prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/assets/markdown-styles.css +34 -0
- dashboard/compliance/c5_aws.py +43 -0
- dashboard/compliance/ccc_aws.py +36 -0
- dashboard/compliance/ccc_azure.py +36 -0
- dashboard/compliance/ccc_gcp.py +36 -0
- dashboard/compliance/cis_3_0_oci.py +41 -0
- dashboard/pages/overview.py +66 -16
- prowler/CHANGELOG.md +60 -0
- prowler/__main__.py +128 -14
- prowler/compliance/aws/aws_account_security_onboarding_aws.json +1 -0
- prowler/compliance/aws/aws_audit_manager_control_tower_guardrails_aws.json +1 -0
- prowler/compliance/aws/aws_foundational_security_best_practices_aws.json +2 -1
- prowler/compliance/aws/aws_foundational_technical_review_aws.json +1 -0
- prowler/compliance/aws/aws_well_architected_framework_reliability_pillar_aws.json +1 -0
- prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json +1 -0
- prowler/compliance/aws/c5_aws.json +10744 -0
- prowler/compliance/aws/ccc_aws.json +6206 -0
- prowler/compliance/aws/cis_1.4_aws.json +1 -0
- prowler/compliance/aws/cis_1.5_aws.json +1 -0
- prowler/compliance/aws/cis_2.0_aws.json +1 -0
- prowler/compliance/aws/cis_3.0_aws.json +1 -0
- prowler/compliance/aws/cis_4.0_aws.json +1 -0
- prowler/compliance/aws/cis_5.0_aws.json +1 -0
- prowler/compliance/aws/cisa_aws.json +1 -0
- prowler/compliance/aws/ens_rd2022_aws.json +1 -0
- prowler/compliance/aws/fedramp_low_revision_4_aws.json +1 -0
- prowler/compliance/aws/fedramp_moderate_revision_4_aws.json +1 -0
- prowler/compliance/aws/ffiec_aws.json +1 -0
- prowler/compliance/aws/gdpr_aws.json +1 -0
- prowler/compliance/aws/gxp_21_cfr_part_11_aws.json +1 -0
- prowler/compliance/aws/gxp_eu_annex_11_aws.json +1 -0
- prowler/compliance/aws/hipaa_aws.json +1 -0
- prowler/compliance/aws/iso27001_2013_aws.json +1 -0
- prowler/compliance/aws/iso27001_2022_aws.json +1 -0
- prowler/compliance/aws/kisa_isms_p_2023_aws.json +1 -0
- prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json +1 -0
- prowler/compliance/aws/mitre_attack_aws.json +287 -11
- prowler/compliance/aws/nis2_aws.json +1 -0
- prowler/compliance/aws/nist_800_171_revision_2_aws.json +1 -0
- prowler/compliance/aws/nist_800_53_revision_4_aws.json +1 -0
- prowler/compliance/aws/nist_800_53_revision_5_aws.json +1 -0
- prowler/compliance/aws/nist_csf_1.1_aws.json +1 -0
- prowler/compliance/aws/pci_3.2.1_aws.json +2 -1
- prowler/compliance/aws/pci_4.0_aws.json +1 -0
- prowler/compliance/aws/prowler_threatscore_aws.json +1 -0
- prowler/compliance/aws/rbi_cyber_security_framework_aws.json +1 -0
- prowler/compliance/aws/soc2_aws.json +1 -0
- prowler/compliance/azure/ccc_azure.json +6147 -0
- prowler/compliance/azure/cis_2.0_azure.json +1 -0
- prowler/compliance/azure/cis_2.1_azure.json +1 -0
- prowler/compliance/azure/cis_3.0_azure.json +1 -0
- prowler/compliance/azure/cis_4.0_azure.json +1 -0
- prowler/compliance/azure/ens_rd2022_azure.json +1 -0
- prowler/compliance/azure/iso27001_2022_azure.json +1 -0
- prowler/compliance/azure/mitre_attack_azure.json +131 -5
- prowler/compliance/azure/nis2_azure.json +1 -0
- prowler/compliance/azure/pci_4.0_azure.json +1 -0
- prowler/compliance/azure/prowler_threatscore_azure.json +1 -0
- prowler/compliance/azure/soc2_azure.json +1 -0
- prowler/compliance/gcp/ccc_gcp.json +6077 -0
- prowler/compliance/gcp/cis_2.0_gcp.json +1 -0
- prowler/compliance/gcp/cis_3.0_gcp.json +1 -0
- prowler/compliance/gcp/cis_4.0_gcp.json +1 -0
- prowler/compliance/gcp/ens_rd2022_gcp.json +1 -0
- prowler/compliance/gcp/iso27001_2022_gcp.json +1 -0
- prowler/compliance/gcp/mitre_attack_gcp.json +287 -11
- prowler/compliance/gcp/nis2_gcp.json +1 -0
- prowler/compliance/gcp/pci_4.0_gcp.json +1 -0
- prowler/compliance/gcp/prowler_threatscore_gcp.json +1 -0
- prowler/compliance/gcp/soc2_gcp.json +1 -0
- prowler/compliance/github/cis_1.0_github.json +1 -0
- prowler/compliance/kubernetes/cis_1.10_kubernetes.json +1 -0
- prowler/compliance/kubernetes/cis_1.11_kubernetes.json +1 -0
- prowler/compliance/kubernetes/cis_1.8_kubernetes.json +1 -0
- prowler/compliance/kubernetes/iso27001_2022_kubernetes.json +1 -0
- prowler/compliance/kubernetes/pci_4.0_kubernetes.json +1 -0
- prowler/compliance/llm/__init__.py +0 -0
- prowler/compliance/m365/cis_4.0_m365.json +1 -0
- prowler/compliance/m365/iso27001_2022_m365.json +1 -0
- prowler/compliance/m365/prowler_threatscore_m365.json +1 -0
- prowler/compliance/nhn/iso27001_2022_nhn.json +1 -0
- prowler/compliance/oci/__init__.py +0 -0
- prowler/compliance/oci/cis_3.0_oci.json +1141 -0
- prowler/config/config.py +5 -1
- prowler/config/llm_config.yaml +175015 -0
- prowler/config/oraclecloud_mutelist_example.yaml +61 -0
- prowler/lib/check/check.py +9 -1
- prowler/lib/check/compliance.py +1 -0
- prowler/lib/check/compliance_models.py +33 -3
- prowler/lib/check/models.py +96 -8
- prowler/lib/check/utils.py +8 -2
- prowler/lib/cli/parser.py +6 -4
- prowler/lib/outputs/compliance/aws_well_architected/aws_well_architected.py +4 -0
- prowler/lib/outputs/compliance/aws_well_architected/models.py +2 -0
- prowler/lib/outputs/compliance/c5/__init__.py +0 -0
- prowler/lib/outputs/compliance/c5/c5.py +98 -0
- prowler/lib/outputs/compliance/c5/c5_aws.py +92 -0
- prowler/lib/outputs/compliance/c5/models.py +30 -0
- prowler/lib/outputs/compliance/ccc/__init__.py +0 -0
- prowler/lib/outputs/compliance/ccc/ccc_aws.py +95 -0
- prowler/lib/outputs/compliance/ccc/ccc_azure.py +95 -0
- prowler/lib/outputs/compliance/ccc/ccc_gcp.py +95 -0
- prowler/lib/outputs/compliance/ccc/models.py +90 -0
- prowler/lib/outputs/compliance/cis/cis_aws.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_azure.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_gcp.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_github.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_kubernetes.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_m365.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_oci.py +106 -0
- prowler/lib/outputs/compliance/cis/models.py +56 -0
- prowler/lib/outputs/compliance/compliance.py +10 -0
- prowler/lib/outputs/compliance/compliance_output.py +4 -1
- prowler/lib/outputs/compliance/ens/ens_aws.py +4 -0
- prowler/lib/outputs/compliance/ens/ens_azure.py +4 -0
- prowler/lib/outputs/compliance/ens/ens_gcp.py +4 -0
- prowler/lib/outputs/compliance/ens/models.py +6 -0
- prowler/lib/outputs/compliance/generic/generic.py +4 -0
- prowler/lib/outputs/compliance/generic/models.py +2 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_aws.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_azure.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_gcp.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_kubernetes.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_m365.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_nhn.py +4 -0
- prowler/lib/outputs/compliance/iso27001/models.py +12 -0
- prowler/lib/outputs/compliance/kisa_ismsp/kisa_ismsp_aws.py +4 -0
- prowler/lib/outputs/compliance/kisa_ismsp/models.py +2 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_aws.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_azure.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_gcp.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/models.py +6 -0
- prowler/lib/outputs/compliance/prowler_threatscore/models.py +8 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore.py +46 -4
