prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/assets/markdown-styles.css +34 -0
- dashboard/compliance/c5_aws.py +43 -0
- dashboard/compliance/ccc_aws.py +36 -0
- dashboard/compliance/ccc_azure.py +36 -0
- dashboard/compliance/ccc_gcp.py +36 -0
- dashboard/compliance/cis_3_0_oci.py +41 -0
- dashboard/pages/overview.py +66 -16
- prowler/CHANGELOG.md +60 -0
- prowler/__main__.py +128 -14
- prowler/compliance/aws/aws_account_security_onboarding_aws.json +1 -0
- prowler/compliance/aws/aws_audit_manager_control_tower_guardrails_aws.json +1 -0
- prowler/compliance/aws/aws_foundational_security_best_practices_aws.json +2 -1
- prowler/compliance/aws/aws_foundational_technical_review_aws.json +1 -0
- prowler/compliance/aws/aws_well_architected_framework_reliability_pillar_aws.json +1 -0
- prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json +1 -0
- prowler/compliance/aws/c5_aws.json +10744 -0
- prowler/compliance/aws/ccc_aws.json +6206 -0
- prowler/compliance/aws/cis_1.4_aws.json +1 -0
- prowler/compliance/aws/cis_1.5_aws.json +1 -0
- prowler/compliance/aws/cis_2.0_aws.json +1 -0
- prowler/compliance/aws/cis_3.0_aws.json +1 -0
- prowler/compliance/aws/cis_4.0_aws.json +1 -0
- prowler/compliance/aws/cis_5.0_aws.json +1 -0
- prowler/compliance/aws/cisa_aws.json +1 -0
- prowler/compliance/aws/ens_rd2022_aws.json +1 -0
- prowler/compliance/aws/fedramp_low_revision_4_aws.json +1 -0
- prowler/compliance/aws/fedramp_moderate_revision_4_aws.json +1 -0
- prowler/compliance/aws/ffiec_aws.json +1 -0
- prowler/compliance/aws/gdpr_aws.json +1 -0
- prowler/compliance/aws/gxp_21_cfr_part_11_aws.json +1 -0
- prowler/compliance/aws/gxp_eu_annex_11_aws.json +1 -0
- prowler/compliance/aws/hipaa_aws.json +1 -0
- prowler/compliance/aws/iso27001_2013_aws.json +1 -0
- prowler/compliance/aws/iso27001_2022_aws.json +1 -0
- prowler/compliance/aws/kisa_isms_p_2023_aws.json +1 -0
- prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json +1 -0
- prowler/compliance/aws/mitre_attack_aws.json +287 -11
- prowler/compliance/aws/nis2_aws.json +1 -0
- prowler/compliance/aws/nist_800_171_revision_2_aws.json +1 -0
- prowler/compliance/aws/nist_800_53_revision_4_aws.json +1 -0
- prowler/compliance/aws/nist_800_53_revision_5_aws.json +1 -0
- prowler/compliance/aws/nist_csf_1.1_aws.json +1 -0
- prowler/compliance/aws/pci_3.2.1_aws.json +2 -1
- prowler/compliance/aws/pci_4.0_aws.json +1 -0
- prowler/compliance/aws/prowler_threatscore_aws.json +1 -0
- prowler/compliance/aws/rbi_cyber_security_framework_aws.json +1 -0
- prowler/compliance/aws/soc2_aws.json +1 -0
- prowler/compliance/azure/ccc_azure.json +6147 -0
- prowler/compliance/azure/cis_2.0_azure.json +1 -0
- prowler/compliance/azure/cis_2.1_azure.json +1 -0
- prowler/compliance/azure/cis_3.0_azure.json +1 -0
- prowler/compliance/azure/cis_4.0_azure.json +1 -0
- prowler/compliance/azure/ens_rd2022_azure.json +1 -0
- prowler/compliance/azure/iso27001_2022_azure.json +1 -0
- prowler/compliance/azure/mitre_attack_azure.json +131 -5
- prowler/compliance/azure/nis2_azure.json +1 -0
- prowler/compliance/azure/pci_4.0_azure.json +1 -0
- prowler/compliance/azure/prowler_threatscore_azure.json +1 -0
- prowler/compliance/azure/soc2_azure.json +1 -0
- prowler/compliance/gcp/ccc_gcp.json +6077 -0
- prowler/compliance/gcp/cis_2.0_gcp.json +1 -0
- prowler/compliance/gcp/cis_3.0_gcp.json +1 -0
- prowler/compliance/gcp/cis_4.0_gcp.json +1 -0
- prowler/compliance/gcp/ens_rd2022_gcp.json +1 -0
- prowler/compliance/gcp/iso27001_2022_gcp.json +1 -0
- prowler/compliance/gcp/mitre_attack_gcp.json +287 -11
- prowler/compliance/gcp/nis2_gcp.json +1 -0
- prowler/compliance/gcp/pci_4.0_gcp.json +1 -0
- prowler/compliance/gcp/prowler_threatscore_gcp.json +1 -0
- prowler/compliance/gcp/soc2_gcp.json +1 -0
- prowler/compliance/github/cis_1.0_github.json +1 -0
- prowler/compliance/kubernetes/cis_1.10_kubernetes.json +1 -0
- prowler/compliance/kubernetes/cis_1.11_kubernetes.json +1 -0
- prowler/compliance/kubernetes/cis_1.8_kubernetes.json +1 -0
- prowler/compliance/kubernetes/iso27001_2022_kubernetes.json +1 -0
- prowler/compliance/kubernetes/pci_4.0_kubernetes.json +1 -0
- prowler/compliance/llm/__init__.py +0 -0
- prowler/compliance/m365/cis_4.0_m365.json +1 -0
- prowler/compliance/m365/iso27001_2022_m365.json +1 -0
- prowler/compliance/m365/prowler_threatscore_m365.json +1 -0
- prowler/compliance/nhn/iso27001_2022_nhn.json +1 -0
- prowler/compliance/oci/__init__.py +0 -0
- prowler/compliance/oci/cis_3.0_oci.json +1141 -0
- prowler/config/config.py +5 -1
- prowler/config/llm_config.yaml +175015 -0
- prowler/config/oraclecloud_mutelist_example.yaml +61 -0
- prowler/lib/check/check.py +9 -1
- prowler/lib/check/compliance.py +1 -0
- prowler/lib/check/compliance_models.py +33 -3
- prowler/lib/check/models.py +96 -8
- prowler/lib/check/utils.py +8 -2
- prowler/lib/cli/parser.py +6 -4
- prowler/lib/outputs/compliance/aws_well_architected/aws_well_architected.py +4 -0
- prowler/lib/outputs/compliance/aws_well_architected/models.py +2 -0
- prowler/lib/outputs/compliance/c5/__init__.py +0 -0
- prowler/lib/outputs/compliance/c5/c5.py +98 -0
- prowler/lib/outputs/compliance/c5/c5_aws.py +92 -0
- prowler/lib/outputs/compliance/c5/models.py +30 -0
- prowler/lib/outputs/compliance/ccc/__init__.py +0 -0
- prowler/lib/outputs/compliance/ccc/ccc_aws.py +95 -0
- prowler/lib/outputs/compliance/ccc/ccc_azure.py +95 -0
- prowler/lib/outputs/compliance/ccc/ccc_gcp.py +95 -0
- prowler/lib/outputs/compliance/ccc/models.py +90 -0
- prowler/lib/outputs/compliance/cis/cis_aws.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_azure.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_gcp.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_github.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_kubernetes.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_m365.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_oci.py +106 -0
- prowler/lib/outputs/compliance/cis/models.py +56 -0
- prowler/lib/outputs/compliance/compliance.py +10 -0
- prowler/lib/outputs/compliance/compliance_output.py +4 -1
- prowler/lib/outputs/compliance/ens/ens_aws.py +4 -0
- prowler/lib/outputs/compliance/ens/ens_azure.py +4 -0
- prowler/lib/outputs/compliance/ens/ens_gcp.py +4 -0
- prowler/lib/outputs/compliance/ens/models.py +6 -0
- prowler/lib/outputs/compliance/generic/generic.py +4 -0
- prowler/lib/outputs/compliance/generic/models.py +2 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_aws.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_azure.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_gcp.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_kubernetes.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_m365.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_nhn.py +4 -0
- prowler/lib/outputs/compliance/iso27001/models.py +12 -0
- prowler/lib/outputs/compliance/kisa_ismsp/kisa_ismsp_aws.py +4 -0
