PyPI - prowler-cloud - Versions diffs - 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl - Mend

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (298) hide show

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json CHANGED Viewed

@@ -1,31 +1,45 @@
 {
   "Provider": "aws",
   "CheckID": "cloudwatch_log_metric_filter_sign_in_without_mfa",
-  "CheckTitle": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA.",
+  "CheckTitle": "CloudWatch log metric filter and alarm exist for Management Console sign-in without MFA",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
+    "TTPs/Initial Access",
+    "Unusual Behaviors/User"
   ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCloudWatchAlarm",
-  "Description": "Ensure a log metric filter and alarm exist for Management Console sign-in without MFA.",
-  "Risk": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.",
-  "RelatedUrl": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
+  "Description": "**CloudTrail logs** in CloudWatch are assessed for a metric filter and alarm that detect console logins where `$.eventName = ConsoleLogin` and `$.additionalEventData.MFAUsed != \\\"Yes\\\"`.\n\nThis reflects whether alerting exists for sign-ins that occur without **MFA**.",
+  "Risk": "Without alerting on non-MFA console logins, successful use of stolen passwords can go **undetected**, enabling:\n- Unauthorized console access and IAM changes\n- Data exfiltration or deletion\n\nImpacts: loss of **confidentiality** and **integrity**, and potential **availability** disruption.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/console-sign-in-without-mfa.html",
+    "https://www.tenable.com/audits/items/CIS_Amazon_Web_Services_Foundations_v3.0.0_L1.audit:1957056ee174cc38502d5f5f1864333b",
+    "https://www.clouddefense.ai/compliance-rules/gdpr/data-protection/log-metric-filter-console-login-mfa",
+    "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-no-mfa",
+    "https://support.icompaas.com/support/solutions/articles/62000083605-ensure-a-log-metric-filter-and-alarm-exist-for-management-console-sign-in-without-mfa"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/monitoring-policies/monitoring_2",
-      "Terraform": "https://docs.prowler.com/checks/aws/monitoring-policies/monitoring_2#fix---buildtime"
+      "NativeIaC": "```yaml\n# CloudFormation: Create metric filter and alarm for console sign-in without MFA\nResources:\n  NoMFAConsoleSigninMetricFilter:\n    Type: AWS::Logs::MetricFilter\n    Properties:\n      LogGroupName: \"<example_resource_name>\"\n      FilterPattern: '{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }' # CRITICAL: detects ConsoleLogin events without MFA\n      MetricTransformations:\n        - MetricName: \"<example_resource_name>\"\n          MetricNamespace: \"<example_resource_name>\"\n          MetricValue: \"1\"  # CRITICAL: emits a metric on each match\n\n  NoMFAConsoleSigninAlarm:\n    Type: AWS::CloudWatch::Alarm\n    Properties:\n      MetricName: \"<example_resource_name>\"   # CRITICAL: alarm uses the metric from the filter\n      Namespace: \"<example_resource_name>\"\n      ComparisonOperator: GreaterThanOrEqualToThreshold\n      EvaluationPeriods: 1\n      Period: 300\n      Statistic: Sum\n      Threshold: 1  # CRITICAL: alarm on first occurrence\n```",
+      "Other": "1. In AWS Console, go to CloudWatch > Logs > Log groups and open the CloudTrail log group\n2. Go to Metric filters > Create metric filter\n3. Set Filter pattern to: { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }\n4. Next > set Filter name, Metric namespace, Metric name; set Metric value = 1; Create metric filter\n5. Select the new filter > Create alarm\n6. Set Statistic = Sum, Period = 5 minutes, Threshold type = Static, Threshold = 1, Whenever >= 1; Next\n7. Skip actions if not needed, Name the alarm, Create alarm",
+      "Terraform": "```hcl\n# Create metric filter for console sign-in without MFA\nresource \"aws_cloudwatch_log_metric_filter\" \"nomfa\" {\n  name           = \"<example_resource_name>\"\n  log_group_name = \"<example_resource_name>\"\n  pattern        = \"{ ($.eventName = \\\"ConsoleLogin\\\") && ($.additionalEventData.MFAUsed != \\\"Yes\\\") }\"  # CRITICAL: detects ConsoleLogin without MFA\n\n  metric_transformation {\n    name      = \"<example_resource_name>\"\n    namespace = \"<example_resource_name>\"\n    value     = \"1\"  # CRITICAL: emits a count per match\n  }\n}\n\n# Alarm on the emitted metric\nresource \"aws_cloudwatch_metric_alarm\" \"nomfa\" {\n  alarm_name          = \"<example_resource_name>\"\n  metric_name         = aws_cloudwatch_log_metric_filter.nomfa.metric_transformation[0].name  # CRITICAL: ties alarm to the metric\n  namespace           = aws_cloudwatch_log_metric_filter.nomfa.metric_transformation[0].namespace\n  comparison_operator = \"GreaterThanOrEqualToThreshold\"\n  evaluation_periods  = 1\n  period              = 300\n  statistic           = \"Sum\"\n  threshold           = 1  # CRITICAL: alarm on first event\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended that a metric filter and alarm be established for unauthorized requests.",
-      "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
+      "Text": "Enforce **MFA** for all console-capable identities and maintain alerts for `ConsoleLogin` with `MFAUsed != \\\"Yes\\\"`.\n\nApply **least privilege**, route alarms to monitored channels, and tune for SSO to reduce noise. Test alarms regularly and review coverage as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/cloudwatch_log_metric_filter_sign_in_without_mfa"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "threat-detection"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Logging and Monitoring"