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_aws.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_azure.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_gcp.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_m365.py +4 -0
- prowler/lib/outputs/csv/csv.py +3 -0
- prowler/lib/outputs/finding.py +22 -0
- prowler/lib/outputs/html/html.py +192 -7
- prowler/lib/outputs/jira/jira.py +284 -47
- prowler/lib/outputs/ocsf/ocsf.py +1 -4
- prowler/lib/outputs/outputs.py +6 -0
- prowler/lib/outputs/summary_table.py +10 -0
- prowler/providers/aws/aws_regions_by_service.json +221 -44
- prowler/providers/aws/lib/quick_inventory/quick_inventory.py +3 -0
- prowler/providers/aws/lib/security_hub/security_hub.py +12 -2
- prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.metadata.json +27 -13
- prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.metadata.json +32 -13
- prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.metadata.json +23 -11
- prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json +24 -12
- prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.metadata.json +19 -11
- prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.metadata.json +14 -10
- prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json +17 -9
- prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.metadata.json +16 -12
- prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.metadata.json +21 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json +23 -16
- prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.metadata.json +22 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json +26 -18
- prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json +30 -19
- prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json +24 -16
- prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json +31 -18
- prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.metadata.json +20 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json +24 -18
- prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json +21 -12
- prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.metadata.json +23 -15
- prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.metadata.json +15 -12
- prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.metadata.json +17 -14
- prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.metadata.json +20 -15
- prowler/providers/aws/services/appsync/appsync_field_level_logging_enabled/appsync_field_level_logging_enabled.metadata.json +21 -12
- prowler/providers/aws/services/appsync/appsync_graphql_api_no_api_key_authentication/appsync_graphql_api_no_api_key_authentication.metadata.json +20 -13
- prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.metadata.json +24 -12
- prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.metadata.json +20 -13
- prowler/providers/aws/services/athena/athena_workgroup_logging_enabled/athena_workgroup_logging_enabled.metadata.json +21 -12
- prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json +15 -10
- prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.metadata.json +20 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.metadata.json +20 -12
- prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.metadata.json +20 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.metadata.json +26 -14
- prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.metadata.json +22 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.metadata.json +21 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.metadata.json +19 -12
- prowler/providers/aws/services/autoscaling/autoscaling_service.py +1 -1
- prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.metadata.json +26 -13
- prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json +20 -13
- prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json +18 -9
- prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json +20 -12
- prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json +21 -12
- prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.metadata.json +24 -13
- prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.metadata.json +22 -12
- prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +24 -13
- prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.metadata.json +23 -13
- prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json +22 -15
- prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.metadata.json +21 -12
- prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.metadata.json +19 -15
- prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.metadata.json +24 -13
- prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json +19 -15
- prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.metadata.json +24 -13
- prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.metadata.json +22 -12
- prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.metadata.json +19 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.metadata.json +19 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_multiple_origin_failover_configured/cloudfront_distributions_multiple_origin_failover_configured.metadata.json +21 -16
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.metadata.json +27 -14
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_access_control/cloudfront_distributions_s3_origin_access_control.metadata.json +24 -14
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.metadata.json +18 -11
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.metadata.json +20 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.metadata.json +21 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.metadata.json +16 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json +19 -15
- prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.metadata.json +19 -14
- prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.metadata.json +19 -14
- prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.metadata.json +20 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.metadata.json +18 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.metadata.json +24 -16
- prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.metadata.json +17 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.metadata.json +19 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.metadata.json +22 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.metadata.json +21 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.metadata.json +22 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.metadata.json +25 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.metadata.json +18 -10
- prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.metadata.json +20 -12
- prowler/providers/aws/services/config/config_recorder_using_aws_service_role/config_recorder_using_aws_service_role.metadata.json +20 -13
- prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.metadata.json +20 -11
- prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.metadata.json +19 -11
- prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.metadata.json +19 -10
- prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.metadata.json +20 -11
- prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.metadata.json +23 -12
- prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.metadata.json +23 -12
- prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.metadata.json +19 -13
- prowler/providers/aws/services/dms/dms_endpoint_mongodb_authentication_enabled/dms_endpoint_mongodb_authentication_enabled.metadata.json +20 -13
- prowler/providers/aws/services/dms/dms_endpoint_neptune_iam_authorization_enabled/dms_endpoint_neptune_iam_authorization_enabled.metadata.json +19 -12
- prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.metadata.json +23 -13
- prowler/providers/aws/services/dms/dms_endpoint_ssl_enabled/dms_endpoint_ssl_enabled.metadata.json +27 -19
- prowler/providers/aws/services/dms/dms_instance_minor_version_upgrade_enabled/dms_instance_minor_version_upgrade_enabled.metadata.json +22 -12
- prowler/providers/aws/services/dms/dms_instance_multi_az_enabled/dms_instance_multi_az_enabled.metadata.json +20 -13
- prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.metadata.json +22 -11
- prowler/providers/aws/services/dms/dms_replication_task_source_logging_enabled/dms_replication_task_source_logging_enabled.metadata.json +21 -13
- prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.py +39 -37
- prowler/providers/aws/services/dms/dms_service.py +0 -1
- prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.py +11 -10
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/__init__.py +0 -0
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami.metadata.json +30 -0
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami.py +52 -0
- prowler/providers/aws/services/ec2/ec2_service.py +26 -14
- prowler/providers/aws/services/efs/efs_access_point_enforce_root_directory/efs_access_point_enforce_root_directory.metadata.json +19 -13
- prowler/providers/aws/services/efs/efs_access_point_enforce_user_identity/efs_access_point_enforce_user_identity.metadata.json +23 -13
- prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.metadata.json +23 -13
- prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.metadata.json +20 -14
- prowler/providers/aws/services/efs/efs_mount_target_not_publicly_accessible/efs_mount_target_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/aws/services/efs/efs_multi_az_enabled/efs_multi_az_enabled.metadata.json +21 -13
- prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.metadata.json +17 -13
- prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py +4 -0
- prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.py +8 -2
- prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json +23 -13
- prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json +18 -14
- prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json +23 -14
- prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json +25 -13
- prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json +22 -14
- prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json +20 -12
- prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json +18 -10
- prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json +16 -10
- prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json +22 -13
- prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json +20 -12
- prowler/providers/aws/services/rds/rds_service.py +9 -2
- prowler/providers/aws/services/vpc/vpc_service.py +1 -1
- prowler/providers/azure/services/entra/entra_service.py +54 -25
- prowler/providers/common/arguments.py +16 -2
- prowler/providers/common/provider.py +34 -2
- prowler/providers/gcp/services/cloudsql/cloudsql_service.py +3 -3
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/cloudstorage_bucket_lifecycle_management_enabled.metadata.json +34 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/cloudstorage_bucket_lifecycle_management_enabled.py +48 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +10 -0
- prowler/providers/gcp/services/compute/compute_project_os_login_enabled/compute_project_os_login_enabled.py +5 -0
- prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.py +5 -0
- prowler/providers/gcp/services/iam/iam_role_kms_enforce_separation_of_duties/iam_role_kms_enforce_separation_of_duties.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py +5 -0
- prowler/providers/gcp/services/monitoring/monitoring_service.py +30 -2
- prowler/providers/iac/iac_provider.py +1 -1
- prowler/providers/llm/__init__.py +0 -0
- prowler/providers/llm/lib/__init__.py +0 -0
- prowler/providers/llm/lib/arguments/__init__.py +0 -0
- prowler/providers/llm/lib/arguments/arguments.py +13 -0
- prowler/providers/llm/llm_provider.py +518 -0
- prowler/providers/llm/models.py +27 -0
- prowler/providers/m365/exceptions/exceptions.py +0 -55
- prowler/providers/m365/lib/arguments/arguments.py +8 -4
- prowler/providers/m365/lib/powershell/m365_powershell.py +14 -156
- prowler/providers/m365/m365_provider.py +19 -117
- prowler/providers/m365/models.py +0 -3
- prowler/providers/m365/services/admincenter/admincenter_service.py +52 -23
- prowler/providers/m365/services/entra/entra_admin_users_phishing_resistant_mfa_enabled/entra_admin_users_phishing_resistant_mfa_enabled.py +19 -2
- prowler/providers/m365/services/entra/entra_service.py +58 -30
- prowler/providers/m365/services/sharepoint/sharepoint_service.py +24 -3
- prowler/providers/oraclecloud/__init__.py +0 -0
- prowler/providers/oraclecloud/config.py +61 -0
- prowler/providers/oraclecloud/exceptions/__init__.py +0 -0
- prowler/providers/oraclecloud/exceptions/exceptions.py +197 -0
- prowler/providers/oraclecloud/lib/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/arguments/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/arguments/arguments.py +123 -0
- prowler/providers/oraclecloud/lib/mutelist/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/mutelist/mutelist.py +176 -0
- prowler/providers/oraclecloud/lib/service/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/service/service.py +213 -0
- prowler/providers/oraclecloud/models.py +96 -0
- prowler/providers/oraclecloud/oci_provider.py +1038 -0
- prowler/providers/oraclecloud/services/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/analytics_client.py +6 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.py +48 -0
- prowler/providers/oraclecloud/services/analytics/analytics_service.py +99 -0
- prowler/providers/oraclecloud/services/audit/__init__.py +0 -0
- prowler/providers/oraclecloud/services/audit/audit_client.py +4 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +37 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.py +46 -0
- prowler/providers/oraclecloud/services/audit/audit_service.py +57 -0
- prowler/providers/oraclecloud/services/blockstorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +37 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.py +39 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +36 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.py +35 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_client.py +6 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_service.py +182 -0
- prowler/providers/oraclecloud/services/cloudguard/__init__.py +0 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_client.py +6 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.py +39 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_service.py +63 -0
