Commit Graph

138 Commits

Author SHA1 Message Date
Andoni Alonso abf51eceee fix(typo): rename generate_compliance_json_from_csv_threatscore (#7698) 2025-05-12 12:29:30 +02:00
Pedro Martín 06f94f884f feat(compliance): add new Prowler Threat Score Compliance Framework (#7603)
Co-authored-by: MrCloudSec <hello@mistercloudsec.com>
2025-04-28 09:57:52 +02:00
Hugo Pereira Brito 52bd48168f feat: adapt Microsoft365 provider to use PowerShell (#7331)
Co-authored-by: MrCloudSec <hello@mistercloudsec.com>
2025-04-15 13:24:09 -04:00
Pepe Fagoaga 24dfd47329 fix(pypi): package name location in pyproject.toml while replicating for prowler-cloud (#7531) 2025-04-15 20:01:27 +05:45
Mario Rodriguez Lopez dcb9267c2f feat(microsof365): Add documentation and compliance file (#6195)
Co-authored-by: MrCloudSec <hello@mistercloudsec.com>
Co-authored-by: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
2025-02-10 11:13:06 -05:00
Rubén De la Torre Vico b8b60e6bc5 feat(prowler-check-kreator): ProwlerChecKreator first version (#5099)
Co-authored-by: Sergio <sergio@prowler.com>
2024-11-12 15:00:09 -05:00
Sergio Garcia 239b248935 feat(aws): add new check bedrock_agent_guardrail_enabled (#5509) 2024-10-30 09:41:44 -05:00
Mario Rodriguez Lopez 50cb79ee2f feat(aws): Add new checks ses_identities/glue_data_catalogs/secretsmanager _not_publicly_accessible (#5471) 2024-10-18 16:40:12 -04:00
Pepe Fagoaga f0c027f54e chore(merge): Merge master with Prowler 4.0 (#3467)
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
2024-02-29 11:19:17 +01:00
Sergio Garcia 676e60afb7 feat(gcp): add CIS checks (#2544) 2023-07-06 17:01:56 +02:00
Sergio Garcia 5c4cae8c9d feat(wellarchitected): add WellArchitected service and check (#2461) 2023-06-09 13:19:01 +02:00
Sergio Garcia 25630f1ef5 chore(regions): sort AWS regions (#2198)
Co-authored-by: sergargar <sergargar@users.noreply.github.com>
2023-04-12 13:24:14 +02:00
Sergio Garcia 9590e7d7e0 chore(poetry): make python-poetry as packaging and dependency manager (#1935)
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2023-02-23 11:50:29 +01:00
alexr3y d6bbf8b7cc update(compliance): ENS RD2022 Spanish security framework updates (#1809)
Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
2023-02-09 14:14:38 +01:00
Pepe Fagoaga 38fba297e8 fix: remove old example (#1728) 2023-01-17 18:04:12 +01:00
Sergio Garcia 52d65ee4e8 feat(pypi): replicate PyPi package (#1727)
Co-authored-by: sergargar <sergio@verica.io>
2023-01-17 17:53:08 +01:00
Sergio Garcia 458dadc9b6 fix(contrib): Update contrib folder (#1635) 2023-01-04 13:11:51 +01:00
Sergio Garcia 0de6d87af5 feat(aws-regions): update refresh regions action (#1641)
Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2023-01-03 12:59:08 +01:00
Sergio Garcia d9dc6c0a49 fix(global_services): handle global regions correctly (#1594)
Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2022-12-23 12:32:31 +01:00
Sergio Garcia a53f9eb294 fix(aws-cn partition): solve aws-cn partition errors (#1576)
Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
2022-12-22 15:39:50 +01:00
Sergio Garcia ea42a6274b fix(logs): add check_name to logs (#1574) 2022-12-22 11:48:44 +01:00
Pepe Fagoaga 38ba009794 delete: Old Dockerfile (#1550) 2022-12-19 14:23:16 +01:00
Sergio Garcia bb09267f2a feat(pip): Prepare for PyPI (#1531) 2022-12-13 09:07:55 +01:00
alexr3y af1d85ae75 feat(compliance): ENS RD2022 first draft and json converter (#1502) 2022-11-21 12:13:24 +01:00
Toni de la Fuente 25d92ca4b0 feat(CIS): Compliance for CIS AWS 1.4 and 1.5 (#1509) 2022-11-21 11:30:21 +01:00
Pepe Fagoaga 9d3bff9e54 fix: Linter issues (#1471)
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
2022-11-14 16:21:51 +01:00
Sergio Garcia 66d2b7b4d9 feat(ec2_checks): add several checks for ec2 (#1268)
* feat(checks): add extra718

* feat(checks): add extra763

* feat(checks): add extra748, extra749, extra72

* feat(checks): add extra750

* feat(checks): add check45

* feat(checks): add check46, check45, check42, check41

* feat(metadata_sample): add sample of check metadata

* feat(pci-group): add pci group.