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json CHANGED Viewed

@@ -1,31 +1,44 @@
 {
   "Provider": "aws",
   "CheckID": "cloudwatch_log_metric_filter_unauthorized_api_calls",
-  "CheckTitle": "Ensure a log metric filter and alarm exist for unauthorized API calls.",
+  "CheckTitle": "CloudWatch Logs metric filter and alarm exist for unauthorized API calls",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "TTPs/Initial Access/Unauthorized Access"
   ],
   "ServiceName": "cloudwatch",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCloudWatchAlarm",
-  "Description": "Ensure a log metric filter and alarm exist for unauthorized API calls.",
-  "Risk": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.",
-  "RelatedUrl": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
+  "Description": "**CloudWatch Logs** for CloudTrail include a metric filter that matches unauthorized API errors (`$.errorCode=\"*UnauthorizedOperation\"` or `$.errorCode=\"AccessDenied*\"`) and a linked alarm that triggers when events match the filter.",
+  "Risk": "Without alerting on **unauthorized API calls**, permission probing and failed access by compromised identities can go unnoticed. Attackers can enumerate services, pivot, and attempt privilege escalation, threatening data **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
+    "https://asecure.cloud/a/unauthorized_api_calls/",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchLogs/authorization-failures-alarm.html",
+    "https://www.tenable.com/policies/[type]/AC_AWS_0559",
+    "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-unauthorized-api-calls",
+    "https://support.icompaas.com/support/solutions/articles/62000083561-ensure-a-log-metric-filter-and-alarm-exist-for-unauthorized-api-calls"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/monitoring-policies/monitoring_1",
-      "Terraform": "https://docs.prowler.com/checks/aws/monitoring-policies/monitoring_1#fix---buildtime"
+      "NativeIaC": "```yaml\n# CloudFormation: Create metric filter and alarm for unauthorized API calls\nResources:\n  MetricFilterUnauthorized:\n    Type: AWS::Logs::MetricFilter\n    Properties:\n      LogGroupName: <example_resource_name>\n      FilterPattern: '{($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")}'  # Critical: detects unauthorized/denied API calls\n      MetricTransformations:\n        - MetricName: unauthorized_api_calls_metric\n          MetricNamespace: CISBenchmark\n          MetricValue: \"1\"\n\n  AlarmUnauthorized:\n    Type: AWS::CloudWatch::Alarm\n    Properties:\n      ComparisonOperator: GreaterThanOrEqualToThreshold\n      EvaluationPeriods: 1\n      MetricName: unauthorized_api_calls_metric  # Critical: alarm on the metric from the filter\n      Namespace: CISBenchmark\n      Period: 300\n      Statistic: Sum\n      Threshold: 1\n```",
+      "Other": "1. In the AWS Console, open CloudWatch > Logs > Log groups and select the CloudTrail log group\n2. Go to Metric filters > Create metric filter\n3. Set Filter pattern to: {($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")}\n4. Name the metric unauthorized_api_calls_metric, set Namespace to CISBenchmark, Value to 1, then create\n5. Select the new metric filter and click Create alarm\n6. Set Statistic: Sum, Period: 5 minutes, Threshold type: Static, Threshold: 1, Evaluation periods: 1\n7. Create the alarm",
+      "Terraform": "```hcl\n# Terraform: Metric filter and alarm for unauthorized API calls\nresource \"aws_cloudwatch_log_metric_filter\" \"unauthorized\" {\n  name           = \"unauthorized_api_calls_metric\"\n  log_group_name = \"<example_resource_name>\"\n  pattern        = \"{($.errorCode = \\\"*UnauthorizedOperation\\\") || ($.errorCode = \\\"AccessDenied*\\\")}\"  # Critical: detects unauthorized/denied API calls\n\n  metric_transformation {\n    name      = \"unauthorized_api_calls_metric\"\n    namespace = \"CISBenchmark\"\n    value     = \"1\"\n  }\n}\n\nresource \"aws_cloudwatch_metric_alarm\" \"unauthorized\" {\n  comparison_operator = \"GreaterThanOrEqualToThreshold\"\n  evaluation_periods  = 1\n  metric_name         = \"unauthorized_api_calls_metric\"   # Critical: alarm on the metric from the filter\n  namespace           = \"CISBenchmark\"\n  period              = 300\n  statistic           = \"Sum\"\n  threshold           = 1\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended that a metric filter and alarm be established for unauthorized requests.",
-      "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
+      "Text": "Enable real-time **alerting** by adding a CloudWatch Logs metric filter for unauthorized errors (`*UnauthorizedOperation`, `AccessDenied*`) and associating it with an alarm that notifies responders.\n- Enforce **least privilege** to reduce noise\n- Integrate with IR tooling for **defense in depth**",
+      "Url": "https://hub.prowler.com/check/cloudwatch_log_metric_filter_unauthorized_api_calls"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "threat-detection",
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Logging and Monitoring"

prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json CHANGED Viewed

@@ -1,30 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "codeartifact_packages_external_public_publishing_disabled",
-  "CheckTitle": "Ensure CodeArtifact internal packages do not allow external public source publishing.",
-  "CheckType": [],
+  "CheckTitle": "Internal CodeArtifact package does not allow publishing versions already present in external public sources",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "TTPs/Initial Access"
+  ],
   "ServiceName": "codeartifact",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:codeartifact:region:account-id:repository/repository-name",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "Other",
-  "Description": "Ensure CodeArtifact internal packages do not allow external public source publishing.",
-  "Risk": "Allowing package versions of a package to be added both by direct publishing and ingesting from public repositories makes you vulnerable to a dependency substitution attack.",
-  "RelatedUrl": "https://docs.aws.amazon.com/codeartifact/latest/ug/package-origin-controls.html",
+  "Description": "**AWS CodeArtifact packages** with an **internal or unknown origin** are evaluated for their **package origin controls**. The check identifies packages where the `upstream` setting allows ingesting versions from external or upstream repositories.",
+  "Risk": "Allowing upstream on internal packages enables **dependency confusion**: public repos can supply higher versions to builds, leading to malicious code execution and package tampering. This threatens **integrity**, exposes secrets and data (**confidentiality**), and may disrupt pipelines and services (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://noise.getoto.net/2022/07/15/tighten-your-package-security-with-codeartifact-package-origin-control-toolkit/",
+    "https://docs.aws.amazon.com/codeartifact/latest/ug/package-origin-controls.html",
+    "https://newstar.cloud/blog/improve-the-security-of-your-software-supply-chain-with-amazon-codeartifact-package-group-configuration/",
+    "https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws codeartifact put-package-origin-configuration --package 'MyPackage' --namespace 'MyNamespace' --domain 'MyDomain' --repository 'MyRepository' --domain-owner 'MyOwnerAccount' --format 'MyFormat' --restrictions 'publish=ALLOW,upstream=BLOCK'",
+      "CLI": "aws codeartifact put-package-origin-configuration --domain <DOMAIN> --repository <REPOSITORY> --format <FORMAT> --package <PACKAGE_NAME> --restrictions publish=ALLOW,upstream=BLOCK",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. In the AWS Console, go to CodeArtifact > Repositories and select <REPOSITORY>\n2. In Packages, open the internal package <PACKAGE_NAME>\n3. Under Origin controls, choose Edit\n4. Set Upstream to Block (leave Publish as Allow if required)\n5. Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Configure package origin controls on a package in a repository to limit how versions of that package can be added to the repository.",
-      "Url": "https://docs.aws.amazon.com/codeartifact/latest/ug/package-origin-controls.html"
+      "Text": "Enforce **Package Origin Controls** so internal packages use `upstream=BLOCK` and only trusted publish paths. Apply **least privilege** with package groups and private namespaces, pin versions, and prefer private endpoints. Add artifact signing and CI isolation, and monitor package events for unexpected source changes.",
+      "Url": "https://hub.prowler.com/check/codeartifact_packages_external_public_publishing_disabled"
     }
   },
   "Categories": [
-    "internet-exposed"
+    "software-supply-chain"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json CHANGED Viewed

