prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl

prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
-  "CheckTitle": "Check if Lambda functions invoke API operations are being recorded by CloudTrail.",
-  "CheckType": [],
+  "CheckTitle": "Lambda function Invoke API calls are recorded by CloudTrail",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Defense Evasion"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "Check if Lambda functions invoke API operations are being recorded by CloudTrail.",
-  "Risk": "If logs are not enabled, monitoring of service use and threat analysis is not possible.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html",
+  "Description": "**AWS Lambda** function invocations are recorded as **CloudTrail data events** when trails include `AWS::Lambda::Function` resources.\n\nThe finding reflects whether a function's `Invoke` activity is being logged by an eligible trail.",
+  "Risk": "Without Lambda `Invoke` data events, per-invocation accountability is lost. Adversaries or misused automation can run code without an audit trail, obscuring actor, time, and source. This hinders forensics and enables covert exfiltration or unauthorized changes, impacting **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html",
+    "https://support.icompaas.com/support/solutions/articles/62000127055-ensure-lambda-functions-invoke-api-operations-are-being-recorded-by-cloudtrail"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws cloudtrail put-event-selectors --trail-name <example_resource_name> --advanced-event-selectors '[{\"FieldSelectors\":[{\"Field\":\"eventCategory\",\"Equals\":[\"Data\"]},{\"Field\":\"resources.type\",\"Equals\":[\"AWS::Lambda::Function\"]}]}]'",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CloudTrail::Trail\n    Properties:\n      S3BucketName: <example_resource_name>\n      IsLogging: true\n      EventSelectors:\n        - DataResources:\n            - Type: AWS::Lambda::Function  # Critical: enables Lambda data event logging\n              Values:\n                - arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function  # Critical: logs Invoke events for all functions in the specified account/region\n```",
+      "Other": "1. In the AWS Console, go to CloudTrail > Trails\n2. Select your trail and click Edit or Event logging\n3. Under Data events, choose Add data event selector (or Edit)\n4. Select Lambda function and choose to log data events for all functions (or specify functions)\n5. Save changes",
+      "Terraform": "```hcl\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n  name           = \"<example_resource_name>\"\n  s3_bucket_name = \"<example_resource_name>\"\n\n  event_selector {\n    data_resource {\n      type   = \"AWS::Lambda::Function\"  # Critical: enable Lambda data events\n      values = [\"arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function\"]  # Critical: capture Invoke for all functions in this account/region\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Make sure you are logging information about Lambda operations. Create a lifecycle and use cases for each trail.",
-      "Url": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html"
+      "Text": "Enable **CloudTrail data event logging** for `AWS::Lambda::Function` to capture `Invoke` calls across required Regions and accounts. Apply **least privilege** selectors to scope events, centralize logs with strong retention, and integrate alerts for anomalous invokes as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled"
     }
   },
   "Categories": [
-    "forensics-ready",
     "logging"
   ],
   "DependsOn": [],

prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_no_secrets_in_code",
-  "CheckTitle": "Find secrets in Lambda functions code.",
-  "CheckType": [],
+  "CheckTitle": "Lambda function code contains no hardcoded secrets",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Sensitive Data Identifications/Passwords",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "Find secrets in Lambda functions code.",
-  "Risk": "The use of a hard-coded password increases the possibility of password guessing.  If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
-  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
+  "Description": "**Lambda function code** is analyzed for **embedded secrets** across files in the deployment package, detecting patterns like API keys, passwords, tokens, and connection strings. Findings reference file names and line numbers where potential secrets appear.",
+  "Risk": "**Hardcoded secrets** undermine confidentiality and integrity: if code, layers, or artifacts are exposed, attackers can reuse credentials to access databases, APIs, or cloud resources, enabling data exfiltration and unauthorized changes.\n\nRotation is harder, increasing dwell time and blast radius of compromises.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html",
+    "https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager/",
