prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl

prowler/providers/aws/lib/quick_inventory/quick_inventory.py

@@ -267,6 +267,9 @@ def create_output(resources: list, provider: AwsProvider, args):
                 resource["AWS_ResourceID"] = "/".join(
                     item["arn"].split(":")[-1].split("/")[1:]
                 )
+            # Cover SNS case
+            if resource["AWS_Service"] == "sns":
+                resource["AWS_ResourceID"] = item["arn"].split(":")[-1]
             resource["AWS_Tags"] = item["tags"]
             json_output.append(resource)
 

prowler/providers/aws/lib/security_hub/security_hub.py

@@ -165,8 +165,11 @@ class SecurityHub:
                 aws_account_id,
                 aws_partition,
             )
-        if findings and self._enabled_regions:
-            self._findings_per_region = self.filter(findings, send_only_fails)
+        if findings:
+            if not self._enabled_regions:
+                logger.error("No enabled regions found in Security Hub.")
+            else:
+                self._findings_per_region = self.filter(findings, send_only_fails)
 
     def filter(
         self,
@@ -185,6 +188,7 @@ class SecurityHub:
         """
 
         findings_per_region = {}
+        disabled_regions_logged = set()
         try:
             # Create a key per audited region
             for region in self._enabled_regions.keys():
@@ -193,6 +197,12 @@ class SecurityHub:
             for finding in findings:
                 # We don't send findings to not enabled regions
                 if finding.Resources[0].Region not in findings_per_region:
+                    # Only log once per disabled region
+                    if finding.Resources[0].Region not in disabled_regions_logged:
+                        logger.warning(
+                            f"Skipping findings in region {finding.Resources[0].Region} because it is not enabled in Security Hub."
+                        )
+                        disabled_regions_logged.add(finding.Resources[0].Region)
                     continue
 
                 if (

prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.metadata.json

@@ -1,31 +1,45 @@
 {
   "Provider": "aws",
   "CheckID": "accessanalyzer_enabled",
-  "CheckTitle": "Check if IAM Access Analyzer is enabled",
+  "CheckTitle": "IAM Access Analyzer is enabled",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "accessanalyzer",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:access-analyzer:region:account-id:analyzer/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "Other",
-  "Description": "Check if IAM Access Analyzer is enabled",
-  "Risk": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.",
-  "RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+  "Description": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
+  "Risk": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-manage-external.html",
+    "https://aws.amazon.com/iam/access-analyzer/",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
+    "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-external.html",
+    "https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-create-internal.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws accessanalyzer create-analyzer --analyzer-name example_resource --type ACCOUNT",
+      "NativeIaC": "```yaml\nResources:\n  example_resource:\n    Type: AWS::AccessAnalyzer::Analyzer  # This resource enables IAM Access Analyzer\n    Properties:\n      AnalyzerName: example_resource\n      Type: ACCOUNT  # This line fixes the security issue\n```",
+      "Other": "1. In the AWS Console, open IAM\n2. Go to Access analyzer > Analyzer settings\n3. Confirm the desired Region\n4. Click Create analyzer\n5. Select Resource analysis - External access\n6. Set Name to \"example_resource\" and Zone of trust to \"Current account\"\n7. Click Create",
+      "Terraform": "```hcl\nresource \"aws_accessanalyzer_analyzer\" \"example_resource\" {\n  analyzer_name = \"example_resource\"\n  type          = \"ACCOUNT\" # This line fixes the security issue\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).",
-      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html"
+      "Text": "Enable **IAM Access Analyzer** across all accounts and active Regions (*or organization-wide*). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.",
+      "Url": "https://hub.prowler.com/check/accessanalyzer_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access",
+    "trust-boundaries"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.metadata.json