@@ -1,26 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_logging_enabled",
-  "CheckTitle": "Ensure that CodeBuild projects have S3 or CloudWatch logging enabled",
-  "CheckType": [],
+  "CheckTitle": "CodeBuild project has CloudWatch Logs or S3 logging enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "Ensure that CodeBuild projects have S3 or CloudWatch logging enabled.",
-  "Risk": "Without logging, tracking and investigating security incidents in CodeBuild projects becomes challenging, reducing confidence in threat detections.",
-  "RelatedUrl": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs",
+  "Description": "**CodeBuild projects** are assessed for **logging configuration** to Amazon **CloudWatch Logs** or **S3**, identifying when at least one destination is `enabled` for build logs and events.",
+  "Risk": "Absence of **build logging** creates blind spots for **integrity** and **accountability**. Attackers or misconfigurations can alter artifacts, exfiltrate data, or misuse credentials with little trace, hindering **forensics** and **incident response**. Missing telemetry impedes correlation with other alerts, risking source code and secret **confidentiality**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs",
+    "https://codefresh.io/learn/devops-tools/aws-codebuild-the-basics-and-a-quick-tutorial/",
+    "https://asecure.cloud/a/cfgrule_codebuild-project-logging-enabled/",
+    "https://support.icompaas.com/support/solutions/articles/62000233680-ensure-that-codebuild-projects-have-s3-or-cloudwatch-logging-enabled",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws codebuild update-project --name <project-name> --logs-config \"cloudWatchLogs={status=ENABLED},s3Logs={status=ENABLED\"}",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-4",
-      "Terraform": ""
+      "CLI": "aws codebuild update-project --name <project-name> --logs-config \"cloudWatchLogs={status=ENABLED}\"",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable logging on a CodeBuild project\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::Project\n    Properties:\n      Name: <example_resource_name>\n      ServiceRole: <example_resource_id>\n      Artifacts:\n        Type: NO_ARTIFACTS\n      Environment:\n        Type: LINUX_CONTAINER\n        ComputeType: BUILD_GENERAL1_SMALL\n        Image: aws/codebuild/standard:5.0\n      Source:\n        Type: NO_SOURCE\n      LogsConfig:\n        CloudWatchLogs:\n          Status: ENABLED  # Critical: Enables CloudWatch logging to pass the check\n```",
+      "Other": "1. In the AWS Console, go to CodeBuild > Build projects and open your project\n2. Under Logs, click Edit\n3. Check CloudWatch logs and save (or enable S3 logs instead)\n4. Confirm the project now shows logging enabled",
+      "Terraform": "```hcl\n# Terraform: Enable logging on a CodeBuild project\nresource \"aws_codebuild_project\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  service_role = \"<example_resource_id>\"\n\n  artifacts { type = \"NO_ARTIFACTS\" }\n\n  environment {\n    compute_type = \"BUILD_GENERAL1_SMALL\"\n    image        = \"aws/codebuild/standard:5.0\"\n    type         = \"LINUX_CONTAINER\"\n  }\n\n  source { type = \"NO_SOURCE\" }\n\n  logs_config {\n    cloudwatch_logs {\n      status = \"ENABLED\"  # Critical: Enables CloudWatch logging to pass the check\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable logging for CodeBuild projects to capture build events and logs for future analysis and incident response.",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs"
+      "Text": "Enable a log destination for every project-**CloudWatch Logs** or **S3** (preferably both). Enforce **defense in depth**: encrypt logs, set retention, and restrict access on a least-privilege basis. Centralize and monitor logs, alert on anomalies, and avoid sensitive data in output. Use immutable retention to preserve **auditability**.",
+      "Url": "https://hub.prowler.com/check/codebuild_project_logging_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json CHANGED Viewed