+    "https://www.cloudcurls.com/2025/08/how-to-manage-secrets-securely-with-aws-secrets-manager.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. In AWS Secrets Manager, click Store a new secret and create a secret for the value you hardcoded. Note the secret name/ARN.\n2. In IAM > Roles, open your Lambda execution role and add an inline policy allowing secretsmanager:GetSecretValue on that secret only.\n3. Edit your Lambda function code to remove the hardcoded value and retrieve it at runtime using the AWS SDK (GetSecretValue) with the secret name/ARN.\n4. Deploy the updated function code.",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables.",
-      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html"
+      "Text": "Use **AWS Secrets Manager** (or Parameter Store) to store secrets and retrieve at runtime; never put them in code or Lambda env vars.\n- Apply **least privilege** IAM\n- Enable **rotation**\n- Prevent secret logging; encrypt\n- Add CI/CD secret scanning",
+      "Url": "https://hub.prowler.com/check/awslambda_function_no_secrets_in_code"
     }
   },
   "Categories": [

prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json

@@ -1,26 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_no_secrets_in_variables",
-  "CheckTitle": "Find secrets in Lambda functions variables.",
-  "CheckType": [],
+  "CheckTitle": "Lambda function environment variables do not contain secrets",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Sensitive Data Identifications/Passwords",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "Find secrets in Lambda functions variables.",
-  "Risk": "The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
-  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
+  "Description": "AWS Lambda function environment variables are analyzed for content that resembles **secrets** (API keys, tokens, passwords). Pattern-based detection highlights potential hardcoded credentials present in the function's environment.",
+  "Risk": "Secrets in Lambda environment variables weaken **confidentiality**: users with config read access, runtime introspection, or logs may obtain them. Exposure can grant access to downstream systems, enable **lateral movement**, and allow tampering, impacting **integrity** and **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html",
+    "https://support.icompaas.com/support/solutions/articles/62000129505-ensure-there-are-no-secrets-in-lambda-functions-variables"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws lambda get-function-configuration --region <REGION> --function-name <FUNCTION_NAME> --query Environment.Variables",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_3#cloudformation",
-      "Other": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_3",
-      "Terraform": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_3#terraform"
+      "CLI": "aws lambda update-function-configuration --region <REGION> --function-name <FUNCTION_NAME> --environment \"Variables={}\"",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::Lambda::Function\n    Properties:\n      Environment:\n        Variables: {}  # CRITICAL: clears environment variables to ensure no secrets are stored\n```",
+      "Other": "1. Open the AWS Lambda console and select the function\n2. Go to Configuration > Environment variables\n3. Click Edit\n4. Delete variables that contain secrets (or remove all variables)\n5. Click Save",
+      "Terraform": "```hcl\nresource \"aws_lambda_function\" \"<example_resource_name>\" {\n  environment {\n    variables = {} # CRITICAL: remove all env vars so no secrets are present\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables.",
-      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html"
+      "Text": "Do not store secrets in environment variables or code. Use **AWS Secrets Manager** or **Parameter Store** with encryption, fetch at runtime using **least privilege** IAM, and prefer short-lived creds via **IAM roles**.\n\nRotate keys, limit configuration read access, and apply **defense in depth** with logging and alerts for secret access.",
+      "Url": "https://hub.prowler.com/check/awslambda_function_no_secrets_in_variables"
     }
   },
   "Categories": [

prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_not_publicly_accessible",
-  "CheckTitle": "Check if Lambda functions have resource-based policy set as Public.",
-  "CheckType": [],
+  "CheckTitle": "Lambda function resource-based policy does not allow public access",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "Check if Lambda functions have resource-based policy set as Public.",
-  "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html",
+  "Description": "**AWS Lambda** function resource-based policies are assessed for **public access**. The finding identifies policies with wildcard or empty `Principal` that allow actions like `lambda:InvokeFunction` to any principal.",
