Prowler-py

Latest version: v0.0.1

Page 1 of 2

2.2.0

Special thanks to all contributors mentioned below.

This new version of Prowler wouldn't be possible without you all. Thanks!

List of Contributors for this release:
zfLQ2qx2
gabrielsoltz
Nimrod Kor
Mr. Secure
Tobi Fuhrimann
jonnyCodev
Or Evron
soffensive
Venki
angabini
Venkatadri Duggina
Samuel Dugo
Martin Kemp
Marcus Maxwell
Fayez Barbari
Dominick Bellizzi
David Lladro
C.J
Ricardo Oliveira
Kim Oliver Fehrs
Kasprzykowski
Jonathan Rau
Jerome Caffet
Barak Schoster Goihman
tomcrawf90
shaunography
james-portman-contino
bgeesaman
barnhartguy
alphad05
Will Thames
Tom Crawford
Ryan John Peck
Roman Vynar
Richard Nienaber
Ralph Rodkey
Nick Malcolm
Nic Doye
Ngọ Anh Đức
Morey Straus
Michael Peterson
Kinnaird McQuade
Kevin Pawloski
JohnVonNeumann
Dom Bellizzi
Clint Moyer
Christopher Morrow
Brian Fallik
Artashes Arabajyan
Affan Malik

New features:
f3bfe90: Add native support for AssumeRole
f979c73: Add quiet mode that only shows failures
be4bbe4: New POC for scoring report
00e5e65: Option "-c" supports one or multiple checks
71355b0: New option "-E" supports exclusion of one or multiple checks
ab5968c: Re remove colors in json output
f006c81: Use custom AWS profile with Role to assume
cea0cfb: Prevent colorization on Failed and Info
8bb1529: More jq_improvements
61ef02e: Reduced API calls
64e38dd: Added megaprowler code for multiaccount (sample implementation)
f32b769: Make 3.x tests simpler and more useful
4bc64e9: Create Pipfile
ea6d9c9: Integration with Yelp detect-secrets
58fdd45: Ability to exclude check from group run
e273ae3: Adding detect_secrets support to Docker
da9cb41: Added jq to Dockerfile and fixes
bc9d4fe: Created a new Dockerfile based on Alpine
a2ccac9: FreeBSD support

New checks:
4098521: Check find secrets in UserData for Auto Scaling groups check_extra775
a824e06: Check if user has unused console login
2f17cfb: Check if CloudFront is using a WAF
4c1d188: Check for unused Elastic IP addresses
3b264d5: Check for internet facing instances with an Instance Profile attached.
7b5ece8: Check IAM Access Analyzer
fe65eaf: Check ECS scan on push
b61af3a: Check secrets in ECS task definition environment variables
961b79a: Check for CloudFront field level encryption
264b84a: Check for ECR scanning
2c531a2: Check for unsupported lambda runtimes
66c59ea: Check for EBS default encryption
40117ed: Checks for EC2 age
b8c7915: Check extra756 Redshift cluster public
5cd7214: Check extra755 open Memcached port
4f00760: Check extra754 open Cassandra port
660b573: Check open MongoDB port
1d45c45: Check open Redis port
3693ee3: Check SG open Postgres port
c36a606: Check SG open MySQL ports
5325bab: Check SG open MySQL ports
e283d35: Check SG open Oracle ports
b95cf5b: Check SG open to any port
c6dfbfd: Check IPv6 support to networking checks
62991cf: Check RDS CloudWatch Log integration
8b4b59e: Check RDS backup and RDS group of checks
a6569a0: Added group12 apigateway checks
50b6e63: Check API Gateway has authorizers
3582b42: Check API Gateway has CloudWatch Logs
65e2ff7: Check API Gateway has authorizers
504a11b: Check API Gateway public or private
f03eccf: Check API Gateway has a WAF ACL attached
d078985: Check API Gateway has client certificate enabled
bde9482: Check to find keys in CloudFormation Outputs

Documentation improvements:
e5e5e84: Add documentation for excluding group checks
4f4591d: Added more install details and docker run
1e1de4f: Added Security Hub integration link
24780b4: Improve documentation with prowler-additions-policy.json
2da125f: UPDATE README.md - fix incorrect group flag
04acb74: Enhanced requirements and installation
bc12717: Added MFA help
d818381: Wazuh integration guide DRAFT
b59d5db: Added new option exclude
2700365: Improved rules ID
08cdf35: Added CODE_OF_CONDUCT.md

