Releases: prowler-cloud/prowler
Prowler 5.0.5 - Powerslave
What's Changed
- fix(gha): run API and UI tests in correct versions by @prowler-bot in #6301
- fix(migrations): fix django migration order dependency by @prowler-bot in #6303
- chore(version): update Prowler version by @MrCloudSec in #6293
Full Changelog: 5.0.4...5.0.5
Prowler 5.0.4 - Powerslave
What's Changed
Fixes
- fix(aws): disallow child-accounts to overwrite policy for ai_services_opt_out by @prowler-bot in #6292
- fix(db-utils): fix batch_delete function by @prowler-bot in #6285
- fix(users): fix /users/me behavior when having more than 1 users in the same tenant by @prowler-bot in #6288
Chores
- chore(findings): remove delta new as filter by default in findings by @prowler-bot in #6281
- chore(gha): solve pypi release github action by @prowler-bot in #6286
- chore(menu): add API reference link to the sidebar by @prowler-bot in #6289
- chore(version): update Prowler version by @MrCloudSec in #6277
Full Changelog: 5.0.3...5.0.4
Prowler 5.0.3 - Powerslave
What's Changed
Fixes
- fix(aws): add missing region to Backup Recovery Point by @prowler-bot in #6275
- fix(aws): solve None type errors by @prowler-bot in #6272
- fix(gha): make conditional job for checking the repo by @prowler-bot in #6260
Chores
- chore(api): Use prowler ^5.0 by @prowler-bot in #6267
- chore(gha): build and push OSS UI by @prowler-bot in #6248
- chore: skip action on .env changes by @prowler-bot in #6259
- chore: update Prowler version by @jfagoagas in #6258
- chore(GHA): add gha for API by @prowler-bot in #6247
Full Changelog: 5.0.2...5.0.3
Prowler 5.0.2 - Powerslave
API
Fixes
- fix(RLS): enforce config security by @prowler-bot in #6190
- feat(celery): Add configurable broker visibility timeout setting by @prowler-bot in #6246
Chores
- chore(rls): rename tenant_transaction to rls_transaction by @prowler-bot in #6203
SDK
Fixes
- fix(.env): remove comment by @prowler-bot in #6242
Chores
- chore(version): update Prowler version by @MrCloudSec in #6196
Full Changelog: 5.0.1...5.0.2
Prowler 5.0.1 - Powerslave
UI
Fixes
- fix(invitations): remove wrong url by @prowler-bot in #6012
- fix(users): user detail can be edited now properly by @prowler-bot in #6137
Chores
- chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /ui by @prowler-bot in #6176
- chore(deps): bump nanoid from 3.3.7 to 3.3.8 in /ui by @prowler-bot in #6175
- chore: delete unneeded requirements file by @prowler-bot in #6058
API
Fixes
- fix(deploy): temporal fix for the alpine-python segmentation fault by @prowler-bot in #6115
- fix(tenant): fix delete tenants behavior by @prowler-bot in #6014
SDK
Fixes
- fix(app): add support for TLS 1.3 to Web Apps check by @prowler-bot in #6144
- fix(aurora): Add default ports to the check of using non default ports by @prowler-bot in #6151
- fix(autoscaling): autoscaling_group_launch_configuration_requires_imdsv2 fails if Launch Template is used by @prowler-bot in #6147
- fix(aws): check AWS Owned keys in firehose_stream_encrypted_at_rest by @prowler-bot in #6121
- fix(aws): get firewall manager managed rule groups by @prowler-bot in #6124
- fix(aws): set IAM identity as resource in threat detection by @prowler-bot in #6118
- fix(aws): set same severity for EC2 IMDSv2 checks by @prowler-bot in #6104
- fix(aws): set unique resource IDs by @prowler-bot in #6192
- fix(backup): modify list recovery points call by @prowler-bot in #6096
- fix(compliance_tables): add correct values for findings by @prowler-bot in #6127
- fix(gcp): make sure default project is active by @prowler-bot in #6113
- fix(iam): set unique resource id for each user access key by @prowler-bot in #6134
- fix(rds): add invalid SG to status_extended by @prowler-bot in #6170
Chores
- chore(actions): standardize names by @prowler-bot in #6092
Full Changelog: 5.0.0...5.0.1
Prowler 4.6.2 - Blood Brothers
What's Changed
Fixes
- fix(aws): check AWS Owned keys in firehose_stream_encrypted_at_rest by @prowler-bot in #6120
- fix(aws): get firewall manager managed rule groups by @prowler-bot in #6123
- fix(aws): set IAM identity as resource in threat detection by @prowler-bot in #6117
- fix(aws): set same severity for EC2 IMDSv2 checks by @prowler-bot in #6103
- fix(backup): modify list recovery points call by @prowler-bot in #6057