- prowler/lib/outputs/compliance/kisa_ismsp/models.py +2 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_aws.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_azure.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_gcp.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/models.py +6 -0
- prowler/lib/outputs/compliance/prowler_threatscore/models.py +8 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore.py +46 -4
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_aws.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_azure.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_gcp.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_m365.py +4 -0
- prowler/lib/outputs/csv/csv.py +3 -0
- prowler/lib/outputs/finding.py +22 -0
- prowler/lib/outputs/html/html.py +192 -7
- prowler/lib/outputs/jira/jira.py +284 -47
- prowler/lib/outputs/ocsf/ocsf.py +1 -4
- prowler/lib/outputs/outputs.py +6 -0
- prowler/lib/outputs/summary_table.py +10 -0
- prowler/providers/aws/aws_regions_by_service.json +221 -44
- prowler/providers/aws/lib/quick_inventory/quick_inventory.py +3 -0
- prowler/providers/aws/lib/security_hub/security_hub.py +12 -2
- prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.metadata.json +27 -13
- prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.metadata.json +32 -13
- prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.metadata.json +23 -11
- prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json +24 -12
- prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.metadata.json +19 -11
- prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.metadata.json +14 -10
- prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json +17 -9
- prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.metadata.json +16 -12
- prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.metadata.json +21 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json +23 -16
- prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.metadata.json +22 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json +26 -18
- prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json +30 -19
- prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json +24 -16
- prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json +31 -18
- prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.metadata.json +20 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json +24 -18
- prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json +21 -12
- prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.metadata.json +23 -15
- prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.metadata.json +15 -12
- prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.metadata.json +17 -14
- prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.metadata.json +20 -15
- prowler/providers/aws/services/appsync/appsync_field_level_logging_enabled/appsync_field_level_logging_enabled.metadata.json +21 -12
- prowler/providers/aws/services/appsync/appsync_graphql_api_no_api_key_authentication/appsync_graphql_api_no_api_key_authentication.metadata.json +20 -13
- prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.metadata.json +24 -12
- prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.metadata.json +20 -13
- prowler/providers/aws/services/athena/athena_workgroup_logging_enabled/athena_workgroup_logging_enabled.metadata.json +21 -12
- prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json +15 -10
- prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.metadata.json +20 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.metadata.json +20 -12
- prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.metadata.json +20 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.metadata.json +26 -14
- prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.metadata.json +22 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.metadata.json +21 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.metadata.json +19 -12
- prowler/providers/aws/services/autoscaling/autoscaling_service.py +1 -1
- prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.metadata.json +26 -13
- prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json +20 -13
- prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json +18 -9
- prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json +20 -12
- prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json +21 -12
- prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.metadata.json +24 -13
- prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.metadata.json +22 -12
- prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +24 -13
- prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.metadata.json +23 -13
- prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json +22 -15
- prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.metadata.json +21 -12
- prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.metadata.json +19 -15
- prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.metadata.json +24 -13
- prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json +19 -15
- prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.metadata.json +24 -13
- prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.metadata.json +22 -12
- prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.metadata.json +19 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.metadata.json +19 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_multiple_origin_failover_configured/cloudfront_distributions_multiple_origin_failover_configured.metadata.json +21 -16
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.metadata.json +27 -14
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_access_control/cloudfront_distributions_s3_origin_access_control.metadata.json +24 -14
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.metadata.json +18 -11
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.metadata.json +20 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.metadata.json +21 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.metadata.json +16 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json +19 -15
- prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.metadata.json +19 -14
- prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.metadata.json +19 -14
- prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.metadata.json +20 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.metadata.json +18 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.metadata.json +24 -16
- prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.metadata.json +17 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.metadata.json +19 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.metadata.json +22 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.metadata.json +21 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.metadata.json +22 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.metadata.json +25 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.metadata.json +18 -10
- prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.metadata.json +20 -12
- prowler/providers/aws/services/config/config_recorder_using_aws_service_role/config_recorder_using_aws_service_role.metadata.json +20 -13
- prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.metadata.json +20 -11
- prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.metadata.json +19 -11
- prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.metadata.json +19 -10
- prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.metadata.json +20 -11
- prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.metadata.json +23 -12
- prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.metadata.json +23 -12
- prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.metadata.json +19 -13
- prowler/providers/aws/services/dms/dms_endpoint_mongodb_authentication_enabled/dms_endpoint_mongodb_authentication_enabled.metadata.json +20 -13
- prowler/providers/aws/services/dms/dms_endpoint_neptune_iam_authorization_enabled/dms_endpoint_neptune_iam_authorization_enabled.metadata.json +19 -12
- prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.metadata.json +23 -13
- prowler/providers/aws/services/dms/dms_endpoint_ssl_enabled/dms_endpoint_ssl_enabled.metadata.json +27 -19
- prowler/providers/aws/services/dms/dms_instance_minor_version_upgrade_enabled/dms_instance_minor_version_upgrade_enabled.metadata.json +22 -12
- prowler/providers/aws/services/dms/dms_instance_multi_az_enabled/dms_instance_multi_az_enabled.metadata.json +20 -13
- prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.metadata.json +22 -11
- prowler/providers/aws/services/dms/dms_replication_task_source_logging_enabled/dms_replication_task_source_logging_enabled.metadata.json +21 -13
- prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.py +39 -37
- prowler/providers/aws/services/dms/dms_service.py +0 -1
- prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.py +11 -10
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/__init__.py +0 -0
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami.metadata.json +30 -0
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami.py +52 -0
- prowler/providers/aws/services/ec2/ec2_service.py +26 -14
- prowler/providers/aws/services/efs/efs_access_point_enforce_root_directory/efs_access_point_enforce_root_directory.metadata.json +19 -13
- prowler/providers/aws/services/efs/efs_access_point_enforce_user_identity/efs_access_point_enforce_user_identity.metadata.json +23 -13
- prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.metadata.json +23 -13
- prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.metadata.json +20 -14
- prowler/providers/aws/services/efs/efs_mount_target_not_publicly_accessible/efs_mount_target_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/aws/services/efs/efs_multi_az_enabled/efs_multi_az_enabled.metadata.json +21 -13
- prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.metadata.json +17 -13
- prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py +4 -0
- prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.py +8 -2
- prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json +23 -13
- prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json +18 -14
- prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json +23 -14
- prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json +25 -13
- prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json +22 -14
- prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json +20 -12
- prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json +18 -10
- prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json +16 -10
- prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json +22 -13
- prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json +20 -12
- prowler/providers/aws/services/rds/rds_service.py +9 -2
- prowler/providers/aws/services/vpc/vpc_service.py +1 -1
- prowler/providers/azure/services/entra/entra_service.py +54 -25
- prowler/providers/common/arguments.py +16 -2
- prowler/providers/common/provider.py +34 -2
- prowler/providers/gcp/services/cloudsql/cloudsql_service.py +3 -3
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/cloudstorage_bucket_lifecycle_management_enabled.metadata.json +34 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/cloudstorage_bucket_lifecycle_management_enabled.py +48 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +10 -0
- prowler/providers/gcp/services/compute/compute_project_os_login_enabled/compute_project_os_login_enabled.py +5 -0
- prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.py +5 -0
- prowler/providers/gcp/services/iam/iam_role_kms_enforce_separation_of_duties/iam_role_kms_enforce_separation_of_duties.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py +5 -0
- prowler/providers/gcp/services/monitoring/monitoring_service.py +30 -2
- prowler/providers/iac/iac_provider.py +1 -1
- prowler/providers/llm/__init__.py +0 -0
- prowler/providers/llm/lib/__init__.py +0 -0
- prowler/providers/llm/lib/arguments/__init__.py +0 -0
- prowler/providers/llm/lib/arguments/arguments.py +13 -0
- prowler/providers/llm/llm_provider.py +518 -0
- prowler/providers/llm/models.py +27 -0
- prowler/providers/m365/exceptions/exceptions.py +0 -55
- prowler/providers/m365/lib/arguments/arguments.py +8 -4
- prowler/providers/m365/lib/powershell/m365_powershell.py +14 -156
- prowler/providers/m365/m365_provider.py +19 -117
- prowler/providers/m365/models.py +0 -3
- prowler/providers/m365/services/admincenter/admincenter_service.py +52 -23
- prowler/providers/m365/services/entra/entra_admin_users_phishing_resistant_mfa_enabled/entra_admin_users_phishing_resistant_mfa_enabled.py +19 -2
- prowler/providers/m365/services/entra/entra_service.py +58 -30
- prowler/providers/m365/services/sharepoint/sharepoint_service.py +24 -3
- prowler/providers/oraclecloud/__init__.py +0 -0
- prowler/providers/oraclecloud/config.py +61 -0
- prowler/providers/oraclecloud/exceptions/__init__.py +0 -0
- prowler/providers/oraclecloud/exceptions/exceptions.py +197 -0
- prowler/providers/oraclecloud/lib/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/arguments/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/arguments/arguments.py +123 -0
- prowler/providers/oraclecloud/lib/mutelist/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/mutelist/mutelist.py +176 -0
- prowler/providers/oraclecloud/lib/service/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/service/service.py +213 -0
- prowler/providers/oraclecloud/models.py +96 -0
- prowler/providers/oraclecloud/oci_provider.py +1038 -0
- prowler/providers/oraclecloud/services/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/analytics_client.py +6 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.py +48 -0
- prowler/providers/oraclecloud/services/analytics/analytics_service.py +99 -0
- prowler/providers/oraclecloud/services/audit/__init__.py +0 -0
