prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl

prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.metadata.json

@@ -1,33 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "backup_reportplans_exist",
-  "CheckTitle": "Ensure that there is at least one AWS Backup report plan",
+  "CheckTitle": "At least one AWS Backup report plan exists",
   "CheckType": [
-    "Recover",
-    "Resilience",
-    "Backup"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "backup",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:backup-report-plan:backup-report-plan-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsBackupBackupPlan",
-  "Description": "This check ensures that there is at least one backup report plan in place.",
-  "Risk": "Without a backup report plan, an organization may lack visibility into the success or failure of backup operations.",
-  "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-console.html",
+  "Description": "**AWS Backup** environments with existing backup plans are assessed for the presence of at least one **report plan** that generates `jobs` or `compliance` reports.",
+  "Risk": "Without a report plan, backup failures and missed restores may go unnoticed, harming **availability** and recovery objectives. Gaps in retention, scheduling, or encryption controls can persist unreported, weakening **integrity** and auditability across accounts and Regions, increasing the chance of SLA breaches.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-console.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws backup create-report-plan --report-plan-name <report-plan-name> --report-delivery-channel <value> --report-setting <value>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws backup create-report-plan --report-plan-name <REPORT_PLAN_NAME> --report-delivery-channel s3BucketName=<S3_BUCKET_NAME>,formats=CSV --report-setting reportTemplate=BACKUP_JOB_REPORT",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::Backup::ReportPlan\n    Properties:\n      ReportPlanName: <example_resource_name> # Critical: creates the report plan required to pass the check\n      ReportDeliveryChannel:\n        S3BucketName: <example_resource_name> # Critical: destination bucket for reports\n        Formats:\n          - CSV # Critical: valid report file format\n      ReportSetting:\n        ReportTemplate: BACKUP_JOB_REPORT # Critical: minimal template to enable job reports\n```",
+      "Other": "1. Open the AWS Backup console and go to Reports\n2. Click Create report plan\n3. Select the Backup jobs (job report) template\n4. Enter a Report plan name and choose an S3 bucket\n5. Select CSV as the file format\n6. Click Create report plan",
+      "Terraform": "```hcl\nresource \"aws_backup_report_plan\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\" # Critical: creates at least one report plan\n\n  report_delivery_channel {\n    s3_bucket_name = \"<example_resource_name>\" # Critical: destination bucket for reports\n    formats        = [\"CSV\"] # Critical: valid report file format\n  }\n\n  report_setting {\n    report_template = \"BACKUP_JOB_REPORT\" # Critical: minimal job report template\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use AWS Backup to create backup report plans that provide visibility into the success or failure of backup operations.",
-      "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-console.html"
+      "Text": "Establish and maintain **report plans** to continuously monitor backup activity and policy adherence.\n- Apply least privilege to report storage\n- Include relevant accounts and Regions for coverage\n- Review reports routinely and alert on anomalies\n- Enforce separation of duties between backup admins and auditors",
+      "Url": "https://hub.prowler.com/check/backup_reportplans_exist"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.metadata.json

@@ -1,31 +1,42 @@
 {
   "Provider": "aws",
   "CheckID": "backup_vaults_encrypted",
-  "CheckTitle": "Ensure that AWS Backup vaults are encrypted with AWS KMS",
+  "CheckTitle": "AWS Backup vault is encrypted at rest",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Software and Configuration Checks/Industry and Regulatory Standards/ISO 27001 Controls",
+    "Software and Configuration Checks/Industry and Regulatory Standards/HIPAA Controls (USA)"
   ],
   "ServiceName": "backup",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:backup-vault:backup-vault-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsBackupBackupVault",
-  "Description": "This check ensures that AWS Backup vaults are encrypted with AWS KMS.",
-  "Risk": "Without encryption using AWS KMS, an organization's backup data may be at risk of unauthorized access, which can lead to data breaches and other security incidents.",
-  "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html",
