prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl

prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json

@@ -1,28 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_find_secrets_ec2_launch_configuration",
-  "CheckTitle": "[DEPRECATED] Find secrets in EC2 Auto Scaling Launch Configuration",
+  "CheckTitle": "[DEPRECATED] EC2 Auto Scaling launch configuration user data contains no secrets",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Sensitive Data Identifications/Passwords",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:autoscaling:region:account-id:autoScalingGroupName/resource-name",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsAutoScalingLaunchConfiguration",
-  "Description": "[DEPRECATED] Find secrets in EC2 Auto Scaling Launch Configuration",
-  "Risk": "The use of a hard-coded password increases the possibility of password guessing.  If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
+  "Description": "[DEPRECATED] EC2 Auto Scaling launch configurations are analyzed for **secrets** embedded in `User Data`, such as passwords, tokens, or API keys in bootstrapping scripts.",
+  "Risk": "Secrets in `User Data` erode **confidentiality** and **integrity**:\n- Instance users or processes can read or log them\n- Exposed keys enable unauthorized API calls, data exfiltration, and lateral movement\n- Credential reuse increases blast radius across accounts and services",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation Launch Configuration without secrets in UserData\nResources:\n  <example_resource_name>:\n    Type: AWS::AutoScaling::LaunchConfiguration\n    Properties:\n      ImageId: <AMI_ID>\n      InstanceType: <INSTANCE_TYPE>\n      UserData: ''  # Critical: empty user data ensures no secrets are present\n```",
+      "Other": "1. In the AWS Console, go to EC2 > Launch configurations and click Create launch configuration\n2. Reuse the same AMI and instance type; leave User data empty\n3. Go to EC2 > Auto Scaling groups, select the group using the failing launch configuration, click Edit\n4. Under Launch options, select the new launch configuration and Save\n5. After the ASG is updated, delete the old launch configuration",
+      "Terraform": "```hcl\n# Launch configuration with no secrets in user data\nresource \"aws_launch_configuration\" \"<example_resource_name>\" {\n  image_id      = \"<AMI_ID>\"\n  instance_type = \"<INSTANCE_TYPE>\"\n  user_data     = \"\" # Critical: empty user data ensures no secrets are present\n}\n```"
     },
     "Recommendation": {
-      "Text": "Do not include sensitive information in user data within the launch configuration, try to use Secrets Manager instead.",
-      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html"
+      "Text": "Never place secrets in `User Data`.\n- Use a managed secret store with an instance role to fetch at runtime\n- Enforce **least privilege**, rotate secrets, and avoid writing secrets to logs\n- Prefer short-lived, scoped credentials and layer controls for **defense in depth**",
+      "Url": "https://hub.prowler.com/check/autoscaling_find_secrets_ec2_launch_configuration"
     }
   },
   "Categories": [

prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.metadata.json

@@ -1,32 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_group_capacity_rebalance_enabled",
-  "CheckTitle": "Check if Amazon EC2 Auto Scaling groups have capacity rebalance enabled.",
+  "CheckTitle": "Amazon EC2 Auto Scaling group has Capacity Rebalancing enabled",
   "CheckType": [
-    "Resilience"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Denial of Service"
   ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:autoscaling:region:account-id:autoScalingGroup/autoScalingGroupName",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsAutoScalingAutoScalingGroup",
-  "Description": "This control checks whether an Amazon EC2 Auto Scaling group has capacity rebalance enabled.",
-  "Risk": "When you don't use Capacity Rebalancing, Amazon EC2 Auto Scaling doesn't replace Spot Instances until after the Amazon EC2 Spot service interrupts the instances and their health check fails. Before interrupting an instance, Amazon EC2 always gives both an EC2 instance rebalance recommendation and a Spot two-minute instance interruption notice.",
-  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-capacity-rebalancing.html",
+  "Description": "**EC2 Auto Scaling groups** use **Capacity Rebalancing** to act on EC2 `rebalance` recommendations by launching replacement Spot instances and terminating at-risk ones after they are healthy.\n\n*Assesses whether this proactive replacement behavior is enabled.*",