- prowler/providers/oraclecloud/services/audit/audit_client.py +4 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +37 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.py +46 -0
- prowler/providers/oraclecloud/services/audit/audit_service.py +57 -0
- prowler/providers/oraclecloud/services/blockstorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +37 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.py +39 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +36 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.py +35 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_client.py +6 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_service.py +182 -0
- prowler/providers/oraclecloud/services/cloudguard/__init__.py +0 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_client.py +6 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.py +39 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_service.py +63 -0
- prowler/providers/oraclecloud/services/compute/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_client.py +4 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.py +38 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.py +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.py +39 -0
- prowler/providers/oraclecloud/services/compute/compute_service.py +136 -0
- prowler/providers/oraclecloud/services/database/__init__.py +0 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.py +40 -0
- prowler/providers/oraclecloud/services/database/database_client.py +6 -0
- prowler/providers/oraclecloud/services/database/database_service.py +79 -0
- prowler/providers/oraclecloud/services/events/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_client.py +4 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.py +53 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +36 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.py +90 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +38 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.py +63 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.py +88 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.py +69 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.py +65 -0
- prowler/providers/oraclecloud/services/events/events_service.py +215 -0
- prowler/providers/oraclecloud/services/events/lib/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/lib/helpers.py +116 -0
- prowler/providers/oraclecloud/services/filestorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_client.py +6 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +36 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.py +39 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_service.py +96 -0
- prowler/providers/oraclecloud/services/identity/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_client.py +4 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.py +107 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.py +70 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.py +51 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.py +39 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.py +67 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.py +97 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.py +77 -0
- prowler/providers/oraclecloud/services/identity/identity_service.py +828 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.py +81 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.py +81 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +37 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.py +73 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.py +52 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.py +43 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.py +38 -0
- prowler/providers/oraclecloud/services/integration/__init__.py +0 -0
- prowler/providers/oraclecloud/services/integration/integration_client.py +8 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.py +48 -0
- prowler/providers/oraclecloud/services/integration/integration_service.py +92 -0
- prowler/providers/oraclecloud/services/kms/__init__.py +0 -0
- prowler/providers/oraclecloud/services/kms/kms_client.py +4 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.py +37 -0
- prowler/providers/oraclecloud/services/kms/kms_service.py +136 -0
- prowler/providers/oraclecloud/services/logging/__init__.py +0 -0
- prowler/providers/oraclecloud/services/logging/logging_client.py +6 -0
- prowler/providers/oraclecloud/services/logging/logging_service.py +189 -0
- prowler/providers/oraclecloud/services/network/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_client.py +4 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.py +99 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.py +65 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +37 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.py +70 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.py +62 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +37 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.py +67 -0
- prowler/providers/oraclecloud/services/network/network_service.py +321 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.py +66 -0
- prowler/providers/oraclecloud/services/objectstorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.py +40 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +32 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.py +68 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.py +43 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.py +38 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_client.py +6 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_service.py +138 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/METADATA +9 -33
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/RECORD +528 -280
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/entry_points.txt +0 -0
prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.metadata.json
CHANGED
|
@@ -1,33 +1,39 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "efs_have_backup_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "EFS file system has backup enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"
|
|
7
|
-
"
|
|
8
|
-
"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Effects/Data Destruction"
|
|
9
9
|
],
|
|
10
10
|
"ServiceName": "efs",
|
|
11
11
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
13
|
"Severity": "medium",
|
|
14
14
|
"ResourceType": "AwsEfsFileSystem",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
15
|
+
"Description": "**Amazon EFS file systems** are assessed for automated backups configured via the `backup policy`. The finding highlights file systems where backups are not enabled or are being disabled.",
|
|
16
|
+
"Risk": "Absence of EFS backups degrades **availability** and **integrity**. Accidental deletion, ransomware, or misconfiguration can wipe or corrupt data with no recovery path. Without point-in-time copies, RPO/RTO suffer and localized incidents can become prolonged outages and irreversible loss.",