Fixes:
0210c43: check_11_check_access_keys_usage
4a1d406: Check Extra 774 - Fixed bug - was checking account creation time instead of last logon date.
44716cf: mark_only_available_rds_instances_as_violating
1f3aaa8: es_public_domains_filter_condition
6213a74: public_bucket_policy_check_for_conditions
bf9ffc0: extra748_check_for_all_ports
fff605b: fix_extra_764_handle_all_aws
a6516e4: Check 1.1 - check password access and access key usage
4fe5750: Filter for only available rds instances in check
178a34e: Add conditions check for extra716
5f3293a: Add conditions check for extra771
28a8ae7: Check extra748 should fail in case of all ports (0-65535) open
daa26ed: extra764 should also check for principal being AWS = "*"
9bd54ca: Fixed issue 378
4d683a7: fix-check11
4476571: check if last_login_date is a valid date
5069fd2: Associate VPCFlowLog with VPC
0d1807b: Remove `ses:sendemails`
a77d3b0: handle_get_bucket_policy_error
5cebebb: handle_get_bucket_policy_error
528e14d: Update check119
fe2d2b4: check root account access login and fail if used in the last day
74cbbdd: add text info in case of error occurred
029c330: fix check extra 764
2abe360: Update group7_extras
d473ebe: moving MAX_DAYS to the inner scope of the function
f038074: Update prowler-additions-policy.json
f797805: issue 458
ef001af: issue 459
2d712f6: issue-163-CloudFront-WAF
278e382: Update group7_extras
3452ecd: eip_check
f2f8216: issue 460
f735de8: Rewrite of check extra73
9fc0f6c: Remove check 766, dupe of check 765
41ccd45: Add additional error checking to address issue 459
9ed7d75: Add command for check119
b3b9039: cleanup_temp_files
4806d5f: update_check_extra764
a755ec8: update_extra769
3c703de: update_check_extra726
7d324be: Resolve issue with not_available state in results
b22b0af: Misc fixes to check extra764
4cc5cd1: Try to make sure prowler cleans up its temporary files
688f028: Add additional error checkings to check extra769
c84190c: Add error checking to checks extra77 and extra765
23be47a: Enhanced title for check extra723
ab75f19: small_fixes_to_extra731_extra716
20b127f: Added DS IAM actions
cc5da42: add lambda:get* to prowler-additions-policy
1087d60: Small check fixes
d2b3e5e: Added new checks to extras group
0d120a4: check_bucket_policies_public_write
0ab5d87: public-instance-with-instance-profile-attached
39c7ea5: Add feature custom checks folder issue 439
933e415: fix_check26
fc3f4e8: Reuse ACCOUNT_NUM
7e803bb: Change to check 771
8e1aa17: Fix check26 - get the account ID from sts
dd5bf6c: fix_check21
7cb869a: use more generic access-analyzer:List*
559b058: Add trail count to check21 and fail if no trail exist
53f097c: Add "access-analyzer:ListTagsForResource" to prowler-additions-policy.json
b6e34ad: Fix issue 409
4af3dc1: Fix issue 426 updated base64 function
923fadb: check-3xx-whitespace-tolerance
3f68acc: Added missing file iam/prowler-additions-policy.json
2e11e0a: Fix extra764 check
c630c02: Update check_extra768
e18cea2: consolidated ProwlerReadOnlyPolicy and available json
8f91bfe: clean up documentation and added info to check_sample
c513e7a: ecs_task_definition_secrets_check_contribute
2e1cead: extra719
5c8b0aa: check726
15dda01: prowler-misc-updates
d19ae27: Fix merge issue
687686c: Filter out private zones in check extra719
94a9059: Handle Trusted Advisor entitlement issue gracefully
669469e: Update extra764 and extra734, add .gitignore rules for vim
031b68a: fixed typo in iam policy
d737193: extra75-enhancement
f83ce78: prowler-3x-checks
054043d: Update extra75 to aware of default security groups
603ed0b: Update log metric filter checks to latest AWS CIS Foundations Benchmark and provide hints on how to remediate
3a89388: Misc prowler fixes
2e18192: Added pull request template
508a935: fix jq array
6389869: remove_old_check
d026ed5: improve_extra727
529fc64: better_output
