to 4.1.8 by dependabot in https://github.com/prowler-cloud/prowler/pull/2268
* build(deps): bump boto3 from 1.26.105 to 1.26.115 by dependabot in https://github.com/prowler-cloud/prowler/pull/2269
* build(deps): bump azure-mgmt-security from 4.0.0 to 5.0.0 by dependabot in https://github.com/prowler-cloud/prowler/pull/2270


**Full Changelog**: https://github.com/prowler-cloud/prowler/compare/3.4.0...3.4.1