* feat(cloud9): environment setup.

* fix(protocol): add protocol conditions

Co-authored-by: sergargar <sergio@verica.io>
2022-07-27 00:21:40 +02:00
Sergio Garcia 25dc6c4a20 feat(refresh_aws_regions): Auto refresh of AWS regions for services. (#1221)
* feat(refresh_aws_regions): Auto refresh of AWS regions for services.

* Update refresh_aws_services_regions.yml

* Delete aws_regions_by_service.json

* Update refresh_aws_services_regions.yml

Co-authored-by: sergargar <sergio@verica.io>
2022-06-23 10:47:43 +02:00
Pepe Fagoaga f694a6d12a feat(groups): Launch specific checks from groups and services (#1204) 2022-06-16 13:27:25 +02:00
Toni de la Fuente 5ad517ce83 New folder structure phase 1 2022-05-25 12:54:15 +02:00
1vicente d307898289 Update README.md (#1153)
pretty README.md
2022-05-19 12:14:11 +02:00
Pepe Fagoaga 47f1ca646e fix(typo): ArtifactBucket tags (#1145) 2022-05-17 09:08:11 +02:00
Charles Josiah Rusch Alandt a18b18e530 K8s cronjob sample files (#1140) 2022-05-16 10:58:50 +02:00
Pepe Fagoaga 4d1ffbb652 fix(actions): tag and push (#1142) 2022-05-13 11:20:30 +02:00
Pepe Fagoaga 13423b137e fix(actions): Include AWS region (#1141)
* fix(actions): Include AWS regions

* fix(zip): Quiet output
2022-05-13 10:13:03 +02:00
Milton Torasso 13c96a80db feat(deployment): Serverless multi account Prowler with SecurityHub Integration (#1113) 2022-05-03 13:41:56 +02:00
ChrisGoKim 295bb74acf fix(additions-policy): Updated multi-org ProwlerRole.yaml (#1123) 2022-05-03 11:34:12 +02:00
Justin Plock 04e5804665 Update CloudFormation template for CodeBuild (#1114) 2022-05-03 09:14:38 +02:00
Andrew Grangaard d4da64582c docs(tf-quickstart): Update example code for terraform-quickstart (#1086)
+ use primary repository rather than fork.
+ use default branch.
+ fixed a missing character typos.
+ remove blank end-of-line spaces.

@singergs: thanks for adding this code and the video.
2022-03-30 09:15:38 +02:00
Andrea Di Fabio 31cefa5b3c Make python3 default in Dockerfile (#1043) 2022-03-02 16:21:28 +01:00
Leonardo Azize Martins 9b772a70a1 Fix(extra7141): Error handling and include missing policy (#1024)
* Fix AccessDenied issue when get document

Add check to validate access denied when get document from SSM.
Add missing action permission to allow ssm:GetDocument.

* Double quote variables to prevent globbing and word splitting
2022-02-09 16:01:01 +01:00
Martin Muller 7e90389dab fix: CFN codebuild example (#1030)
Since 2.7.0 this template failed:

```
An error occurred (AccessDeniedException) when calling the GetSubscriptionState operation: User: arn:aws:sts::863046042023:assumed-role/prowler-codebuild-role/AWSCodeBuild-2c3151c9-7c5d-4618-94e5-0234bddce775 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::863046042023:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action
       INFO! No AWS Shield Advanced subscription found. Skipping check. 
7.167 [extra7167] Check if Cloudfront distributions are protected by AWS Shield Advanced - shield [Medium]
```

I aligned it with https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-additions-policy.json#L19 .
2022-02-04 12:09:53 -05:00
Toni de la Fuente 1d409d04f2 Fix (extra7148 and add action #1017 (#1021) 2022-02-04 11:58:22 -05:00
Daniel Lorch 679414418e Fix: when prowler exits with a non-zero status, the remainder of the block is not executed (#1015)
* Fix: when prowler exits with a non-zero status, the remainder of the block is not executed