+  "Risk": "**Public invocation** lets outsiders run code under the function's IAM role.\n\nImpacts:\n- **Confidentiality**: data exfiltration via backend access\n- **Integrity**: unauthorized state changes from side effects\n- **Availability/cost**: invocation floods causing throttling and spend spikes",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/config/latest/developerguide/lambda-function-public-access-prohibited.html",
+    "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws lambda remove-permission --region <REGION> --function-name <QUEUE_NAME> --statement-id FullAccess",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
-      "Terraform": ""
+      "CLI": "aws lambda remove-permission --function-name <example_function_name> --statement-id <example_statement_id>",
+      "NativeIaC": "```yaml\n# CloudFormation: restrict Lambda permission to a non-public principal\nResources:\n  <example_resource_name>Permission:\n    Type: AWS::Lambda::Permission\n    Properties:\n      Action: lambda:InvokeFunction\n      FunctionName: <example_resource_name>\n      Principal: 123456789012  # Critical: not \"*\"; limits invoke permission to a specific account to prevent public access\n```",
+      "Other": "1. Open the AWS Lambda console and select the function\n2. Go to Configuration > Permissions\n3. Under Resource-based policy, view the policy statements\n4. Find any statement with Principal set to \"*\" (or { \"AWS\": \"*\" })\n5. Delete that statement and save\n6. If access is needed, re-add a permission for a specific principal only (for example, an AWS account ID or a service principal)",
+      "Terraform": "```hcl\n# Restrict Lambda permission to a non-public principal\nresource \"aws_lambda_permission\" \"<example_resource_name>\" {\n  statement_id  = \"AllowSpecificPrincipal\"\n  action        = \"lambda:InvokeFunction\"\n  function_name = \"<example_resource_name>\"\n  principal     = \"123456789012\"  # Critical: not \"*\"; prevents public access\n}\n```"
     },
     "Recommendation": {
-      "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
-      "Url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html"
+      "Text": "Remove public principals from function policies. Grant access only to specific accounts, roles, or services using fixed ARNs and **least privilege**. Add conditions like `AWS:SourceAccount` and `AWS:SourceArn` to constrain service triggers. Enforce **separation of duties** and monitor access for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/awslambda_function_not_publicly_accessible"
     }
   },
   "Categories": [

prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_url_cors_policy",
-  "CheckTitle": "Check Lambda Function URL CORS configuration.",
-  "CheckType": [],
+  "CheckTitle": "Lambda function URL CORS does not allow wildcard origins (*)",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "Check Lambda Function URL CORS configuration.",
-  "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
-  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
+  "Description": "**Lambda function URL** CORS policy is reviewed for `AllowOrigins`. The presence of `*` indicates a wide origin allowance in the CORS configuration.",
+  "Risk": "**Wildcard origins** allow any website to call the endpoint from a browser and read responses, weakening origin isolation.\n\nThis can lead to data exposure (C) and unauthorized actions (I) if state-changing methods are reachable, enabling scripted abuse and cross-origin attacks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.icompaas.com/support/solutions/articles/62000229584-ensure-lambda-function-url-cors-configurations-were-checked",
+    "https://docs.aws.amazon.com/lambda/latest/api/API_Cors.html",
+    "https://tutorialsdojo.com/how-to-configure-aws-lambda-function-url-with-cross-origin-resource-sharing/",
+    "https://dev.to/rimutaka/aws-lambda-function-url-with-cors-explained-by-example-14df"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws lambda update-function-url-config --region AWS_REGION --function-name FUNCTION-NAME --auth-type AWS_IAM --cors 'AllowOrigins=https://www.example.com,AllowMethods=*,ExposeHeaders=keep-alive,MaxAge=3600,AllowCredentials=false'",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws lambda update-function-url-config --function-name <example_resource_name> --cors AllowOrigins=https://www.example.com",
+      "NativeIaC": "```yaml\n# CloudFormation: restrict Lambda Function URL CORS to a specific origin\nResources:\n  FunctionUrl:\n    Type: AWS::Lambda::Url\n    Properties:\n      TargetFunctionArn: <example_resource_arn>\n      AuthType: AWS_IAM\n      Cors:\n        AllowOrigins:\n          - https://www.example.com  # Critical: removes '*' wildcard by allowing only this origin\n```",
+      "Other": "1. In the AWS Console, go to Lambda > Functions and select <example_resource_name>\n2. Open Configuration > Function URL > Edit\n3. In CORS, remove '*' from Allowed origins and enter https://www.example.com\n4. Save changes",
