prowler-cloud 5.13.1__py3-none-any.whl → 5.14.0__py3-none-any.whl
- dashboard/__main__.py +2 -1
- dashboard/compliance/c5_azure.py +43 -0
- dashboard/compliance/fedramp_20x_ksi_low_aws.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_azure.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_gcp.py +46 -0
- dashboard/compliance/hipaa_gcp.py +25 -0
- dashboard/compliance/nist_csf_2_0_aws.py +24 -0
- dashboard/compliance/prowler_threatscore_kubernetes.py +28 -0
- prowler/AGENTS.md +366 -0
- prowler/CHANGELOG.md +85 -2
- prowler/__main__.py +54 -7
- prowler/compliance/aws/ens_rd2022_aws.json +1 -1
- prowler/compliance/aws/fedramp_20x_ksi_low_aws.json +347 -0
- prowler/compliance/aws/nis2_aws.json +1 -1
- prowler/compliance/aws/nist_csf_2.0_aws.json +1781 -0
- prowler/compliance/azure/c5_azure.json +9471 -0
- prowler/compliance/azure/ens_rd2022_azure.json +1 -1
- prowler/compliance/azure/fedramp_20x_ksi_low_azure.json +358 -0
- prowler/compliance/azure/nis2_azure.json +1 -1
- prowler/compliance/gcp/c5_gcp.json +9401 -0
- prowler/compliance/gcp/ens_rd2022_gcp.json +1 -1
- prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json +293 -0
- prowler/compliance/gcp/hipaa_gcp.json +415 -0
- prowler/compliance/gcp/nis2_gcp.json +1 -1
- prowler/compliance/github/cis_1.0_github.json +6 -2
- prowler/compliance/kubernetes/prowler_threatscore_kubernetes.json +1269 -0
- prowler/compliance/m365/prowler_threatscore_m365.json +6 -6
- prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json} +1 -1
- prowler/config/config.py +59 -5
- prowler/config/config.yaml +3 -0
- prowler/lib/check/check.py +1 -9
- prowler/lib/check/checks_loader.py +65 -1
- prowler/lib/check/models.py +12 -2
- prowler/lib/check/utils.py +1 -7
- prowler/lib/cli/parser.py +17 -7
- prowler/lib/mutelist/mutelist.py +15 -7
- prowler/lib/outputs/compliance/c5/c5_azure.py +92 -0
- prowler/lib/outputs/compliance/c5/c5_gcp.py +92 -0
- prowler/lib/outputs/compliance/c5/models.py +54 -0
- prowler/lib/outputs/compliance/cis/{cis_oci.py → cis_oraclecloud.py} +7 -7
- prowler/lib/outputs/compliance/cis/models.py +3 -3
- prowler/lib/outputs/compliance/prowler_threatscore/models.py +29 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_kubernetes.py +98 -0
- prowler/lib/outputs/finding.py +16 -5
- prowler/lib/outputs/html/html.py +10 -8
- prowler/lib/outputs/outputs.py +1 -1
- prowler/lib/outputs/summary_table.py +1 -1
- prowler/lib/powershell/powershell.py +12 -11
- prowler/lib/scan/scan.py +105 -24
- prowler/lib/utils/utils.py +1 -1
- prowler/providers/aws/aws_regions_by_service.json +73 -15
- prowler/providers/aws/lib/quick_inventory/quick_inventory.py +1 -1
- prowler/providers/aws/lib/security_hub/security_hub.py +1 -1
- prowler/providers/aws/services/account/account_service.py +1 -1
- prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +1 -3
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +24 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +17 -11
- prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.metadata.json +22 -17
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json +27 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +25 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.metadata.json +17 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +27 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +26 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +25 -12
- prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json +20 -11
- prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +28 -12
- prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json +15 -10
- prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json +19 -11
- prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json +21 -12
- prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json +19 -12
- prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json +24 -13
- prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json +35 -13
- prowler/providers/aws/services/codepipeline/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_client.py +6 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json +30 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py +95 -0
- prowler/providers/aws/services/codepipeline/codepipeline_service.py +164 -0
- prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json +23 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json +19 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json +20 -10
- prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json +26 -13
- prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json +20 -10
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json +18 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json +16 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json +20 -12
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +17 -10
- prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json +19 -12
- prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json +16 -11
- prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json +22 -13
- prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json +19 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json +21 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json +22 -12
- prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.metadata.json +20 -12
- prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.metadata.json +21 -11
- prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.metadata.json +20 -11
- prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.metadata.json +20 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.metadata.json +21 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.metadata.json +26 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.metadata.json +19 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json +16 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.metadata.json +21 -14
- prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_deletion_protection_enabled/eks_cluster_deletion_protection_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.metadata.json +20 -14
- prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.metadata.json +22 -13
- prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json +21 -12
- prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json +20 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.metadata.json +22 -14
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.metadata.json +20 -11
- prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json +17 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json +17 -11
- prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.metadata.json +22 -13
- prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.metadata.json +24 -13
- prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.metadata.json +20 -10
- prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.metadata.json +20 -12
- prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json +19 -12
- prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.metadata.json +19 -11
- prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.metadata.json +21 -13
- prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.metadata.json +19 -11
- prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.metadata.json +21 -12
- prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json +17 -10
- prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.metadata.json +22 -13
- prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.metadata.json +16 -11
- prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.metadata.json +21 -13
- prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.metadata.json +24 -11
- prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.metadata.json +18 -11
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +26 -13
- prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json +21 -11
- prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json +24 -13
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +26 -14
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.metadata.json +26 -15
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +15 -16
- prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json +23 -11
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json +19 -12
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json +17 -12
- prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json +22 -13
- prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json +21 -12
- prowler/providers/aws/services/iam/lib/policy.py +24 -16
- prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json +21 -13
- prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json +22 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +7 -2
- prowler/providers/azure/services/defender/defender_service.py +4 -2
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/__init__.py +0 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +36 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py +43 -0
- prowler/providers/azure/services/postgresql/postgresql_service.py +66 -9
- prowler/providers/azure/services/storage/storage_service.py +13 -4
- prowler/providers/azure/services/vm/vm_service.py +4 -7
- prowler/providers/common/arguments.py +19 -16
- prowler/providers/common/provider.py +2 -18
- prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json +16 -15
- prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +30 -4
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py +61 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json +12 -9
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py +10 -3
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py +40 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py +31 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json +35 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py +55 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py +30 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +48 -2
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json +35 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py +36 -0
- prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json +14 -8
- prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json +30 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py +106 -0
- prowler/providers/github/services/organization/organization_service.py +84 -10
- prowler/providers/iac/iac_provider.py +279 -55
- prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json +16 -12
- prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json +16 -10
- prowler/providers/m365/lib/powershell/m365_powershell.py +80 -93
- prowler/providers/m365/m365_provider.py +1 -6
- prowler/providers/mongodbatlas/exceptions/exceptions.py +16 -0
- prowler/providers/mongodbatlas/mongodbatlas_provider.py +15 -3
- prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json +20 -9
- prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json +14 -9
- prowler/providers/oraclecloud/lib/arguments/arguments.py +4 -13
- prowler/providers/oraclecloud/lib/service/service.py +3 -3
- prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py} +15 -15
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +20 -16
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +17 -17
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +17 -19
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +18 -18
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +17 -18
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +1 -1
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +1 -1
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.0.dist-info}/METADATA +17 -16
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.0.dist-info}/RECORD +295 -246
- /prowler/compliance/{oci → oraclecloud}/__init__.py +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.0.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.0.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.0.dist-info}/entry_points.txt +0 -0
prowler/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,83 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to the **Prowler SDK** are documented in this file.
|
|
4
4
|
|
|
5
|
+
## [v5.14.0] (Prowler v5.14.0)
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
- GitHub provider check `organization_default_repository_permission_strict` [(#8785)](https://github.com/prowler-cloud/prowler/pull/8785)
|
|
9
|
+
- Add OCI mapping to scan and check classes [(#8927)](https://github.com/prowler-cloud/prowler/pull/8927)
|
|
10
|
+
- `codepipeline_project_repo_private` check for AWS provider [(#5915)](https://github.com/prowler-cloud/prowler/pull/5915)
|
|
11
|
+
- `cloudstorage_bucket_versioning_enabled` check for GCP provider [(#9014)](https://github.com/prowler-cloud/prowler/pull/9014)
|
|
12
|
+
- `cloudstorage_bucket_soft_delete_enabled` check for GCP provider [(#9028)](https://github.com/prowler-cloud/prowler/pull/9028)
|
|
13
|
+
- `cloudstorage_bucket_logging_enabled` check for GCP provider [(#9091)](https://github.com/prowler-cloud/prowler/pull/9091)
|
|
14
|
+
- `cloudstorage_audit_logs_enabled` check for GCP provider [(#9220)](https://github.com/prowler-cloud/prowler/pull/9220)
|
|
15
|
+
- `cloudstorage_bucket_sufficient_retention_period` check for GCP provider [(#9149)](https://github.com/prowler-cloud/prowler/pull/9149)
|
|
16
|
+
- C5 compliance framework for Azure provider [(#9081)](https://github.com/prowler-cloud/prowler/pull/9081)
|
|
17
|
+
- C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
|
|
18
|
+
- `organization_repository_creation_limited` check for GitHub provider [(#8844)](https://github.com/prowler-cloud/prowler/pull/8844)
|
|
19
|
+
- HIPAA compliance framework for the GCP provider [(#8955)](https://github.com/prowler-cloud/prowler/pull/8955)
|
|
20
|
+
- Support PDF reporting for ENS compliance framework [(#9158)](https://github.com/prowler-cloud/prowler/pull/9158)
|
|
21
|
+
- PDF reporting for NIS2 compliance framework [(#9170)](https://github.com/prowler-cloud/prowler/pull/9170)
|
|
22
|
+
- Add organization ID parameter for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167)
|
|
23
|
+
- Add multiple compliance improvements [(#9145)](https://github.com/prowler-cloud/prowler/pull/9145)
|
|
24
|
+
- Added validation for invalid checks, services, and categories in `load_checks_to_execute` function [(#8971)](https://github.com/prowler-cloud/prowler/pull/8971)
|
|
25
|
+
- NIST CSF 2.0 compliance framework for the AWS provider [(#9185)](https://github.com/prowler-cloud/prowler/pull/9185)
|
|
26
|
+
- Add FedRAMP 20x KSI Low for AWS, Azure and GCP [(#9198)](https://github.com/prowler-cloud/prowler/pull/9198)
|
|
27
|
+
- Add verification for provider ID in MongoDB Atlas provider [(#9211)](https://github.com/prowler-cloud/prowler/pull/9211)
|
|
28
|
+
- Add Prowler ThreatScore for the K8S provider [(#9235)](https://github.com/prowler-cloud/prowler/pull/9235)
|
|
29
|
+
- Add `postgresql_flexible_server_entra_id_authentication_enabled` check for Azure provider [(#8764)](https://github.com/prowler-cloud/prowler/pull/8764)
|
|
30
|
+
- Add branch name to IaC provider region [(#9296)](https://github.com/prowler-cloud/prowler/pull/9295)
|
|
31
|
+
|
|
32
|
+
### Changed
|
|
33
|
+
- Update AWS Direct Connect service metadata to new format [(#8855)](https://github.com/prowler-cloud/prowler/pull/8855)
|
|
34
|
+
- Update AWS DRS service metadata to new format [(#8870)](https://github.com/prowler-cloud/prowler/pull/8870)
|
|
35
|
+
- Update AWS DynamoDB service metadata to new format [(#8871)](https://github.com/prowler-cloud/prowler/pull/8871)
|
|
36
|
+
- Update AWS CloudWatch service metadata to new format [(#8848)](https://github.com/prowler-cloud/prowler/pull/8848)
|
|
37
|
+
- Update AWS EMR service metadata to new format [(#9002)](https://github.com/prowler-cloud/prowler/pull/9002)
|
|
38
|
+
- Update AWS EKS service metadata to new format [(#8890)](https://github.com/prowler-cloud/prowler/pull/8890)
|
|
39
|
+
- Update AWS Elastic Beanstalk service metadata to new format [(#8934)](https://github.com/prowler-cloud/prowler/pull/8934)
|
|
40
|
+
- Update AWS ElastiCache service metadata to new format [(#8933)](https://github.com/prowler-cloud/prowler/pull/8933)
|
|
41
|
+
- Update Kubernetes etcd service metadata to new format [(#9096)](https://github.com/prowler-cloud/prowler/pull/9096)
|
|
42
|
+
- Update MongoDB Atlas projects service metadata to new format [(#9093)](https://github.com/prowler-cloud/prowler/pull/9093)
|
|
43
|
+
- Update GitHub Organization service metadata to new format [(#9094)](https://github.com/prowler-cloud/prowler/pull/9094)
|
|
44
|
+
- Update AWS CodeBuild service metadata to new format [(#8851)](https://github.com/prowler-cloud/prowler/pull/8851)
|
|
45
|
+
- Update GCP Artifact Registry service metadata to new format [(#9088)](https://github.com/prowler-cloud/prowler/pull/9088)
|
|
46
|
+
- Update AWS EFS service metadata to new format [(#8889)](https://github.com/prowler-cloud/prowler/pull/8889)
|
|
47
|
+
- Update AWS EventBridge service metadata to new format [(#9003)](https://github.com/prowler-cloud/prowler/pull/9003)
|
|
48
|
+
- Update AWS Firehose service metadata to new format [(#9004)](https://github.com/prowler-cloud/prowler/pull/9004)
|
|
49
|
+
- Update AWS FMS service metadata to new format [(#9005)](https://github.com/prowler-cloud/prowler/pull/9005)
|
|
50
|
+
- Update AWS FSx service metadata to new format [(#9006)](https://github.com/prowler-cloud/prowler/pull/9006)
|
|
51
|
+
- Update AWS Glacier service metadata to new format [(#9007)](https://github.com/prowler-cloud/prowler/pull/9007)
|
|
52
|
+
- Update oraclecloud analytics service metadata to new format [(#9114)](https://github.com/prowler-cloud/prowler/pull/9114)
|
|
53
|
+
- Update AWS ELB service metadata to new format [(#8935)](https://github.com/prowler-cloud/prowler/pull/8935)
|
|
54
|
+
- Update AWS CodeArtifact service metadata to new format [(#8850)](https://github.com/prowler-cloud/prowler/pull/8850)
|
|
55
|
+
- Rename OCI provider to oraclecloud with oci alias [(#9126)](https://github.com/prowler-cloud/prowler/pull/9126)
|
|
56
|
+
- Remove unnecessary tests for M365_PowerShell module [(#9204)](https://github.com/prowler-cloud/prowler/pull/9204)
|
|
57
|
+
- Update AWS ELB v2 service metadata to new format [(#9001)](https://github.com/prowler-cloud/prowler/pull/9001)
|
|
58
|
+
- Update oraclecloud cloudguard service metadata to new format [(#9223)](https://github.com/prowler-cloud/prowler/pull/9223)
|
|
59
|
+
- Update oraclecloud blockstorage service metadata to new format [(#9222)](https://github.com/prowler-cloud/prowler/pull/9222)
|
|
60
|
+
- Update oraclecloud audit service metadata to new format [(#9221)](https://github.com/prowler-cloud/prowler/pull/9221)
|
|
61
|
+
- Raise ASFF output error for non-AWS providers [(#9225)](https://github.com/prowler-cloud/prowler/pull/9225)
|
|
62
|
+
- Update AWS ECR service metadata to new format [(#8872)](https://github.com/prowler-cloud/prowler/pull/8872)
|
|
63
|
+
- Update AWS ECS service metadata to new format [(#8888)](https://github.com/prowler-cloud/prowler/pull/8888)
|
|
64
|
+
- Update AWS Kinesis service metadata to new format [(#9262)](https://github.com/prowler-cloud/prowler/pull/9262)
|
|
65
|
+
- Update AWS DocumentDB service metadata to new format [(#8862)](https://github.com/prowler-cloud/prowler/pull/8862)
|
|
66
|
+
|
|
67
|
+
### Fixed
|
|
68
|
+
- Check `check_name` has no `resource_name` error for GCP provider [(#9169)](https://github.com/prowler-cloud/prowler/pull/9169)
|
|
69
|
+
- Depth Truncation and parsing error in PowerShell queries [(#9181)](https://github.com/prowler-cloud/prowler/pull/9181)
|
|
70
|
+
- False negative in `iam_role_cross_service_confused_deputy_prevention` check [(#9213)](https://github.com/prowler-cloud/prowler/pull/9213)
|
|
71
|
+
- Fix M365 Teams `--sp-env-auth` connection error and enhanced timeout logging [(#9191)](https://github.com/prowler-cloud/prowler/pull/9191)
|
|
72
|
+
- Rename `get_oci_assessment_summary` to `get_oraclecloud_assessment_summary` in HTML output [(#9200)](https://github.com/prowler-cloud/prowler/pull/9200)
|
|
73
|
+
- Fix Validation and other errors in Azure provider [(#8915)](https://github.com/prowler-cloud/prowler/pull/8915)
|
|
74
|
+
- Update documentation URLs from docs.prowler.cloud to docs.prowler.com [(#9240)](https://github.com/prowler-cloud/prowler/pull/9240)
|
|
75
|
+
- Refresh output report timestamps for each scan [(#9272)](https://github.com/prowler-cloud/prowler/pull/9272)
|
|
76
|
+
- Fix file name parsing for checks on Windows [(#9268)](https://github.com/prowler-cloud/prowler/pull/9268)
|
|
77
|
+
- Remove typo for Prowler ThreatScore - M365 [(#9274)](https://github.com/prowler-cloud/prowler/pull/9274)
|
|
78
|
+
- Point HTML logo to the one present in the Github repository [(#9282)](https://github.com/prowler-cloud/prowler/pull/9282)
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
5
82
|
## [v5.13.1] (Prowler v5.13.1)
|
|
6
83
|
|
|
7
84
|
### Fixed
|
|
@@ -9,6 +86,12 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
|
|
9
86
|
- Fix `ec2_instance_with_outdated_ami` check to handle None AMIs [(#9046)](https://github.com/prowler-cloud/prowler/pull/9046)
|
|
10
87
|
- Handle timestamp when transforming compliance findings in CCC [(#9042)](https://github.com/prowler-cloud/prowler/pull/9042)
|
|
11
88
|
- Update `resource_id` for admincenter service and avoid unnecessary msgraph requests [(#9019)](https://github.com/prowler-cloud/prowler/pull/9019)
|
|
89
|
+
- Fix `firehose_stream_encrypted_at_rest` description and findings clarity [(#9142)](https://github.com/prowler-cloud/prowler/pull/9142)
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
### Changed
|
|
94
|
+
- Adapt IaC provider to be used in the Prowler App [(#8751)](https://github.com/prowler-cloud/prowler/pull/8751)
|
|
12
95
|
|
|
13
96
|
---
|
|
14
97
|
|
|
@@ -54,7 +137,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
|
|
54
137
|
- Update AWS Directory Service service metadata to new format [(#8859)](https://github.com/prowler-cloud/prowler/pull/8859)
|
|
55
138
|
- Update AWS CloudFront service metadata to new format [(#8829)](https://github.com/prowler-cloud/prowler/pull/8829)
|
|
56
139
|
- Deprecate user authentication for M365 provider [(#8865)](https://github.com/prowler-cloud/prowler/pull/8865)
|
|
57
|
-
|
|
140
|
+
|
|
58
141
|
|
|
59
142
|
### Fixed
|
|
60
143
|
- Fix SNS topics showing empty AWS_ResourceID in Quick Inventory output [(#8762)](https://github.com/prowler-cloud/prowler/issues/8762)
|
|
@@ -320,7 +403,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
|
|
320
403
|
|
|
321
404
|
---
|
|
322
405
|
|
|
323
|
-
## [v5.7.5] (Prowler
|
|
406
|
+
## [v5.7.5] (Prowler v5.7.5)
|
|
324
407
|
|
|
325
408
|
### Fixed
|
|
326
409
|
- Use unified timestamp for all requirements [(#8059)](https://github.com/prowler-cloud/prowler/pull/8059)
|
prowler/__main__.py
CHANGED
|
@@ -49,17 +49,19 @@ from prowler.lib.outputs.asff.asff import ASFF
|
|
|
49
49
|
from prowler.lib.outputs.compliance.aws_well_architected.aws_well_architected import (
|
|
50
50
|
AWSWellArchitected,
|
|
51
51
|
)
|
|
52
|
+
from prowler.lib.outputs.compliance.c5.c5_aws import AWSC5
|
|
53
|
+
from prowler.lib.outputs.compliance.c5.c5_azure import AzureC5
|
|
54
|
+
from prowler.lib.outputs.compliance.c5.c5_gcp import GCPC5
|
|
52
55
|
from prowler.lib.outputs.compliance.ccc.ccc_aws import CCC_AWS
|
|
53
56
|
from prowler.lib.outputs.compliance.ccc.ccc_azure import CCC_Azure
|
|
54
57
|
from prowler.lib.outputs.compliance.ccc.ccc_gcp import CCC_GCP
|
|
55
|
-
from prowler.lib.outputs.compliance.c5.c5_aws import AWSC5
|
|
56
58
|
from prowler.lib.outputs.compliance.cis.cis_aws import AWSCIS
|
|
57
59
|
from prowler.lib.outputs.compliance.cis.cis_azure import AzureCIS
|
|
58
60
|
from prowler.lib.outputs.compliance.cis.cis_gcp import GCPCIS
|
|
59
61
|
from prowler.lib.outputs.compliance.cis.cis_github import GithubCIS
|
|
60
62
|
from prowler.lib.outputs.compliance.cis.cis_kubernetes import KubernetesCIS
|
|
61
63
|
from prowler.lib.outputs.compliance.cis.cis_m365 import M365CIS
|
|
62
|
-
from prowler.lib.outputs.compliance.cis.
|
|
64
|
+
from prowler.lib.outputs.compliance.cis.cis_oraclecloud import OracleCloudCIS
|
|
63
65
|
from prowler.lib.outputs.compliance.compliance import display_compliance_table
|
|
64
66
|
from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
|
|
65
67
|
from prowler.lib.outputs.compliance.ens.ens_azure import AzureENS
|
|
@@ -88,6 +90,9 @@ from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_azur
|
|
|
88
90
|
from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_gcp import (
|
|
89
91
|
ProwlerThreatScoreGCP,
|
|
90
92
|
)
|
|
93
|
+
from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_kubernetes import (
|
|
94
|
+
ProwlerThreatScoreKubernetes,
|
|
95
|
+
)
|
|
91
96
|
from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore_m365 import (
|
|
92
97
|
ProwlerThreatScoreM365,
|
|
93
98
|
)
|
|
@@ -332,7 +337,7 @@ def prowler():
|
|
|
332
337
|
output_options = IACOutputOptions(args, bulk_checks_metadata)
|
|
333
338
|
elif provider == "llm":
|
|
334
339
|
output_options = LLMOutputOptions(args, bulk_checks_metadata)
|
|
335
|
-
elif provider == "
|
|
340
|
+
elif provider == "oraclecloud":
|
|
336
341
|
output_options = OCIOutputOptions(
|
|
337
342
|
args, bulk_checks_metadata, global_provider.identity
|
|
338
343
|
)
|
|
@@ -357,6 +362,12 @@ def prowler():
|
|
|
357
362
|
else:
|
|
358
363
|
# Original behavior for IAC or non-verbose LLM
|
|
359
364
|
findings = global_provider.run()
|
|
365
|
+
# Note: IaC doesn't support granular progress tracking since Trivy runs as a black box
|
|
366
|
+
# and returns all findings at once. Progress tracking would just be 0% → 100%.
|
|
367
|
+
|
|
368
|
+
# Filter findings by status if specified
|
|
369
|
+
if hasattr(args, "status") and args.status:
|
|
370
|
+
findings = [f for f in findings if f.status in args.status]
|
|
360
371
|
# Report findings for verbose output
|
|
361
372
|
report(findings, global_provider, output_options)
|
|
362
373
|
elif len(checks_to_execute):
|
|
@@ -422,7 +433,7 @@ def prowler():
|
|
|
422
433
|
else:
|
|
423
434
|
# Refactor(CLI)
|
|
424
435
|
logger.critical(
|
|
425
|
-
"Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_NAME environment variables (see more in https://docs.prowler.
|
|
436
|
+
"Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_NAME environment variables (see more in https://docs.prowler.com/user-guide/cli/tutorials/integrations#configuration-of-the-integration-with-slack)."
|
|
426
437
|
)
|
|
427
438
|
sys.exit(1)
|
|
428
439
|
|
|
@@ -565,7 +576,6 @@ def prowler():
|
|
|
565
576
|
generated_outputs["compliance"].append(prowler_threatscore)
|
|
566
577
|
prowler_threatscore.batch_write_data_to_file()
|
|
567
578
|
elif compliance_name.startswith("ccc_"):
|
|
568
|
-
|
|
569
579
|
filename = (
|
|
570
580
|
f"{output_options.output_directory}/compliance/"
|
|
571
581
|
f"{output_options.output_filename}_{compliance_name}.csv"
|
|
@@ -682,6 +692,18 @@ def prowler():
|
|
|
682
692
|
)
|
|
683
693
|
generated_outputs["compliance"].append(ccc_azure)
|
|
684
694
|
ccc_azure.batch_write_data_to_file()
|
|
695
|
+
elif compliance_name == "c5_azure":
|
|
696
|
+
filename = (
|
|
697
|
+
f"{output_options.output_directory}/compliance/"
|
|
698
|
+
f"{output_options.output_filename}_{compliance_name}.csv"
|
|
699
|
+
)
|
|
700
|
+
c5_azure = AzureC5(
|
|
701
|
+
findings=finding_outputs,
|
|
702
|
+
compliance=bulk_compliance_frameworks[compliance_name],
|
|
703
|
+
file_path=filename,
|
|
704
|
+
)
|
|
705
|
+
generated_outputs["compliance"].append(c5_azure)
|
|
706
|
+
c5_azure.batch_write_data_to_file()
|
|
685
707
|
else:
|
|
686
708
|
filename = (
|
|
687
709
|
f"{output_options.output_directory}/compliance/"
|
|
@@ -773,6 +795,18 @@ def prowler():
|
|
|
773
795
|
)
|
|
774
796
|
generated_outputs["compliance"].append(ccc_gcp)
|
|
775
797
|
ccc_gcp.batch_write_data_to_file()
|
|
798
|
+
elif compliance_name == "c5_gcp":
|
|
799
|
+
filename = (
|
|
800
|
+
f"{output_options.output_directory}/compliance/"
|
|
801
|
+
f"{output_options.output_filename}_{compliance_name}.csv"
|
|
802
|
+
)
|
|
803
|
+
c5_gcp = GCPC5(
|
|
804
|
+
findings=finding_outputs,
|
|
805
|
+
compliance=bulk_compliance_frameworks[compliance_name],
|
|
806
|
+
file_path=filename,
|
|
807
|
+
)
|
|
808
|
+
generated_outputs["compliance"].append(c5_gcp)
|
|
809
|
+
c5_gcp.batch_write_data_to_file()
|
|
776
810
|
else:
|
|
777
811
|
filename = (
|
|
778
812
|
f"{output_options.output_directory}/compliance/"
|
|
@@ -814,6 +848,19 @@ def prowler():
|
|
|
814
848
|
)
|
|
815
849
|
generated_outputs["compliance"].append(iso27001)
|
|
816
850
|
iso27001.batch_write_data_to_file()
|
|
851
|
+
elif compliance_name == "prowler_threatscore_kubernetes":
|
|
852
|
+
# Generate Prowler ThreatScore Finding Object
|
|
853
|
+
filename = (
|
|
854
|
+
f"{output_options.output_directory}/compliance/"
|
|
855
|
+
f"{output_options.output_filename}_{compliance_name}.csv"
|
|
856
|
+
)
|
|
857
|
+
prowler_threatscore = ProwlerThreatScoreKubernetes(
|
|
858
|
+
findings=finding_outputs,
|
|
859
|
+
compliance=bulk_compliance_frameworks[compliance_name],
|
|
860
|
+
file_path=filename,
|
|
861
|
+
)
|
|
862
|
+
generated_outputs["compliance"].append(prowler_threatscore)
|
|
863
|
+
prowler_threatscore.batch_write_data_to_file()
|
|
817
864
|
else:
|
|
818
865
|
filename = (
|
|
819
866
|
f"{output_options.output_directory}/compliance/"
|
|
@@ -937,7 +984,7 @@ def prowler():
|
|
|
937
984
|
generated_outputs["compliance"].append(generic_compliance)
|
|
938
985
|
generic_compliance.batch_write_data_to_file()
|
|
939
986
|
|
|
940
|
-
elif provider == "
|
|
987
|
+
elif provider == "oraclecloud":
|
|
941
988
|
for compliance_name in input_compliance_frameworks:
|
|
942
989
|
if compliance_name.startswith("cis_"):
|
|
943
990
|
# Generate CIS Finding Object
|
|
@@ -945,7 +992,7 @@ def prowler():
|
|
|
945
992
|
f"{output_options.output_directory}/compliance/"
|
|
946
993
|
f"{output_options.output_filename}_{compliance_name}.csv"
|
|
947
994
|
)
|
|
948
|
-
cis =
|
|
995
|
+
cis = OracleCloudCIS(
|
|
949
996
|
findings=finding_outputs,
|
|
950
997
|
compliance=bulk_compliance_frameworks[compliance_name],
|
|
951
998
|
file_path=filename,
|
|
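Review bot: The new `c5_azure` branch builds the compliance CSV path with the same two-line f-string that the `c5_gcp` and `prowler_threatscore_kubernetes` hunks (and the surrounding `ccc_` and `else` branches) already repeat, so every added framework re-copies path logic that has nothing framework-specific in it; a small module-level helper such as `def _compliance_csv_path(output_options, compliance_name): return f"{output_options.output_directory}/compliance/{output_options.output_filename}_{compliance_name}.csv"` called as `filename = _compliance_csv_path(output_options, compliance_name)` would leave each branch with only the output-class constructor and the `batch_write_data_to_file()` call. In the `@@ -357,6 +362,12 @@` hunk, `if hasattr(args, "status") and args.status:` reads more directly as `status_filter = getattr(args, "status", None)` followed by `if status_filter: findings = [f for f in findings if f.status in status_filter]`, and the two-line comment about IaC not supporting granular progress tracking explains why this `else` branch exists, so it belongs above `findings = global_provider.run()` rather than after it. The `elif provider == "oraclecloud":` branches still construct `OCIOutputOptions` while the CIS branch now uses `OracleCloudCIS`; if the options class was deliberately left under the old name, a short comment at the first branch noting that `oci` remains an alias of `oraclecloud` would save readers from assuming the rename is incomplete. The enclosing `prowler()` function starts and ends outside every hunk in this section.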
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Framework": "ENS",
|
|
3
|
-
"Name": "ENS RD 311/2022",
|
|
3
|
+
"Name": "ENS RD 311/2022 - Categoría Alta",
|
|
4
4
|
"Version": "RD2022",
|
|
5
5
|
"Provider": "AWS",
|
|
6
6
|
"Description": "The accreditation scheme of the ENS (National Security Scheme) has been developed by the Ministry of Finance and Public Administrations and the CCN (National Cryptological Center). This includes the basic principles and minimum requirements necessary for the adequate protection of information.",
|
|
@@ -0,0 +1,347 @@
|
|
|
1
|
+
{
|
|
2
|
+
"Framework": "FedRAMP-20x-KSI-Low",
|
|
3
|
+
"Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
|
|
4
|
+
"Version": "25.05C",
|
|
5
|
+
"Provider": "AWS",
|
|
6
|
+
"Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
|
|
7
|
+
"Requirements": [
|
|
8
|
+
{
|
|
9
|
+
"Id": "ksi-cmt",
|
|
10
|
+
"Name": "KSI-CMT: Change Management",
|
|
11
|
+
"Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
|
|
12
|
+
"Attributes": [
|
|
13
|
+
{
|
|
14
|
+
"ItemId": "ksi-cmt",
|
|
15
|
+
"Section": "Change Management",
|
|
16
|
+
"Service": "aws"
|
|
17
|
+
}
|
|
18
|
+
],
|
|
19
|
+
"Checks": [
|
|
20
|
+
"cloudtrail_multi_region_enabled",
|
|
21
|
+
"cloudtrail_log_file_validation_enabled",
|
|
22
|
+
"cloudtrail_s3_dataevents_read_enabled",
|
|
23
|
+
"cloudtrail_s3_dataevents_write_enabled",
|
|
24
|
+
"cloudwatch_changes_to_network_acls_alarm_configured",
|
|
25
|
+
"cloudwatch_changes_to_network_gateways_alarm_configured",
|
|
26
|
+
"cloudwatch_changes_to_network_route_tables_alarm_configured",
|
|
27
|
+
"cloudwatch_changes_to_vpcs_alarm_configured",
|
|
28
|
+
"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled",
|
|
29
|
+
"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",
|
|
30
|
+
"cloudwatch_log_metric_filter_aws_organizations_changes",
|
|
31
|
+
"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes",
|
|
32
|
+
"cloudwatch_log_metric_filter_policy_changes",
|
|
33
|
+
"cloudwatch_log_metric_filter_security_group_changes",
|
|
34
|
+
"config_recorder_all_regions_enabled",
|
|
35
|
+
"ec2_instance_managed_by_ssm",
|
|
36
|
+
"ec2_instance_older_than_specific_days",
|
|
37
|
+
"ssm_managed_compliant_patching",
|
|
38
|
+
"ssm_managed_instance_compliance_association_compliant",
|
|
39
|
+
"ssm_managed_instance_compliance_patch_compliant"
|
|
40
|
+
]
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
"Id": "ksi-cna",
|
|
44
|
+
"Name": "KSI-CNA: Cloud Native Architecture",
|
|
45
|
+
"Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
|
|
46
|
+
"Attributes": [
|
|
47
|
+
{
|
|
48
|
+
"ItemId": "ksi-cna",
|
|
49
|
+
"Section": "Cloud Native Architecture",
|
|
50
|
+
"Service": "aws"
|
|
51
|
+
}
|
|
52
|
+
],
|
|
53
|
+
"Checks": [
|
|
54
|
+
"autoscaling_group_multiple_az",
|
|
55
|
+
"autoscaling_group_multiple_instance_types",
|
|
56
|
+
"autoscaling_group_capacity_rebalance_enabled",
|
|
57
|
+
"dynamodb_tables_pitr_enabled",
|
|
58
|
+
"dynamodb_tables_deletion_protection_enabled",
|
|
59
|
+
"ec2_instance_imdsv2_enabled",
|
|
60
|
+
"ec2_networkacl_allow_ingress_any_port",
|
|
61
|
+
"ec2_securitygroup_default_restrict_traffic",
|
|
62
|
+
"ec2_securitygroup_allow_ingress_from_internet_to_any_port",
|
|
63
|
+
"eks_cluster_network_policy_enabled",
|
|
64
|
+
"eks_cluster_not_publicly_accessible",
|
|
65
|
+
"eks_cluster_private_nodes_enabled",
|
|
66
|
+
"eks_cluster_uses_a_supported_version",
|
|
67
|
+
"elb_cross_zone_load_balancing_enabled",
|
|
68
|
+
"elbv2_alb_multi_az_scheme",
|
|
69
|
+
"elbv2_waf_acl_attached",
|
|
70
|
+
"rds_instance_multi_az",
|
|
71
|
+
"rds_cluster_multi_az",
|
|
72
|
+
"vpc_subnet_auto_assign_public_ip_disabled",
|
|
73
|
+
"vpc_default_security_group_restricts_traffic",
|
|
74
|
+
"vpc_peering_connection_routing_tables_with_least_privilege"
|
|
75
|
+
]
|
|
76
|
+
},
|
|
77
|
+
{
|
|
78
|
+
"Id": "ksi-iam",
|
|
79
|
+
"Name": "KSI-IAM: Identity and Access Management",
|
|
80
|
+
"Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
|
|
81
|
+
"Attributes": [
|
|
82
|
+
{
|
|
83
|
+
"ItemId": "ksi-iam",
|
|
84
|
+
"Section": "Identity and Access Management",
|
|
85
|
+
"Service": "aws"
|
|
86
|
+
}
|
|
87
|
+
],
|
|
88
|
+
"Checks": [
|
|
89
|
+
"iam_administrator_access_with_mfa",
|
|
90
|
+
"iam_aws_attached_policy_no_administrative_privileges",
|
|
91
|
+
"iam_customer_attached_policy_no_administrative_privileges",
|
|
92
|
+
"iam_inline_policy_no_administrative_privileges",
|
|
93
|
+
"iam_no_custom_policy_permissive_role_assumption",
|
|
94
|
+
"iam_no_root_access_key",
|
|
95
|
+
"iam_password_policy_expires_passwords_within_90_days_or_less",
|
|
96
|
+
"iam_password_policy_lowercase",
|
|
97
|
+
"iam_password_policy_minimum_length_14",
|
|
98
|
+
"iam_password_policy_number",
|
|
99
|
+
"iam_password_policy_reuse_24",
|
|
100
|
+
"iam_password_policy_symbol",
|
|
101
|
+
"iam_password_policy_uppercase",
|
|
102
|
+
"iam_policy_attached_only_to_group_or_roles",
|
|
103
|
+
"iam_policy_no_full_access_to_cloudtrail",
|
|
104
|
+
"iam_policy_no_full_access_to_kms",
|
|
105
|
+
"iam_root_hardware_mfa_enabled",
|
|
106
|
+
"iam_root_mfa_enabled",
|
|
107
|
+
"iam_rotate_access_key_90_days",
|
|
108
|
+
"iam_user_accesskey_unused",
|
|
109
|
+
"iam_user_console_access_unused",
|
|
110
|
+
"iam_user_hardware_mfa_enabled",
|
|
111
|
+
"iam_user_mfa_enabled_console_access",
|
|
112
|
+
"iam_user_two_active_access_key",
|
|
113
|
+
"organizations_scp_check_deny_regions",
|
|
114
|
+
"organizations_opt_out_ai_services_policy"
|
|
115
|
+
]
|
|
116
|
+
},
|
|
117
|
+
{
|
|
118
|
+
"Id": "ksi-inr",
|
|
119
|
+
"Name": "KSI-INR: Incident Response",
|
|
120
|
+
"Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
|
|
121
|
+
"Attributes": [
|
|
122
|
+
{
|
|
123
|
+
"ItemId": "ksi-inr",
|
|
124
|
+
"Section": "Incident Response",
|
|
125
|
+
"Service": "aws"
|
|
126
|
+
}
|
|
127
|
+
],
|
|
128
|
+
"Checks": [
|
|
129
|
+
"guardduty_centrally_managed",
|
|
130
|
+
"guardduty_ec2_malware_protection_enabled",
|
|
131
|
+
"guardduty_eks_audit_log_enabled",
|
|
132
|
+
"guardduty_eks_protection_enabled",
|
|
133
|
+
"guardduty_eks_runtime_monitoring_enabled",
|
|
134
|
+
"guardduty_is_enabled",
|
|
135
|
+
"guardduty_lambda_protection_enabled",
|
|
136
|
+
"guardduty_malware_protection_enabled",
|
|
137
|
+
"guardduty_no_high_severity_findings",
|
|
138
|
+
"guardduty_rds_protection_enabled",
|
|
139
|
+
"guardduty_s3_protection_enabled",
|
|
140
|
+
"inspector2_is_enabled",
|
|
141
|
+
"inspector2_active_findings_exist",
|
|
142
|
+
"securityhub_enabled",
|
|
143
|
+
"sns_topics_kms_encryption_at_rest_enabled"
|
|
144
|
+
]
|
|
145
|
+
},
|
|
146
|
+
{
|
|
147
|
+
"Id": "ksi-mla",
|
|
148
|
+
"Name": "KSI-MLA: Monitoring, Logging, and Auditing",
|
|
149
|
+
"Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
|
|
150
|
+
"Attributes": [
|
|
151
|
+
{
|
|
152
|
+
"ItemId": "ksi-mla",
|
|
153
|
+
"Section": "Monitoring, Logging, and Auditing",
|
|
154
|
+
"Service": "aws"
|
|
155
|
+
}
|
|
156
|
+
],
|
|
157
|
+
"Checks": [
|
|
158
|
+
"apigateway_restapi_logging_enabled",
|
|
159
|
+
"cloudtrail_cloudwatch_logging_enabled",
|
|
160
|
+
"cloudtrail_kms_encryption_enabled",
|
|
161
|
+
"cloudtrail_log_file_validation_enabled",
|
|
162
|
+
"cloudtrail_multi_region_enabled",
|
|
163
|
+
"cloudtrail_s3_dataevents_read_enabled",
|
|
164
|
+
"cloudtrail_s3_dataevents_write_enabled",
|
|
165
|
+
"cloudwatch_log_group_kms_encryption_enabled",
|
|
166
|
+
"cloudwatch_log_group_retention_policy_specific_days_enabled",
|
|
167
|
+
"ecs_cluster_container_insights_enabled",
|
|
168
|
+
"eks_cluster_control_plane_audit_logging_enabled",
|
|
169
|
+
"elb_logging_enabled",
|
|
170
|
+
"elbv2_logging_enabled",
|
|
171
|
+
"inspector2_is_enabled",
|
|
172
|
+
"opensearch_service_domains_cloudwatch_logging_enabled",
|
|
173
|
+
"rds_instance_enhanced_monitoring_enabled",
|
|
174
|
+
"rds_instance_integration_cloudwatch_logs",
|
|
175
|
+
"redshift_cluster_audit_logging",
|
|
176
|
+
"s3_bucket_server_access_logging_enabled",
|
|
177
|
+
"vpc_flow_logs_enabled",
|
|
178
|
+
"wafv2_webacl_logging_enabled"
|
|
179
|
+
]
|
|
180
|
+
},
|
|
181
|
+
{
|
|
182
|
+
"Id": "ksi-piy",
|
|
183
|
+
"Name": "KSI-PIY: Policy and Inventory",
|
|
184
|
+
"Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
|
|
185
|
+
"Attributes": [
|
|
186
|
+
{
|
|
187
|
+
"ItemId": "ksi-piy",
|
|
188
|
+
"Section": "Policy and Inventory",
|
|
189
|
+
"Service": "aws"
|
|
190
|
+
}
|
|
191
|
+
],
|
|
192
|
+
"Checks": [
|
|
193
|
+
"config_recorder_all_regions_enabled",
|
|
194
|
+
"config_recorder_using_aws_service_role",
|
|
195
|
+
"ec2_instance_managed_by_ssm",
|
|
196
|
+
"organizations_account_part_of_organizations",
|
|
197
|
+
"organizations_delegated_administrators",
|
|
198
|
+
"organizations_scp_check_deny_regions",
|
|
199
|
+
"organizations_tags_policies_enabled_and_attached",
|
|
200
|
+
"resourceexplorer_indexes_found",
|
|
201
|
+
"ssm_managed_instance_compliance_association_compliant",
|
|
202
|
+
"trustedadvisor_premium_support_plan_subscribed"
|
|
203
|
+
]
|
|
204
|
+
},
|
|
205
|
+
{
|
|
206
|
+
"Id": "ksi-rpl",
|
|
207
|
+
"Name": "KSI-RPL: Recovery Planning",
|
|
208
|
+
"Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
|
|
209
|
+
"Attributes": [
|
|
210
|
+
{
|
|
211
|
+
"ItemId": "ksi-rpl",
|
|
212
|
+
"Section": "Recovery Planning",
|
|
213
|
+
"Service": "aws"
|
|
214
|
+
}
|
|
215
|
+
],
|
|
216
|
+
"Checks": [
|
|
217
|
+
"backup_plans_exist",
|
|
218
|
+
"backup_reportplans_exist",
|
|
219
|
+
"backup_vaults_exist",
|
|
220
|
+
"backup_vaults_encrypted",
|
|
221
|
+
"backup_recovery_point_encrypted",
|
|
222
|
+
"backup_recovery_point_manual_deletion_disabled",
|
|
223
|
+
"backup_recovery_point_minimum_retention_days",
|
|
224
|
+
"dlm_ebs_snapshot_lifecycle_policy_exists",
|
|
225
|
+
"dynamodb_tables_pitr_enabled",
|
|
226
|
+
"dynamodb_tables_deletion_protection_enabled",
|
|
227
|
+
"efs_have_backup_enabled",
|
|
228
|
+
"fsx_file_system_copy_tags_to_backups",
|
|
229
|
+
"rds_instance_backup_enabled",
|
|
230
|
+
"rds_instance_backup_retention_policy",
|
|
231
|
+
"rds_instance_deletion_protection",
|
|
232
|
+
"rds_cluster_deletion_protection",
|
|
233
|
+
"rds_snapshots_encrypted",
|
|
234
|
+
"redshift_cluster_automated_snapshot"
|
|
235
|
+
]
|
|
236
|
+
},
|
|
237
|
+
{
|
|
238
|
+
"Id": "ksi-svc",
|
|
239
|
+
"Name": "KSI-SVC: Service Configuration",
|
|
240
|
+
"Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
|
|
241
|
+
"Attributes": [
|
|
242
|
+
{
|
|
243
|
+
"ItemId": "ksi-svc",
|
|
244
|
+
"Section": "Service Configuration",
|
|
245
|
+
"Service": "aws"
|
|
246
|
+
}
|
|
247
|
+
],
|
|
248
|
+
"Checks": [
|
|
249
|
+
"acm_certificates_expiration_check",
|
|
250
|
+
"apigateway_restapi_cache_encrypted",
|
|
251
|
+
"cloudtrail_kms_encryption_enabled",
|
|
252
|
+
"dax_cluster_encryption_enabled",
|
|
253
|
+
"dynamodb_table_encryption_enabled",
|
|
254
|
+
"dynamodb_table_encryption_uses_cmks",
|
|
255
|
+
"ebs_volume_encryption_enabled",
|
|
256
|
+
"ec2_ebs_default_encryption",
|
|
257
|
+
"ec2_instance_ebs_optimized",
|
|
258
|
+
"efs_encryption_at_rest_enabled",
|
|
259
|
+
"eks_cluster_envelope_encryption_enabled",
|
|
260
|
+
"elasticache_redis_cluster_encryption_at_rest_enabled",
|
|
261
|
+
"elasticache_redis_cluster_encryption_at_transit_enabled",
|
|
262
|
+
"elbv2_ssl_listeners",
|
|
263
|
+
"fsx_file_system_encryption_at_rest_enabled",
|
|
264
|
+
"kinesis_stream_encrypted_at_rest",
|
|
265
|
+
"kms_cmk_rotation_enabled",
|
|
266
|
+
"kms_cmk_not_scheduled_for_deletion",
|
|
267
|
+
"kms_key_not_publicly_accessible",
|
|
268
|
+
"rds_instance_storage_encrypted",
|
|
269
|
+
"rds_instance_storage_encrypted_with_cmk",
|
|
270
|
+
"rds_cluster_storage_encrypted",
|
|
271
|
+
"redshift_cluster_encryption_at_rest",
|
|
272
|
+
"redshift_cluster_encryption_in_transit",
|
|
273
|
+
"s3_bucket_server_side_encryption_enabled",
|
|
274
|
+
"s3_bucket_default_encryption",
|
|
275
|
+
"s3_bucket_secure_transport_policy",
|
|
276
|
+
"sagemaker_notebook_instance_encryption_enabled",
|
|
277
|
+
"sns_topics_kms_encryption_at_rest_enabled",
|
|
278
|
+
"sqs_queue_server_side_encryption_enabled"
|
|
279
|
+
]
|
|
280
|
+
},
|
|
281
|
+
{
|
|
282
|
+
"Id": "ksi-tpr",
|
|
283
|
+
"Name": "KSI-TPR: Third-Party Information Resources",
|
|
284
|
+
"Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
|
|
285
|
+
"Attributes": [
|
|
286
|
+
{
|
|
287
|
+
"ItemId": "ksi-tpr",
|
|
288
|
+
"Section": "Third-Party Information Resources",
|
|
289
|
+
"Service": "aws"
|
|
290
|
+
}
|
|
291
|
+
],
|
|
292
|
+
"Checks": [
|
|
293
|
+
"ecr_registry_scan_images_on_push_enabled",
|
|
294
|
+
"ecr_repositories_lifecycle_policy_enabled",
|
|
295
|
+
"ecr_repositories_not_publicly_accessible",
|
|
296
|
+
"ecr_repositories_scan_on_push_enabled",
|
|
297
|
+
"ecr_repositories_scan_vulnerabilities_in_latest_image",
|
|
298
|
+
"ecr_repositories_tag_immutability",
|
|
299
|
+
"inspector2_active_findings_exist",
|
|
300
|
+
"inspector2_is_enabled",
|
|
301
|
+
"awslambda_function_using_supported_runtimes",
|
|
302
|
+
"ssm_managed_compliant_patching",
|
|
303
|
+
"trustedadvisor_premium_support_plan_subscribed",
|
|
304
|
+
"guardduty_no_high_severity_findings"
|
|
305
|
+
]
|
|
306
|
+
},
|
|
307
|
+
{
|
|
308
|
+
"Id": "ksi-iam-07",
|
|
309
|
+
"Name": "KSI-IAM-07: Account Lifecycle Management",
|
|
310
|
+
"Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
|
|
311
|
+
"Attributes": [
|
|
312
|
+
{
|
|
313
|
+
"ItemId": "ksi-iam-07",
|
|
314
|
+
"Section": "Identity and Access Management",
|
|
315
|
+
"Service": "aws"
|
|
316
|
+
}
|
|
317
|
+
],
|
|
318
|
+
"Checks": [
|
|
319
|
+
"iam_no_root_access_key",
|
|
320
|
+
"iam_policy_attached_only_to_group_or_roles",
|
|
321
|
+
"iam_rotate_access_key_90_days",
|
|
322
|
+
"iam_user_accesskey_unused",
|
|
323
|
+
"iam_user_console_access_unused",
|
|
324
|
+
"organizations_delegated_administrators"
|
|
325
|
+
]
|
|
326
|
+
},
|
|
327
|
+
{
|
|
328
|
+
"Id": "ksi-mla-07",
|
|
329
|
+
"Name": "KSI-MLA-07: Monitoring and Logging Inventory",
|
|
330
|
+
"Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
|
|
331
|
+
"Attributes": [
|
|
332
|
+
{
|
|
333
|
+
"ItemId": "ksi-mla-07",
|
|
334
|
+
"Section": "Monitoring, Logging, and Auditing",
|
|
335
|
+
"Service": "aws"
|
|
336
|
+
}
|
|
337
|
+
],
|
|
338
|
+
"Checks": [
|
|
339
|
+
"cloudtrail_multi_region_enabled",
|
|
340
|
+
"cloudwatch_log_group_retention_policy_specific_days_enabled",
|
|
341
|
+
"config_recorder_all_regions_enabled",
|
|
342
|
+
"inspector2_is_enabled",
|
|
343
|
+
"resourceexplorer_indexes_found"
|
|
344
|
+
]
|
|
345
|
+
}
|
|
346
|
+
]
|
|
347
|
+
}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Framework": "NIS2",
|
|
3
|
-
"Name": "Network and Information Security Directive (Directive (EU) 2022/2555)",
|
|
3
|
+
"Name": "NIS2 - Network and Information Security Directive (Directive (EU) 2022/2555)",
|
|
4
4
|
"Version": "",
|
|
5
5
|
"Provider": "AWS",
|
|
6
6
|
"Description": "ANNEX to the Commission Implementing Regulation laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers",
|