* Fix: do not trigger exit code 3 on failed checks, so that the remainder of the block is executed
2022-02-02 17:45:56 +01:00
Daniel Lorch b26370d508 Typo (breaking change) (#1010)
Co-authored-by: Daniel Lorch <lorchda@amazon.ch>
2022-02-02 11:13:31 -05:00
Daniel Lorch 72b30aa45f Skip packages with broken dependencies when upgrading system (#1009)
Co-authored-by: Daniel Lorch <lorchda@amazon.ch>
2022-02-02 11:12:58 -05:00
Pepe Fagoaga 90565099bd Change references from toniblyx to prowler-cloud (#1003)
Co-authored-by: Toni de la Fuente <toni@blyx.com>
2022-01-27 12:17:38 +01:00
Toni de la Fuente 2b2814723f Prowler 2.7.0 - Brave (#998)
* Extra7161 EFS encryption at rest check

* Added check_extra7162 which checks if Log groups have 365 days retention

* fixed code to handle all regions and formatted output

* changed check title, resource type and service name as well as making the code more dynamic

* Extra7161 EFS encryption at rest check

* New check_extra7163 Secrets Manager key rotation enabled

* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster

* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml

* Fix link to quicksight dashboard

* Install detect-secrets (e.g. for check_extra742)

* Updating check_extra7163 with requested changes

* fix(assumed-role): Check if -T and -A options are set

* docs(Readme): `-T` option is not mandatory

* fix(assume-role): Handle AWS STS CLI errors

* fix(assume-role): Handle AWS STS CLI errors

* Update group25_FTR

When trying to run the group 25 (Amazon FTR related security checks) nothing happens, after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.

* Update README.md

broken link for capital letters in group file (group25_FTR)

* #938 issue assume_role multiple times should be fixed

* Label 2.7.0-1December2021 for tests

* Fixed error that appeared if the number of findings was very high.

* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.

* Added line to delete the temp folder after everything is done.

* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS@maisenhe

* updated CHECK_RISK

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added issue templates

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* Fix #963 check 792 to force json in ELB queries

* Fix #957 check 763 had us-east-1 region hardcoded

* Fix #962 check 7147 ALTERNATE NAME

* Fix #940 handling error when can not list functions

* Added new checks 7164 and 7165 to group extras

* Added invalid check or group id to the error message #962

* Fix Broken Link

* Add docker volume example to README.md

* Updated Dockerfile to use amazonlinux container

* Updated Dockerfile with AWS cli v2

* Added upgrade to the RUN

* Added cache purge to Dockerfile

* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3

* exporting the ENV variables

* fixed bracket

* Improved documentation for install process

* fix checks with comma issues

* Added -D option to copy to S3 with the initial AWS credentials

* Cosmetic variable name change

* Added $PROFILE_OPT to CopyToS3 commands

* remove commas

* removed file as it is not needed

* Improved help usage options -h

* Fixed CIS LEVEL on 7163 through 7165

* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set

* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced

* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced

* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced

* New check 7169 Global accelerators are protected by AWS Shield Advanced

* New check 7170 Application load balancers are protected by AWS Shield Advanced

* New check 7171 Classic load balancers are protected by AWS Shield Advanced

* Include example for global resources

* Add AWS Advance Shield protection checks corrections

* Added Shield actions GetSubscriptionState and DescribeProtection

* Added Shield actions GetSubscriptionState and DescribeProtection

* docs(templates): Improve bug template with more info (#982)

* Removed echoes after role chaining fix

* Changed Route53 checks7152 and 7153 to INFO when no domains found

* Changed Route53 checks 7152 and 7153 title to clarify

* Added passed security groups in output to check 778

* Added passed security groups and updated title to check 777

* Added FAIL as error handling when SCP prevents queries to regions

* Label version 2.7.0-6January2022

* Updated .dockerignore with .github/

* Fix: issue #758 and #984

* Fix: issue #741 CloudFront and real-time logs

* Fix issues #971 set all as INFO instead of FAIL when no access to resource

* Fix: issue #986

* Add additional action permissions for Glue and Shield Advanced checks @lazize

* Add extra shield action permission

Allows the shield:GetSubscriptionState action

* Add permission actions

Make sure all files where permission actions are necessary will have the same actions

* Fix: Credential chaining from environment variables @lazize #996f

If profile is not defined, restore original credentials from environment variables,
if they exists, before assume-role

* Lable version 2.7.0-24January2022

Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>
2022-01-24 13:49:47 +01:00
Victor GRENU 32e5738c46 fix readme for terraform kickstarter 2021-11-13 14:48:16 +01:00
Toni de la Fuente 5d5250076b Updated documentation about detect-secrets version to use issue #806 2021-11-04 19:50:33 +01:00