+  "Risk": "Without **Capacity Rebalancing**, Spot interruptions can drop targets and reduce capacity, causing timeouts, 5xx spikes, and backlog growth. The two-minute notice is often insufficient, reducing service **availability** and increasing the chance of cascading failures and slow recovery.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-ec2-auto-scaling-group-capacity-rebalance-enabled",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-capacity-rebalancing.html",
+    "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/enable-capacity-rebalancing.html",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/enable-capacity-rebalancing-console-cli.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws autoscaling create-auto-scaling-group --capacity-rebalance",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/enable-capacity-rebalancing-console-cli.html",
-      "Terraform": ""
+      "CLI": "aws autoscaling update-auto-scaling-group --auto-scaling-group-name <example_resource_name> --capacity-rebalance",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable Capacity Rebalancing on an Auto Scaling group\nResources:\n  <example_resource_name>:\n    Type: AWS::AutoScaling::AutoScalingGroup\n    Properties:\n      MinSize: \"1\"\n      MaxSize: \"1\"\n      AvailabilityZones: [\"<example_az>\"]\n      LaunchTemplate:\n        LaunchTemplateName: <example_resource_name>\n        Version: \"$Default\"\n      CapacityRebalance: true  # CRITICAL: Enables proactive replacement of at-risk Spot instances\n```",
+      "Other": "1. In the AWS Console, go to EC2 > Auto Scaling Groups\n2. Select <example_resource_name> and open the Details tab\n3. Click Allocation strategies > Edit, check Capacity rebalancing\n4. Click Update/Save",
+      "Terraform": "```hcl\n# Terraform: Enable Capacity Rebalancing on an Auto Scaling group\nresource \"aws_autoscaling_group\" \"<example_resource_name>\" {\n  name               = \"<example_resource_name>\"\n  min_size           = 1\n  max_size           = 1\n  desired_capacity   = 1\n  availability_zones = [\"<example_az>\"]\n\n  launch_template {\n    id    = \"<example_resource_id>\"\n    version = \"$Latest\"\n  }\n\n  capacity_rebalance = true  # CRITICAL: Turns on Capacity Rebalancing\n}\n```"
     },
     "Recommendation": {
-      "Text": "When you enable Capacity Rebalancing for your Auto Scaling group, Amazon EC2 Auto Scaling attempts to proactively replace the Spot Instances in your group that have received a rebalance recommendation. This provides an opportunity to rebalance your workload to new Spot Instances that aren't at an elevated risk of interruption.",
-      "Url": "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-ec2-auto-scaling-group-capacity-rebalance-enabled"
+      "Text": "Enable **Capacity Rebalancing** for ASGs that use Spot.\n\nApply resilience practices:\n- Prefer `price-capacity-optimized` allocation\n- Keep headroom below `MaxSize`\n- Use lifecycle hooks to drain/deregister\n- Design stateless, interruption-tolerant workloads (least privilege and defense-in-depth for dependencies)",
+      "Url": "https://hub.prowler.com/check/autoscaling_group_capacity_rebalance_enabled"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_group_elb_health_check_enabled",
-  "CheckTitle": "Check if Auto Scaling groups associated with a load balancer use ELB health checks.",
+  "CheckTitle": "Auto Scaling group associated with a load balancer has ELB health checks enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:autoscaling:region:account-id:autoScalingGroup/autoScalingGroupName",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsAutoScalingAutoScalingGroup",
-  "Description": "This control checks whether an Amazon EC2 Auto Scaling group that is associated with a load balancer uses Elastic Load Balancing (ELB) health checks. The control fails if the Auto Scaling group doesn't use ELB health checks.",
-  "Risk": "If ELB health checks are not enabled, the Auto Scaling group might not be able to accurately determine the health of instances, which could impact the availability and reliability of the applications running on these instances.",
-  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html#as-add-elb-healthcheck-console",
+  "Description": "EC2 Auto Scaling groups attached to a load balancer are evaluated for **ELB-based health checks** that use the load balancer's target health instead of instance-only checks.",
+  "Risk": "Without **ELB health checks**, the group may keep instances that fail load balancer probes, causing:\n- Reduced **availability** from routing to bad targets\n- Higher error rates impacting transaction **integrity**\n- Inefficient scaling and increased **costs**",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-1",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/auto-scaling-group-health-check.html",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html#as-add-elb-healthcheck-console"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws autoscaling update-auto-scaling-group --auto-scaling-group-name <auto-scaling-group-name> --health-check-type ELB",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-1",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Enable ELB health checks for the Auto Scaling group\nResources:\n  <example_resource_name>:\n    Type: AWS::AutoScaling::AutoScalingGroup\n    Properties:\n      HealthCheckType: ELB  # Remediation: use ELB health checks so the ASG evaluates instance health via the load balancer\n```",