- fix(compliance_tables): add correct values for findings by @prowler-bot in #6126
- fix(gcp): make sure default project is active by @prowler-bot in #6112
- fix(tests): use datetime.datetime.now() in GCP kms_key_rotation_enabled by @prowler-bot in #6083
Chores
- chore(container): upload v4 with correct tags by @MrCloudSec in #6093
- chore(containers): support for v4.6 branch by @prowler-bot in #6084
- chore(dependabot): Update for UI and v4 by @prowler-bot in #6087
- chore(deps): bump boto3 from 1.35.66 to 1.35.77 by @dependabot in #6107
- chore(deps): bump botocore from 1.35.66 to 1.35.76 by @dependabot in #6071
- chore(deps): bump botocore from 1.35.76 to 1.35.77 by @dependabot in #6100
- chore(deps): bump microsoft-kiota-abstractions from 1.6.2 to 1.6.6 by @dependabot in #6080
- chore(deps): bump msgraph-sdk from 1.12.0 to 1.14.0 by @dependabot in #6074
- chore(deps): bump slack-sdk from 3.33.4 to 3.33.5 by @dependabot in #6077
- chore(deps): bump trufflesecurity/trufflehog from 3.84.1 to 3.85.0 by @dependabot in #6067
- chore(deps-dev): bump bandit from 1.7.10 to 1.8.0 by @dependabot in #6072
- chore(deps-dev): bump coverage from 7.6.7 to 7.6.9 by @dependabot in #6076
- chore(deps-dev): bump mkdocs-material from 9.5.45 to 9.5.48 by @dependabot in #6078
- chore(deps-dev): bump pylint from 3.3.1 to 3.3.2 by @dependabot in #6099
- chore(deps-dev): bump pytest from 8.3.3 to 8.3.4 by @dependabot in #6075
- chore(deps-dev): bump vulture from 2.13 to 2.14 by @dependabot in #6069
- chore(version): update Prowler version by @MrCloudSec in #5969
Full Changelog: 4.6.1...4.6.2
Prowler 5.0.0 - Powerslave 🚀
Tell me why I had to be a powerslave
I don't wanna die, I'm a god
Why can't I live on?
When the life giver dies
All around is laid waste
And in my last hour
I'm a slave to the power of death
Powerslave was the fifth studio album by Iron Maiden, released on 3 September 1984. 🎸 Fast forward 40 years and 3 months, and we are thrilled to announce the release of Prowler 5.0 a.k.a. Powerslave — our most advanced and comprehensive release to date. Powerslave, also the seventh song on that iconic album, was written by Bruce Dickinson and explores an Egyptian pharaoh wondering why he has to die. That is exactly how we think about Open Source: as soon as it is released, a piece of Open Source software will never die. 🌟
Prowler 5.0.0 - Powerslave is meant to be a game changer 🕹️ in the Cloud Security space, as it comes with many new and needed features for our community of users and customers. If we want cloud adoption to keep growing, we need more Open Source software to help gain confidence in the cloud with open, agnostic and transparent tools. That is what we call the Open Cloud Security movement. 🌐
🎉 What's New?
🖥️ Enhanced UI, API, SDK, and Persistent Storage
- A brand-new UI component to unify all scans and drill down into findings and more.
- Robust APIs to solve a variety of use cases.
- SDKs for seamless integration and automation.
- Persistent storage for reporting, ensuring that your security insights are comprehensive and always accessible.
🔄 Continuous Monitoring and One-Time Assessments
- Support for both continuous monitoring and ad-hoc security assessments.
- Why settle for one-time assessments when you can stay continuously protected? 🛡️
📚 Expanded Detection and Remediation Control Framework
- Over 1,000 security controls across AWS, Azure, Google Cloud, and Kubernetes.
- Numerous remediation options to secure your cloud infrastructure effectively.
🤖 AI-Driven Control Creation
- Leveraging artificial intelligence to automatically generate new detection checks and remediations.
- Stay ahead of the latest threats with cutting-edge security measures. ⚡
💾 Get Started
From today, you can:
- Use the Prowler platform on-premises by downloading and running it yourself. As usual, you can use just the powerful CLI with the same output formats as always (pipx install prowler), or, for the whole platform together with the new components, just run docker compose up -d from the root folder of the Prowler repo, open https://localhost:3000, add your user and start making your cloud secure.
- Or use it all in one place: Prowler as a Cloud Service managed by us 🌩️ Visit prowler.com, sign up for 15 days free and let us know what you think! 🗨️
🔮 What’s Next?