@@ -1,31 +1,47 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_no_secrets_in_variables",
-  "CheckTitle": "Ensure CodeBuild projects do not contain secrets on plaintext environment variables",
+  "CheckTitle": "CodeBuild project has no sensitive credentials in plaintext environment variables",
   "CheckType": [
-    "Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "TTPs/Credential Access",
+    "Effects/Data Exposure",
+    "Sensitive Data Identifications/Security"
   ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "This check ensures that AWS CodeBuild projects do not contain secrets in environment variables.",
-  "Risk": "Using plaintext AWS credentials in CodeBuild project environment variables can expose these sensitive keys, leading to unauthorized access and potential security breaches.",
-  "RelatedUrl": "https://docs.aws.amazon.com/codebuild/latest/userguide/how-to-create-project-console.html",
+  "Description": "**AWS CodeBuild projects** are inspected for **plaintext environment variables** (`PLAINTEXT`) that resemble **secrets** (keys, tokens, passwords).\n\nSuch values indicate sensitive data is stored directly in environment variables instead of being sourced securely.",
+  "Risk": "Plaintext secrets in environment variables reduce confidentiality: values can be viewed in consoles/CLI and may leak into build logs or public outputs. Compromised credentials enable unauthorized AWS actions, artifact tampering, and lateral movement, causing data exfiltration and CI/CD supply-chain compromise.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html",
+    "https://www.learnaws.org/2022/11/18/aws-codebuild-secrets-manager/",
+    "https://www.learnaws.org/2023/08/23/codebuild-env-vars/",
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-environmentvariable.html",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-2",
+    "https://pasmichal.medium.com/how-to-handle-secrets-in-aws-codebuild-6e1b96013712",
+    "https://medium.com/@odofing/aws-codepipeline-how-to-securely-store-environment-variables-in-ssm-paramater-store-and-aws-9a96d7083b3c"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-2",
-      "Terraform": ""
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::Project\n    Properties:\n      Name: <example_resource_name>\n      ServiceRole: <example_resource_arn>\n      Source:\n        Type: NO_SOURCE\n      Artifacts:\n        Type: NO_ARTIFACTS\n      Environment:\n        Type: LINUX_CONTAINER\n        ComputeType: BUILD_GENERAL1_SMALL\n        Image: aws/codebuild/standard:5.0\n        EnvironmentVariables:\n          - Name: <SENSITIVE_VAR_NAME>\n            Type: SECRETS_MANAGER  # CRITICAL: store secret in Secrets Manager to avoid PLAINTEXT\n            Value: <example_secret_name>  # Secret name or ARN (optionally include json-key)\n```",
+      "Other": "1. In AWS Console, go to CodeBuild > Build projects and open your project\n2. Click Edit in the Environment section\n3. Under Environment variables, for each sensitive variable with Type = Plaintext, change Type to Secrets Manager (or Parameter store)\n4. Select the secret (or parameter) that holds the value, then Save\n5. If the secret/parameter does not exist, create it in Secrets Manager or Systems Manager Parameter Store first, then repeat steps 3-4",
+      "Terraform": "```hcl\nresource \"aws_codebuild_project\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  service_role = \"<example_resource_arn>\"\n\n  source {\n    type = \"NO_SOURCE\"\n  }\n\n  artifacts {\n    type = \"NO_ARTIFACTS\"\n  }\n\n  environment {\n    compute_type = \"BUILD_GENERAL1_SMALL\"\n    image        = \"aws/codebuild/standard:5.0\"\n    type         = \"LINUX_CONTAINER\"\n\n    environment_variable {\n      name  = \"<SENSITIVE_VAR_NAME>\"\n      type  = \"SECRETS_MANAGER\"  # CRITICAL: use Secrets Manager so value isn't plaintext\n      value = \"<example_secret_name>\"\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Do not store secrets in plaintext environment variables. Use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve sensitive information.",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html"
+      "Text": "Store secrets outside the build and reference them via **AWS Secrets Manager** or **AWS Systems Manager Parameter Store** instead of `PLAINTEXT` variables.\n- Enforce **least privilege** on the build role\n- Rotate secrets; prefer short-lived credentials\n- Avoid logging or exporting secret values and never embed them in artifacts",
+      "Url": "https://hub.prowler.com/check/codebuild_project_no_secrets_in_variables"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets",
+    "ci-cd"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json CHANGED Viewed