+      "Other": "1. In AWS Console, go to EC2 > Auto Scaling Groups\n2. Select the Auto Scaling group\n3. On the Details tab, click Edit under Health checks\n4. Under Additional health check types, select Elastic Load Balancing (ELB)\n5. Click Update/Save",
+      "Terraform": "```hcl\n# Enable ELB health checks on the Auto Scaling group\nresource \"aws_autoscaling_group\" \"<example_resource_name>\" {\n  health_check_type = \"ELB\"  # Remediation: ensures ASG uses load balancer health status\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your Auto Scaling groups to use ELB health checks to improve the monitoring and availability of your applications.",
-      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/auto-scaling-group-health-check.html"
+      "Text": "Enable **ELB health checks** for Auto Scaling groups behind load balancers to reflect real client reachability. Apply **high availability** and **defense in depth** by:\n- Using application-appropriate LB probes\n- Tuning grace and threshold settings to avoid flapping\n- Monitoring health metrics and alerts",
+      "Url": "https://hub.prowler.com/check/autoscaling_group_elb_health_check_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.metadata.json

@@ -1,28 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_group_launch_configuration_no_public_ip",
-  "CheckTitle": "Check if Amazon EC2 instances launched using Auto Scaling group launch configurations have Public IP addresses.",
+  "CheckTitle": "Auto Scaling group associated launch configuration does not assign a public IP address",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
   ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:autoscaling:region:account-id:launchConfiguration/launchConfigurationName",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsAutoScalingLaunchConfiguration",
-  "Description": "This control checks whether an Auto Scaling group's associated launch configuration assigns a public IP address to the group's instances. The control fails if the associated launch configuration assigns a public IP address.",
-  "Risk": "Assigning a public IP address to EC2 instances can expose them directly to the internet, increasing the risk of unauthorized access and potential security breaches.",
-  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-auto-scaling-groups-launch-configuration.html",
+  "ResourceType": "AwsAutoScalingAutoScalingGroup",
+  "Description": "**Amazon EC2 Auto Scaling groups** are evaluated to determine whether their associated **launch configuration** assigns **public IP addresses** to instances (e.g., `AssociatePublicIpAddress=true`).",
+  "Risk": "**Publicly addressable instances** are reachable from the Internet, enabling reconnaissance, brute-force, and exploitation of exposed services.\n\nCompromise can lead to remote access, **data exfiltration**, and **lateral movement**, impacting **confidentiality**, **integrity**, and **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-auto-scaling-groups-launch-configuration.html",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws autoscaling create-launch-configuration --launch-configuration-name <new-launch-config> --associate-public-ip-address false",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation Launch Configuration without public IPs\nResources:\n  <example_resource_name>:\n    Type: AWS::AutoScaling::LaunchConfiguration\n    Properties:\n      ImageId: <example_ami_id>\n      InstanceType: <example_instance_type>\n      AssociatePublicIpAddress: false  # Critical: disables assigning public IPs to instances\n```",
+      "Other": "1. In the AWS console, go to EC2 > Auto Scaling > Launch configurations and click Create launch configuration\n2. Use the same AMI and instance type as the current group; under Advanced details set IP address type to Do not assign a public IP address\n3. Create the launch configuration\n4. Go to EC2 > Auto Scaling Groups, select your group, click Edit next to Launch configuration, choose the new configuration, and click Update",
+      "Terraform": "```hcl\n# Launch Configuration without public IPs\nresource \"aws_launch_configuration\" \"<example_resource_name>\" {\n  image_id                    = \"<example_ami_id>\"\n  instance_type               = \"<example_instance_type>\"\n  associate_public_ip_address = false  # Critical: disables assigning public IPs\n}\n```"
     },
     "Recommendation": {