We're continuously adding new features! Keep track of upcoming updates here: roadmap.prowler.com 🛠️
Join us on this journey to revolutionize Open Cloud Security. 🌟
Prowler 4.6.1 - Blood Brothers
What's Changed
Fixes
- fix(aws): exclude threat detection checks if category not present by @prowler-bot in #5934
- fix(azure): containerregistry_not_publicly_accesible is not accurate by @prowler-bot in #5966
- fix(gcp): use session credentials to check if API is active by @prowler-bot in #5936
- fix(k8s): handle Kubernetes kubeconfig content correctly by @prowler-bot in #5967
- fix(list_by_service): execute lambda if requested by @prowler-bot in #5931
- fix(rds): add default key value to RDS event by @prowler-bot in #5965
Full Changelog: 4.6.0...4.6.1
Prowler 4.6.0 - Blood Brothers
And as you look all around at the world in dismay
What do you see, do you think we have learned?
Not if you're taking a look at the war-torn affray
Out in the streets where the babies are burnt
Prowler 4.6.0 - Blood Brothers 🚀 has arrived! Packed with exciting new AWS checks, fixers, and expanded Azure coverage, this release takes your cloud security to the next level. 🎸 While you explore, enjoy the classic Iron Maiden song that inspired this release.
This release is dedicated to the honor and memory of our contributor and friend Javier Hijas who helped Prowler and the Cloud Security Community with his talent over the last years, you will be always in our hearts Javi. Also, special thanks to our amazing new contributors: @drewkerrigan, @metahertz, and @vicferpoy! ⭐ We’d also like to thank @normanecg for all ENS features, @sansns, @StylusFrost, @garym-krrv, and @thomscode for their continued efforts and valuable PRs that keep improving Prowler! 🙌🚀
New features to highlight in this version
AWS
🔒 IAM Root Credentials Management
AWS recently introduced the ability to centrally manage root credentials with AWS Organizations (read more). Prowler now supports this feature with the new check iam_root_credentials_management_enabled, letting you verify whether root credentials management is enabled in your AWS account.
Try it out:
prowler aws -c iam_root_credentials_management_enabled
🧑🔧 6 New Fixers!
Prowler now includes 6 new fixers to help you automatically remediate misconfigurations in AWS services like DocumentDB, EC2, KMS, Neptune, and RDS.
Run a specific fixer with:
prowler aws -c <check_id> --fixer
See all the new available fixers with
prowler aws --list-fixers
1. documentdb_cluster_public_snapshot
2. ec2_ebs_public_snapshot
3. kms_cmk_not_deleted_unintentionally
4. neptune_cluster_public_snapshot
5. rds_instance_no_public_access
6. rds_snapshots_public_access
🚀 13 New AWS Checks Across 10 Services!
We’ve significantly expanded AWS coverage with 13 new checks, enhancing your security and compliance for services like AppSync, DMS, Firehose, Glue, Kinesis, and IAM.
See all the new available checks with
prowler aws --list-checks
1. appsync_field_level_logging_enabled
2. appsync_graphql_api_no_api_key_authentication
3. dms_endpoint_redis_in_transit_encryption_enabled
4. dms_replication_task_source_logging_enabled
5. dms_replication_task_target_logging_enabled
6. firehose_stream_encrypted_at_rest
7. glue_etl_jobs_logging_enabled
8. iam_root_credentials_management_enabled
9. kinesis_stream_data_retention_period
10. memorydb_cluster_auto_minor_version_upgrades
11. mq_broker_not_publicly_accessible
12. servicecatalog_portfolio_shared_within_organization_only
13. storagegateway_gateway_fault_tolerant
⚙️ Improved Handling of Unknown Resources
Prowler now avoids creating mocked resource ARNs or IDs for non-existent resources. Instead, it will generate a standardized "Unknown" ARN and ID using the following patterns:
- Unknown resource ARN: arn:<partition>:<service>:<region>:<account-id>:resource-type/unknown
- Unknown resource ID: resource-type/unknown
Azure
💪🏼 New Azure AI Search Check
Thanks to our great contributor @StylusFrost, Prowler now includes Azure AI Search coverage with the new check aisearch_service_not_publicly_accessible
Give it a try by scanning the Azure Container Registry with
prowler azure --service aisearch
🇪🇸📜 Added ENS Compliance Framework
Thanks to @normanecg, Prowler now supports the ENS RD2022 compliance framework for Azure, ensuring enhanced compliance for Spanish organizations.
Give it a try with
prowler azure --compliance ens_rd2022_azure
GCP
🇪🇸📜 New ENS Compliance Framework
We’re excited to announce that Prowler now includes the ENS RD2022 compliance framework for GCP, courtesy of @normanecg!