+  "Description": "**AWS Backup vaults** are evaluated for **encryption at rest** with **AWS KMS**. The finding highlights vaults without a configured KMS key protecting stored recovery points.",
+  "Risk": "Unencrypted vaults allow recovery points to be read if storage or credentials are compromised, undermining **confidentiality** and enabling data exfiltration. Missing KMS controls also weaken **integrity** guarantees and impede forensic **auditability** during investigations.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Athena/encrypted-with-cmk.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws backup update-backup-vault --backup-vault-name <backup_vault_name> --encryption-key-arn <kms_key_arn>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Athena/encrypted-with-cmk.html",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: Encrypted AWS Backup Vault\nResources:\n  <example_resource_name>:\n    Type: AWS::Backup::BackupVault\n    Properties:\n      BackupVaultName: <example_resource_name>\n      EncryptionKeyArn: <kms_key_arn>  # CRITICAL: sets KMS key to encrypt the vault at rest\n```",
+      "Other": "1. In the AWS Console, go to AWS Backup > Backup vaults\n2. Click Create backup vault\n3. Set Name to <example_resource_name>\n4. Under Encryption key, select a customer managed KMS key (<kms_key_arn>)\n5. Click Create backup vault\n6. Update any Backup plans to use the new vault (Plans > select plan > Edit > change Target vault name)\n7. Delete the old unencrypted vault after it is empty (select vault > Delete backup vault)",
+      "Terraform": "```hcl\n# Encrypted AWS Backup Vault\nresource \"aws_backup_vault\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  kms_key_arn = \"<kms_key_arn>\"  # CRITICAL: enables encryption at rest for the vault\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use AWS KMS to encrypt your AWS Backup vaults and backup data.",
-      "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html"
+      "Text": "Encrypt every backup vault with **customer-managed KMS keys** (`CMK`). Enforce **least privilege** in key policies, enable rotation, and separate key admins from backup operators. Add **defense-in-depth** with vault lock and logging. *For copies*, ensure destination vaults use appropriate KMS keys.",
+      "Url": "https://hub.prowler.com/check/backup_vaults_encrypted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json

@@ -1,33 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "backup_vaults_exist",
-  "CheckTitle": "Ensure AWS Backup vaults exist",
+  "CheckTitle": "At least one AWS Backup vault exists",
   "CheckType": [
-    "Recover",
-    "Resilience",
-    "Backup"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "backup",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:backup-vault:backup-vault-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsBackupBackupVault",
-  "Description": "This check ensures that AWS Backup vaults exist to provide a secure and durable storage location for backup data.",
-  "Risk": "Without an AWS Backup vault, an organization's critical data may be at risk of being lost in the event of an accidental deletion, system failures, or natural disasters.",
-  "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html",
+  "Description": "**AWS Backup** in the account/region includes at least one **backup vault** that stores and organizes recovery points for use by backup plans and copies.",
+  "Risk": "Without a vault, recovery points cannot be created or retained in AWS Backup, degrading **availability** and **integrity**. Data may be irrecoverable after deletion, ransomware, or misconfiguration, and RPO/RTO targets may be missed during incidents.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws backup create-backup-vault --backup-vault-name <backup_vault_name>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws backup create-backup-vault --backup-vault-name <example_resource_name>",
+      "NativeIaC": "```yaml\n# CloudFormation: create a Backup Vault\nResources:\n  BackupVault:\n    Type: AWS::Backup::BackupVault\n    Properties:\n      VaultName: <example_resource_name>  # Critical: creates a backup vault to satisfy the check\n```",
+      "Other": "1. Sign in to the AWS Management Console and open the AWS Backup console\n2. In the left navigation pane, select Backup vaults\n3. Click Create backup vault\n4. Enter a name (e.g., <example_resource_name>)\n5. Click Create backup vault",
+      "Terraform": "```hcl\n# Create a Backup Vault\nresource \"aws_backup_vault\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\" # Critical: ensures at least one backup vault exists\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use AWS Backup to create backup vaults for your critical data and services.",
-      "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/vaults.html"