-      "Text": "Create a new launch configuration without a public IP address and update your Auto Scaling groups to use the new configuration.",
-      "Url": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html"
+      "Text": "Place instances in private subnets and disable public addressing (`AssociatePublicIpAddress=false`). Publish services via **load balancers** or **private endpoints**, enforce **least privilege** security groups, and use **SSM**, VPN, or a hardened bastion for admin access. Prefer **launch templates** to standardize network controls.",
+      "Url": "https://hub.prowler.com/check/autoscaling_group_launch_configuration_no_public_ip"
     }
   },
   "Categories": [

prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.metadata.json

@@ -1,31 +1,43 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_group_launch_configuration_requires_imdsv2",
-  "CheckTitle": "Check if Auto Scaling group launch configurations require Instance Metadata Service Version 2 (IMDSv2).",
+  "CheckTitle": "Auto Scaling group enforces IMDSv2 or disables the instance metadata service",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
+    "TTPs/Credential Access",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:autoscaling:region:account-id:launchConfiguration/launchConfigurationName",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsAutoScalingLaunchConfiguration",
-  "Description": "This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version isn't included in the launch configuration or is configured as token optional, which allows either IMDSv1 or IMDSv2.",
-  "Risk": "If IMDSv2 is not enforced, instances may be vulnerable to certain types of attacks that target the metadata service, potentially exposing sensitive instance information.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html",
+  "ResourceType": "AwsAutoScalingAutoScalingGroup",
+  "Description": "Amazon EC2 Auto Scaling launch configurations are evaluated for **Instance Metadata Service** settings. Instances should have the metadata endpoint `enabled` with `http_tokens=required` (enforcing **IMDSv2**), or have the metadata service `disabled`.\n\nAllowing `http_tokens=optional` or omitting the version leaves legacy access enabled.",
+  "Risk": "Without enforced **IMDSv2**, **SSRF** and local escape paths can access **IAM role credentials**, enabling unauthorized API calls.\n\nAttackers could:\n- Exfiltrate data with stolen tokens\n- Move laterally and modify resources, degrading confidentiality and integrity",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/require-imds-v2.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-3",
+    "https://aws.plainenglish.io/dont-let-metadata-leak-why-imdsv2-is-a-must-and-how-to-migrate-a88e1e285394"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws autoscaling create-launch-configuration --launch-configuration-name <new-launch-config> --metadata-options 'HttpTokens=required'",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-3",
-      "Terraform": ""
+      "CLI": "aws autoscaling create-launch-configuration --launch-configuration-name <new-launch-config> --image-id <AMI_ID> --instance-type <INSTANCE_TYPE> --metadata-options 'HttpTokens=required,HttpEndpoint=enabled'",
+      "NativeIaC": "```yaml\n# CloudFormation: ASG launch configuration enforces IMDSv2\nResources:\n  LaunchConfig:\n    Type: AWS::AutoScaling::LaunchConfiguration\n    Properties:\n      ImageId: <example_ami_id>\n      InstanceType: <example_instance_type>\n      MetadataOptions:\n        HttpTokens: required     # critical: require IMDSv2 tokens (disables IMDSv1)\n        HttpEndpoint: enabled    # critical: keep IMDS enabled while enforcing v2\n\n  AutoScalingGroup:\n    Type: AWS::AutoScaling::AutoScalingGroup\n    Properties:\n      LaunchConfigurationName: !Ref LaunchConfig\n      MinSize: 1\n      MaxSize: 1\n      VPCZoneIdentifier:\n        - <example_subnet_id>\n```",
+      "Other": "1. In the AWS Console, go to EC2 > Auto Scaling > Launch configurations\n2. Click Create launch configuration and choose the same AMI and instance type used by the group\n3. Expand Advanced details and set Metadata options to: Metadata accessible = Enabled, Metadata version = V2 only (token required)\n4. Create the launch configuration\n5. Go to EC2 > Auto Scaling > Auto Scaling groups, select the group, click Edit\n6. Under Launch configuration, select the new launch configuration and Save\n7. (Alternative) To disable IMDS entirely: when creating the launch configuration, set Metadata accessible = Disabled",