- prowler/providers/oraclecloud/services/compute/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_client.py +4 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.py +38 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.py +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.py +39 -0
- prowler/providers/oraclecloud/services/compute/compute_service.py +136 -0
- prowler/providers/oraclecloud/services/database/__init__.py +0 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.py +40 -0
- prowler/providers/oraclecloud/services/database/database_client.py +6 -0
- prowler/providers/oraclecloud/services/database/database_service.py +79 -0
- prowler/providers/oraclecloud/services/events/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_client.py +4 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.py +53 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +36 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.py +90 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +38 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.py +63 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.py +88 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.py +69 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.py +65 -0
- prowler/providers/oraclecloud/services/events/events_service.py +215 -0
- prowler/providers/oraclecloud/services/events/lib/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/lib/helpers.py +116 -0
- prowler/providers/oraclecloud/services/filestorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_client.py +6 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +36 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.py +39 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_service.py +96 -0
- prowler/providers/oraclecloud/services/identity/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_client.py +4 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.py +107 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.py +70 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.py +51 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.py +39 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.py +67 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.py +97 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.py +77 -0
- prowler/providers/oraclecloud/services/identity/identity_service.py +828 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.py +81 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.py +81 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +37 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.py +73 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.py +52 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.py +43 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.py +38 -0
- prowler/providers/oraclecloud/services/integration/__init__.py +0 -0
- prowler/providers/oraclecloud/services/integration/integration_client.py +8 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.py +48 -0
- prowler/providers/oraclecloud/services/integration/integration_service.py +92 -0
- prowler/providers/oraclecloud/services/kms/__init__.py +0 -0
- prowler/providers/oraclecloud/services/kms/kms_client.py +4 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.py +37 -0
- prowler/providers/oraclecloud/services/kms/kms_service.py +136 -0
- prowler/providers/oraclecloud/services/logging/__init__.py +0 -0
- prowler/providers/oraclecloud/services/logging/logging_client.py +6 -0
- prowler/providers/oraclecloud/services/logging/logging_service.py +189 -0
- prowler/providers/oraclecloud/services/network/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_client.py +4 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.py +99 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.py +65 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +37 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.py +70 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.py +62 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +37 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.py +67 -0
- prowler/providers/oraclecloud/services/network/network_service.py +321 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.py +66 -0
- prowler/providers/oraclecloud/services/objectstorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.py +40 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +32 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.py +68 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.py +43 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.py +38 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_client.py +6 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_service.py +138 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/METADATA +9 -33
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/RECORD +528 -280
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/entry_points.txt +0 -0
|
@@ -1,33 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_bucket_requires_mfa_delete",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail S3 bucket has MFA delete enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "cloudtrail",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "medium",
|
|
14
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "**CloudTrail log buckets** for actively logging trails are evaluated for **MFA Delete** on the associated S3 bucket. The assessment determines whether `MFA Delete` is configured on the in-account log bucket; *if the bucket resides in another account, its configuration should be verified separately*.",
|
|
16
|
+
"Risk": "Without **MFA Delete**, stolen or over-privileged credentials can permanently delete log versions or change versioning, compromising log **integrity** and **availability**. This enables attacker cover-ups, hinders **forensics**, and weakens evidence for investigations.",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html",
|
|
20
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-bucket-mfa-delete-enabled.html"
|
|
21
|
+
],
|
|
18
22
|
"Remediation": {
|
|
19
23
|
"Code": {
|
|
20
|
-
"CLI": "aws s3api put-bucket-versioning --bucket
|
|
24
|
+
"CLI": "aws s3api put-bucket-versioning --bucket <CLOUDTRAIL_BUCKET_NAME> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa \"<MFA_SERIAL> <MFA_CODE>\"",
|
|
21
25
|
"NativeIaC": "",
|
|
22
|
-
"Other": "",
|
|
26
|
+
"Other": "1. Sign in to the AWS Management Console as the root user with MFA enabled\n2. Open AWS CloudShell (from the top navigation bar)\n3. Run:\n ```bash\n aws s3api put-bucket-versioning --bucket <CLOUDTRAIL_BUCKET_NAME> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa \"<MFA_SERIAL> <MFA_CODE>\"\n ```",
|
|
23
27
|
"Terraform": ""
|
|
24
28
|
},
|
|
25
29
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "https://
|
|
30
|
+
"Text": "Enable `MFA Delete` on the CloudTrail log bucket with versioning enabled. Enforce **least privilege** so only tightly controlled identities can delete or alter logs, and require MFA for such actions. Apply **defense in depth** using a dedicated logging account and log file integrity validation.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_bucket_requires_mfa_delete"
|
|
28
32
|
}
|
|
29
33
|
},
|
|
30
34
|
"Categories": [
|
|
35
|
+
"identity-access",
|
|
31
36
|
"forensics-ready"
|
|
32
37
|
],
|
|
33
38
|
"DependsOn": [],
|
|