|
|
17
17
|
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html",
|
|
20
|
+
"https://docs.aws.amazon.com/efs/latest/ug/automatic-backups.html"
|
|
21
|
+
],
|
|
18
22
|
"Remediation": {
|
|
19
23
|
"Code": {
|
|
20
|
-
"CLI": "",
|
|
21
|
-
"NativeIaC": "",
|
|
22
|
-
"Other": "",
|
|
23
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "aws efs put-backup-policy --file-system-id <FILE_SYSTEM_ID> --backup-policy Status=ENABLED",
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: Enable automatic backups for EFS\nResources:\n <example_resource_name>:\n Type: AWS::EFS::FileSystem\n Properties:\n BackupPolicy:\n Status: ENABLED # Critical: turns on EFS automatic backups via AWS Backup\n```",
|
|
26
|
+
"Other": "1. In the AWS Console, go to Amazon EFS > File systems\n2. Select the target file system\n3. Click Edit (or Update)\n4. Set Automatic backups to Enabled\n5. Save changes",
|
|
27
|
+
"Terraform": "```hcl\n# Enable automatic backups for EFS\nresource \"aws_efs_file_system\" \"<example_resource_name>\" {\n backup_policy {\n status = \"ENABLED\" # Critical: turns on EFS automatic backups\n }\n}\n```"
|
|
24
28
|
},
|
|
25
29
|
"Recommendation": {
|
|
26
|
-
"Text": "Enable automated backup
|
|
27
|
-
"Url": "https://
|
|
30
|
+
"Text": "Enable automated EFS backups by setting the file system `backup policy` to `ENABLED` and applying defense-in-depth:\n- Schedule frequent jobs with tiered retention\n- Use immutable vaults and cross-Region copies\n- Restrict delete/restore via **least privilege** and **separation of duties**\n- Regularly test restores and document DR objectives",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/efs_have_backup_enabled"
|
|
28
32
|
}
|
|
29
33
|
},
|
|
30
|
-
"Categories": [
|
|
34
|
+
"Categories": [
|
|
35
|
+
"resilience"
|
|
36
|
+
],
|
|
31
37
|
"DependsOn": [],
|
|
32
38
|
"RelatedTo": [],
|
|
33
39
|
"Notes": ""
|
|
@@ -1,28 +1,34 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "efs_mount_target_not_publicly_accessible",
|
|
4
|
-
"CheckTitle": "EFS
|
|
4
|
+
"CheckTitle": "EFS file system has no publicly accessible mount targets",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/AWS Security Best Practices"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"TTPs/Initial Access",
|
|
8
|
+
"Effects/Data Exposure"
|
|
7
9
|
],
|
|
8
10
|
"ServiceName": "efs",
|
|
9
11
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
11
13
|
"Severity": "medium",
|
|
12
14
|
"ResourceType": "AwsEfsFileSystem",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "**EFS mount targets** associated with VPC subnets that auto-assign public IPv4 addresses (`mapPublicIpOnLaunch=true`) are identified per file system.\n\nThe evaluation focuses on the subnet attribute linked to each mount target.",
|
|
16
|
+
"Risk": "Publicly addressable mount targets expose NFS to Internet scanning and exploit attempts.\n- **Confidentiality**: unauthorized reads\n- **Integrity**: illicit writes or deletion\n- **Availability**: DDoS/resource exhaustion\n\n*Even with tight rules*, a public IP weakens isolation and eases recon.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/efs-controls.html#efs-6",
|
|
20
|
+
"https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html"
|
|
21
|
+
],
|
|
16
22
|
"Remediation": {
|
|
17
23
|
"Code": {
|
|
18
|
-
"CLI": "
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "",
|
|
25
|
+
"NativeIaC": "```yaml\n# Create an EFS mount target in a private subnet\nResources:\n <example_resource_name>:\n Type: AWS::EFS::MountTarget\n Properties:\n FileSystemId: <example_resource_id>\n SubnetId: <example_resource_id> # FIX: Use a private subnet (no route to an Internet Gateway)\n SecurityGroups:\n - <example_resource_id> # Required SG for the mount target\n```",
|
|
26
|
+
"Other": "1. Open the AWS Console > EFS > File systems > select your file system\n2. Go to Networking and click Create mount target\n3. Choose a subnet that is private (no route to an Internet Gateway) and select a security group\n4. Click Create\n5. In Networking, select any mount targets in public subnets and click Delete to remove them",
|
|
27
|
+
"Terraform": "```hcl\n# Create an EFS mount target in a private subnet\nresource \"aws_efs_mount_target\" \"<example_resource_name>\" {\n file_system_id = \"<example_resource_id>\"\n subnet_id = \"<example_resource_id>\" # FIX: Use a private subnet (no route to an Internet Gateway)\n security_groups = [\"<example_resource_id>\"]\n}\n```"
|
|
22
28
|
},
|
|
23
29
|
"Recommendation": {
|
|
24
|
-
"Text": "
|
|
25
|
-
"Url": "https://
|
|
30
|
+
"Text": "Place mount targets in **private subnets** that do not auto-assign public IPs (`mapPublicIpOnLaunch=false`). Apply **least privilege**: restrict NFS via security groups to known sources, avoid Internet routes, and use **defense in depth** with NACLs. Prefer private connectivity (VPN/Direct Connect or peering) for access.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/efs_mount_target_not_publicly_accessible"
|
|
26
32
|
}
|
|
27
33
|
},
|
|
28
34
|
"Categories": [
|
|
@@ -1,30 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "efs_multi_az_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "EFS file system is Multi-AZ with more than one mount target",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Effects/Denial of Service"
|
|
8
|
+
],
|
|
6
9
|
"ServiceName": "efs",
|
|
7
10
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
9
12
|
"Severity": "medium",
|
|
10
13
|
"ResourceType": "AwsEfsFileSystem",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
14
|
+
"Description": "**Amazon EFS** file systems are assessed for **multi-AZ resilience**: Regional type (no `availability_zone_id`) with mount targets in more than one Availability Zone. Single-AZ (One Zone) or Regional with only one mount target is identified for attention.",
|
|
15
|
+
"Risk": "Concentrating access through a single AZ or a lone mount target reduces **availability**. An AZ outage can sever client connectivity, causing downtime and I/O errors. A single mount target also forces cross-AZ traffic, increasing latency and costs and undermining **resilience** and seamless failover.",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://docs.aws.amazon.com/efs/latest/ug/creating-using-create-fs.html#availabiltydurability",
|
|
19
|
+
"https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html",
|
|
20
|
+
"https://ops.tips/gists/how-aws-efs-multiple-availability-zones-terraform/"
|
|
21
|
+
],
|
|
14
22
|
"Remediation": {
|
|
15
23
|
"Code": {
|
|
16
|
-
"CLI": "",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"Other": "",
|
|
19
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "aws efs create-mount-target --file-system-id <FILE_SYSTEM_ID> --subnet-id <SUBNET_ID>",