+      "Terraform": "```hcl\n# ASG launch configuration enforces IMDSv2\nresource \"aws_launch_configuration\" \"example\" {\n  image_id      = \"<example_ami_id>\"\n  instance_type = \"<example_instance_type>\"\n\n  metadata_options {\n    http_tokens   = \"required\"  # critical: require IMDSv2 tokens (blocks IMDSv1)\n    http_endpoint = \"enabled\"   # critical: IMDS enabled while enforcing v2\n  }\n}\n\nresource \"aws_autoscaling_group\" \"example\" {\n  launch_configuration = aws_launch_configuration.example.name\n  min_size             = 1\n  max_size             = 1\n  vpc_zone_identifier  = [\"<example_subnet_id>\"]\n}\n```"
     },
     "Recommendation": {
-      "Text": "Create a new launch configuration that requires IMDSv2 and update your Auto Scaling groups to use the new configuration.",
-      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html"
+      "Text": "Require **IMDSv2** for Auto Scaling-launched instances by setting `http_tokens=required` when metadata is `enabled`. *If metadata is not needed*, disable it.\n\nApply **least privilege** to instance roles, set IMDSv2 as an account default, and use **defense in depth** (egress filtering, SSRF protections) to limit exposure.",
+      "Url": "https://hub.prowler.com/check/autoscaling_group_launch_configuration_requires_imdsv2"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.metadata.json

@@ -1,30 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_group_multiple_az",
-  "CheckTitle": "EC2 Auto Scaling Group should use multiple Availability Zones",
-  "CheckType": [],
+  "CheckTitle": "Auto Scaling group uses multiple Availability Zones",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Denial of Service"
+  ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:autoscaling:region:account-id:autoScalingGroupName/resource-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsAutoScalingAutoScalingGroup",
-  "Description": "EC2 Auto Scaling Group should use multiple Availability Zones",
-  "Risk": "In case of a failure in a single Availability Zone, the Auto Scaling Group will not be able to launch new instances to replace the failed ones.",
-  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html",
+  "Description": "**EC2 Auto Scaling groups** use **multiple Availability Zones** within a Region, with instances distributed across more than one zone rather than confined to a single zone.",
+  "Risk": "Relying on a single zone concentrates failure risk and harms **availability**. An AZ outage or capacity shortfall can block replacements and scaling, causing downtime, dropped traffic, and a wider blast radius. Recovery can lag because workloads can't shift to healthy zones.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-az-console.html",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-availability-zone-balanced.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/multiple-availability-zones.html",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/disaster-recovery-resiliency.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws autoscaling update-auto-scaling-group",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/multiple-availability-zones.html",
-      "Terraform": ""
+      "CLI": "aws autoscaling update-auto-scaling-group --auto-scaling-group-name <example_resource_name> --vpc-zone-identifier \"<subnet_id_az1>,<subnet_id_az2>\"",
+      "NativeIaC": "```yaml\n# CloudFormation: ensure ASG spans multiple AZs\nResources:\n  <example_resource_name>:\n    Type: AWS::AutoScaling::AutoScalingGroup\n    Properties:\n      MinSize: '1'\n      MaxSize: '1'\n      LaunchTemplate:\n        LaunchTemplateId: <example_resource_id>\n        Version: '$Latest'\n      VPCZoneIdentifier:\n        - <subnet_id_az1>\n        - <subnet_id_az2>  # CRITICAL: Add a second subnet in a different AZ to ensure multiple AZs\n```",
+      "Other": "1. In the AWS Console, go to EC2 > Auto Scaling Groups\n2. Select the group and open the Details tab\n3. Click Network > Edit\n4. In Subnets, add one more subnet from a different Availability Zone\n5. Click Update to save",
+      "Terraform": "```hcl\n# Terraform: ensure ASG spans multiple AZs\nresource \"aws_autoscaling_group\" \"<example_resource_name>\" {\n  min_size = 1\n  max_size = 1\n\n  launch_template {\n    id      = \"<example_resource_id>\"\n    version = \"$Latest\"\n  }\n\n  vpc_zone_identifier = [\n    \"<subnet_id_az1>\",\n    \"<subnet_id_az2>\" # CRITICAL: two subnets in different AZs to pass the check\n  ]\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure multiple Availability Zones for EC2 Auto Scaling Group",
-      "Url": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html"
+      "Text": "Distribute each group across at least two **Availability Zones** to design for failure. Use a load balancer to spread traffic and health-based replacement to sustain capacity. Apply **resilience** and **fault isolation** principles so service continues during zonal degradation.",
+      "Url": "https://hub.prowler.com/check/autoscaling_group_multiple_az"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_group_multiple_instance_types",