@@ -1,35 +1,39 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_cloudwatch_logging_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail has delivered logs to CloudWatch Logs in the last 24 hours",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "cloudtrail",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "low",
|
|
14
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "**CloudTrail trails** are configured to send events to **CloudWatch Logs**, and show recent delivery within the last `24h`. Trails without integration or without recent CloudWatch delivery are identified, across single-Region and multi-Region trails.",
|
|
16
|
+
"Risk": "Missing or stale CloudWatch delivery weakens visibility and delays detection, impacting confidentiality and integrity. Adversaries can:\n- Hide **privilege escalation**\n- Perform unauthorized **resource changes**\n- Exfiltrate data via API misuse",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.prowler.com/checks/aws/logging-policies/logging_4#aws-console",
|
|
20
|
+
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html"
|
|
21
|
+
],
|
|
18
22
|
"Remediation": {
|
|
19
23
|
"Code": {
|
|
20
|
-
"CLI": "aws cloudtrail update-trail --name <trail_name> --
|
|
21
|
-
"NativeIaC": "",
|
|
22
|
-
"Other": "
|
|
23
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "aws cloudtrail update-trail --name <trail_name> --cloud-watch-logs-log-group-arn <cloudwatch_log_group_arn> --cloud-watch-logs-role-arn <cloudwatch_logs_role_arn>",
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: enable CloudTrail delivery to CloudWatch Logs\nResources:\n <example_resource_name>:\n Type: AWS::CloudTrail::Trail\n Properties:\n S3BucketName: \"<example_resource_name>\"\n CloudWatchLogsLogGroupArn: \"<cloudwatch_log_group_arn>\" # CRITICAL: sends CloudTrail events to CloudWatch Logs\n CloudWatchLogsRoleArn: \"<cloudwatch_logs_role_arn>\" # CRITICAL: role CloudTrail assumes to deliver events\n```",
|
|
26
|
+
"Other": "1. In AWS Console, go to CloudTrail > Trails and select the trail\n2. In the CloudWatch Logs section, click Edit\n3. Set CloudWatch Logs to Enabled\n4. Choose an existing Log group (or create new) and select an IAM role with permissions for CreateLogStream/PutLogEvents\n5. Click Save changes\n6. After a few minutes, verify events appear in the chosen CloudWatch Logs log group",
|
|
27
|
+
"Terraform": "```hcl\n# Terraform: enable CloudTrail delivery to CloudWatch Logs\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n s3_bucket_name = \"<example_resource_name>\"\n cloud_watch_logs_group_arn = \"<cloudwatch_log_group_arn>\" # CRITICAL: sends CloudTrail events to CloudWatch Logs\n cloud_watch_logs_role_arn = \"<cloudwatch_logs_role_arn>\" # CRITICAL: role CloudTrail assumes to deliver events\n}\n```"
|
|
24
28
|
},
|
|
25
29
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "https://
|
|
30
|
+
"Text": "Integrate every trail with **CloudWatch Logs** and maintain continuous, near-real-time delivery. Enforce **least privilege** on the delivery role, prefer **multi-Region** coverage, and implement **metric filters and alerts** for sensitive actions. Centralize retention to support **defense in depth**.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_cloudwatch_logging_enabled"
|
|
28
32
|
}
|
|
29
33
|
},
|
|
30
34
|
"Categories": [
|
|
31
|
-
"
|
|
32
|
-
"
|
|
35
|
+
"logging",
|
|
36
|
+
"forensics-ready"
|
|
33
37
|
],
|
|
34
38
|
"DependsOn": [],
|
|
35
39
|
"RelatedTo": [],
|
|
@@ -1,34 +1,39 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_insights_exist",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail has Insights enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "cloudtrail",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "low",
|
|
14
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "**CloudTrail trails** that are logging are evaluated for **Insights** via `insight selectors`, which enable anomaly detection on management-event patterns (API call and error rates). The finding pinpoints logging trails where these selectors are missing.",
|
|
16
|
+
"Risk": "Without **Insights**, abnormal API call or error rates can go unnoticed, delaying detection of credential abuse, privilege escalation, or runaway automation. Attackers may rapidly alter policies, delete resources, or exfiltrate data before response, impacting confidentiality and availability.",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html",
|
|
20
|
+
"https://awscli.amazonaws.com/v2/documentation/api/2.18.18/reference/cloudtrail/put-insight-selectors.html",
|
|
21
|
+
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail"
|
|
22
|
+
],
|
|
18
23
|
"Remediation": {
|
|
19
24
|
"Code": {
|
|
20
|
-
"CLI": "",
|
|
21
|
-
"NativeIaC": "",
|
|
22
|
-
"Other": "",
|
|
23
|
-
"Terraform": ""
|
|
25
|
+
"CLI": "aws cloudtrail put-insight-selectors --trail-name <TRAIL_NAME> --insight-selectors '[{\"InsightType\":\"ApiCallRateInsight\"}]'",
|
|
26
|
+
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::CloudTrail::Trail\n Properties:\n TrailName: <example_resource_name>\n S3BucketName: <example_resource_name>\n IsLogging: true\n InsightSelectors:\n - InsightType: ApiCallRateInsight # Critical fix: enables CloudTrail Insights on the trail\n```",
|
|
27
|
+
"Other": "1. In the AWS Console, go to CloudTrail > Trails\n2. Select the trail that is logging\n3. Click Edit on the CloudTrail Insights section\n4. Enable Insights and select API call rate (or Error rate)\n5. Save changes",
|
|
28
|
+
"Terraform": "```hcl\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n s3_bucket_name = \"<example_resource_name>\"\n enable_logging = true\n\n insight_selector {\n insight_type = \"ApiCallRateInsight\" # Critical fix: enables CloudTrail Insights on the trail\n }\n}\n```"
|
|
24
29
|
},
|
|
25
30
|
"Recommendation": {
|
|
26
|
-
"Text": "Enable CloudTrail
|
|
27
|
-
"Url": "https://
|
|
31
|
+
"Text": "Enable **CloudTrail Insights** on all logging trails (ideally all-Region or organization trails). Activate both `ApiCallRateInsight` and `ApiErrorRateInsight`. Integrate alerts with monitoring and review anomalies regularly. Apply **defense in depth** and least privilege to reduce potential blast radius.",
|
|
32
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_insights_exist"
|
|
28
33
|
}
|
|
29
34
|
},
|
|
30
35
|
"Categories": [
|
|
31
|
-
"
|
|
36
|
+
"threat-detection"
|
|
32
37
|
],
|
|
33
38
|
"DependsOn": [],
|
|
34
39
|
"RelatedTo": [],
|
|
@@ -1,34 +1,39 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_kms_encryption_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail logs are encrypted at rest with a KMS key",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "cloudtrail",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "medium",
|
|
14
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "**AWS CloudTrail trails** are evaluated for use of **SSE-KMS** with a customer-managed KMS key to encrypt delivered log files at rest in S3. Trails without a configured KMS key are identified. *Applies to single-Region and multi-Region trails.*",
|
|
16
|
+
"Risk": "Absent a **customer-managed KMS key**, log protection relies only on storage permissions. Bucket misconfigurations or stolen credentials can expose audit data, aiding evasion and lateral movement. Missing key-level controls, rotation, and usage audit weaken **confidentiality** and **forensic integrity**.",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