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: add an extra EFS mount target to another AZ\nResources:\n <example_resource_name>:\n Type: AWS::EFS::MountTarget\n Properties:\n FileSystemId: fs-<example_resource_id> # FIX: adds another mount target for this EFS\n SubnetId: subnet-<example_resource_id> # FIX: choose a subnet in a different AZ\n SecurityGroups:\n - <example_security_group_id> # Required by CFN\n```",
|
|
26
|
+
"Other": "1. In AWS Console, go to EFS > File systems > select your file system\n2. If File system type shows Regional: open the Network tab > Mount targets > Manage mount targets > Add mount target\n3. Select a subnet in a different Availability Zone and save\n4. If File system type shows One Zone: create a new EFS with File system type = Regional and create mount targets in at least two AZs; remount clients to the new file system and decommission the old one",
|
|
27
|
+
"Terraform": "```hcl\n# Add an extra EFS mount target in a different AZ/subnet\nresource \"aws_efs_mount_target\" \"<example_resource_name>\" {\n file_system_id = \"<example_resource_id>\" # FIX: target EFS\n subnet_id = \"<example_resource_id>\" # FIX: subnet in another AZ to make targets > 1\n}\n```"
|
|
20
28
|
},
|
|
21
29
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
30
|
+
"Text": "Use **Regional EFS** and create mount targets in each required **Availability Zone** to remove single points of failure and keep clients local to their AZ. Avoid One Zone for critical data. Periodically review mount target distribution to uphold **high availability** and **fault tolerance**.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/efs_multi_az_enabled"
|
|
24
32
|
}
|
|
25
33
|
},
|
|
26
34
|
"Categories": [
|
|
27
|
-
"
|
|
35
|
+
"resilience"
|
|
28
36
|
],
|
|
29
37
|
"DependsOn": [],
|
|
30
38
|
"RelatedTo": [],
|
|
@@ -1,33 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "efs_not_publicly_accessible",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "EFS file system policy does not allow access to any client within the VPC",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"
|
|
7
|
-
"Data
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Effects/Data Exposure"
|
|
8
8
|
],
|
|
9
9
|
"ServiceName": "efs",
|
|
10
10
|
"SubServiceName": "",
|
|
11
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
12
12
|
"Severity": "medium",
|
|
13
13
|
"ResourceType": "AwsEfsFileSystem",
|
|
14
|
-
"Description": "
|
|
15
|
-
"Risk": "
|
|
14
|
+
"Description": "**Amazon EFS** file system policy is assessed for **public or VPC-wide access**. Policies with broad `Principal` values or that permit any client in the VPC without the `elasticfilesystem:AccessedViaMountTarget` condition are identified.\n\n*An absent or empty policy is treated as open to VPC clients.*",
|
|
15
|
+
"Risk": "Broad EFS access lets any VPC client-or a compromised workload-mount the share, impacting CIA:\n- Confidentiality: bulk data exfiltration\n- Integrity: unauthorized writes or ransomware\n- Availability: deletion or lockout via elevated client access\nAlso facilitates lateral movement within the VPC.",
|
|
16
16
|
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html",
|
|
19
|
+
"https://support.icompaas.com/support/solutions/articles/62000233324-efs-should-not-have-policies-allowing-unrestricted-access-within-vpc"
|
|
20
|
+
],
|
|
17
21
|
"Remediation": {
|
|
18
22
|
"Code": {
|
|
19
|
-
"CLI": "",
|
|
20
|
-
"NativeIaC": "",
|
|
21
|
-
"Other": "",
|
|
22
|
-
"Terraform": ""
|
|
23
|
+
"CLI": "aws efs put-file-system-policy --file-system-id <example_resource_id> --policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"elasticfilesystem:ClientMount\",\"Condition\":{\"Bool\":{\"elasticfilesystem:AccessedViaMountTarget\":\"true\"}}}]}'",
|
|
24
|
+
"NativeIaC": "```yaml\n# CloudFormation: attach a non-public EFS file system policy\nResources:\n EFSFileSystemPolicy:\n Type: AWS::EFS::FileSystemPolicy\n Properties:\n FileSystemId: <example_resource_id>\n Policy:\n Version: \"2012-10-17\"\n Statement:\n - Effect: Allow\n Principal: \"*\"\n Action: elasticfilesystem:ClientMount\n Condition:\n Bool:\n elasticfilesystem:AccessedViaMountTarget: \"true\" # Critical: restrict access to mount targets only to avoid public access\n```",
|
|
25
|
+
"Other": "1. In the AWS Console, go to EFS > File systems and select <example_resource_id>\n2. Open the File system policy tab and click Edit\n3. Replace the policy with one that requires access via mount targets only:\n ```json\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": \"*\",\n \"Action\": \"elasticfilesystem:ClientMount\",\n \"Condition\": {\"Bool\": {\"elasticfilesystem:AccessedViaMountTarget\": \"true\"}}\n }\n ]\n }\n ```\n4. Save changes",
|
|
26
|
+
"Terraform": "```hcl\n# Attach a non-public EFS file system policy\nresource \"aws_efs_file_system_policy\" \"<example_resource_name>\" {\n file_system_id = \"<example_resource_id>\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = \"*\"\n Action = \"elasticfilesystem:ClientMount\"\n Condition = {\n Bool = {\n \"elasticfilesystem:AccessedViaMountTarget\" = \"true\" # Critical: require mount target to make policy non-public\n }\n }\n }]\n })\n}\n```"
|
|
23
27
|
},
|
|
24
28
|
"Recommendation": {
|
|
25
|
-
"Text": "
|
|
26
|
-
"Url": "https://
|
|
29
|
+
"Text": "Apply **least privilege** to EFS resource policies:\n- Avoid wildcard `Principal` or `*`\n- Require `elasticfilesystem:AccessedViaMountTarget=true`\n- Constrain with `aws:SourceVpc`, `aws:SourceAccount`, or org IDs\n- Use EFS access points per app/role\n- Enable EFS **Block Public Access** for defense in depth",
|
|
30
|
+
"Url": "https://hub.prowler.com/check/efs_not_publicly_accessible"
|
|
27
31
|
}
|
|
28
32
|
},
|
|
29
33
|
"Categories": [
|
|
30
|
-
"
|
|
34
|
+
"identity-access"
|
|
31
35
|
],
|
|
32
36
|
"DependsOn": [],
|
|
33
37
|
"RelatedTo": [],
|
|
@@ -16,6 +16,10 @@ class eks_cluster_uses_a_supported_version(Check):
|
|
|
16
16
|
for cluster in eks_client.clusters:
|
|
17
17
|
report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
|
|
18
18
|
|
|
19
|
+
# Handle case where cluster.version might be None (edge case during cluster creation/deletion)
|
|
20
|
+
if not cluster.version:
|
|
21
|
+
continue
|
|
22
|
+
|
|
19
23
|
cluster_version_major, cluster_version_minor = map(
|
|
20
24
|
int, cluster.version.split(".")
|
|
21
25
|
)
|
|
@@ -15,8 +15,14 @@ class elb_ssl_listeners_use_acm_certificate(Check):
|
|
|
15
15
|
if (
|
|
16
16
|
listener.certificate_arn
|
|
17
17
|
and listener.protocol in secure_protocols
|
|
18
|
-
and
|
|
19
|
-
|
|
18
|
+
and (
|
|
19
|
+
listener.certificate_arn not in acm_client.certificates
|
|
20
|
+
or (
|
|
21
|
+
acm_client.certificates.get(listener.certificate_arn)
|
|
22
|
+
and acm_client.certificates[listener.certificate_arn].type
|
|
23
|
+
!= "AMAZON_ISSUED"
|
|
24
|
+
)
|
|
25
|
+
)
|
|
20
26
|
):
|
|
21
27
|
report.status = "FAIL"
|
|
22
28
|
report.status_extended = f"ELB {lb.name} has HTTPS/SSL listeners that are using certificates not managed by ACM."