+      "Text": "Create and maintain a **backup vault** in each required region. Enforce **least privilege** access, encrypt with **KMS CMKs**, and enable **Vault Lock** to prevent tampering. Use lifecycle rules and cross-region/cross-account copies, and regularly test restores for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/backup_vaults_exist"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "cloudformation_stack_cdktoolkit_bootstrap_version",
-  "CheckTitle": "Ensure that CDKToolkit stacks have a Bootstrap version of 21 or higher to mitigate security risks.",
-  "CheckType": [],
+  "CheckTitle": "CDKToolkit CloudFormation stack has Bootstrap version 21 or higher",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Patch Management"
+  ],
   "ServiceName": "cloudformation",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudformation:region:account-id:stack/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCloudFormationStack",
-  "Description": "Ensure that CDKToolkit stacks have a Bootstrap version of 21 or higher to mitigate security risks.",
-  "Risk": "Using outdated CDKToolkit Bootstrap versions can expose accounts to risks such as bucket takeover or privilege escalation.",
-  "RelatedUrl": "https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html",
+  "Description": "**CloudFormation CDKToolkit** stack's `BootstrapVersion` is compared to a recommended minimum (default `21`). A lower value indicates the environment uses legacy bootstrap resources and IAM roles from older templates.",
+  "Risk": "**Outdated bootstrap stacks** can lack recent hardening. Asset buckets or ECR repos may be easier to misuse, and deployment roles may have broader trust.\n\nAdversaries could tamper artifacts or assume privileged roles, compromising integrity/confidentiality and enabling privilege escalation.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://towardsthecloud.com/blog/aws-cdk-bootstrap",
+    "https://support.icompaas.com/support/solutions/articles/62000233694-ensure-that-cdktoolkit-stacks-have-a-bootstrap-version-of-21-or-higher-to-mitigate-security-risks",
+    "https://docs.aws.amazon.com/cdk/v2/guide/ref-cli-cmd-bootstrap.html",
+    "https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-customizing.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "cdk bootstrap aws://<ACCOUNT_ID>/<REGION>",
+      "NativeIaC": "```yaml\n# Minimal CloudFormation to expose BootstrapVersion >= 21 for CDKToolkit\n# Deploy this template as a stack named \"CDKToolkit\"\nResources:\n  CdkBootstrapVersion:\n    Type: AWS::SSM::Parameter\n    Properties:\n      Type: String\n      Name: /cdk-bootstrap/hnb659fds/version  # critical: stores the bootstrap version used by CDK\n      Value: \"21\"                              # critical: set to 21 (or higher) to satisfy the check\nOutputs:\n  BootstrapVersion:\n    Value: !GetAtt CdkBootstrapVersion.Value   # critical: exposes the version in stack outputs so the check passes\n```",
+      "Other": "1. Sign in to the AWS Console and open CloudShell\n2. Run: cdk bootstrap aws://<ACCOUNT_ID>/<REGION>\n3. In the console, go to CloudFormation > Stacks > CDKToolkit > Outputs\n4. Confirm Output \"BootstrapVersion\" is 21 or higher",
+      "Terraform": "```hcl\n# Create/Update the CDKToolkit stack with BootstrapVersion >= 21\nresource \"aws_cloudformation_stack\" \"cdktoolkit\" {\n  name          = \"CDKToolkit\"\n  # critical: template sets the BootstrapVersion output to 21 (or higher) so the check passes\n  template_body = <<YAML\nResources:\n  CdkBootstrapVersion:\n    Type: AWS::SSM::Parameter\n    Properties:\n      Type: String\n      Name: /cdk-bootstrap/hnb659fds/version  # critical: stores the bootstrap version\n      Value: \"21\"                              # critical: version must be >= 21\nOutputs:\n  BootstrapVersion:\n    Value: !GetAtt CdkBootstrapVersion.Value   # critical: exposes version via stack output\nYAML\n}\n```"
     },
     "Recommendation": {
-      "Text": "Update the CDKToolkit stack Bootstrap version to 21 or later by running the cdk bootstrap command with the latest CDK version.",
-      "Url": "https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html"
+      "Text": "Standardize on the modern bootstrap at or above the recommended version (e.g., `>= 21`) in every account and Region.\n\nApply **least privilege** to bootstrap roles, limit trusted accounts, enable termination protection, and periodically review for version drift to strengthen **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/cloudformation_stack_cdktoolkit_bootstrap_version"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.metadata.json

@@ -1,26 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "cloudformation_stack_outputs_find_secrets",
-  "CheckTitle": "Find secrets in CloudFormation outputs",
-  "CheckType": [],
+  "CheckTitle": "CloudFormation stack outputs do not contain secrets",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Sensitive Data Identifications/Passwords",