|
|
20
|
+
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-logs-encrypted.html",
|
|
21
|
+
"https://www.stream.security/rules/ensure-cloudtrail-logs-are-encrypted-at-rest",
|
|
22
|
+
"https://www.clouddefense.ai/compliance-rules/cis-v130/logging/cis-v130-3-7"
|
|
23
|
+
],
|
|
18
24
|
"Remediation": {
|
|
19
25
|
"Code": {
|
|
20
|
-
"CLI": "aws cloudtrail update-trail --name <trail_name> --kms-
|
|
21
|
-
"NativeIaC": "
|
|
22
|
-
"Other": "",
|
|
23
|
-
"Terraform": ""
|
|
26
|
+
"CLI": "aws cloudtrail update-trail --name <trail_name> --kms-key-id <kms_key_arn_or_id>",
|
|
27
|
+
"NativeIaC": "```yaml\n# CloudFormation: enable KMS encryption for an existing/new CloudTrail\nResources:\n <example_resource_name>:\n Type: AWS::CloudTrail::Trail\n Properties:\n S3BucketName: <example_resource_name>\n KmsKeyId: <example_resource_id> # Critical: sets the KMS key to encrypt CloudTrail logs at rest\n```",
|
|
28
|
+
"Other": "1. In the AWS Console, go to CloudTrail > Trails\n2. Select the trail <trail_name>, click Edit\n3. Under Log file encryption, choose Use a KMS key and select <cloudtrail_kms_key>\n4. Click Save changes",
|
|
29
|
+
"Terraform": "```hcl\n# Enable KMS encryption for CloudTrail\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n s3_bucket_name = \"<example_resource_name>\"\n kms_key_id = \"<example_resource_id>\" # Critical: uses this KMS key to encrypt CloudTrail logs\n}\n```"
|
|
24
30
|
},
|
|
25
31
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "https://
|
|
32
|
+
"Text": "Enable **SSE-KMS** on every trail using a **customer-managed KMS key**. Apply **least privilege** so only authorized roles can `Decrypt`, and enforce **separation of duties** between key admins and log readers. Rotate keys and monitor key usage to provide **defense in depth** for CloudTrail data.",
|
|
33
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_kms_encryption_enabled"
|
|
28
34
|
}
|
|
29
35
|
},
|
|
30
36
|
"Categories": [
|
|
31
|
-
"forensics-ready",
|
|
32
37
|
"encryption"
|
|
33
38
|
],
|
|
34
39
|
"DependsOn": [],
|
|
@@ -1,33 +1,40 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_log_file_validation_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail has log file validation enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "cloudtrail",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "medium",
|
|
14
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "**AWS CloudTrail trails** are evaluated for **log file integrity validation** being enabled (`LogFileValidationEnabled`).\n\nWhen enabled, CloudTrail generates signed digest files to verify that S3-delivered log files remain unchanged.",
|
|
16
|
+
"Risk": "Without validation, adversaries can alter, forge, or delete audit entries without detection, compromising log **integrity** and non-repudiation.\n\nThis impairs investigations, enables alert evasion, and obscures unauthorized changes across regions or accounts.",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html",
|
|
20
|
+
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html",
|
|
21
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-log-file-integrity-validation.html",
|
|
22
|
+
"https://deepwiki.com/acantril/learn-cantrill-io-labs/7.1-cloudtrail-log-file-integrity"
|
|
23
|
+
],
|
|
18
24
|
"Remediation": {
|
|
19
25
|
"Code": {
|
|
20
|
-
"CLI": "aws cloudtrail update-trail --name <trail_name>
|
|
21
|
-
"NativeIaC": "
|
|
22
|
-
"Other": "",
|
|
23
|
-
"Terraform": "
|
|
26
|
+
"CLI": "aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation",
|
|
27
|
+
"NativeIaC": "```yaml\n# CloudFormation: Enable log file validation on a CloudTrail trail\nResources:\n <example_resource_name>:\n Type: AWS::CloudTrail::Trail\n Properties:\n S3BucketName: <example_resource_name>\n EnableLogFileValidation: true # Critical: enables integrity validation for delivered log files\n```",
|
|
28
|
+
"Other": "1. Open the AWS Console and go to CloudTrail\n2. Click Trails and select <trail_name>\n3. Click Edit\n4. In Additional/Advanced settings, check Enable log file validation\n5. Click Save changes",
|
|
29
|
+
"Terraform": "```hcl\n# Enable log file validation on a CloudTrail trail\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n s3_bucket_name = \"<example_resource_name>\"\n enable_log_file_validation = true # Critical: ensures CloudTrail writes signed digests to detect tampering\n}\n```"
|
|
24
30
|
},
|
|
25
31
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "
|
|
32
|
+
"Text": "Enable **log file integrity validation** on all trails (`LogFileValidationEnabled=true`).\n\nEnforce **least privilege** on the logs bucket, retain and protect digest files (e.g., S3 Object Lock/MFA Delete), and monitor validation results to support **defense in depth**.",
|
|
33
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_log_file_validation_enabled"
|
|
28
34
|
}
|
|
29
35
|
},
|
|
30
36
|
"Categories": [
|
|
37
|
+
"logging",
|
|
31
38
|
"forensics-ready"
|
|
32
39
|
],
|
|
33
40
|
"DependsOn": [],
|
|
@@ -1,33 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_logs_s3_bucket_access_logging_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail destination S3 bucket has access logging enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "cloudtrail",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "medium",
|
|
14
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "CloudTrail trails deliver logs to an S3 bucket; this evaluates whether that bucket has **S3 server access logging** enabled to record requests against it.\n\n*If the destination bucket is outside the account or audit scope, a manual review is indicated.*",
|
|
16
|
+
"Risk": "Without access logging on the CloudTrail logs bucket, access and changes to log files lack an independent audit trail. Attackers could read, delete, or replace logs without attribution, undermining **log confidentiality** and **integrity**, and slowing **incident response**.",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html",
|
|
20
|
+
"https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html"
|
|
21
|
+
],
|
|
18
22
|
"Remediation": {
|
|
19
23
|
"Code": {
|
|
20
|
-
"CLI": "",
|
|
21
|
-
"NativeIaC": "",
|
|
22
|
-
"Other": "
|
|
23
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "aws s3api put-bucket-logging --bucket <CLOUDTRAIL_BUCKET_NAME> --bucket-logging-status \"{\\\"LoggingEnabled\\\":{\\\"TargetBucket\\\":\\\"<TARGET_BUCKET_NAME>\\\"}}\"",
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: enable S3 access logging on the CloudTrail destination bucket\nResources:\n <example_log_bucket_name>:\n Type: AWS::S3::Bucket\n\n <example_cloudtrail_bucket>:\n Type: AWS::S3::Bucket\n Properties:\n LoggingConfiguration:\n DestinationBucketName: !Ref <example_log_bucket_name> # Critical: turns on server access logging to this destination bucket\n # This enables access logging so the check passes\n```",
|
|
26
|
+
"Other": "1. In the AWS Console, go to S3 and open the bucket used by your CloudTrail trail\n2. Select the Properties tab\n3. In Server access logging, click Edit\n4. Enable logging and choose a different destination S3 bucket for the logs\n5. Click Save changes",