5cadd0c: remove_unused_variable
df5def4: comments_and_fix
5252518: extra73
be0bc7a: extra 7.62 - output cleanup
c460e35: obsolete_runtimes
827b1fd: add region info to textFail,textPass output
23a7c7f: fix spelling error in message
e683ea5: fix over-quoting bug
826cc00: replacing git clone with ADD as to not cache layer indefinitely
77b3a9b: unsetting excluded_checks
d4fad17: update pipeline commands to use multi-account path
ddb4983: bring in quoting nits
31a4024: Merge pull request 392 from MrSecure/mega
40a2ea6: fixed region for extra757 and extra758
7e28f85: add cli options
64667ea: grant codebuild the ability to assume audit role
70304dc: suppress remaining shell check warnings
e0a77b3: cleanup using shellcheck
70de023: more output structure cleanup
b5ccdad: change bucket resource name
d0af7f4: remove 'out' from artifact storage path
fc77b4a: Merge pull request 390 from Quiq/master
4540fd7: Add missing permission
44cfa71: updated logging
ecde624: remove unnecessary variables and removed echo
d5f22ab: fixing check26 cross access bug
72b1421: fixing cross account cloudtrail issue
cd52bf8: fix typo
aba697a: List CloudFront distributions only once
49994d1: List successful cases as PASS! for 7.27
f3d617a: Fix Pipfile
1be58e0: Fix issue 323
8333c57: Fixed issue 348 -e option back to work
02d2561: Fix issue 354
30b2f55: support_role_added_to_groups
253fa5e: 351
188a681: check314_case_sensitivity
9e06297: fix_check_extra741
eecb272: Fixed output for PR 339
2ed3378: refactor_check_extra734
bd9ae4b: improve_check_extra73
30e2360: remove filter by roles so that groups are included as well
033e262: [FIX] remove duplicated filter condition | kf/aa/if
2b95f69: [FIX] allow 1.22 checks on policies with only one statement block | kf/aa/if
5bd3f0b: Fix typo
a430ad4: Tabs to 4 spaces
85dc040: Made check314 less case sensitive
a259571: Fixing missing &&
8b2c113: add_detect_secrets_to_docker
cea45f4: remove REGION from Bucket Listing
d7d2246: improved for other file types like empty and very short
e6992e8: ignore None when user data is empty
c8622bc: better check denied
76e6657: refactor check_extra734
de83360: fix locations
d50c3af: add check for explicit deny
3947ee2: Improved -l option to list uniq checks
0db97d5: improve AWS CLI parameters order, same as other checks
588976a: Fixed lack of in PR 331
b1e7dc8: get_date_previous_than_months compatible busybox
c5f1703: add linux and cygwin get_date_previous_than_months function
ea886b8: guardduty_regions
d640086: add guardduty regions
5037cb0: improve code
085dd33: function os
c4ddb8f: review outputs
df6c323: fix extra731 output
004f882: iterate across all default sg, so fail more for each one and also add output sg
a59aedc: Fixed accuracy for check_extra722
da25a02: removed extra746 duplicated with extra722
967fe02: Fixed new API Gateway checks alias
f5708d7: Separate default encryption and bucket policy encryption
4222082: Fixed issue 317
b4c4a46: Fixed issue 315
e0d86c1: Iterate over all regions
a707b38: Revert adding freebsd detector
1956be4: Delete duplicate check extra739
917a323: Fixed check122 to match CIS 1.22 checks requirements, instead of '=~ *' use '== *'
ddad72f: Fix issue 309
b03aca8: Fixed issue 308
9d526ff: Added group11 keys and improved 741 and 742
fa1a3b8: Fix issue 301
c8cc343: Fix issue 303
6d15bb6: Fix issue 300
b60d320: Improved title to describe what extra71 does
2bc3575: Improved extra714 to find secrets
3c2ad65: Spelling fix "reshift" means "redshift"
069b540: Fixed typo in hipaa
2e754a5: Fixed check120
8935233: Update check_extra739
c9c4620: format fix
bacdf6e: Check for flowlogs only in active VPCs, avoid false flag if a region has no VPCs
d78424b: gdpr fix
1727758: enhanced gdpr and first wazuh integration bits
573fa46: Fixed AccessDeniedException on extra730
31a0de1: Adding extra340 to GDPR group
25d1aa9: Make check3x more tolerant