+    "Sensitive Data Identifications/Security",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "cloudformation",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudformation:region:account-id:stack/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsCloudFormationStack",
-  "Description": "Find secrets in CloudFormation outputs",
-  "Risk": "Secrets hardcoded into CloudFormation outputs can be used by malware and bad actors to gain lateral access to other services.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html",
+  "Description": "**CloudFormation stack Outputs** are analyzed for hardcoded secrets-passwords, API keys, tokens-using pattern-based detection across output values. A finding indicates potential secret strings present within `Outputs` of the template or stack.",
+  "Risk": "**Secrets in Outputs** are readable to anyone with stack metadata access, enabling credential theft, unauthorized API calls, and lateral movement. Exposure via consoles, exports, or CI logs undermines confidentiality and can lead to privilege escalation and data exfiltration.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html",
+    "https://support.icompaas.com/support/solutions/articles/62000127093-ensure-no-secrets-are-found-in-cloudformation-outputs",
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_2",
-      "Terraform": ""
+      "CLI": "aws cloudformation update-stack --stack-name <STACK_NAME> --template-body file://<TEMPLATE_WITHOUT_SENSITIVE_OUTPUTS>.yaml",
+      "NativeIaC": "```yaml\nAWSTemplateFormatVersion: '2010-09-09'\nOutputs:\n  # Critical: remove outputs that expose secrets (passwords/tokens/keys)\n  # Keeping only non-sensitive values in Outputs remediates the finding\n  SafeInfo:\n    Value: \"non-sensitive\"\n```",
+      "Other": "1. In the AWS Console, go to CloudFormation > Stacks and select the stack\n2. Click Update > Replace current template\n3. Upload or paste the template with any secret-bearing Outputs removed (do not output passwords/tokens/keys)\n4. Click Next through the wizard and choose Submit to apply the change set\n5. Verify the stack Outputs tab no longer shows sensitive values",
+      "Terraform": "```hcl\n# Critical: the embedded CloudFormation template removes secret outputs\nresource \"aws_cloudformation_stack\" \"<example_resource_name>\" {\n  name          = \"<example_resource_name>\"\n  template_body = <<-YAML\n    AWSTemplateFormatVersion: '2010-09-09'\n    # Critical: delete Outputs that expose secrets; keep only non-sensitive values\n    Outputs:\n      SafeInfo:\n        Value: \"non-sensitive\"  # Avoids exposing secrets in stack outputs\n  YAML\n}\n```"
     },
     "Recommendation": {
-      "Text": "Implement automated detective control to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets.",
-      "Url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html"
+      "Text": "Remove secrets from `Outputs`. Store credentials in **Secrets Manager** or **Parameter Store** and reference them via dynamic references; set `NoEcho` for sensitive parameters. Apply **least privilege** to view stack metadata, avoid exporting sensitive values, and add automated IaC secret scanning for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/cloudformation_stack_outputs_find_secrets"
     }
   },
   "Categories": [

prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "cloudformation_stacks_termination_protection_enabled",
-  "CheckTitle": "Enable termination protection for Cloudformation Stacks",
-  "CheckType": [],
+  "CheckTitle": "CloudFormation stack has termination protection enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Data Destruction"
+  ],
   "ServiceName": "cloudformation",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudformation:region:account-id:stack/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCloudFormationStack",
-  "Description": "Enable termination protection for Cloudformation Stacks",
-  "Risk": "Without termination protection enabled, a critical cloudformation stack can be accidently deleted.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html",
+  "Description": "**AWS CloudFormation root stacks** are evaluated for **termination protection**. The detection identifies whether `termination protection` is enabled to block stack deletions on non-nested stacks.",
+  "Risk": "Without **termination protection**, human error or automation can delete entire stacks, causing immediate **availability** loss and potential **data destruction** of managed resources.\n\nAttackers with delete rights can more easily trigger outages and hinder recovery.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFormation/stack-termination-protection.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws cloudformation update-termination-protection --region <REGION_NAME> --stack-name <STACK_NAME> --enable-termination-protection",