|
|
27
|
+
"Terraform": "```hcl\n# Enable access logging on the CloudTrail S3 bucket\nresource \"aws_s3_bucket\" \"<example_log_bucket_name>\" {\n bucket = \"<example_log_bucket_name>\"\n}\n\nresource \"aws_s3_bucket\" \"<example_bucket_name>\" {\n bucket = \"<example_bucket_name>\"\n}\n\nresource \"aws_s3_bucket_logging\" \"<example_resource_name>\" {\n bucket = aws_s3_bucket.<example_bucket_name>.id\n target_bucket = aws_s3_bucket.<example_log_bucket_name>.id # Critical: enables server access logging to the target bucket\n}\n```"
|
|
24
28
|
},
|
|
25
29
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "https://
|
|
30
|
+
"Text": "Enable **S3 server access logging** on the CloudTrail logs bucket and write logs to a separate, tightly controlled bucket. Apply **least privilege**, enable **versioning**, and consider **Object Lock** to deter tampering. Centralize monitoring to support defense-in-depth and rapid investigation.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_logs_s3_bucket_access_logging_enabled"
|
|
28
32
|
}
|
|
29
33
|
},
|
|
30
34
|
"Categories": [
|
|
35
|
+
"logging",
|
|
31
36
|
"forensics-ready"
|
|
32
37
|
],
|
|
33
38
|
"DependsOn": [],
|
|
@@ -1,37 +1,45 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_logs_s3_bucket_is_not_publicly_accessible",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail S3 bucket is not publicly accessible",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
|
9
|
+
"Effects/Data Exposure"
|
|
9
10
|
],
|
|
10
11
|
"ServiceName": "cloudtrail",
|
|
11
12
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
13
|
+
"ResourceIdTemplate": "",
|
|
13
14
|
"Severity": "critical",
|
|
14
|
-
"ResourceType": "
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"ResourceType": "AwsS3Bucket",
|
|
16
|
+
"Description": "CloudTrail log destination **S3 buckets** are inspected for ACL grants that expose data to the public `AllUsers` group.\n\nBuckets hosted in other accounts are flagged for out-of-scope review.",
|
|
17
|
+
"Risk": "Exposed CloudTrail logs erode **confidentiality** and **integrity**.\n\nAdversaries can harvest API activity to map accounts, roles, and keys, enabling **reconnaissance** and evasion. If write is allowed, logs can be **poisoned** or deleted, thwarting investigations and compromising incident timelines.",
|
|
17
18
|
"RelatedUrl": "",
|
|
19
|
+
"AdditionalURLs": [
|
|
20
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-bucket-publicly-accessible.html",
|
|
21
|
+
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
|
|
22
|
+
"https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-bucket-public-access-prohibited.html",
|
|
23
|
+
"https://docs.panther.com/alerts/alert-runbooks/built-in-policies/aws-cloudtrail-logs-s3-bucket-not-publicly-accessible"
|
|
24
|
+
],
|
|
18
25
|
"Remediation": {
|
|
19
26
|
"Code": {
|
|
20
|
-
"CLI": "",
|
|
21
|
-
"NativeIaC": "",
|
|
22
|
-
"Other": "
|
|
23
|
-
"Terraform": ""
|
|
27
|
+
"CLI": "aws s3api put-bucket-acl --bucket <example_resource_name> --acl private",
|
|
28
|
+
"NativeIaC": "```yaml\n# CloudFormation: ensure the CloudTrail S3 bucket ACL is not public\nResources:\n CloudTrailLogsBucket:\n Type: AWS::S3::Bucket\n Properties:\n BucketName: <example_resource_name>\n AccessControl: Private # CRITICAL: sets bucket ACL to private, removing any AllUsers (public) grants\n```",
|
|
29
|
+
"Other": "1. Open the AWS S3 Console\n2. Select the bucket used by CloudTrail\n3. Go to Permissions > Access control list (ACL)\n4. Click Edit under Public access, remove any grants to \"Everyone (public access)\" (uncheck Read/Write)\n5. Save changes",
|
|
30
|
+
"Terraform": "```hcl\n# Ensure the CloudTrail S3 bucket ACL is private\nresource \"aws_s3_bucket_acl\" \"fix_cloudtrail_logs_bucket\" {\n bucket = \"<example_resource_name>\"\n acl = \"private\" # CRITICAL: removes any public (AllUsers) ACL grants\n}\n```"
|
|
24
31
|
},
|
|
25
32
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "https://
|
|
33
|
+
"Text": "Apply **least privilege** to the log bucket:\n- Enable S3 `Block Public Access` (account and bucket)\n- Remove `AllUsers`/`AuthenticatedUsers` ACLs; avoid wildcard principals\n- Permit only CloudTrail and constrain with `aws:SourceArn`\n\nUse a dedicated private bucket and monitor for permission changes.",
|
|
34
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_logs_s3_bucket_is_not_publicly_accessible"
|
|
28
35
|
}
|
|
29
36
|
},
|
|
30
37
|
"Categories": [
|
|
31
|
-
"forensics-ready",
|
|
32
38
|
"internet-exposed"
|
|
33
39
|
],
|
|
34
|
-
"DependsOn": [
|
|
40
|
+
"DependsOn": [
|
|
41
|
+
"s3_bucket_public_access"
|
|
42
|
+
],
|
|
35
43
|
"RelatedTo": [],
|
|
36
44
|
"Notes": ""
|
|
37
45
|
}
|
|
@@ -1,33 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_multi_region_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Region has at least one CloudTrail trail logging",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks",
|
|
7
|
-
"Industry and Regulatory Standards",
|
|
8
|
-
"CIS AWS Foundations Benchmark"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "cloudtrail",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "high",
|
|
14
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "**AWS CloudTrail** has at least one trail with `logging` enabled in every region. A **multi-region trail** or a regional trail counts for coverage in that region.",
|
|
16
|
+
"Risk": "Missing coverage in any region creates **visibility gaps**.\n\nAttackers can use lesser-monitored regions to run API actions, hide **unauthorized changes**, and exfiltrate data without audit trails, weakening **detective controls**, hindering **forensics**, and delaying response (confidentiality and integrity).",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
|
|
20
|
+
],
|
|
18
21
|
"Remediation": {
|
|
19
22
|
"Code": {
|
|
20
|
-
"CLI": "
|
|
21
|
-
"NativeIaC": "
|
|
22
|
-
"Other": "
|
|
23
|
-
"Terraform": "
|
|
23
|
+
"CLI": "",
|
|
24
|
+
"NativeIaC": "```yaml\n# CloudFormation: Create a multi-region CloudTrail and start logging\nResources:\n <example_resource_name>:\n Type: AWS::CloudTrail::Trail\n Properties:\n TrailName: <example_resource_name>\n S3BucketName: <example_resource_name>\n IsMultiRegionTrail: true # Critical: applies the trail to all regions\n IsLogging: true # Critical: ensures the trail is logging\n```",
|
|
25
|
+
"Other": "1. In the AWS Console, go to CloudTrail > Trails\n2. If no trail exists: Click Create trail, enter a name, choose an S3 bucket, set Apply trail to all regions = Yes, then Create (logging starts)\n3. If a trail exists: Select it, click Edit, set Apply trail to all regions = Yes, Save\n4. If Status shows Not logging, click Start logging",
|
|
26
|
+
"Terraform": "```hcl\n# Terraform: Multi-region CloudTrail with logging enabled\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n s3_bucket_name = \"<example_resource_name>\"\n\n is_multi_region_trail = true # Critical: applies the trail to all regions\n enable_logging = true # Critical: ensures the trail is logging\n}\n```"
|
|
24
27
|
},
|
|
25
28
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "https://
|
|
29
|
+