|
|
@@ -1,29 +1,39 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "neptune_cluster_backup_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "Neptune cluster has automated backups enabled with retention period equal to or greater than the configured minimum",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
|
7
|
+
],
|
|
6
8
|
"ServiceName": "neptune",
|
|
7
9
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
10
|
+
"ResourceIdTemplate": "",
|
|
9
11
|
"Severity": "medium",
|
|
10
12
|
"ResourceType": "AwsRdsDbCluster",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
13
|
+
"Description": "Neptune DB cluster automated backup is enabled and retention days are more than the required minimum retention period (default to `7` days).",
|
|
14
|
+
"Risk": "**Insufficient backup retention** reduces the ability to recover from data corruption, accidental deletion, or ransomware, impacting **availability** and **integrity**.\n\n- Prevents point-in-time recovery to required dates\n- Increases downtime, irreversible data loss, and compliance violations",
|
|
15
|
+
"RelatedUrl": "",
|
|
16
|
+
"AdditionalURLs": [
|
|
17
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5",
|
|
18
|
+
"https://trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html",
|
|
19
|
+
"https://support.icompaas.com/support/solutions/articles/62000233327-check-for-neptune-clusters-backup-retention-period",
|
|
20
|
+
"https://asecure.cloud/a/p_configrule_neptune_cluster_backup_retention_check/"
|
|
21
|
+
],
|
|
14
22
|
"Remediation": {
|
|
15
23
|
"Code": {
|
|
16
|
-
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7",
|
|
17
|
-
"NativeIaC": "
|
|
18
|
-
"
|
|
19
|
-
"
|
|
24
|
+
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7 --apply-immediately",
|
|
25
|
+
"NativeIaC": "```yaml\nParameters:\n DBClusterId:\n Type: String\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: !Ref DBClusterId\n BackupRetentionPeriod: 7 # Enable automated backups with 7-day retention minimum\n```",
|
|
26
|
+
"Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = var.cluster_id\n backup_retention_period = 7 # Enable automated backups with 7-day retention minimum\n}\n```",
|
|
27
|
+
"Other": "1. Sign in to the AWS Management Console\n2. Services → Amazon Neptune → Databases\n3. Select the DB cluster and click Modify\n4. In Backup retention period set the value to 7 (or higher)\n5. Choose Apply immediately and click Modify cluster"
|
|
20
28
|
},
|
|
21
29
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
30
|
+
"Text": "Ensure automated backups are enabled and retention aligns with your **RPO/RTO** and regulatory requirements (at least `7` days).\n\n- Define backup lifecycle and storage retention policies\n- Regularly test restore procedures and monitor backup health\n- Incorporate backups into Disaster Recovery and retention governance",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/neptune_cluster_backup_enabled"
|
|
24
32
|
}
|
|
25
33
|
},
|
|
26
|
-
"Categories": [
|
|
34
|
+
"Categories": [
|
|
35
|
+
"resilience"
|
|
36
|
+
],
|
|
27
37
|
"DependsOn": [],
|
|
28
38
|
"RelatedTo": [],
|
|
29
39
|
"Notes": ""
|
|
@@ -1,33 +1,37 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "neptune_cluster_copy_tags_to_snapshots",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Neptune DB cluster is configured to copy tags to snapshots.",
|
|
5
5
|
"CheckType": [
|
|
6
6
|
"Software and Configuration Checks/AWS Security Best Practices"
|
|
7
7
|
],
|
|
8
8
|
"ServiceName": "neptune",
|
|
9
9
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
10
|
+
"ResourceIdTemplate": "",
|
|
11
11
|
"Severity": "low",
|
|
12
12
|
"ResourceType": "AwsRdsDbCluster",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
13
|
+
"Description": "Neptune DB cluster is configured to copy all tags to snapshots when snapshots are created.",
|
|
14
|
+
"Risk": "**Missing snapshot tags** weakens governance across confidentiality, integrity, and availability.\n\n- **Access control**: Tag-based IAM conditions may not apply to snapshots, enabling unauthorized restore or copy\n- **Operational**: Recovery, retention, and cost tracking can fail due to unidentifiable or orphaned snapshots",
|
|
15
|
+
"RelatedUrl": "",
|
|
16
|
+
"AdditionalURLs": [
|
|
17
|
+
"https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview",
|
|
18
|
+
"https://www.cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_copy_tags_to_snapshot_enabled",
|
|
19
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-8",
|
|
20
|
+
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60"
|
|
21
|
+
],
|
|
16
22
|
"Remediation": {
|
|
17
23
|
"Code": {
|
|
18
|
-
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"
|
|
21
|
-
"
|
|
24
|
+
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --copy-tags-to-snapshot --apply-immediately",
|
|
25
|
+
"NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::RDS::DBCluster\n Properties:\n DBClusterIdentifier: <DB_CLUSTER_ID>\n EngineVersion: neptune\n CopyTagsToSnapshot: true # Inherit tags for snapshot governance and access control\n```",
|
|
26
|
+
"Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"<DB_CLUSTER_ID>\"\n copy_tags_to_snapshot = true # Inherit tags for snapshot governance and access control\n}\n```",
|
|
27
|
+
"Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Click Clusters and select the cluster\n3. Click Modify\n4. In Backup, enable \"Copy tags to snapshots\"\n5. Check \"Apply immediately\"\n6. Click Modify Cluster"
|
|
22
28
|
},
|
|
23
29
|
"Recommendation": {
|
|
24
|
-
"Text": "
|
|
25
|
-
"Url": "https://
|
|
30
|
+
"Text": "Preserve metadata by enabling tag inheritance for snapshots and enforcing a consistent tagging strategy.\n\n- Adopt a standardized tag taxonomy\n- Use tag-based access controls and apply least privilege\n- Automate tagging and policy checks in provisioning to prevent untagged snapshots",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/neptune_cluster_copy_tags_to_snapshots"
|
|
26
32
|
}
|
|
27
33
|
},
|
|
28
|
-
"Categories": [
|
|
29
|
-
"trustboundaries"
|
|
30
|
-
],
|
|
34
|
+
"Categories": [],
|
|
31
35
|
"DependsOn": [],
|
|
32
36
|
"RelatedTo": [],
|
|
33
37
|
"Notes": ""
|
|
@@ -1,29 +1,38 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "neptune_cluster_deletion_protection",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "Neptune cluster has deletion protection enabled",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Effects/Data Destruction"
|
|
9
|
+
],
|
|
6
10
|
"ServiceName": "neptune",
|
|
7
11
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
9
13
|
"Severity": "medium",
|
|
10
|
-
"ResourceType": "
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
14
|
+
"ResourceType": "Other",
|
|
15
|
+
"Description": "Neptune DB cluster has **deletion protection** enabled.",
|
|
16
|
+
"Risk": "Absence of **deletion protection** weakens **availability** and **integrity**: clusters can be removed by accidental admin actions, rogue automation, or compromised credentials.\n\nCluster deletion causes immediate service outage, potential permanent data loss, and extended recovery time if backups or restores are insufficient.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4"
|
|
20
|
+
],
|
|
14
21
|
"Remediation": {
|
|
15
22
|
"Code": {
|
|
16
|
-
"CLI": "",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"
|
|
19
|
-
"
|
|
23
|
+
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_IDENTIFIER> --deletion-protection --apply-immediately",
|
|
24
|
+
"NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: <CLUSTER_ID>\n DeletionProtection: true # Prevent accidental or malicious cluster deletion\n```",