-  "CheckTitle": "EC2 Auto Scaling Group should use multiple instance types in multiple Availability Zones.",
+  "CheckTitle": "Auto Scaling group spans multiple Availability Zones and has multiple instance types per Availability Zone",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Denial of Service"
   ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:autoscaling:region:account-id:autoScalingGroupName/resource-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsAutoScalingAutoScalingGroup",
-  "Description": "This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types in all the Availability Zones, meaning that there should be multiple Availability Zones with multiple instances on each one. The control fails if the Auto Scaling group has only one instance type defined.",
-  "Risk": "Using only one instance type in an Auto Scaling group reduces the flexibility to launch new instances when there is insufficient capacity for that specific type, potentially affecting the availability of the application.",
-  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html",
+  "Description": "**EC2 Auto Scaling groups** are evaluated for using **multiple instance types** in each **Availability Zone** and spanning more than one AZ.\n\nGroups are identified when every AZ defines at least two instance types; groups with any AZ using a single or no type, or confined to one AZ, are noted.",
+  "Risk": "Limited to one instance type per AZ or a single AZ, scaling can stall during **capacity shortages**, hindering **failover** and degrading **availability** (timeouts, backlog growth). Costs may spike if only expensive capacity is available. Reduced diversity increases the likelihood of prolonged outages during zonal or market disruptions.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-multiple-instance-type-az.html",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-6"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws autoscaling create-auto-scaling-group --mixed-instances-policy ...",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-6",
-      "Terraform": ""
+      "CLI": "aws autoscaling update-auto-scaling-group --auto-scaling-group-name <example_resource_name> --mixed-instances-policy '{\"LaunchTemplate\":{\"LaunchTemplateSpecification\":{\"LaunchTemplateName\":\"<example_resource_name>\",\"Version\":\"$Latest\"},\"Overrides\":[{\"InstanceType\":\"<INSTANCE_TYPE_1>\"},{\"InstanceType\":\"<INSTANCE_TYPE_2>\"}]}}' --vpc-zone-identifier \"<subnet_id_1>,<subnet_id_2>\"",
+      "NativeIaC": "```yaml\n# CloudFormation: Ensure ASG uses multiple instance types across multiple AZs\nResources:\n  <example_resource_name>:\n    Type: AWS::AutoScaling::AutoScalingGroup\n    Properties:\n      MinSize: \"1\"\n      MaxSize: \"1\"\n      VPCZoneIdentifier:\n        - <subnet_id_1>  # CRITICAL: Use subnets in different AZs to span multiple AZs\n        - <subnet_id_2>  # CRITICAL: Ensures at least two Availability Zones\n      MixedInstancesPolicy:\n        LaunchTemplate:\n          LaunchTemplateSpecification:\n            LaunchTemplateName: <example_resource_name>\n            Version: $Latest\n          Overrides:\n            - InstanceType: <INSTANCE_TYPE_1>  # CRITICAL: Multiple instance types per AZ\n            - InstanceType: <INSTANCE_TYPE_2>  # CRITICAL: Multiple instance types per AZ\n```",
+      "Other": "1. In the AWS Console, go to EC2 > Auto Scaling Groups and select <example_resource_name>\n2. Click Edit\n3. Under Network, add at least two subnets in different Availability Zones\n4. Under Launch options, choose Mixed instance types\n5. Select your Launch template and set Version to $Latest\n6. Add at least two Instance types in Overrides\n7. Click Update to save",
+      "Terraform": "```hcl\n# Terraform: Ensure ASG uses multiple instance types across multiple AZs\nresource \"aws_autoscaling_group\" \"<example_resource_name>\" {\n  name               = \"<example_resource_name>\"\n  min_size           = 1\n  max_size           = 1\n  vpc_zone_identifier = [\"<subnet_id_1>\", \"<subnet_id_2>\"] # CRITICAL: Subnets in different AZs\n\n  mixed_instances_policy {\n    launch_template {\n      launch_template_specification {\n        launch_template_name = \"<example_resource_name>\"\n        version              = \"$Latest\"\n      }\n      override { instance_type = \"<INSTANCE_TYPE_1>\" } # CRITICAL: Multiple instance types per AZ\n      override { instance_type = \"<INSTANCE_TYPE_2>\" } # CRITICAL: Multiple instance types per AZ\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your EC2 Auto Scaling group to use multiple instance types across multiple Availability Zones.",
-      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-multiple-instance-type-az.html"