+      "Terraform": "```hcl\n# Terraform: restrict Lambda Function URL CORS to a specific origin\nresource \"aws_lambda_function_url\" \"example\" {\n  function_name      = \"<example_resource_name>\"\n  authorization_type = \"AWS_IAM\"\n  cors {\n    allow_origins = [\"https://www.example.com\"] # Critical: removes '*' wildcard by allowing only this origin\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
-      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html"
+      "Text": "Apply least privilege to CORS:\n- Restrict `AllowOrigins` to trusted domains; avoid `*`\n- Limit `AllowMethods`/`AllowHeaders`; disable `AllowCredentials` unless required\n- Prefer authenticated access (e.g., `AWS_IAM`) and enforce resource policies for defense in depth",
+      "Url": "https://hub.prowler.com/check/awslambda_function_url_cors_policy"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.metadata.json

@@ -1,26 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_url_public",
-  "CheckTitle": "Check Public Lambda Function URL.",
-  "CheckType": [],
+  "CheckTitle": "Lambda function URL is not publicly accessible",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "Check Public Lambda Function URL.",
-  "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
-  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
+  "Description": "**AWS Lambda function URLs** are assessed to determine whether `AuthType` enforces **AWS IAM authentication** or permits **public invocation**.\n\nApplies to functions with a function URL and highlights when requests must be authenticated and authorized via IAM principals.",
+  "Risk": "An unauthenticated function URL lets anyone invoke code:\n- Confidentiality: data exposure\n- Integrity: unintended changes via over-privileged logic\n- Availability: DoS/denial-of-wallet through high request rates\n\nAttackers can script calls, exfiltrate data, and pivot using the function's permissions.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/iam-auth-function-url.html",
+    "https://www.roastdev.com/post/aws-lambda-url-invocations-with-iam-authentication-and-throttling-limits",
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
+    "https://dev.to/aws-builders/hands-on-aws-lambda-function-url-with-aws-iam-authentication-type-180g",
+    "https://www.rahulpnath.com/blog/how-to-secure-and-authenticate-lambda-function-urls/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws lambda update-function-url-config --region AWS_REGION --function-name FUNCTION-NAME --auth-type AWS_IAM",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws lambda update-function-url-config --function-name <FUNCTION_NAME> --auth-type AWS_IAM",
+      "NativeIaC": "```yaml\n# CloudFormation: set Lambda Function URL to require IAM auth\nResources:\n  FunctionUrl:\n    Type: AWS::Lambda::Url\n    Properties:\n      TargetFunctionArn: arn:aws:lambda:<region>:<account-id>:function/<example_resource_name>\n      AuthType: AWS_IAM  # CRITICAL: requires IAM authentication, preventing public access\n```",
+      "Other": "1. In AWS Console, go to Lambda > Functions and open <example_resource_name>\n2. Select Configuration > Function URL > Edit\n3. Set Auth type to AWS_IAM\n4. Click Save",
+      "Terraform": "```hcl\n# Set Lambda Function URL to require IAM authentication\nresource \"aws_lambda_function_url\" \"example\" {\n  function_name      = \"<example_resource_name>\"\n  authorization_type = \"AWS_IAM\"  # CRITICAL: blocks public access by requiring IAM auth\n}\n```"
     },
     "Recommendation": {
-      "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
-      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html"
+      "Text": "Enforce `AWS_IAM` on function URLs and apply **least privilege**:\n- Grant `lambda:InvokeFunctionUrl` only to required principals\n- Avoid `*` principals or broad conditions\n- Limit CORS to trusted origins and methods\n- Set reserved concurrency to contain abuse\n\nConsider **defense in depth** (WAF/CDN or private access) for Internet use.",
+      "Url": "https://hub.prowler.com/check/awslambda_function_url_public"
     }
   },
   "Categories": [

prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_using_supported_runtimes",
-  "CheckTitle": "Find obsolete Lambda runtimes.",
-  "CheckType": [],
+  "CheckTitle": "Lambda function uses a supported runtime",
+  "CheckType": [
+    "Software and Configuration Checks/Patch Management",
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "Find obsolete Lambda runtimes.",
-  "Risk": "If you have functions running on a runtime that will be deprecated in the next 60 days, Lambda notifies you by email that you should prepare by migrating your function to a supported runtime. In some cases, such as security issues that require a backwards-incompatible update, or software that does not support a long-term support (LTS) schedule, advance notice might not be possible. After a runtime is deprecated, Lambda might retire it completely at any time by disabling invocation. Deprecated runtimes are not eligible for security updates or technical support.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html",