2.0

New features:
* Refactored code:
  * reduced the number of lines in the prowler main script and added an `includes` folder with parts, to easily find and manage all components
  * dedicated folder for `checks`, one check per file
  * same for `groups` of checks: now you can create custom groups and run Prowler against your custom group (for example only the checks that your company needs)
  * moved Dockerfile to `utils` folder
  * moved IAM policy additions to `iam` folder
* Output now displays `PASS` and `FAIL` instead of `OK` and `WARNING` messages.
* Option `-g <group_id>`: run specific group from the existing or new one
* Option `-b`: hide banner
* Check whitelisting: thanks to the new groups management, you can create your own checks based on your needs.
* Custom checks: now it is easier to add a new check, just create your check based on the sample one and add it to a group, or create your own group.
* Added version to the banner and changed description
* Added new check `extra723` that looks for public RDS snapshots (single and cluster)
* Added check `extra724` Certificate Transparency
* Added check ID on every check and group title.
* Added check `extra725` S3 object-level logging (extras and forensics)
* Added check `extra726` Trusted Advisor errors and warnings
* Added check `extra727` SQS queues have policy public
* Added check `extra728` SQS queues have encryption enabled
* Added `-V` flag to see version
* Added check `extra729` no EBS Volumes unencrypted
* Added check `extra730` ACM Certificates are about to expire in 7 days or less
* Added check `extra731` SNS topics have policy set as Public
* Added check `extra732` Geo restrictions are enabled in CloudFront distributions
* Added check `extra733` SAML Providers then STS can be used
* Added check `extra734` S3 buckets have default encryption (SSE) enabled and policy to enforce it
* Added check `extra735` RDS instances storage is encrypted
* Added check `extra736` exposed KMS keys
* Added check `extra737` KMS keys with key rotation disabled
* Added check `extra738` CloudFront distributions are set to HTTPS
* Added check `extra739` ELBs have logging enabled
* Added check `extra740` EBS snapshots are encrypted
* JSON support as output mode `-M json`, thanks to hb3b
* Added support to run on Fargate and uses metadata for credentials, thanks to mattfinlayson
* Added group checks for GDPR and HIPAA, thanks to crashGoBoom for helping out with HIPAA

Improvements:
* Adapted to the latest CIS for AWS 1.2, thanks to gpatt
* option `-l` now shows all groups, not only the default ones, with the titles of all their checks.
* changed `#!/bin/bash` to `#!/usr/bin/env bash` 182 thanks to doshitan
* `check28` 181 thanks to doshitan
* `check41` and `check44` 180 thanks to subramani95
* Changed output functions to `textInfo`, `textFail` and `textPass`
* Hide banner on CSV output mode for group check
* Added version to banner
* Improved current directory handler for includes
* Improved error handling on `check111`
* Improved instance profile handling issue 200, thanks to netflash and ceyes
* Improved default region handling issue 202, thanks to ceyes
* Improvements on account ID handling in CSV output issue 205, thanks to MrSecure
* Improved `check28`, thanks to nexeck
* Improved `check_extra73` to support graceful failing of buckets with corrupt/unintended permissions, thanks to hb3b
* Improved `check111`, thanks to roo7break and martinusnel
* Improved `check27`
* Improved group error handling
* Improved `check115`, `check315` and `check13` and their documentation, thanks to rheak
* Improved `extra725`, thanks to martinusnel
* Improved username filtering for `check12` for CIS 1.2, thanks to gpatt
* Improved username filtering for `check116` for CIS 1.2, thanks to gpatt
* Improved `extra713`, thanks to mbode
* Improved credentials handling, thanks to flomotlik
* Improved `check112` to avoid extra API call, thanks to jlamande
* Improved `check29`, thanks to onkymykiss1

Fixes:
* `check22` 194 thanks to mbode
* `check717` 188 thanks to ahhh
* Fixed required IAM permissions 187 thanks to rtkjbillo
* Disable concurrency checks to `check_extra73` due to API limits
* Fixed issue 268
* Mark CIS level2 and 2 properly, also marker to sample check thanks to MrSecure
* Fixed mismatched check_type on `check18` thanks to MrSecure
* Fixed typo on `check311` thanks to MrSecure
* Ensure credential report is available before running any checks thanks to MrSecure
* Fixed checks on group3 to prevent duplicates, thanks to myoung34
* Fixed `extra73` to use `$PROFILE_OPT` properly, thanks to sidewinder12s
* Fixed checks `extra727` and `extra728` to use `$PROFILE_OPT` properly, thanks to tmonk42
* Fixed `check14`, thanks to atomdampflok
* Fixed checks listing, thanks to UranusBytes
* Fixed `check13` for never logged users, thanks to jlamande

Documentation:
* Added new way to create custom checks and custom groups
* Improved Prowler description
* Added command to save report to S3
* Update all CIS document links to AWS version thanks to sidewinder12s
* Changed the license of the non-CIS checks and the rest of the code to Apache 2.0; the CIS checks keep their existing license
* Added license and commercial use disclaimer to README
* Added info about GDPR and HIPAA
* Improved README formatting and typos, thanks to craighurley and slmingol
* Added new needed IAM roles, thanks to yapale, mixmatch and jlamande