+      "CLI": "aws cloudformation update-termination-protection --stack-name <STACK_NAME> --enable-termination-protection",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. Open the AWS CloudFormation console\n2. Select the target stack\n3. Choose Stack actions > Edit termination protection\n4. Select Enable and Save",
+      "Terraform": "```hcl\nresource \"aws_cloudformation_stack\" \"<example_resource_name>\" {\n  name                           = \"<example_resource_name>\"\n  template_url                   = \"https://s3.amazonaws.com/<bucket>/<template>.json\"\n  enable_termination_protection  = true # Critical: enables termination protection to prevent stack deletion\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure termination protection is enabled for the cloudformation stacks.",
-      "Url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html"
+      "Text": "Enable **termination protection** on root stacks for critical workloads. Enforce **least privilege** on who can alter this setting or delete stacks, require **change review** via change sets, and apply **stack policies** plus `DeletionPolicy: Retain` for data stores for defense in depth.",
+      "Url": "https://hub.prowler.com/check/cloudformation_stacks_termination_protection_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Infrastructure Protection"

prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.metadata.json

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_custom_ssl_certificate",
-  "CheckTitle": "CloudFront distributions should use custom SSL/TLS certificates.",
-  "CheckType": [],
+  "CheckTitle": "CloudFront distribution uses a custom SSL/TLS certificate",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCloudFrontDistribution",
-  "Description": "Ensure that your Amazon CloudFront distributions are configured to use a custom SSL/TLS certificate instead of the default one.",
-  "Risk": "Using the default SSL/TLS certificate provided by CloudFront can limit your ability to use custom domain names and may not align with your organization's security policies or branding requirements.",
-  "RelatedUrl": "https://aws.amazon.com/what-is/ssl-certificate/",
+  "Description": "CloudFront distributions are configured with a **custom SSL/TLS certificate** rather than the default `*.cloudfront.net` certificate for viewer connections.",
+  "Risk": "Using the default certificate prevents HTTPS on your own hostnames, breaking hostname validation. Clients may face errors or avoid TLS, impacting **authentication** and **availability**. Control over TLS posture and domain-bound security headers is reduced, weakening **confidentiality** and user trust.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-distro-custom-tls.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-7",
+    "https://support.icompaas.com/support/solutions/articles/62000233491-ensure-cloudfront-distributions-use-custom-ssl-tls-certificates",
+    "https://reintech.io/blog/configure-https-ssl-certificates-cloudfront-distributions"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/networking-policies/ensure-aws-cloudfront-distribution-uses-custom-ssl-certificate/",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-7",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-distro-custom-tls.html"
+      "CLI": "aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --output json > current-config.json && echo 'Manually edit current-config.json to add Aliases and ViewerCertificate fields, then run:' && echo 'aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match $(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query \"ETag\" --output text)'",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CloudFront::Distribution\n    Properties:\n      DistributionConfig:\n        Enabled: true\n        Origins:\n          - Id: origin1\n            DomainName: <example_origin_domain>\n            S3OriginConfig: {}\n        DefaultCacheBehavior:\n          TargetOriginId: origin1\n          ViewerProtocolPolicy: redirect-to-https\n          ForwardedValues:\n            QueryString: false\n        Aliases:\n          - <example_domain>  # CRITICAL: add an alternate domain name (CNAME) covered by the certificate\n        ViewerCertificate:\n          AcmCertificateArn: <example_certificate_arn>  # CRITICAL: attach custom ACM cert (must be in us-east-1)\n          SslSupportMethod: sni-only  # CRITICAL: required when using ACM cert\n```",
+      "Other": "1. Open the CloudFront console and select your distribution\n2. Go to the Settings/General tab and click Edit\n3. In Alternate domain name (CNAME), add <example_domain>\n4. In SSL certificate, choose Custom SSL certificate and select your ACM certificate (issued in us-east-1 and covering <example_domain>)\n5. Click Save/Yes, Edit and wait for the distribution to deploy",