|
|
25
|
+
"Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"<CLUSTER_ID>\"\n deletion_protection = true # Prevent accidental or malicious cluster deletion\n}\n```",
|
|
26
|
+
"Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In the navigation pane, choose Databases\n3. Select the DB cluster and choose Modify\n4. Enable Deletion protection\n5. Choose Apply immediately (if shown) and then Modify DB cluster"
|
|
20
27
|
},
|
|
21
28
|
"Recommendation": {
|
|
22
|
-
"Text": "Enable deletion protection for production Neptune
|
|
23
|
-
"Url": "https://
|
|
29
|
+
"Text": "Enable **deletion protection** for production Neptune clusters and apply the principles of **least privilege** and **separation of duties** for delete operations.\n\nEnforce change-control approvals, restrict delete permissions to audited roles, and limit automated workflows that can perform destructive actions to prevent accidental or malicious deletions.",
|
|
30
|
+
"Url": "https://hub.prowler.com/check/neptune_cluster_deletion_protection"
|
|
24
31
|
}
|
|
25
32
|
},
|
|
26
|
-
"Categories": [
|
|
33
|
+
"Categories": [
|
|
34
|
+
"resilience"
|
|
35
|
+
],
|
|
27
36
|
"DependsOn": [],
|
|
28
37
|
"RelatedTo": [],
|
|
29
38
|
"Notes": ""
|
|
@@ -1,29 +1,41 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "neptune_cluster_iam_authentication_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "Neptune cluster has IAM authentication enabled",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"TTPs/Credential Access"
|
|
9
|
+
],
|
|
6
10
|
"ServiceName": "neptune",
|
|
7
11
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
9
13
|
"Severity": "medium",
|
|
10
14
|
"ResourceType": "AwsRdsDbCluster",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "Neptune DB clusters are evaluated for **IAM database authentication**. \n\nIf this setting is enabled, the cluster supports IAM-based authentication.\nIf disabled, the cluster requires traditional database credentials instead.",
|
|
16
|
+
"Risk": "**Disabled IAM database authentication** weakens confidentiality and integrity of the database.\n\n- Static or embedded DB credentials can be stolen or reused, enabling unauthorized queries and data exfiltration\n- Attackers may bypass centralized access controls, escalate privileges, and move laterally without IAM-based audit trails",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7",
|
|
20
|
+
"https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-iam-database-authentication.html",
|
|
21
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#",
|
|
22
|
+
"https://hub.steampipe.io/plugins/turbot/terraform/queries/neptune/neptune_cluster_iam_authentication_enabled"
|
|
23
|
+
],
|
|
14
24
|
"Remediation": {
|
|
15
25
|
"Code": {
|
|
16
|
-
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --enable-iam-database-authentication",
|
|
17
|
-
"NativeIaC": "
|
|
18
|
-
"
|
|
19
|
-
"
|
|
26
|
+
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --enable-iam-database-authentication --apply-immediately",
|
|
27
|
+
"NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: <DB_CLUSTER_ID>\n IamAuthEnabled: true # Enable IAM authentication instead of static DB credentials\n```",
|
|
28
|
+
"Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"<DB_CLUSTER_ID>\"\n iam_database_authentication_enabled = true # Enable IAM authentication instead of static DB credentials\n}\n```",
|
|
29
|
+
"Other": "1. Sign in to the AWS Management Console and open Amazon Neptune > Databases\n2. Select the DB cluster and choose **Actions** > **Modify**\n3. In **Authentication**, enable **IAM DB authentication** and check **Apply immediately**\n4. Click **Continue** then **Modify DB cluster**"
|
|
20
30
|
},
|
|
21
31
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
32
|
+
"Text": "Adopt **IAM database authentication** and centralized identity management to remove static DB credentials and improve auditability.\n\n- Enforce **least privilege** for database roles\n- Use short-lived credentials, centralized rotation and logging\n- Apply defense-in-depth and integrate DB access with IAM for accountability",
|
|
33
|
+
"Url": "https://hub.prowler.com/check/neptune_cluster_iam_authentication_enabled"
|
|
24
34
|
}
|
|
25
35
|
},
|
|
26
|
-
"Categories": [
|
|
36
|
+
"Categories": [
|
|
37
|
+
"identity-access"
|
|
38
|
+
],
|
|
27
39
|
"DependsOn": [],
|
|
28
40
|
"RelatedTo": [],
|
|
29
41
|
"Notes": ""
|
|
@@ -1,32 +1,40 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "neptune_cluster_integration_cloudwatch_logs",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Neptune cluster has CloudWatch audit logs enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
|
7
8
|
],
|
|
8
9
|
"ServiceName": "neptune",
|
|
9
10
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
11
12
|
"Severity": "medium",
|
|
12
|
-
"ResourceType": "
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
13
|
+
"ResourceType": "Other",
|
|
14
|
+
"Description": "Neptune DB cluster is inspected for CloudWatch export of **audit** events. The finding indicates whether the cluster publishes `audit` logs to CloudWatch; a failed status in the report means the `audit` export is not enabled and audit records are not being forwarded to CloudWatch for centralized logging and review.",
|
|
15
|
+
"Risk": "Missing **audit logs** reduces **detectability** and **accountability**: \n\n- Investigators cannot reconstruct queries, client origins, or timeline\n- Unauthorized queries, data exfiltration, or privilege misuse may go undetected\n\nThis degrades confidentiality and integrity and slows incident response.",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html",
|
|
19
|
+
"https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html",
|
|
20
|
+
"https://cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_cloudwatch_log_export_enabled_remediation",
|
|
21
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-2"
|
|
22
|
+
],
|
|
16
23
|
"Remediation": {
|
|
17
24
|
"Code": {
|
|
18
|
-
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"
|
|
21
|
-
"
|
|
25
|
+
"CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_IDENTIFIER> --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\"]}'",
|
|
26
|
+
"NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \"<DB_CLUSTER_IDENTIFIER>\"\n EnableCloudwatchLogsExports:\n - audit # Export audit logs to CloudWatch for monitoring and forensics\n```",
|
|
27
|
+
"Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"<db_cluster_identifier>\"\n enabled_cloudwatch_logs_exports = [\"audit\"] # Export audit logs to CloudWatch for monitoring and forensics\n}\n```",
|
|
28
|
+
"Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Go to Databases and select the Neptune DB cluster\n3. Actions > Modify\n4. In Log exports, check \"Audit\"\n5. Continue > Modify DB Cluster"
|
|
22
29
|
},
|
|
23
30
|
"Recommendation": {
|
|
24
|
-
"Text": "Enable audit
|
|
25
|
-
"Url": "https://
|
|
31
|
+
"Text": "Enable and centralize **audit logging** for Neptune by exporting `audit` events to CloudWatch Logs and integrating with monitoring or SIEM.\n\n- Enforce **least privilege** on log access\n- Configure retention, encryption, and alerting for anomalous queries\n\nThis supports proactive detection and forensic readiness.",
|
|
32
|
+
"Url": "https://hub.prowler.com/check/neptune_cluster_integration_cloudwatch_logs"
|
|
26
33
|
}
|
|
27
34
|
},
|
|
28
35
|
"Categories": [
|
|
29
|
-
"logging"
|
|
36
|
+
"logging",
|
|
37
|
+
"forensics-ready"
|
|
30
38
|
],
|
|
31
39
|
"DependsOn": [],
|
|
32
40
|
"RelatedTo": [],
|