@@ -1,31 +1,50 @@
 {
   "Provider": "aws",
   "CheckID": "accessanalyzer_enabled_without_findings",
-  "CheckTitle": "Check if IAM Access Analyzer is enabled without findings",
+  "CheckTitle": "IAM Access Analyzer analyzer is active and has no active findings",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Initial Access/Unauthorized Access",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "accessanalyzer",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:access-analyzer:region:account-id:analyzer/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "Other",
-  "Description": "Check if IAM Access Analyzer is enabled without findings",
-  "Risk": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.",
-  "RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+  "Description": "**IAM Access Analyzer** analyzers are in `Active` state and currently report zero `Active` findings within their scope of monitored resources.",
+  "Risk": "Unresolved `Active` findings indicate unintended external or internal access paths.\n- **Confidentiality**: public/cross-account reads of data (buckets, snapshots, secrets)\n- **Integrity**: rogue role assumption or KMS use enabling policy/data changes\n- **Lateral movement** across accounts",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-remediate.html",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-view.html",
+    "https://aws.amazon.com/iam/access-analyzer/",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-dashboard.html",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html",
+    "https://aws.amazon.com/blogs/security/automate-resolution-for-iam-access-analyzer-cross-account-access-findings-on-iam-roles/",
+    "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AccessAnalyzer/findings.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```yaml\nResources:\n  example_resource:\n    Type: AWS::AccessAnalyzer::Analyzer\n    Properties:\n      AnalyzerName: example_resource\n      Type: ACCOUNT  # This line fixes the security issue\n```",
+      "Other": "1. In the AWS Console, go to IAM > Access analyzer\n2. If no analyzer exists, click Create analyzer, select Type: Account, name it example_resource, and click Create\n3. To clear active findings: under Resource analysis, select your analyzer, select all Active findings, choose Actions > Archive\n4. For unintended access findings, open the finding and follow the linked resource to remove the offending permission (edit the resource policy or role trust policy), then return to the finding and choose Rescan\n5. Confirm the dashboard shows 0 Active findings",
+      "Terraform": "```hcl\nresource \"aws_accessanalyzer_analyzer\" \"example_resource\" {\n  analyzer_name = \"example_resource\"\n  type          = \"ACCOUNT\" # This line fixes the security issue\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).",
-      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html"
+      "Text": "Enable **IAM Access Analyzer** in all relevant Regions and org/account scopes. Triage every `Active` finding:\n- Remove unintended access by tightening resource and trust policies\n- Enforce **least privilege** and separation of duties\n- Archive only validated, intended access\n- Continuously monitor and automate reviews",
+      "Url": "https://hub.prowler.com/check/accessanalyzer_enabled_without_findings"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access",
+    "trust-boundaries",
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.metadata.json

