Releases: gabrielsoltz/metahub
2.1.1
Improve logic for caching associations without using recursion
2.1.0: Performance and Recursion
This release focuses on performance and association recursion improvements.
- Associated resources are now "cached" across the whole execution, meaning that if a resource is associated with more than one resource, we only scan it once.
- Recursion for associations is now standardized and valid for any resource in any combination with a maximum of 2 levels, except when there is an IAM Role; we can go to one more level as it's an important resource to understand Context. Before, we were only supporting this recursion level for a few resources like roles, policies, route tables, and volumes. Now, we do 2 recursion levels for any resource.
- Instances and IAM Users are now supported as associated resources for drilling.
- Some previously hardcoded values, like `assume_role_duration` and options related to the outputs, are now in the configuration file.
- The `unknown` value is now, by default, not computed in the Impact Scoring calculation. This can be configured.
- I'm trying to clean up the main file for a better understanding of its logic, so I'm slowly moving related code together to new files, in this case, everything related to findings.
- Some bug fixing
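The two 2.1.0 behaviours above (an execution-wide cache so a shared resource is only scanned once, and a drilling budget of 2 levels that grows by one when the path goes through an IAM Role) are easy to get subtly wrong, so here is an added example of that logic in Python. It is not MetaHub's code: the inventory, the ARNs, the `AssociationDriller` class and the `scan`/`drill` names are constructed for illustration, and "scanning" is simulated by a dictionary lookup instead of an AWS API call.

```python
"""Association drilling with an execution-wide cache and a bounded depth.
Added example modelled on the 2.1.0 release notes; not MetaHub's own code.
The inventory below is constructed sample data, not real account data."""

from collections import deque

MAX_LEVELS = 2       # drill two association levels for any resource type
IAM_ROLE_BONUS = 1   # one extra level when the hop goes through an IAM Role

# Constructed inventory: ARN -> (resource type, ARNs it is associated with).
# Two instances share the same role and security group on purpose, so the
# cache can be observed doing its job.
INVENTORY = {
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0abc": (
        "AwsEc2Instance",
        ["arn:aws:iam::111111111111:role/app-role",
         "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0abc"]),
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0def": (
        "AwsEc2Instance",
        ["arn:aws:iam::111111111111:role/app-role",
         "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0abc"]),
    "arn:aws:iam::111111111111:role/app-role": (
        "AwsIamRole", ["arn:aws:iam::111111111111:policy/app-policy"]),
    "arn:aws:iam::111111111111:policy/app-policy": (
        "AwsIamPolicy", ["arn:aws:s3:::app-bucket"]),
    "arn:aws:s3:::app-bucket": ("AwsS3Bucket", []),
    "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0abc": (
        "AwsEc2SecurityGroup", ["arn:aws:ec2:us-east-1:111111111111:vpc/vpc-0abc"]),
    "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-0abc": (
        "AwsEc2Vpc", ["arn:aws:ec2:us-east-1:111111111111:route-table/rtb-0abc"]),
    "arn:aws:ec2:us-east-1:111111111111:route-table/rtb-0abc": ("AwsEc2RouteTable", []),
}


class AssociationDriller:
    """Drills associations from a root resource, caching every scan for the
    whole execution so a resource reached from several roots is fetched once."""

    def __init__(self, inventory):
        self.inventory = inventory
        self.cache = {}       # ARN -> (type, associations), filled once per execution
        self.scan_count = 0   # number of real (non-cached) scans performed

    def scan(self, arn):
        """Simulated scan: first call hits the 'API' (the inventory), later calls
        are served from the cache. Unknown ARNs yield a typeless leaf."""
        if arn not in self.cache:
            self.scan_count += 1
            self.cache[arn] = self.inventory.get(arn, ("Unknown", []))
        return self.cache[arn]

    def drill(self, root_arn):
        """Breadth-first walk from root_arn. Returns {ARN: (type, level)}.
        Children are only expanded while level < budget; the budget starts at
        MAX_LEVELS and grows by IAM_ROLE_BONUS (capped) when passing a role."""
        context = {}
        best_budget = {}   # ARN -> largest budget it has been expanded with
        queue = deque([(root_arn, 0, MAX_LEVELS)])
        while queue:
            arn, level, budget = queue.popleft()
            rtype, assocs = self.scan(arn)
            if rtype == "AwsIamRole":
                budget = min(budget + IAM_ROLE_BONUS, MAX_LEVELS + IAM_ROLE_BONUS)
            if best_budget.get(arn, -1) >= budget:
                continue   # already expanded at least this deep via another path
            best_budget[arn] = budget
            context.setdefault(arn, (rtype, level))   # BFS: first visit is shallowest
            if level >= budget:
                continue   # depth budget exhausted: record the resource, don't expand it
            for child in assocs:
                queue.append((child, level + 1, budget))
        return context


if __name__ == "__main__":
    driller = AssociationDriller(INVENTORY)
    for root in ("arn:aws:ec2:us-east-1:111111111111:instance/i-0abc",
                 "arn:aws:ec2:us-east-1:111111111111:instance/i-0def"):
        for arn, (rtype, level) in driller.drill(root).items():
            print(f"{'  ' * level}{rtype}: {arn}")
        print(f"scans so far: {driller.scan_count}")
```

With the sample data, the bucket behind the role's policy is reached at level 3 only because the role added a level, while the route table behind the security group's VPC sits at level 3 with no role on the path and is therefore not scanned; drilling the second instance costs a single extra scan because everything else is already cached.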
2.0.3: More context and Impact improvements
- When calculating the impact for resources without enough context, we now flag them as unknown to avoid affecting the final impact scoring calculations
- New context properties for resource: `AwsEc2Subnet`
2.0.2: New Impact Checks and Resources
There is a lot of progress on the Impact Module code quality, standardization, and bug fixing.
New Features:
- New Impact Access Check `unrestricted-service`: The policy allows an AWS service as principal without restriction.
- New Impact Exposure Check `launch-public`: These are resources that can launch other resources as public. For example, an Auto Scaling group or a Subnet.
- New Context Resource: `AwsElastiCacheReplicationGroup`
2.0.1
Improving documentation and code quality. We are getting there...
What's Changed
- Documentation Improvements by @gabrielsoltz in #51
- Small fixes after the major release by @gabrielsoltz in #52
- Docs and Quality by @gabrielsoltz in #53
Full Changelog: v2.0.0...v2.0.1
2.0.0: This is a completely new MetaHub!
New beginning: this version of MetaHub has created an entirely new, significantly better product.
Changelog Highlights:
- The `Meta Outputs` concept was deprecated entirely: there are no more `MetaTags`, `MetaChecks`, `MetaAccount`, and `MetaTrail`, as they were too many different things for doing almost the same, adding complexity to the code and making it more difficult to understand the product.
- The new Context module will handle all those tasks together in a faster way, without code duplication, and much more efficiently.
- The module still executes four main processes: `config` (which includes associations), `tags`, `account`, and `cloud trail`. This version enables `config` and `tags` by default; you can enable the other ones using the option `--context`.
- All the `MetaChecks` were migrated with new standardized names: we no longer follow notations like `is_...` or `its_attached_to...`; this was very confusing and added a complexity layer. Now, for configurations, we use the name of the configuration parameter, and for associations, a dictionary for each resource type with the list of resources.
- There is a new Impact module: this module executes after Context and processes all that information.
- It then takes care of 3 critical tasks:
  - For every affected resource, it will analyze five fundamental properties: `exposure`, `access`, `status`, `encryption`, and `environment`.
  - It will generate a findings metric based on the total amount of security findings and their severity for every resource.
  - Based on the previous metric and the output of the critical properties, it will generate an Impact Scoring metric.
- The HTML output was refreshed entirely and can be used for a better understanding of this concept
Happy Hunting!
1.5.1: Bug fixing and updates
What's Changed
- fix_lambda_docker_tagging by @gabrielsoltz in #45
- chore(Lambda): Improved lambda configuration and better docs by @gabrielsoltz in #46
- Readme Improvements by @gabrielsoltz in #47
- fix-input-asff by @gabrielsoltz in #48
- update-python-docker by @gabrielsoltz in #49
Full Changelog: v1.5.0...v1.5.1
1.5.0: Automated Impact Scoring
This release focuses on the new feature Impact Scoring and much more!
MetaHub can now calculate an automated impact score for each security finding by considering both the context of the affected resource and the severities of all findings affecting that resource.
You can read more about this feature here
Also in this release:
- 10 New MetaChecks Resources supported!
- New Output Mode format: XLSX!
- Terraform code for lambda creation now automatically creates the zip files for the lambda and the layer!
- Docker image improvements, new versioning, and reduced image size by using `.dockerignore`
Happy Hunting
What's Changed
- improvement(terraform): Automated lambda and layer creation using Terraform by @gabrielsoltz in #36
- feat(Metacheck): New MetaCheck `is_unrotated` for keys and secrets by @gabrielsoltz in #37
- feat: impact scoring by @gabrielsoltz in #35
- feat(outputs): New XLSX output mode and other outputs improvements by @gabrielsoltz in #39
- feat(pipelines): Pre-Commits, GHA and pipelines by @gabrielsoltz in #40
- Fix gha docker by @gabrielsoltz in #41
- chore(Docker): Remove unnecessary files from docker using .dockerignore by @gabrielsoltz in #42
- chore(repo): more pre-commits tweaks by @gabrielsoltz in #43
- feat (MetaChecks): Adding New resources for MetaChecks by @gabrielsoltz in #38
- feat(Outputs): Add impact to outputs by @gabrielsoltz in #44
Full Changelog: v1.4.2...v1.5.0
1.4.2: is_unrestricted Impact MetaCheck improvements
This release focuses on the Impact MetaCheck `is_unrestricted`, making it consistently report effective (not just nominal) unrestricted access and adding some resources where it was missing.
For example, an S3 bucket is now only effectively unrestricted if the attached policy is unrestricted and there is no S3 Public Access Block at the bucket or account level. This logic was reviewed and enforced for every resource. This Impact MetaCheck now also returns the unrestricted policy statement when the result is True (instead of only True).
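The S3 rule above (a public policy only counts if no Public Access Block neutralises it, and the check should return the offending statement rather than a bare True) and the `unrestricted-service` access check from 2.0.2 (an Allow to a Service principal with no Condition) both come down to inspecting policy statements, so here is one added Python example covering both. It is not MetaHub's code: the bucket policy and the Public Access Block settings are constructed sample data, the function names are my own, and two simplifications are deliberate: any `Condition` is treated as a restriction (a real evaluator would inspect the condition keys), and only `RestrictPublicBuckets` is consulted, because that is the Public Access Block setting that blocks access through a public bucket policy that is already attached (`BlockPublicPolicy` only prevents attaching one).

```python
"""Effective 'unrestricted' analysis of an S3 bucket policy combined with the
Public Access Block at bucket and account level, plus the unrestricted-service
check. Added example, not MetaHub's own code; all data below is constructed."""


def _as_list(value):
    """IAM JSON allows a scalar or a list almost everywhere; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def allows_anyone(statement):
    """is_unrestricted case: Allow + wildcard principal + no Condition at all."""
    return (statement.get("Effect") == "Allow"
            and _is_wildcard_principal(statement.get("Principal"))
            and "Condition" not in statement)


def allows_any_service(statement):
    """unrestricted-service case: Allow + a Service principal + no Condition.
    Without a condition such as aws:SourceArn / aws:SourceAccount, any caller
    of that service, in any account, can exercise the permission."""
    principal = statement.get("Principal")
    return (statement.get("Effect") == "Allow"
            and isinstance(principal, dict)
            and bool(principal.get("Service"))
            and "Condition" not in statement)


def find_statements(policy, predicate):
    """Return the statements of a policy document matching predicate."""
    return [s for s in _as_list(policy.get("Statement", [])) if predicate(s)]


def public_access_blocked(*blocks):
    """True if any supplied Public Access Block (bucket or account level) sets
    RestrictPublicBuckets. Missing blocks (None) do not restrict anything."""
    return any(b.get("RestrictPublicBuckets", False) for b in blocks if b)


def s3_effectively_unrestricted(policy, bucket_block=None, account_block=None):
    """Return the first unrestricted statement if it is actually reachable,
    otherwise False. Mirrors 'answer with the statement instead of only True'."""
    statements = find_statements(policy, allows_anyone)
    if not statements or public_access_blocked(bucket_block, account_block):
        return False
    return statements[0]


# Constructed sample bucket policy: one public read, one service principal
# without a condition, one wildcard principal that is restricted by a Condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

# Constructed Public Access Block as returned per bucket or per account.
ACCOUNT_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


if __name__ == "__main__":
    print("unrestricted:", [s["Sid"] for s in find_statements(SAMPLE_POLICY, allows_anyone)])
    print("unrestricted-service:",
          [s["Sid"] for s in find_statements(SAMPLE_POLICY, allows_any_service)])
    print("effective, no block:", s3_effectively_unrestricted(SAMPLE_POLICY))
    print("effective, account block:",
          s3_effectively_unrestricted(SAMPLE_POLICY, account_block=ACCOUNT_BLOCK))
```

Note that `VpceOnly` is a wildcard principal but is not reported, because its Condition limits callers to one VPC endpoint, while `CloudTrailWrite` is flagged by the service check precisely because it lacks the `aws:SourceArn` or `aws:SourceAccount` condition that would pin it to one trail.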
1.4.1: Not found resources handled and new MetaChecks
This release adds new MetaChecks for resource types `AwsKmsKey` and `AwsSecretsManagerSecret`, and now handles not-found resources for any resource type, preventing MetaChecks from being executed when the resource is not present.
Meta
- New MetaCheck and MetaTrails for the resource type: `AwsKmsKey`
- New MetaCheck and MetaTrails for the resource type: `AwsSecretsManagerSecret`
- MetaCheck `is_public` removed from `AwsEc2NetworkAcl` as it's not an effective check
- MetaCheck `it_has_name` and `it_has_subscriptions_confirmed` for resource type `AwsSnsTopic`
- When a resource is not found, MetaChecks answer `False`