+      "Text": "Adopt a **mixed instances** strategy for resilience:\n- Use diverse instance families and sizes per AZ\n- Distribute capacity across multiple AZs\n- Favor allocation approaches that tolerate spot/on-demand scarcity\nApply **redundancy** and **fault tolerance** principles and validate scaling policies to avoid single points of capacity failure.",
+      "Url": "https://hub.prowler.com/check/autoscaling_group_multiple_instance_types"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.metadata.json

@@ -1,31 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "autoscaling_group_using_ec2_launch_template",
-  "CheckTitle": "Check if Amazon EC2 Auto Scaling groups use EC2 launch templates.",
+  "CheckTitle": "Amazon EC2 Auto Scaling group uses an EC2 launch template",
   "CheckType": [
     "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "autoscaling",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:autoscaling:region:account-id:autoScalingGroup/autoScalingGroupName",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsAutoScalingAutoScalingGroup",
-  "Description": "This control checks whether an Amazon EC2 Auto Scaling group is created using an EC2 launch template. The control fails if the Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy.",
-  "Risk": "Using launch configurations instead of launch templates may limit your access to the latest EC2 features and improvements, reducing the flexibility and efficiency of your Auto Scaling groups.",
-  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-template.html",
+  "Description": "**EC2 Auto Scaling groups** use an **EC2 launch template** directly or via a `mixed instances policy` to define instance configuration and versioned settings.",
+  "Risk": "Without a launch template, there is no **versioned, auditable baseline** for instance settings, increasing configuration drift. Inconsistent metadata and network options can enable unauthorized access or unstable deployments, degrading confidentiality and availability.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-launch-template.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-9",
+    "https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-template.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws autoscaling create-auto-scaling-group --launch-template LaunchTemplateId=<template-id>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-9",
-      "Terraform": ""
+      "CLI": "aws autoscaling update-auto-scaling-group --auto-scaling-group-name <example_resource_name> --launch-template LaunchTemplateId=<template-id>",
+      "NativeIaC": "```yaml\n# CloudFormation: attach a Launch Template to the ASG\nResources:\n  ASG:\n    Type: AWS::AutoScaling::AutoScalingGroup\n    Properties:\n      MinSize: '0'\n      MaxSize: '1'\n      VPCZoneIdentifier:\n        - <example_subnet_id>\n      LaunchTemplate: # critical: ensures the ASG uses an EC2 launch template (fixes the check)\n        LaunchTemplateId: <example_launch_template_id> # references the EC2 Launch Template\n        Version: $Default\n```",
+      "Other": "1. In the AWS console, go to EC2 > Auto Scaling Groups\n2. Select <example_resource_name> and click Edit\n3. Under \"Launch template or configuration\", choose Launch template and select your template and version (Default or Latest)\n4. Click Update to save",
+      "Terraform": "```hcl\n# Terraform: attach a Launch Template to the ASG\nresource \"aws_autoscaling_group\" \"example\" {\n  min_size            = 0\n  max_size            = 1\n  vpc_zone_identifier = [\"<example_subnet_id>\"]\n\n  launch_template {\n    id      = \"<example_launch_template_id>\" # critical: ensures the ASG uses an EC2 launch template (fixes the check)\n    version = \"$Default\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use EC2 launch templates when creating Auto Scaling groups to ensure access to the latest features and improvements.",
-      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-launch-template.html"
+      "Text": "Adopt **launch templates** for all Auto Scaling groups and include them in any `mixed instances policy`. Use versioning with approvals, enforce hardened defaults (least privilege roles, secure metadata like `IMDSv2`, encrypted storage), and apply change control to ensure consistency and defense in depth.",
+      "Url": "https://hub.prowler.com/check/autoscaling_group_using_ec2_launch_template"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/autoscaling/autoscaling_service.py

@@ -33,7 +33,7 @@ class AutoScaling(AWSService):
                         self.launch_configurations[arn] = LaunchConfiguration(
                             arn=arn,
                             name=configuration["LaunchConfigurationName"],
-                            user_data=configuration["UserData"],
+                            user_data=configuration.get("UserData", ""),
                             image_id=configuration["ImageId"],
                             region=regional_client.region,