@@ -1,28 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "account_maintain_current_contact_details",
-  "CheckTitle": "Maintain current contact details.",
+  "CheckTitle": "AWS account contact information is current",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "account",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsAccount",
-  "Description": "Maintain current contact details.",
-  "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
+  "ResourceType": "Other",
+  "Description": "**AWS account contact information** is current for the **primary contact** and the **alternate contacts** for `security`, `billing`, and `operations`, with accurate email addresses and phone numbers.",
+  "Risk": "Outdated or single-person contacts delay **security notifications**, slow **incident response**, and complicate **account recovery**.\n\nAWS may throttle services during abuse mitigation, reducing **availability**. Missed alerts enable ongoing misuse, risking **data exfiltration** and unauthorized changes (**integrity**).",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
+    "https://repost.aws/knowledge-center/update-phone-number",
+    "https://support.stax.io/docs/accounts/update-aws-account-contact-details",
+    "https://maartenbruntink.nl/blog/2022/09/26/aws-account-hygiene-101-mass-updating-alternate-account-contacts/",
+    "https://docs.aws.amazon.com/security-ir/latest/userguide/update-account-contact-info.html",
+    "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-primary.html",
+    "https://repost.aws/knowledge-center/add-update-billing-contact",
+    "https://aws.amazon.com/blogs/security/update-the-alternate-security-contact-across-your-aws-accounts-for-timely-security-notifications/",
+    "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_update_contacts.html",
+    "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "No command available.",
+      "CLI": "aws account put-alternate-contact --alternate-contact-type=SECURITY --email-address=<SECURITY_EMAIL> --name=\"<SECURITY_CONTACT_NAME>\" --phone-number=\"<SECURITY_PHONE>\" --title=\"Security\"",
       "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
-      "Terraform": ""
+      "Other": "1. Sign in to the AWS Management Console\n2. Open Billing and Cost Management, then click your account name > Account\n3. Under Contact information, click Edit, update details, then Update\n4. Under Alternate contacts, click Edit\n5. Enter Security contact name, email, and phone (use a team alias), then Update\n6. Repeat for Billing and Operations if needed",
+      "Terraform": "```hcl\n# Set the Security alternate contact for the AWS account\nresource \"aws_account_alternate_contact\" \"<example_resource_name>\" {\n  alternate_contact_type = \"SECURITY\"  # Critical: ensures AWS can reach your security team\n  email_address          = \"<SECURITY_EMAIL>\"  # Critical: contact destination\n  name                   = \"<SECURITY_CONTACT_NAME>\"\n  phone_number           = \"<SECURITY_PHONE>\"\n  title                  = \"Security\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Using the Billing and Cost Management console complete contact details.",
-      "Url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html"
+      "Text": "Adopt:\n- **Primary** and **alternate contacts** for `security`, `billing`, `operations`\n- Shared, monitored aliases and SMS-capable phone numbers (non-personal)\n- Centralized management across accounts with periodic reviews\n- **Least privilege** for who can modify contact data\n- Regular reachability tests and documented ownership",
+      "Url": "https://hub.prowler.com/check/account_maintain_current_contact_details"
     }
   },
   "Categories": [],

prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json

@@ -1,31 +1,43 @@
 {
   "Provider": "aws",
   "CheckID": "account_maintain_different_contact_details_to_security_billing_and_operations",
-  "CheckTitle": "Maintain different contact details to security, billing and operations.",
+  "CheckTitle": "AWS account has distinct Security, Billing, and Operations contact details, different from each other and from the root contact",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
   ],
   "ServiceName": "account",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsAccount",
-  "Description": "Maintain different contact details to security, billing and operations.",
-  "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
-  "RelatedUrl": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html",
+  "ResourceType": "Other",
+  "Description": "**AWS account alternate contacts** are defined for **Security**, **Billing**, and **Operations** with `name`, `email`, and `phone`. The finding evaluates that all three exist, are distinct from one another, and differ from the **primary (root) contact**.",
+  "Risk": "Missing or shared contacts can delay response to abuse alerts, credential compromise, or billing anomalies, reducing **availability** (possible AWS traffic throttling) and raising **confidentiality** and **integrity** risk through extended exposure. If AWS cannot reach you, urgent mitigation may disrupt service.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact",
+    "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
+    "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact-alternate.html",
+    "https://builder.aws.com/content/2qRw97fe8JFwfk2AbpJ3sYNpNvM/aws-bulk-update-alternate-contacts-across-organization",
+    "https://github.com/aws-samples/aws-account-alternate-contact-with-terraform",
+    "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/account-security-alternate-contacts.html",
+    "https://repost.aws/articles/ARDFbpt-bvQ8iuErnqVVcCXQ/managing-aws-organization-alternate-contacts-via-csv"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
-      "Terraform": ""
+      "Other": "1. Sign in to the AWS Management Console with a user that can edit account contacts (root, or IAM with account:PutAlternateContact)\n2. In the upper right, click your account name > Account\n3. Scroll to \"Alternate contacts\" and click Edit\n4. Add all three contacts with unique details:\n   - Billing contact (distinct name, email, phone)\n   - Operations contact (distinct name, email, phone)\n   - Security contact (distinct name, email, phone)\n5. Ensure each contact’s email/phone differs from each other and from the primary (root) contact, then click Update",
+      "Terraform": "```hcl\n# Set distinct alternate contacts for SECURITY, BILLING, and OPERATIONS\n# Critical: each resource sets a required contact type to satisfy the check\n\nresource \"aws_account_alternate_contact\" \"security\" {\n  alternate_contact_type = \"SECURITY\"  # Sets SECURITY contact\n  email_address          = \"security@example.com\"\n  name                   = \"Security Team\"\n  phone_number           = \"+1-555-0100\"\n  title                  = \"Security\"\n}\n\nresource \"aws_account_alternate_contact\" \"billing\" {\n  alternate_contact_type = \"BILLING\"   # Sets BILLING contact\n  email_address          = \"billing@example.com\"\n  name                   = \"Billing Team\"\n  phone_number           = \"+1-555-0101\"\n  title                  = \"Billing\"\n}\n\nresource \"aws_account_alternate_contact\" \"operations\" {\n  alternate_contact_type = \"OPERATIONS\" # Sets OPERATIONS contact\n  email_address          = \"operations@example.com\"\n  name                   = \"Operations Team\"\n  phone_number           = \"+1-555-0102\"\n  title                  = \"Operations\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Using the Billing and Cost Management console complete contact details.",
-      "Url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html"
+      "Text": "Maintain distinct, monitored **Security**, **Billing**, and **Operations** alternate contacts that differ from the root contact.\n- Use team aliases and 24x7 phones\n- Review and test contact paths regularly\n- Centralize at org level for consistency\n\nApplies **operational resilience** and **separation of duties**.",
+      "Url": "https://hub.prowler.com/check/account_maintain_different_contact_details_to_security_billing_and_operations"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.metadata.json