Special thanks to:
philipmeadows for his help and ideas on code refactoring

2.0beta

New features:
* Refactored code:
  * reduced the number of lines in the prowler main script and added an `includes` folder with parts, to easily find and manage all components
  * dedicated folder for `checks`, one check per file
  * same for `groups` of checks: now you can create custom groups and run Prowler against your custom group (for example only the checks that your company needs)
  * moved Dockerfile to `utils` folder
  * moved IAM policy additions to `iam` folder
* Output now displays `PASS` and `FAIL` instead of `OK` and `WARNING` messages.
* Option `-g <group_id>`: run specific group from the existing or new one
* Option `-b`: hide banner
* Check whitelisting: thanks to the new groups management, you can create your own checks based on your needs.
* Custom checks: now it is easier to add a new check, just create your check based on the sample one and add it to a group, or create your own group.
* Added version to the banner and changed description
* Added new check `extra723` that looks for public RDS snapshots (single and cluster)

Improvements:
* option `-l` now shows all groups, not only the default ones, with the titles of all their checks.
* `check73` now does the S3 check in parallel thanks to vsMeecles and Jonathan Glass
* changed `#!/bin/bash` to `#!/usr/bin/env bash` 182 thanks to doshitan
* `check28` 181 thanks to doshitan
* `check41` and `check44` 180 thanks to subramani95

Fixes:
* `check22` 194 thanks to mbode
* `check717` 188 thanks to ahhh
* fixed required IAM permissions 187 thanks to rtkjbillo

Documentation:
* Added new way to create custom checks and custom groups

Special thanks to:
philipmeadows for his help and ideas on code refactoring

1.6

New features:
- New **forensics ready** group of checks: it includes existing and new ones to ensure your AWS account is ready for a deep forensic investigation if needed `prowler -c forensics-ready`
- Added option `-e` to exclude all extra checks (they may make prowler take longer to finish)
- New check `extra78` Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark) thanks to sidewinder12s
- New check `extra79` Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark) thanks to sidewinder12s
- New check `extra710` Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark) thanks to sidewinder12s
- New check `extra711` Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark) thanks to sidewinder12s
- New check `extra712` Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
- New check `extra713` Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
- New check `extra714` Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
- New check `extra715` Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
- New check `extra716` Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
- New check `extra717` Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
- New check `extra718` Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
- New check `extra719` Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
- New check `extra720` Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
- New check `extra721` Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
- New check `extra722` Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)

Fixes:
- Typo in extra72 by neonbunny
- check114 by subramani95

Improvements:
- PR 150 Load of authentication credentials
- PR 164 check31 by subramani95
- PR 167 OSTYPE handling to support Alpine docker containers

Documentation:
- Added section https://github.com/Alfresco/prowler#forensics-ready-checks to README
- Added all new extra checks to README

Special thanks to:
sidewinder12s, subramani95, neonbunny and SubatomicHero.

1.5

New features:
- More extra checks to find public AMIs, ECR repos and EC2 snapshots
- New flag `-l` to list all available checks
- New Dockerfile to create your own image with prowler

Fixes:
- Issue 133 text fix in check36
- Issue 137 fix in check114
- Issue 136 fix in check113
- Issue 135 fix regarding [[]] statements
- Issue 134 fix in check124
- Issue 131 fix in check312
- Issue 130 fix in check12
- Issue 129 fix in checks section 3

Improvements:
- Refactored title and checks id in the script

Documentation:
- Added section how to add Custom Checks to README
- Added section Third Party Integrations to README

Thanks to st33v, wassies, tomas-milata, sente and pbugnion

prowler-1.4

New features:
- 101 Added -n option to show check numbers that are easier to sort, i.e. 1.02 instead of 1.2.

Improvements:
- 83 Better check73 checking bucket permissions (ACL and Policies)
- 81 Improved extra73 - S3 bucket permissions
- 84 Improved error handling for check15 and check111, improved check41

Fixes:
- 82 Fixed bug in extra73 for buckets in EU (eu-west-1)
- 86 Fix LICENSE
- 87 Fix temp file issue
- 91 Broken sed expression & typos
- 92 Fix scored output
- 95 Added --max-items option to extra72
- 97 Removed printCurrentDate() and added current date to banner
- 98 Updated infoReferenceLong() text and moved the function call
- 99 Remove bit.ly reference
- 100 Removed printCurrentDate reference
- 103 Fix check14 if users contain the same strings as the table title

Thanks MrSecure, neonbunny, hemedga, jphuynh and steverigby for your help and suggestions.

1.3

- Fixes regarding SNS checks and some other small fixes
- Added CIS profile definitions (profile1 and profile2 as stated in their documentation)
- Added extra checks (extra71, extra72 and extra73 to check admins w/o MFA, Search Publicly shared EBS Snapshots and S3 buckets open to the internet)
- Improved documentation

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.