prowler v2.10 releases: AWS security assessment, auditing and hardening
Prowler: AWS Security Tool
Prowler is a command-line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness.
It follows the guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks, including checks related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.
Read more about CIS Amazon Web Services Foundations Benchmark v1.2.0 – 05-23-2018
Features
+200 checks covering security best practices across all AWS regions and most AWS services, organised into the following groups:
- Identity and Access Management [group1]
- Logging [group2]
- Monitoring [group3]
- Networking [group4]
- CIS Level 1 [cislevel1]
- CIS Level 2 [cislevel2]
- Extras (see the Extras section) [extras]
- Forensics related group of checks [forensics-ready]
- GDPR [gdpr] Read more here
- HIPAA [hipaa] Read more here
- Trust Boundaries [trustboundaries] Read more here
- Secrets
- Internet exposed resources
- EKS-CIS
- Also includes PCI-DSS, ISO-27001, FFIEC, SOC2 and ENS (Esquema Nacional de Seguridad of Spain).
- AWS FTR [FTR] Read more here
With Prowler you can:
- Get a direct colorful or monochrome report
- An HTML, CSV, JUnit, JSON or JSON ASFF format report
- Send findings directly to Security Hub
- Run specific checks and groups or create your own
- Check multiple AWS accounts in parallel or sequentially
- And more! Read examples below
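A small consumer of the JSON report listed above, added here as an example and not part of Prowler: it drops allowlisted findings (the allow list feature this release moves into DynamoDB) and gates a pipeline on the failures that remain. The JSON key names, the sample findings and the `account:check:resource` allowlist pattern form are assumptions for the example, not Prowler's own formats; check them against your own `prowler -M json` output.

```python
import json
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample of three findings, one JSON object per line, in the
# shape this example assumes Prowler's JSON output takes (keys are assumed).
SAMPLE_JSON_LINES = """\
{"Account Number": "123456789012", "Control ID": "1.3", "Status": "FAIL", "Severity": "High", "Region": "us-east-1", "Resource ID": "arn:aws:iam::123456789012:user/legacy-svc"}
{"Account Number": "123456789012", "Control ID": "extra7178", "Status": "Pass", "Severity": "Medium", "Region": "eu-west-1", "Resource ID": "fn-a"}
{"Account Number": "123456789012", "Control ID": "2.1", "Status": "FAIL", "Severity": "Medium", "Region": "us-east-1", "Resource ID": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}
"""

# Constructed allowlist: "account:check:resource" patterns with shell-style
# wildcards. This is the example's own format, not Prowler's allowlist syntax.
SAMPLE_ALLOWLIST = ["123456789012:2.1:arn:aws:cloudtrail:us-east-1:123456789012:trail/main"]


def parse_findings(text):
    """Parse line-delimited JSON findings, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def allowlist_key(finding):
    """Build the account:check:resource key a pattern is matched against."""
    return ":".join((finding["Account Number"], finding["Control ID"], finding["Resource ID"]))


def is_allowlisted(finding, allowlist):
    key = allowlist_key(finding)
    return any(fnmatchcase(key, pattern) for pattern in allowlist)


def summarize(findings, allowlist):
    """Count FAIL findings by severity after dropping allowlisted ones."""
    by_severity = Counter()
    allowlisted = 0
    for finding in findings:
        if finding["Status"].upper() != "FAIL":
            continue  # only failures matter for gating
        if is_allowlisted(finding, allowlist):
            allowlisted += 1
            continue
        by_severity[finding["Severity"].upper()] += 1
    return {"failed": sum(by_severity.values()), "allowlisted": allowlisted, "by_severity": dict(by_severity)}


def passes_gate(findings, allowlist, block_on=("CRITICAL", "HIGH")):
    """True when no remaining FAIL finding carries a blocking severity."""
    summary = summarize(findings, allowlist)
    return not any(summary["by_severity"].get(sev, 0) for sev in block_on)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_JSON_LINES)
    print(summarize(found, SAMPLE_ALLOWLIST))
    raise SystemExit(0 if passes_gate(found, SAMPLE_ALLOWLIST) else 1)
```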
Changelog v2.10
Important changes in this version (read this!):
- The Allow list feature can now be managed using a DynamoDB table instead of only a plain text file.
- 7 new checks are available for CodeBuild, EMR and Lambda.
New features:
- feat(new): New checks for lambda functions URL by @jfagoagas in #1148
- feat(new): New checks for CodeBuild and EMR added by @0xDivyanshu in #1112
- feat(emr): New check BlockPublicAccessConfiguration for EMR by @jfagoagas in #1120
- feat(new): New custom check extra9999 to build a custom check on the fly by @sectoramen in #1103
- feat(assume-role): Properly handle External ID variable by @chrisdlangton in #1128
- feat(dynamodb_allowlist): Support DynamoDB tables ARN for allowlist input by @sergargar in #1118
- feat(group7): Include extra7178 by @jfagoagas in #1121
- feat(contrib): Serverless multi account Prowler with SecurityHub Integration by @MorlaxAR in #1113
- feat(actions): Upload Prowler containers to registries by @jfagoagas in #1132
- feat(util): K8s cronjob sample files by @charles-josiah in #1140
Enhancements:
- Update CloudFormation template for CodeBuild by @jplock in #1114
- Updated multi-org ProwlerRole.yaml to match current Prowler additions policy by @ChrisGoKim in #1123
- docs(k8s-integration): Beautify README by @1vicente in #1153
Fixes:
- fix(checks): Handle AWS Gov Cloud regions #1160
- fix(check): check_extra7113: Fix wrong listing of RDS instances in regions without databases by @Sinnohd in #1124
- fix(custom-file-in-bucket): Custom file names are also supported for S3 output. by @sergargar in #1129
- fix(copyToS3): Upload to S3 only when indicated. by @sergargar in #1134
- fix(actions): tag and push by @jfagoagas in #1142
- fix(readme): Fix correct permissions for DynamoDB allowlist. by @sergargar in #1147
- fix(actions): Ignore changes on Readme by @jfagoagas in #1149
- fix(timestamp): Timestamp to date casting issues solved by @n4ch04 in #1154
- fix(IllegalLocationConstraintException): Recover bucket policy using the right region endpoint by @jfagoagas in #1155
- fix(BucketLocation): Recover bucket policy using the right region endpoint by @jfagoagas in #1156
- fix(remediation): Fix empty remediation fields for checks 7164, 7144 and 7163 by @jfagoagas in #1157
Screenshot
- Sample screenshot of the first lines of a report:
- Sample screenshot of a single check (check 3.3):
Copyright 2018 Netflix, Inc.
Source: https://github.com/Alfresco/