+  "Description": "**Lambda functions** using **obsolete runtimes**-such as `python3.8`, `nodejs14.x`, `go1.x`, `ruby2.7`-are identified against a curated list of deprecated runtime identifiers.",
+  "Risk": "Unmaintained runtimes lack security patches, exposing code and libraries to known CVEs (**confidentiality, integrity**).\n\nDeprecation can block create/update and break builds, causing failed deployments or runtime errors (**availability**). Tooling may stop supporting builds, slowing fixes and recovery.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/blogs/compute/managing-aws-lambda-runtime-upgrades/",
+    "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/supported-runtime-environment.html",
+    "https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws lambda update-function-configuration --region AWS-REGION --function-name FUNCTION-NAME --runtime 'RUNTIME'",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws lambda update-function-configuration --function-name <FUNCTION_NAME> --runtime <SUPPORTED_RUNTIME>",
+      "NativeIaC": "```yaml\n# CloudFormation: set Lambda to a supported runtime\nResources:\n  <example_resource_name>:\n    Type: AWS::Lambda::Function\n    Properties:\n      Role: <example_role_arn>\n      Handler: <example_handler>\n      Runtime: <SUPPORTED_RUNTIME>  # FIX: change to a supported runtime (e.g., python3.12) to pass the check\n      Code:\n        S3Bucket: <example_bucket_name>\n        S3Key: <example_object_key>\n```",
+      "Other": "1. Open the AWS Lambda console and select the function\n2. Go to Configuration > Runtime settings > Edit\n3. In Runtime, choose a supported runtime (e.g., python3.12) and click Save",
+      "Terraform": "```hcl\n# Set Lambda to a supported runtime\nresource \"aws_lambda_function\" \"<example_resource_name>\" {\n  function_name = \"<example_resource_name>\"\n  role          = \"<example_role_arn>\"\n  handler       = \"<example_handler>\"\n  runtime       = \"<SUPPORTED_RUNTIME>\" # FIX: use a supported runtime (e.g., python3.12) to pass the check\n  filename      = \"<example_package.zip>\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Test new runtimes as they are made available. Implement them in production as soon as possible.",
-      "Url": "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html"
+      "Text": "Upgrade to **supported LTS runtimes** (AL2/AL2023) and include runtime upgrades in a secure SDLC.\n\nTest in staging, deploy via versions/aliases, and keep dependencies current. Monitor deprecation notices. Apply guardrails to block deprecated `runtime` values and allow only approved runtimes, aligning with **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/awslambda_function_using_supported_runtimes"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "container-security"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.metadata.json

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "awslambda_function_vpc_multi_az",
-  "CheckTitle": "Check if AWS Lambda Function VPC is deployed Across Multiple Availability Zones",
-  "CheckType": [],
+  "CheckTitle": "Lambda function is configured with VPC subnets in at least two Availability Zones",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+  ],
   "ServiceName": "awslambda",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsLambdaFunction",
-  "Description": "This control checks whether an AWS Lambda function connected to a VPC operates in at least the specified number of Availability Zones (AZs). A failure occurs if the function does not operate in the required number of AZs, which by default is two.",
-  "Risk": "A Lambda function not deployed across multiple AZs increases the risk of a single point of failure, which can result in a complete disruption of the function's operations if an AZ becomes unavailable.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html",
+  "Description": "**AWS Lambda** functions attached to a VPC use subnets that span at least the required number of **Availability Zones** (`2` by default).\n\nThe evaluation counts the unique AZs of the function's configured subnets.",
+  "Risk": "Single-AZ placement limits **availability**. An AZ outage or subnet/IP exhaustion can block ENI creation and VPC access, causing failed invocations, timeouts, and event backlogs.\n\nThis degrades uptime and can delay processing of critical events.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html",
+    "https://stackzonecom.tawk.help/article/aws-config-rule-lambda-vpc-multi-az-check",
+    "https://stackoverflow.com/questions/62052490/why-aws-lambda-suggests-to-set-up-two-subnets-if-vpc-is-configured",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-5"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-5",
-      "Terraform": ""