@@ -1,28 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "account_security_contact_information_is_registered",
-  "CheckTitle": "Ensure security contact information is registered.",
+  "CheckTitle": "AWS account has security alternate contact registered",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "account",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsAccount",
-  "Description": "Ensure security contact information is registered.",
-  "Risk": "AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.",
+  "ResourceType": "Other",
+  "Description": "Account settings contain a **Security alternate contact** in Alternate Contacts (name, `EmailAddress`, `PhoneNumber`) for targeted AWS security notifications.",
+  "Risk": "Missing or outdated **security contact** can delay or prevent AWS advisories from reaching responders, increasing risk to:\n- Confidentiality: data exfiltration from undetected compromise\n- Integrity: unauthorized changes persist longer\n- Availability: resource abuse (e.g., cryptomining) and outages",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact",
+    "https://docs.prowler.com/checks/aws/iam-policies/iam_19/",
+    "https://support.icompaas.com/support/solutions/articles/62000234161-1-2-ensure-security-contact-information-is-registered-manual-",
+    "https://www.plerion.com/cloud-knowledge-base/ensure-security-contact-information-is-registered",
+    "https://repost.aws/articles/ARDFbpt-bvQ8iuErnqVVcCXQ/managing-aws-organization-alternate-contacts-via-csv"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "No command available.",
+      "CLI": "aws account put-alternate-contact --alternate-contact-type SECURITY --email-address <EMAIL_ADDRESS> --name <CONTACT_NAME> --phone-number <PHONE_NUMBER>",
       "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_19#aws-console",
-      "Terraform": ""
+      "Other": "1. Sign in to the AWS Management Console as the root user or an admin with account:PutAlternateContact\n2. Click your account name (top-right) and select My Account (or Account)\n3. Scroll to Alternate Contacts and click Edit in the Security section\n4. Enter Security Email, Name, and Phone Number\n5. Click Update (or Save changes)",
+      "Terraform": "```hcl\n# Set the SECURITY alternate contact for the current AWS account\nresource \"aws_account_alternate_contact\" \"<example_resource_name>\" {\n  alternate_contact_type = \"SECURITY\"  # Critical: sets Security contact type\n  email_address          = \"security@example.com\"  # Contact email\n  name                   = \"Security Team\"         # Contact name\n  phone_number           = \"+1-555-0100\"          # Contact phone\n}\n```"
     },
     "Recommendation": {
-      "Text": "Go to the My Account section and complete alternate contacts.",
-      "Url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html"
+      "Text": "Define and maintain a **Security alternate contact**:\n- Use a monitored alias (e.g., `security@domain`) and team phone\n- Apply to every account (prefer Org-wide automation)\n- Review after org/personnel changes and test delivery\n- Document ownership and escalation paths\nAlign with **incident response** and **least privilege** principles.",
+      "Url": "https://hub.prowler.com/check/account_security_contact_information_is_registered"
     }
   },
   "Categories": [],

prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.metadata.json

@@ -1,28 +1,32 @@
 {
   "Provider": "aws",
   "CheckID": "account_security_questions_are_registered_in_the_aws_account",
-  "CheckTitle": "Ensure security questions are registered in the AWS account.",
+  "CheckTitle": "[DEPRECATED] AWS root user has security challenge questions configured",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "account",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsAccount",
-  "Description": "Ensure security questions are registered in the AWS account.",
-  "Risk": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. When creating a new AWS account a default super user is automatically created. This account is referred to as the root account. It is recommended that the use of this account be limited and highly controlled. During events in which the root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible through authentication using secret questions and associated answers to recover root login access.",
+  "ResourceType": "Other",
+  "Description": "[DEPRECATED] **AWS account root** configuration may include legacy **security challenge questions** for support identity verification. This evaluates whether those questions are set on the account. *New configuration is discontinued by AWS and remaining support for this feature is time-limited.*",
+  "Risk": "Absence of these questions can limit support-assisted recovery if root credentials or MFA are lost, reducing **availability** and slowing **incident response**. Reliance on KBA also weakens **confidentiality** due to **social engineering**. Treat this as a recovery gap and adopt stronger, phishing-resistant factors.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.prowler.com/checks/aws/iam-policies/iam_15",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/security-challenge-questions.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "No command available.",
+      "CLI": "",
       "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_15",
+      "Other": "1. Sign in to the AWS Management Console\n2. Navigate to your AWS account settings page at https://console.aws.amazon.com/billing/home?#/account/\n3. Scroll down to Configure Security Challenge Questions section and click the Edit link\n4. Select three different questions made available by Amazon and provide appropriate answers\n5. Store the answers in a secure but accessible location\n6. Click the Update button to save the changes",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Login as root account and from My Account configure Security questions.",
-      "Url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-security-challenge.html"
+      "Text": "Favor stronger recovery instead of KBA:\n- Enforce **MFA for root** and minimize root use\n- Keep **alternate contacts** and root email current and protected\n- Establish a tightly controlled **break-glass role**, applying least privilege and separation of duties\n- Document and test recovery procedures; monitor root activity",
+      "Url": "https://hub.prowler.com/check/account_security_questions_are_registered_in_the_aws_account"
     }
   },
   "Categories": [],

prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json

@@ -1,28 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "acm_certificates_expiration_check",
-  "CheckTitle": "Check if ACM Certificates are about to expire in specific days or less",
+  "CheckTitle": "ACM certificate expires in more than the configured threshold of days",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Denial of Service"
   ],
   "ServiceName": "acm",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCertificateManagerCertificate",
-  "Description": "Check if ACM Certificates are about to expire in specific days or less",
-  "Risk": "Expired certificates can impact service availability.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
+  "Description": "**ACM certificates** are assessed for **time to expiration** against a configurable threshold. Certificates close to end of validity or already expired are surfaced, covering those attached to services and, *if in scope*, unused ones.",
+  "Risk": "Expired or near-expiry **TLS certificates** can break handshakes, causing **service outages** and failed API calls (**availability**). Emergency fixes raise misconfiguration risk, enabling disabled verification or weak ciphers, which allows **MITM** and data exposure (**confidentiality**/**integrity**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ACM/certificate-expires-in-45-days.html",
+    "https://repost.aws/es/knowledge-center/acm-notification-certificate-renewal",
+    "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
+    "https://repost.aws/questions/QU3sMaeZPMRo2kLcsfJsfuVA/acm-notifications-for-expiring-certificates"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. In the AWS Console, open Certificate Manager (ACM)\n2. If the expiring certificate is ACM-issued: select it and complete/restore validation (Create records in Route 53 or add the shown CNAME) so renewal can proceed\n3. If the expiring certificate is imported: click Import a certificate, upload the new certificate and private key, then save\n4. Update the service to use the new/renewed certificate:\n   - ALB/NLB: EC2 > Load Balancers > Listeners > Edit > Change certificate to the new ACM certificate\n   - CloudFront: Distributions > Edit > Viewer certificate > Select the new ACM certificate\n   - API Gateway: Custom domain names > Edit > Choose the new ACM certificate\n5. Verify the old certificate is no longer in use; delete it if not needed",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Monitor certificate expiration and take automated action to renew, replace or remove. Having shorter TTL for any security artifact is a general recommendation, but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check.",
-      "Url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
+      "Text": "Adopt **automated certificate lifecycle management**: prefer **ACM-issued certs with auto-renewal**, or integrate imports with an automated renewal/rotation pipeline. Track expirations with alerts, enforce **least privilege** for cert operations, remove unused certs, and test rollovers to avoid downtime.",
+      "Url": "https://hub.prowler.com/check/acm_certificates_expiration_check"
     }
   },
   "Categories": [],

prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.metadata.json

@@ -1,28 +1,32 @@
 {
   "Provider": "aws",
   "CheckID": "acm_certificates_transparency_logs_enabled",
-  "CheckTitle": "Check if ACM certificates have Certificate Transparency logging enabled",
+  "CheckTitle": "ACM certificate is imported or has Certificate Transparency logging enabled",
   "CheckType": [
-    "Logging and Monitoring"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "acm",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCertificateManagerCertificate",
-  "Description": "Check if ACM certificates have Certificate Transparency logging enabled",
-  "Risk": "Domain owners can search the log to identify unexpected certificates, whether issued by mistake or malice. Domain owners can also identify Certificate Authorities (CAs) that are improperly issuing certificates.",
-  "RelatedUrl": "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/",
+  "Description": "**ACM-issued certificates** are checked for **Certificate Transparency (CT) logging** being enabled. Certificates with type `IMPORTED` are excluded from evaluation.",
+  "Risk": "Disabling **CT logging** reduces visibility into **misissued or rogue certificates**, weakening confidentiality and integrity. Attackers can **impersonate sites** or run **TLS man-in-the-middle** without timely detection. Unlogged public certs may be distrusted by browsers, impacting availability and user trust.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/",
+    "https://support.icompaas.com/support/solutions/articles/62000129491-ensure-acm-certificates-have-certificate-transparency-logging-enabled"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws acm update-certificate-options --certificate-arn <CERTIFICATE_ARN> --options CertificateTransparencyLoggingPreference=ENABLED",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable Certificate Transparency logging on an ACM certificate\nResources:\n  <example_resource_name>:\n    Type: AWS::CertificateManager::Certificate\n    Properties:\n      DomainName: <example_domain_name>\n      CertificateTransparencyLoggingPreference: ENABLED  # Critical: turns on CT logging to pass the check\n```",
+      "Other": "1. Open the AWS Certificate Manager (ACM) console\n2. Select the certificate with transparency logging disabled\n3. Click Actions > Edit transparency logging\n4. Choose Enable transparency logging\n5. Click Save",
+      "Terraform": "```hcl\n# Enable Certificate Transparency logging on an ACM certificate\nresource \"aws_acm_certificate\" \"<example_resource_name>\" {\n  domain_name = \"<example_domain_name>\"\n  options {\n    certificate_transparency_logging_preference = \"ENABLED\"  # Critical: turns on CT logging to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.",
-      "Url": "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/"
+      "Text": "Enable **CT logging** on all ACM-issued public certificates to maintain transparency and rapid revocation.\n\nMonitor CT logs for your domains and alert on unexpected issuances. For sensitive internal names, favor private PKI or non-public hostnames instead of disabling CT, and apply **defense in depth** with short certificate lifetimes.",
+      "Url": "https://hub.prowler.com/check/acm_certificates_transparency_logs_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.metadata.json