Give it a try with
prowler gcp --compliance ens_rd2022_gcp
🔧 Other issues and bug fixes solved for all the cloud providers
What's Changed
Features
- feat(appsync): add new check appsync_field_level_logging_enabled by @MarioRgzLpz in #5602
- feat(appsync): add new check appsync_graphql_apis_no_api_key_authentication by @MarioRgzLpz in #5591
- feat(appsync): Add new service AppSync by @MarioRgzLpz in #5589
- feat(aws): add MemoryDB service by @sansns in #5546
- feat(aws): add new check iam_root_credentials_management_enabled by @MrCloudSec in #5801
- feat(aws): add new service firehose by @HugoPBrito in #5620
- feat(aws): get regions by partition by @pedrooot in #5748
- feat(aws): Update check metadata with logging category by @sansns in #5639
- feat(aws): Update check metadata with redudancy category by @sansns in #5640
- feat(azure): Add get_regions method for provider by @vicferpoy in #5774
- feat(azure): AI Search service check not publicly accesible by @StylusFrost in #5846
- feat(compliance): add ENSRD2022 for Azure and GCP by @pedrooot in #5746
- feat(dms): add new check dms_endpoint_redis_tls_enabled by @danibarranqueroo in #5583
- feat(dms): add new check dms_replication_task_source_logging_enabled by @danibarranqueroo in #5627
- feat(dms): add new check dms_replication_task_target_logging_enabled by @danibarranqueroo in #5631
- feat(documentdb): add new fixer documentdb_cluster_public_snapshot_fixer by @danibarranqueroo in #5759
- feat(ec2): add new fixer ec2_ebs_public_snapshot_fixer by @danibarranqueroo in #5825
- feat(firehose): add new check firehose_stream_encrypted_at_rest by @HugoPBrito in #5635
- feat(gcp): add get regions method by @pedrooot in #5756
- feat(jira): add jira integration by @pedrooot in #5629
- feat(kinesis): add new check kinesis_stream_data_retention_period by @HugoPBrito in #5547
- feat(kms): add new fixer kms_cmk_not_deleted_unintentionally_fixer by @danibarranqueroo in #5842
- feat(mq): add mq_broker_not_publicly_accessible check by @sansns in #5604
- feat(neptune): add new fixer neptune_cluster_public_snapshot_fixer by @danibarranqueroo in #5749
- feat(prowler-check-kreator): ProwlerChecKreator first version by @puchy22 in #5099
- feat(rds): add new fixer rds_instance_no_public_access_fixer by @danibarranqueroo in #5794
- feat(rds): add new fixer rds_snapshots_public_access_fixer by @danibarranqueroo in #5773
- feat(rds): add rds_cluster_protected_by_backup_plan check by @sansns in #5638
- feat(servicecatalog): Add new check servicecatalog_portfolio_shared_within_organization_only by @MarioRgzLpz in #5632
- feat(servicecatalog): Add new service servicecatalog by @MarioRgzLpz in #5618
- feat(sgw): add storagegateway_fault_tolerance check by @sansns in #5570
Fixes
- fix(aws): exclude member accounts in IAM Root Credentials check by @MrCloudSec in #5813
- fix(aws): remove cloudwatch_log_group_no_critical_pii_in_logs check by @MrCloudSec in #5736
- fix(aws): update EKS check in compliance frameworks by @MrCloudSec in #5672
- fix(compliance): CIS details for new EFS Controls by @garym-krrv in #5858
- fix(compliance): use subscriptionid instead of name for azure cis by @pedrooot in #5786
- fix(connection): return Connection on generic exception by @jfagoagas in #5636
- fix(docker): add g++ to Dockerfile for presidio-analyzer compatibility by @MrCloudSec in #5645
- fix(docs): provider typo by @HugoPBrito in #5713
- fix(docs): Update misc tutorial categories example by @drewkerrigan in #5644
- fix(ec2): add default value to Name key for image information by @puchy22 in #5747
- fix(ec2): unique finding per Security Group in high risk ports check by @MarioRgzLpz in #5697
- fix(gcp): do not require organization id to get projects by @MrCloudSec in #5637
- fix(gcp): scan only ACTIVE projects by @MrCloudSec in https://g...
Prowler 4.5.3 - Another Life
What's Changed
- chore(ec2): add name from image information to status_extended by @prowler-bot in #5758
- chore(version): update Prowler version by @MrCloudSec in #5737
- fix(ec2): add default value to Name key for image information by @prowler-bot in #5754
- fix(gcp): scan only ACTIVE projects by @prowler-bot in #5752
Full Changelog: 4.5.2...4.5.3