+      "CLI": "aws lambda update-function-configuration --function-name <example_resource_name> --vpc-config SubnetIds=<subnet_id_az1>,<subnet_id_az2>,SecurityGroupIds=<example_security_group_id>",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::Lambda::Function\n    Properties:\n      Role: <example_role_arn>\n      Handler: index.handler\n      Runtime: python3.12\n      Code:\n        ZipFile: |\n          def handler(event, context):\n            return \"\"\n      VpcConfig:\n        SecurityGroupIds:\n          - <example_security_group_id>\n        SubnetIds:\n          - <subnet_id_az1>  # Critical: select subnets in different AZs\n          - <subnet_id_az2>  # Critical: ensures function operates in >=2 AZs\n```",
+      "Other": "1. Open the Lambda console and select the function\n2. Go to Configuration > VPC > Edit\n3. Select the target VPC and choose at least two subnets in different Availability Zones\n4. Select a security group\n5. Click Save",
+      "Terraform": "```hcl\nresource \"aws_lambda_function\" \"<example_resource_name>\" {\n  function_name = \"<example_resource_name>\"\n  role          = \"<example_role_arn>\"\n  handler       = \"index.handler\"\n  runtime       = \"python3.12\"\n  filename      = \"function.zip\"\n\n  vpc_config {\n    subnet_ids         = [\"<subnet_id_az1>\", \"<subnet_id_az2>\"] # Critical: subnets in different AZs\n    security_group_ids = [\"<example_security_group_id>\"]\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that your AWS Lambda functions connected to a VPC are distributed across multiple Availability Zones (AZs) to enhance availability and resilience.",
-      "Url": "https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html"
+      "Text": "Distribute VPC-connected functions across subnets in `2` distinct AZs to ensure **fault tolerance**.\n- Choose subnets from different AZs\n- Avoid AZ-pinned configs or fixed IPs\n- Provide per-AZ egress/endpoints and routing\n- Regularly test AZ failover\nAligns with **resilience** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/awslambda_function_vpc_multi_az"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json

@@ -1,33 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "backup_plans_exist",
-  "CheckTitle": "Ensure that there is at least one AWS Backup plan",
+  "CheckTitle": "At least one AWS Backup plan exists",
   "CheckType": [
-    "Recover",
-    "Resilience",
-    "Backup"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "backup",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:backup-plan:backup-plan-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsBackupBackupPlan",
-  "Description": "This check ensures that there is at least one backup plan in place.",
-  "Risk": "Without a backup plan, an organization may be at risk of losing important data due to accidental deletion, system failures, or natural disasters. This can result in significant financial and reputational damage for the organization.",
-  "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/about-backup-plans.html",
+  "Description": "**AWS Backup** is assessed for the existence of at least one **backup plan** that schedules and retains recovery points for selected resources.\n\nThe evaluation determines whether any plan is configured; when none is found-even if backup vaults exist-the absence of a plan is noted.",
+  "Risk": "Without a backup plan, resources lack scheduled recovery points, undermining RPO/RTO.\n- Irrecoverable data after deletion or corruption (integrity)\n- Prolonged outages due to unavailable restores (availability)\n- Inconsistent backups that hinder investigations and controlled recovery",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://awscli.amazonaws.com/v2/documentation/api/2.0.33/reference/backup/create-backup-plan.html",
+    "https://docs.aws.amazon.com/aws-backup/latest/devguide/about-backup-plans.html",
+    "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan",
+    "https://medium.com/@christopheradamson253/backup-strategies-using-aws-backup-1b17b94a7957"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws backup create-backup-plan --backup-plan <backup_plan_name> --backup-plan-rule <backup_rule_name>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws backup create-backup-plan --backup-plan \"{\\\"BackupPlanName\\\":\\\"<example_resource_name>\\\",\\\"Rules\\\":[{\\\"RuleName\\\":\\\"<example_resource_name>\\\",\\\"TargetBackupVaultName\\\":\\\"Default\\\"}]}\"",
+      "NativeIaC": "```yaml\n# CloudFormation: create a minimal AWS Backup Plan to pass the check\nResources:\n  <example_resource_name>:\n    Type: AWS::Backup::BackupPlan\n    Properties:\n      BackupPlan:\n        BackupPlanName: <example_resource_name>  # Critical: ensures at least one Backup Plan exists\n        Rules:\n          - RuleName: <example_resource_name>     # Critical: minimal required rule\n            TargetBackupVault: Default            # Critical: required vault for the rule\n```",
+      "Other": "1. In the AWS Console, go to AWS Backup\n2. Click Backup plans > Create backup plan\n3. Choose Build a new plan\n4. Enter Plan name: <example_resource_name>\n5. Under Backup rule, set Rule name: <example_resource_name> and Target backup vault: Default\n6. Click Create plan",