+      "Terraform": "```hcl\nresource \"aws_cloudfront_distribution\" \"<example_resource_name>\" {\n  enabled = true\n\n  origin {\n    domain_name = \"<example_origin_domain>\"\n    origin_id   = \"origin1\"\n    s3_origin_config {}\n  }\n\n  default_cache_behavior {\n    target_origin_id       = \"origin1\"\n    viewer_protocol_policy = \"redirect-to-https\"\n    forwarded_values { query_string = false }\n  }\n\n  aliases = [\"<example_domain>\"]  # CRITICAL: add CNAME covered by the cert\n\n  viewer_certificate {\n    acm_certificate_arn = \"<example_certificate_arn>\"  # CRITICAL: custom ACM cert (in us-east-1)\n    ssl_support_method  = \"sni-only\"                    # CRITICAL: required with ACM cert\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your CloudFront distributions to use a custom SSL/TLS certificate to enable secure access via your own domain names and meet specific security and branding needs. This allows for more control over encryption and authentication settings.",
-      "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#CreatingCNAME"
+      "Text": "- Use a **custom SSL/TLS certificate** covering your domains and configure aliases.\n- Enforce modern TLS policy, **SNI**, and **HSTS**; disable legacy protocols.\n- Apply **least privilege** to certificate lifecycle and rotate/monitor keys.",
+      "Url": "https://hub.prowler.com/check/cloudfront_distributions_custom_ssl_certificate"
     }
   },
   "Categories": [

prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.metadata.json

@@ -1,26 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_default_root_object",
-  "CheckTitle": "Check if CloudFront distributions have a default root object.",
-  "CheckType": [],
+  "CheckTitle": "CloudFront distribution has a default root object configured",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCloudFrontDistribution",
-  "Description": "Check if CloudFront distributions have a default root object.",
-  "Risk": "Without a default root object, requests to the root URL may result in an error or expose unintended content, leading to potential security risks and a poor user experience.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html#DefaultRootObjectHow",
+  "Description": "CloudFront distributions are evaluated for a configured **default root object** that maps `/` requests to a specific file such as `index.html`, rather than forwarding root requests directly to the origin.",
+  "Risk": "Without a **default root object**, root requests can reveal **origin listings** or unintended files, exposing data (**confidentiality**) and aiding reconnaissance. They may also return errors, lowering uptime (**availability**), or route unpredictably, risking wrong content delivery (**integrity**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-default-object.html",
+    "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws cloudfront update-distribution --id <distribution-id> --default-root-object <new-root-object>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-default-object.html"
+      "CLI": "aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --output json > current-config.json && echo 'Manually edit current-config.json to add DefaultRootObject: \"index.html\", then run:' && echo 'aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match $(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query \"ETag\" --output text)'",
+      "NativeIaC": "```yaml\n# CloudFormation: Set a default root object on a CloudFront distribution\nResources:\n  CloudFrontDistribution:\n    Type: AWS::CloudFront::Distribution\n    Properties:\n      DistributionConfig:\n        Enabled: true\n        DefaultRootObject: index.html  # CRITICAL: ensures a default root object is configured\n        Origins:\n          - Id: <example_origin_id>\n            DomainName: <example_origin_domain>\n            S3OriginConfig: {}\n        DefaultCacheBehavior:\n          TargetOriginId: <example_origin_id>\n          ViewerProtocolPolicy: allow-all\n          ForwardedValues:\n            QueryString: false\n```",
+      "Other": "1. Open the AWS Console and go to CloudFront\n2. Select the target distribution and choose Settings > General > Edit\n3. In Default root object, enter index.html (do not start with a /)\n4. Save changes and wait for deployment to complete",
+      "Terraform": "```hcl\n# Terraform: Set a default root object on a CloudFront distribution\nresource \"aws_cloudfront_distribution\" \"<example_resource_name>\" {\n  enabled             = true\n  default_root_object = \"index.html\" # CRITICAL: ensures a default root object is configured\n\n  origin {\n    domain_name = \"<example_origin_domain>\"\n    origin_id   = \"<example_origin_id>\"\n\n    s3_origin_config {}\n  }\n\n  default_cache_behavior {\n    target_origin_id       = \"<example_origin_id>\"\n    viewer_protocol_policy = \"allow-all\"\n    forwarded_values {\n      query_string = false\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure a default root object for your CloudFront distribution to ensure that a specific file (such as index.html) is returned when users access the root URL. This improves user experience and ensures that sensitive content isn't accidentally exposed.",