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "acm_certificates_with_secure_key_algorithms",
-  "CheckTitle": "Check if ACM Certificates use a secure key algorithm",
+  "CheckTitle": "ACM certificate uses a secure key algorithm",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
   ],
   "ServiceName": "acm",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCertificateManagerCertificate",
-  "Description": "Check if ACM Certificates use a secure key algorithm (RSA 2048 bits or more, or ECDSA 256 bits or more). For example certificates that use RSA-1024 can be compromised because the encryption could be broken in no more than 2^80 guesses making it vulnerable to a factorization attack.",
-  "Risk": "Certificates with weak RSA or ECDSA keys can be compromised because the length of the key defines the security of the encryption. The number of bits in the key determines the number of guesses an attacker would have to make in order to decrypt the data. The more bits in the key, the more secure the encryption.",
-  "RelatedUrl": "https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html",
+  "Description": "**ACM certificates** are evaluated for the **public key algorithm and size**, identifying those that use weak parameters such as `RSA-1024` or ECDSA `P-192`. Certificates using `RSA-2048+` or ECDSA `P-256+` meet the secure baseline.",
+  "Risk": "**Weak certificate keys** reduce TLS confidentiality and authenticity.\n\nFeasible factoring or discrete log attacks can reveal private keys, enabling **man-in-the-middle**, session decryption, and **certificate spoofing**, leading to data exposure and tampering.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://noise.getoto.net/2022/11/08/how-to-evaluate-and-use-ecdsa-certificates-in-aws-certificate-manager/",
+	"https://docs.aws.amazon.com/acm/latest/userguide/data-protection.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: ACM certificate with secure key algorithm\nResources:\n  <example_resource_name>:\n    Type: AWS::CertificateManager::Certificate\n    Properties:\n      DomainName: <example_domain>\n      KeyAlgorithm: EC_prime256v1  # CRITICAL: ensures a secure key algorithm (RSA-2048+ or ECDSA P-256+)\n```",
+      "Other": "1. In the AWS Console, go to Certificate Manager (ACM)\n2. Click Request a certificate and enter <example_domain>\n3. Under Key algorithm, select ECDSA P-256 (or RSA 2048)\n4. Complete validation (DNS is recommended)\n5. In the service using the certificate (e.g., ALB/CloudFront/API Gateway), replace the old certificate with the new one\n6. Delete the insecure certificate (e.g., RSA-1024 or P-192) once no longer in use.",
+      "Terraform": "```hcl\n# Terraform: ACM certificate with secure key algorithm\nresource \"aws_acm_certificate\" \"<example_resource_name>\" {\n  domain_name   = \"<example_domain>\"\n  key_algorithm = \"EC_prime256v1\"  # CRITICAL: ensures a secure key algorithm (RSA-2048+ or ECDSA P-256+)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that all ACM certificates use a secure key algorithm. If any certificates use smaller keys, regenerate them with a secure key size and update any systems that rely on these certificates.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-2"
+      "Text": "Use **strong algorithms**: `RSA-2048+` or ECDSA `P-256/P-384`. Replace weak or legacy certificates and prevent their use via policy.\n\nPrefer ECDSA where compatible, apply **least privilege** to private keys, enforce modern TLS policies, and automate renewal to maintain cryptographic strength.",
+      "Url": "https://hub.prowler.com/check/acm_certificates_with_secure_key_algorithms"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""