+      "Terraform": "```hcl\n# Terraform: minimal AWS Backup Plan to satisfy the check\nresource \"aws_backup_plan\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"  # Critical: creates the Backup Plan so the check passes\n\n  rule {\n    rule_name         = \"<example_resource_name>\"  # Critical: minimal rule\n    target_vault_name = \"Default\"                  # Critical: required vault\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use AWS Backup to create backup plans for your critical data and services.",
-      "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/about-backup-plans.html"
+      "Text": "Establish and enforce **backup plans** for critical workloads:\n- Define schedules, retention, and lifecycle to meet RPO/RTO\n- Use tagging to include all required resources by policy\n- Enable cross-Region/account copies and immutability where feasible\n- Apply least privilege to backup roles\n- Regularly test restores and review reports",
+      "Url": "https://hub.prowler.com/check/backup_plans_exist"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.metadata.json

@@ -1,28 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "backup_recovery_point_encrypted",
-  "CheckTitle": "Check if AWS Backup recovery points are encrypted at rest.",
+  "CheckTitle": "AWS Backup recovery point is encrypted at rest",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "backup",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:backup:region:account-id:recovery-point/recovery-point-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsBackupRecoveryPoint",
-  "Description": "This control checks if an AWS Backup recovery point is encrypted at rest. The control fails if the recovery point isn't encrypted at rest.",
-  "Risk": "Without encryption at rest, AWS Backup recovery points are vulnerable to unauthorized access, which could compromise the confidentiality and integrity of the backed-up data.",
-  "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html",
+  "Description": "**AWS Backup recovery points** are evaluated for **encryption at rest** using the backup vault's KMS configuration. Items lacking vault-level encryption are highlighted, regardless of the source resource's encryption.",
+  "Risk": "Unencrypted recovery points can be read or copied if vault access is obtained, enabling offline analysis and data theft (**confidentiality**). Snapshots or restores may be altered (**integrity**), and unsafe restores can disrupt recovery operations (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/backup-controls.html#backup-1",
+    "https://readmedium.com/how-would-you-desgin-a-solution-for-autmated-backup-and-recovery-of-data-and-services-in-aws-311662f5a43e",
+    "https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html",
+    "https://medium.com/cloud-devops-security-ai-career-talk/how-would-you-desgin-a-solution-for-autmated-backup-and-recovery-of-data-and-services-in-aws-311662f5a43e",
+    "https://github.com/turbot/steampipe-mod-aws-compliance/issues/598"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws backup update-backup-vault --backup-vault-name <backup_vault_name> --encryption-key-arn <kms_key_arn>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/backup-controls.html#backup-1",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: Encrypted AWS Backup Vault\nResources:\n  <example_resource_name>:\n    Type: AWS::Backup::BackupVault\n    Properties:\n      BackupVaultName: <example_resource_name>\n      EncryptionKeyArn: <kms_key_arn>  # Critical: vault uses this KMS key so recovery points stored here are encrypted at rest\n```",
+      "Other": "1. In AWS Backup, go to Backup vaults > Create backup vault\n2. Enter a name and select a KMS key (aws/backup or a customer-managed key)\n3. Save the vault\n4. Go to Backup plans > select your plan > Edit and set the Target backup vault to the encrypted vault > Save\n5. To remediate existing unencrypted recovery points: Recovery points > select the item > Copy > choose the encrypted vault > Start copy, then delete the original unencrypted recovery point",
+      "Terraform": "```hcl\n# Encrypted AWS Backup Vault\nresource \"aws_backup_vault\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  kms_key_arn = \"<kms_key_arn>\" # Critical: ensures recovery points in this vault are encrypted at rest\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that AWS Backup recovery points are encrypted at rest by using an AWS KMS key when creating backups.",
-      "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html"
+      "Text": "Encrypt all recovery points with **KMS**, preferring **customer-managed keys** for rotation and control. Apply **least privilege** to keys and vaults, require encrypted copies across accounts/Regions, and continuously monitor for unencrypted artifacts. Use `aws/backup` or `CMEK` consistently.",
+      "Url": "https://hub.prowler.com/check/backup_recovery_point_encrypted"
     }
   },
   "Categories": [