                             http_tokens=configuration.get("MetadataOptions", {}).get(

prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.metadata.json

@@ -1,29 +1,42 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_inside_vpc",
-  "CheckTitle": "Ensure AWS Lambda Functions Are Deployed Inside a VPC",
-  "CheckType": [],
+  "CheckTitle": "Lambda function is deployed inside a VPC",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "This check verifies whether an AWS Lambda function is deployed within a Virtual Private Cloud (VPC). Deploying Lambda functions inside a VPC improves security by allowing control over the network environment, reducing the exposure to public internet threats.",
-  "Risk": "Lambda functions not deployed in a VPC may expose your application to increased security risks, including unauthorized access and data breaches. Without the network isolation provided by a VPC, your Lambda functions are more vulnerable to attacks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html",
+  "Description": "**AWS Lambda function** uses **VPC networking** with specified subnets and security groups, rather than the default Lambda-managed network.\n\nPresence of a VPC association (`vpc_id`) indicates private connectivity to VPC resources.",
+  "Risk": "Without VPC attachment, functions lack network isolation and granular egress control, weakening **confidentiality** and **integrity**.\n\nTraffic must use public endpoints, raising risks of data exfiltration and SSRF via unrestricted outbound. If private databases are required, missing VPC access can impact **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html",
+    "https://repost.aws/pt/knowledge-center/lambda-dedicated-vpc",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-in-vpc.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-3",
+    "https://stackoverflow.com/questions/55074793/how-can-we-force-aws-lamda-to-run-securely-in-a-vpc",
+    "https://www.techtarget.com/searchCloudComputing/answer/How-do-I-configure-AWS-Lambda-functions-in-a-VPC/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws lambda update-function-configuration --region <region-name> --function-name <function-name> --vpc-config SubnetIds=<subnet-id-1>,<subnet-id-2>,SecurityGroupIds=<security-group-id>",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-in-vpc.html",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-3",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1/"
+      "CLI": "aws lambda update-function-configuration --function-name <example_resource_name> --vpc-config SubnetIds=<example_subnet_id>,SecurityGroupIds=<example_security_group_id>",
+      "NativeIaC": "```yaml\nAWSTemplateFormatVersion: '2010-09-09'\nResources:\n  LambdaFunction:\n    Type: AWS::Lambda::Function\n    Properties:\n      FunctionName: <example_resource_name>\n      Role: <example_role_arn>\n      Handler: index.handler\n      Runtime: python3.12\n      Code:\n        S3Bucket: <example_code_bucket>\n        S3Key: <example_code_key>\n      # Critical: Attach the function to a VPC by specifying at least one subnet and one security group\n      # This sets VpcConfig, which gives the function a VPC ID and makes the check PASS\n      VpcConfig:\n        SubnetIds:\n          - <example_subnet_id>\n        SecurityGroupIds:\n          - <example_security_group_id>\n```",
+      "Other": "1. In the AWS Lambda console, open your function\n2. Go to Configuration > VPC and click Edit\n3. Select the target VPC\n4. Choose at least one Subnet and one Security group\n5. Click Save",
+      "Terraform": "```hcl\nresource \"aws_lambda_function\" \"example\" {\n  function_name = \"<example_resource_name>\"\n  role          = \"<example_role_arn>\"\n  handler       = \"index.handler\"\n  runtime       = \"python3.12\"\n  filename      = \"<example_package.zip>\"\n\n  # Critical: VPC config attaches the function to a VPC, providing a VPC ID so the check passes\n  vpc_config {\n    subnet_ids         = [\"<example_subnet_id>\"]      # at least one subnet\n    security_group_ids = [\"<example_security_group_id>\"]\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your AWS Lambda functions to operate within a Virtual Private Cloud (VPC) to enhance security and control network access.",
-      "Url": ""
+      "Text": "Attach functions to a VPC with private subnets and restrictive security groups to enforce **least privilege** and egress control.\n- Prefer **VPC endpoints** for AWS services\n- Use NAT only when necessary\n- Spread subnets across AZs for resilience\n- Govern with IAM conditions requiring `VpcIds`, `SubnetIds`, and `SecurityGroupIds`.",
+      "Url": "https://hub.prowler.com/check/awslambda_function_inside_vpc"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "trust-boundaries"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""