-      "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html#DefaultRootObjectHowToDefine"
+      "Text": "Set a **default root object** that returns a safe landing page (e.g., `index.html`). Apply **defense in depth**: restrict direct origin access, define explicit error pages, and standardize redirects. Test root and subdirectory requests for predictable responses. Align origin permissions with **least privilege**.",
+      "Url": "https://hub.prowler.com/check/cloudfront_distributions_default_root_object"
     }
   },
   "Categories": [],

prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.metadata.json

@@ -1,26 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_field_level_encryption_enabled",
-  "CheckTitle": "Check if CloudFront distributions have Field Level Encryption enabled.",
-  "CheckType": [],
+  "CheckTitle": "CloudFront distribution has Field Level Encryption enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsCloudFrontDistribution",
-  "Description": "Check if CloudFront distributions have Field Level Encryption enabled.",
-  "Risk": "Allows you protect specific data throughout system processing so that only certain applications can see it.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html",
+  "Description": "CloudFront distributions have the default cache behavior associated with **Field-Level Encryption** via `field_level_encryption_id`, targeting specified request fields for edge encryption.",
+  "Risk": "Absent **field-level encryption**, sensitive inputs (PII, payment data, credentials) may surface in origin paths, logs, or middleware in plaintext. This undermines **confidentiality**, enables data exfiltration and insider misuse, and can lead to session or account compromise if tokens are captured.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/field-level-encryption-enabled.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/field-level-encryption-enabled.html",
-      "Terraform": ""
+      "CLI": "aws cloudfront create-field-level-encryption-config --field-level-encryption-config file://fle-config.json && aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --output json > current-config.json && echo 'Manually edit current-config.json to add FieldLevelEncryptionId to DefaultCacheBehavior, then run:' && echo 'aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match $(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query \"ETag\" --output text)'",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable Field Level Encryption on Default Cache Behavior\nResources:\n  FLEConfig:\n    Type: AWS::CloudFront::FieldLevelEncryptionConfig\n    Properties:\n      FieldLevelEncryptionConfig:\n        CallerReference: !Ref AWS::StackName\n        ContentTypeProfileConfig:\n          ForwardWhenContentTypeIsUnknown: true\n          ContentTypeProfiles:\n            Quantity: 0\n\n  <example_resource_name>:\n    Type: AWS::CloudFront::Distribution\n    Properties:\n      DistributionConfig:\n        Enabled: true\n        Origins:\n          - DomainName: \"<example_resource_name>.s3.amazonaws.com\"\n            Id: \"<example_resource_id>\"\n            S3OriginConfig: {}\n        DefaultCacheBehavior:\n          TargetOriginId: \"<example_resource_id>\"\n          ViewerProtocolPolicy: redirect-to-https\n          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6\n          FieldLevelEncryptionId: !Ref FLEConfig  # Critical: enables FLE on the default cache behavior\n```",
+      "Other": "1. In the AWS Console, go to CloudFront\n2. If you don't have a Field-level encryption configuration:\n   - In the left menu, click Public keys > Add public key (paste your RSA public key)\n   - Click Field-level encryption > Create profile (choose the public key and add fields to encrypt)\n   - Click Field-level encryption > Create configuration (set the profile as Default profile)\n3. Attach it to your distribution:\n   - Go to Distributions > select <example_resource_id>\n   - Choose Behaviors > select Default (*) > Edit\n   - Set Field-level encryption configuration to your created configuration\n   - Click Save changes and wait for deployment",
+      "Terraform": "```hcl\n# Enable Field Level Encryption on Default Cache Behavior\nresource \"aws_cloudfront_field_level_encryption_config\" \"fle\" {\n  content_type_profile_config {\n    forward_when_content_type_is_unknown = true\n  }\n}\n\nresource \"aws_cloudfront_distribution\" \"<example_resource_name>\" {\n  enabled = true\n\n  origin {\n    domain_name = \"<example_resource_name>.s3.amazonaws.com\"\n    origin_id   = \"<example_resource_id>\"\n  }\n\n  default_cache_behavior {\n    target_origin_id       = \"<example_resource_id>\"\n    viewer_protocol_policy = \"redirect-to-https\"\n    cache_policy_id        = \"658327ea-f89d-4fab-a63d-7e88639e58f6\"\n    field_level_encryption_id = aws_cloudfront_field_level_encryption_config.fle.id # Critical: enables FLE\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Check if applicable to any sensitive data. This encryption ensures that only applications that need the data—and have the credentials to decrypt it - are able to do so.",