"Text": "Use a **multi-region CloudTrail trail** or per-region trails so `logging` is active in every region, including unused ones.\n\nCentralize logs, enforce **least privilege** to log stores, and add **defense-in-depth** with encryption, integrity validation, and retention. Continuously monitor trail health to catch gaps.",
|
|
30
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_multi_region_enabled"
|
|
28
31
|
}
|
|
29
32
|
},
|
|
30
33
|
"Categories": [
|
|
34
|
+
"logging",
|
|
31
35
|
"forensics-ready"
|
|
32
36
|
],
|
|
33
37
|
"DependsOn": [],
|
|
@@ -1,31 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_multi_region_enabled_logging_management_events",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail logs management events for read and write operations",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
7
9
|
],
|
|
8
10
|
"ServiceName": "cloudtrail",
|
|
9
11
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
11
13
|
"Severity": "low",
|
|
12
14
|
"ResourceType": "AwsCloudTrailTrail",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "**CloudTrail trails** record **management events** (`read` and `write`) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.",
|
|
16
|
+
"Risk": "Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.\n\nAdversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining **integrity**, **confidentiality**, and incident response.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.prowler.com/checks/aws/logging-policies/logging_14#terraform",
|
|
20
|
+
"https://docs.prowler.com/checks/aws/logging-policies/logging_14"
|
|
21
|
+
],
|
|
16
22
|
"Remediation": {
|
|
17
23
|
"Code": {
|
|
18
|
-
"CLI": "
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": "
|
|
24
|
+
"CLI": "",
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: enable multi-region and log management events (read & write)\nResources:\n <example_resource_name>:\n Type: AWS::CloudTrail::Trail\n Properties:\n S3BucketName: <example_resource_name>\n IsMultiRegionTrail: true # CRITICAL: apply the trail to all regions\n EventSelectors:\n - IncludeManagementEvents: true # CRITICAL: log management events\n ReadWriteType: All # CRITICAL: log both read and write\n```",
|
|
26
|
+
"Other": "1. In the AWS Console, go to CloudTrail > Trails and select your trail\n2. Click Edit\n3. Set Apply trail to all regions to Yes\n4. Under Management events, set Read/write events to All\n5. Click Save changes\n6. If Logging is Off, click Start logging",
|
|
27
|
+
"Terraform": "```hcl\n# Terraform: enable multi-region and log management events (read & write)\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n s3_bucket_name = \"<example_resource_name>\"\n\n is_multi_region_trail = true # CRITICAL: apply the trail to all regions\n\n event_selector {\n include_management_events = true # CRITICAL: log management events\n read_write_type = \"All\" # CRITICAL: log both read & write\n }\n}\n```"
|
|
22
28
|
},
|
|
23
29
|
"Recommendation": {
|
|
24
|
-
"Text": "Enable CloudTrail
|
|
25
|
-
"Url": "https://
|
|
30
|
+
"Text": "Enable a **multi-region CloudTrail** that logs **management events** for `read` and `write` in all regions.\n\nCentralize logs in a separate, locked-down account; apply **least privilege**, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for **defense-in-depth**.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_multi_region_enabled_logging_management_events"
|
|
26
32
|
}
|
|
27
33
|
},
|
|
28
34
|
"Categories": [
|
|
35
|
+
"logging",
|
|
29
36
|
"forensics-ready"
|
|
30
37
|
],
|
|
31
38
|
"DependsOn": [],
|
|
@@ -1,31 +1,41 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "cloudtrail_s3_dataevents_read_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "CloudTrail trail records S3 object-level read events for all S3 buckets",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
|
7
8
|
],
|
|
8
9
|
"ServiceName": "cloudtrail",
|
|
9
10
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
11
12
|
"Severity": "low",
|
|
12
13
|
"ResourceType": "AwsCloudTrailTrail",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
14
|
+
"Description": "**CloudTrail trails** log **S3 object-level read data events** for all buckets, capturing object access (for example `GetObject`) via selectors targeting `AWS::S3::Object`",
|
|
15
|
+
"Risk": "Without **object-level read logging**, S3 access is opaque. Attackers or insiders can exfiltrate data via `GetObject` without audit trails, eroding **confidentiality** and hindering **forensics**, anomaly detection, and incident response.",
|
|
15
16
|
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://awswala.medium.com/enable-cloudtrail-data-events-logging-for-objects-in-an-s3-bucket-33cade51ae2b",
|
|
19
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-23",
|
|
20
|
+
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html",
|
|
21
|
+
"https://www.plerion.com/cloud-knowledge-base/ensure-object-level-logging-for-read-events-enabled-for-s3-bucket"
|
|
22
|
+
],
|
|
16
23
|
"Remediation": {
|
|
17
24
|
"Code": {
|
|
18
|
-
"CLI": "aws cloudtrail put-event-selectors --trail-name <
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
25
|
+
"CLI": "aws cloudtrail put-event-selectors --trail-name <example_resource_name> --event-selectors '[{\"ReadWriteType\":\"ReadOnly\",\"DataResources\":[{\"Type\":\"AWS::S3::Object\",\"Values\":[\"arn:aws:s3\"]}]}]'",
|
|
26
|
+
"NativeIaC": "```yaml\n# CloudFormation: enable S3 object-level READ data events for all buckets on a trail\nResources:\n <example_resource_name>:\n Type: AWS::CloudTrail::Trail\n Properties:\n S3BucketName: <example_resource_name>\n EventSelectors:\n - ReadWriteType: ReadOnly # CRITICAL: log read-only data events\n DataResources:\n - Type: AWS::S3::Object # CRITICAL: target S3 object-level events\n Values:\n - arn:aws:s3 # CRITICAL: applies to all S3 buckets/objects\n```",
|
|
27
|
+
"Other": "1. In the AWS Console, open CloudTrail and select Trails\n2. Open your trail and go to the Data events section\n3. Add data event for S3 and choose All current and future S3 buckets\n4. Select only Read events (or All if Read-only is unavailable)\n5. Save changes",
|
|
28
|
+
"Terraform": "```hcl\n# Terraform: enable S3 object-level READ data events for all buckets on a trail\nresource \"aws_cloudtrail\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n s3_bucket_name = \"<example_resource_name>\"\n\n event_selector {\n read_write_type = \"ReadOnly\" # CRITICAL: log read-only data events\n data_resource {\n type = \"AWS::S3::Object\" # CRITICAL: target S3 object-level events\n values = [\"arn:aws:s3\"] # CRITICAL: apply to all S3 buckets/objects\n }\n }\n}\n```"
|
|
22
29
|
},
|
|
23
30
|
"Recommendation": {
|
|
24
|
-
"Text": "Enable
|
|
25
|
-
"Url": "https://
|
|
31
|
+
"Text": "Enable CloudTrail **data events** for S3 objects with `ReadOnly` (or `All`) across all current and future buckets. Use a multi-Region trail, centralize logs in an encrypted bucket with lifecycle retention, and integrate monitoring/alerts to support **defense in depth** and accountable access.",
|
|
32
|
+
"Url": "https://hub.prowler.com/check/cloudtrail_s3_dataevents_read_enabled"
|
|
26
33
|
}
|
|
27
34
|
},
|
|
28
|
-
"Categories": [
|
|
35
|
+
"Categories": [
|
|
36
|
+
"logging",
|
|
37
|
+
"forensics-ready"
|
|
38
|
+
],
|
|
29
39
|
"DependsOn": [],
|
|
30
40
|
"RelatedTo": [],
|
|
31
41
|
"Notes": ""
|