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_not_publicly_accessible",
-  "CheckTitle": "Ensure AWS CodeBuild projects are not public",
-  "CheckType": [],
+  "CheckTitle": "CodeBuild project visibility is private",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:codebuild:region:account-id:project:project-name",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "Check for CodeBuild projects ensuring that the project visibility is appropriate",
-  "Risk": "Public CodeBuild Project ensures all build logs and artifacts are available to the public. Environment variables, source code, and other sensitive information may have been output to the build logs and artifacts. You must be careful about what information is output to the build logs.",
+  "Description": "**AWS CodeBuild project visibility** is assessed to identify projects exposed to the public. Projects with `project_visibility` set to `PUBLIC_READ` (or not `PRIVATE`) allow anyone to access build results, logs, and artifacts.",
+  "Risk": "Public visibility degrades CIA:\n- Logs may leak secrets, tokens, and source details\n- Artifacts are downloadable, enabling tampering and supply-chain malware\n- Adversaries gain CI/CD insights for reconnaissance and lateral movement",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html",
+    "https://docs.aws.amazon.com/cli/latest/reference/codebuild/update-project-visibility.html"
+  ],
   "Remediation": {
     "Code": {
-      "NativeIaC": "",
-      "Terraform": "",
-      "CLI": "aws codebuild update-project --name <project-name> --project-visibility PRIVATE",
-      "Other": ""
+      "CLI": "aws codebuild update-project-visibility --project-arn <PROJECT_ARN> --project-visibility PRIVATE",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::Project\n    Properties:\n      Name: <example_resource_name>\n      ServiceRole: <example_role_arn>\n      Artifacts:\n        Type: NO_ARTIFACTS\n      Environment:\n        Type: LINUX_CONTAINER\n        Image: aws/codebuild/standard:5.0\n        ComputeType: BUILD_GENERAL1_SMALL\n      Source:\n        Type: NO_SOURCE\n      Visibility: PRIVATE  # Critical: makes the project private so builds aren't publicly accessible\n```",
+      "Other": "1. Open the AWS Console and go to CodeBuild\n2. Select your build project\n3. Click Edit\n4. Set Project visibility to Private\n5. Save changes",
+      "Terraform": "```hcl\nresource \"aws_codebuild_project\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  service_role = \"<example_role_arn>\"\n\n  artifacts { type = \"NO_ARTIFACTS\" }\n\n  environment {\n    compute_type = \"BUILD_GENERAL1_SMALL\"\n    image        = \"aws/codebuild/standard:5.0\"\n    type         = \"LINUX_CONTAINER\"\n  }\n\n  source { type = \"NO_SOURCE\" }\n\n  project_visibility = \"PRIVATE\" # Critical: ensures the project is not publicly accessible\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that all CodeBuild projects are private to avoid fact gathering about builds from an Attacker.",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html"
+      "Text": "Set visibility to `PRIVATE` and share only with trusted principals using narrowly scoped policies. Apply **least privilege** to logs and artifacts, keeping them private. Manage secrets via **Secrets Manager** or **Parameter Store**, avoid printing them, and validate artifacts (e.g., checksums).",
+      "Url": "https://hub.prowler.com/check/codebuild_project_not_publicly_accessible"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed",
+    "ci-cd"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json CHANGED Viewed

@@ -1,32 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_older_90_days",
-  "CheckTitle": "Ensure CodeBuild Project has been invoked in the last 90 days",
+  "CheckTitle": "CodeBuild project has been invoked in the last 90 days",
   "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "Ensure CodeBuild Project has been invoked in the last 90 days",
-  "Risk": "Older CodeBuild projects can be checked to see if they are currently in use.",
+  "Description": "**AWS CodeBuild projects** are assessed for recent activity using the last build invocation timestamp. Projects not invoked within `90 days` or never built are treated as **inactive**.",
+  "Risk": "**Inactive projects** increase **attack surface**. Dormant webhooks or **source credentials** can be abused, and attached **IAM roles** may retain excessive permissions. Stale configs can expose **secrets** in env vars or logs, threatening build **integrity** and data **confidentiality**, while adding avoidable cost and operational sprawl.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/delete-project.html",
+    "https://support.icompaas.com/support/solutions/articles/62000233684-ensure-codebuild-project-has-been-invoked-in-the-last-90-days"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. Open the AWS Console and go to CodeBuild\n2. In Build projects, select the project\n3. Click Start build, then confirm Start build\n4. Wait for the build to start to update the last invoked time",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Check if CodeBuild project are really in use and remove the stale ones",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/delete-project.html"
+      "Text": "Implement lifecycle management: review projects idle over `90 days`, confirm ownership and need, then delete or archive. Revoke unused webhooks, tokens, and service roles; rotate any secrets. Enforce **least privilege**, tagging, and periodic audits to reduce **attack surface** and keep the build environment tidy and defensible.",
+      "Url": "https://hub.prowler.com/check/codebuild_project_older_90_days"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "ci-cd"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json CHANGED Viewed