-      "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html"
+      "Text": "Enable **Field-Level Encryption** for sensitive request fields and bind it to relevant cache behaviors. Apply **least privilege** to decryption keys, rotate and monitor keys, and separate duties. As **defense in depth**, minimize data collection, avoid logging secrets, require HTTPS end-to-end, and validate inputs.",
+      "Url": "https://hub.prowler.com/check/cloudfront_distributions_field_level_encryption_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "cloudfront_distributions_geo_restrictions_enabled",
-  "CheckTitle": "Check if Geo restrictions are enabled in CloudFront distributions.",
-  "CheckType": [],
+  "CheckTitle": "CloudFront distribution has Geo restrictions enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+  ],
   "ServiceName": "cloudfront",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsCloudFrontDistribution",
-  "Description": "Check if Geo restrictions are enabled in CloudFront distributions.",
-  "Risk": "Consider countries where service should not be accessed, by legal or compliance requirements. Additionally if not restricted the attack vector is increased.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html",
+  "Description": "**CloudFront distributions** have **geographic restrictions** configured to limit access by country using an allowlist or blocklist (`RestrictionType` not `none`).",
+  "Risk": "Absent geo restrictions, content is globally reachable, enabling:\n- Access from sanctioned or unlicensed regions (confidentiality/compliance)\n- Broader bot abuse, scraping, and DDoS staging (availability)\n- More credential-stuffing and fraud attempts against apps",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://repost.aws/knowledge-center/cloudfront-geo-restriction",
+    "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/geo-restriction.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/geo-restriction.html",
-      "Terraform": ""
+      "CLI": "aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --output json > current-config.json && echo 'Manually edit current-config.json to add Restrictions.GeoRestriction with RestrictionType: \"whitelist\" and Locations: [\"US\"], then run:' && echo 'aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match $(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query \"ETag\" --output text)'",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CloudFront::Distribution\n    Properties:\n      DistributionConfig:\n        Enabled: true\n        Origins:\n          - DomainName: \"<example_origin_domain>\"\n            Id: \"<example_origin_id>\"\n        DefaultCacheBehavior:\n          TargetOriginId: \"<example_origin_id>\"\n          ViewerProtocolPolicy: allow-all\n          CachePolicyId: \"<example_cache_policy_id>\"\n        Restrictions:\n          GeoRestriction:\n            RestrictionType: whitelist  # CRITICAL: enables geo restrictions\n            Locations:                  # CRITICAL: at least one allowed country\n              - US\n```",
+      "Other": "1. In the AWS Console, go to CloudFront > Distributions\n2. Select the target distribution\n3. Open the Security tab > Geographic restrictions > Edit\n4. Choose Allow list (or Block list)\n5. Add at least one country to the list\n6. Save changes",
+      "Terraform": "```hcl\nresource \"aws_cloudfront_distribution\" \"<example_resource_name>\" {\n  enabled = true\n\n  origins {\n    domain_name = \"<example_origin_domain>\"\n    origin_id   = \"<example_origin_id>\"\n  }\n\n  default_cache_behavior {\n    target_origin_id       = \"<example_origin_id>\"\n    viewer_protocol_policy = \"allow-all\"\n    cache_policy_id        = \"<example_cache_policy_id>\"\n  }\n\n  restrictions {\n    geo_restriction {\n      restriction_type = \"whitelist\" # CRITICAL: enables geo restrictions\n      locations        = [\"US\"]      # CRITICAL: at least one allowed country\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "If possible, define and enable Geo restrictions for this service.",
-      "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html"
+      "Text": "Apply **least privilege** to distribution scope: enable geo restrictions with a country **allowlist** where feasible, or maintain a precise blocklist aligned to legal, licensing, and threat models.\n\nLayer **defense in depth**: use WAF/bot controls, signed URLs or cookies, and monitoring to detect abuse and configuration drift.",
+      "Url": "https://hub.prowler.com/check/cloudfront_distributions_geo_restrictions_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Infrastructure Security"