@@ -1,28 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_s3_logs_encrypted",
-  "CheckTitle": "Ensure S3 Logs for CodeBuild Projects are encrypted at rest.",
+  "CheckTitle": "CodeBuild project S3 logs are encrypted at rest",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Effects/Data Exposure"
   ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "Ensure that the S3 logs for CodeBuild projects are encrypted at rest.",
-  "Risk": "If the logs are not encrypted, sensitive information could be exposed to unauthorized users.",
-  "RelatedUrl": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs",
+  "Description": "**CodeBuild projects** with **S3 log delivery** are evaluated for **encryption at rest** on their S3 log objects. Only projects that write logs to S3 are in scope.",
+  "Risk": "Unencrypted build logs jeopardize **confidentiality**. Logs can include secrets, environment data, and error traces. If the bucket is misconfigured or storage is accessed, attackers can harvest credentials and map the pipeline, enabling **lateral movement** and build tampering that impacts **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-3",
+    "https://support.icompaas.com/support/solutions/articles/62000233685-ensure-s3-logs-for-codebuild-projects-are-encrypted-at-rest",
+    "https://hub.powerpipe.io/mods/turbot/steampipe-mod-aws-compliance/benchmarks/control.codebuild_project_s3_logs_encryption_enabled"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws codebuild update-project --name <project-name> --logs-config \"s3Logs={status=ENABLED, location=<bucket-name>/<path>, encryptionDisabled=false\"}",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-3",
-      "Terraform": ""
+      "CLI": "aws codebuild update-project --name <project-name> --logs-config s3Logs={status=ENABLED,location=<bucket-name>/<path>,encryptionDisabled=false}",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::Project\n    Properties:\n      Name: <example_resource_name>\n      ServiceRole: <example_role_arn>\n      Artifacts:\n        Type: NO_ARTIFACTS\n      Environment:\n        Type: LINUX_CONTAINER\n        ComputeType: BUILD_GENERAL1_SMALL\n        Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0\n      Source:\n        Type: NO_SOURCE\n      LogsConfig:\n        S3Logs:\n          Status: ENABLED\n          Location: <bucket-name>/<path>\n          EncryptionDisabled: false  # Critical: ensures S3 logs are encrypted at rest\n```",
+      "Other": "1. Open the AWS CodeBuild console and select your project\n2. Choose Edit, then open the Logs section\n3. Under S3 logs, select Enabled and choose the Bucket/Path\n4. Ensure Disable S3 log encryption is unchecked (encryption enabled)\n5. Save changes",
+      "Terraform": "```hcl\nresource \"aws_codebuild_project\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  service_role = \"<example_role_arn>\"\n\n  artifacts { type = \"NO_ARTIFACTS\" }\n\n  environment {\n    compute_type = \"BUILD_GENERAL1_SMALL\"\n    image        = \"aws/codebuild/amazonlinux2-x86_64-standard:5.0\"\n    type         = \"LINUX_CONTAINER\"\n  }\n\n  source { type = \"NO_SOURCE\" }\n\n  logs_config {\n    s3_logs {\n      status              = \"ENABLED\"\n      location            = \"<bucket-name>/<path>\"\n      encryption_disabled = false  # Critical: enables encryption for S3 logs\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that the CodeBuild project's S3 logs are encrypted at rest by setting the `encryptionDisabled` parameter to `false` in the `s3Logs` configuration.",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html#change-project-console-logs"
+      "Text": "Enable encryption at rest for S3 logs on CodeBuild projects. Prefer `SSE-KMS` with customer-managed keys to control access and rotation. Enforce encryption via bucket policy, apply **least privilege** to log access, and monitor access patterns. *If needed*, segregate logs and keep them private.",
+      "Url": "https://hub.prowler.com/check/codebuild_project_s3_logs_encrypted"
     }
   },
   "Categories": [

prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json CHANGED Viewed

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_source_repo_url_no_sensitive_credentials",
-  "CheckTitle": "Ensure CodeBuild project source repository URLs do not contain sensitive credentials",
+  "CheckTitle": "CodeBuild project source repository URLs do not contain sensitive credentials",
   "CheckType": [
-    "Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Sensitive Data Identifications/Passwords",
+    "Sensitive Data Identifications/Security",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "This check ensures an AWS CodeBuild project source repository URL doesn't contain personal access tokens or a user name and password. The check fails if the source repository URL contains personal access tokens or a user name and password.",
-  "Risk": "Storing or transmitting sign-in credentials in clear text or including them in the source repository URL can lead to unintended data exposure or unauthorized access, potentially compromising the security of the system.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html",
+  "Description": "**AWS CodeBuild projects** with **Bitbucket sources** are assessed to confirm repository URLs do not embed credentials (for example, `x-token-auth:<token>@` or `user:password@`). The assessment includes both the primary source and all secondary sources.",
+  "Risk": "Credentials in URLs are **plainly exposed** in configs and logs, enabling unauthorized repo access. This can lead to:\n- **Source code theft** (C)\n- **Malicious commits/CI changes** (I)\n- **Supply-chain compromise** and lateral movement via token reuse",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-1",
+    "https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-1",
-      "Terraform": ""
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::Project\n    Properties:\n      Name: <example_resource_name>\n      ServiceRole: <example_role_arn>\n      Artifacts:\n        Type: NO_ARTIFACTS\n      Environment:\n        Type: LINUX_CONTAINER\n        Image: aws/codebuild/standard:5.0\n        ComputeType: BUILD_GENERAL1_SMALL\n      Source:\n        Type: BITBUCKET\n        Location: https://bitbucket.org/<example_owner>/<example_repo>.git  # FIX: remove embedded credentials; keep only the repo URL\n        # This removes tokens/user:pass from the URL, eliminating exposed secrets\n```",
+      "Other": "1. In the AWS Console, go to CodeBuild and open your project\n2. Click Edit > Source\n3. Replace the repository URL with only the Bitbucket path (no credentials):\n   - https://bitbucket.org/<workspace>/<repo>.git\n4. If prompted for access, choose Connect using OAuth and authorize Bitbucket\n5. Save changes\n6. If you use Secondary sources, edit each one and remove any embedded credentials from their URLs",
+      "Terraform": "```hcl\nresource \"aws_codebuild_project\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  service_role = \"<example_role_arn>\"\n\n  artifacts {\n    type = \"NO_ARTIFACTS\"\n  }\n\n  environment {\n    compute_type = \"BUILD_GENERAL1_SMALL\"\n    image        = \"aws/codebuild/standard:5.0\"\n    type         = \"LINUX_CONTAINER\"\n  }\n\n  source {\n    type     = \"BITBUCKET\"\n    location = \"https://bitbucket.org/<example_owner>/<example_repo>.git\" # FIX: sanitized URL without credentials\n    # Removing credentials from the URL prevents sensitive data exposure\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Update your CodeBuild project to use OAuth instead of personal access tokens or basic authentication in your repository URLs.",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/use-case-based-samples.html"
+      "Text": "Use **OAuth/CodeStar Connections** or store tokens in **Secrets Manager/SSM**, never in the URL. Enforce **least privilege**, scope to needed repos, set short lifetimes, and rotate regularly. Audit configs and logs to remove leaked secrets. *Apply to primary and secondary sources.*",
+      "Url": "https://hub.prowler.com/check/codebuild_project_source_repo_url_no_sensitive_credentials"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json CHANGED Viewed

@@ -1,32 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_user_controlled_buildspec",
-  "CheckTitle": "Ensure CodeBuild Project uses a controlled buildspec",
+  "CheckTitle": "CodeBuild project does not use a user-controlled buildspec file",
   "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "Ensure CodeBuild Project uses a controlled buildspec",
-  "Risk": "The CodeBuild projects with user controlled buildspec",
+  "Description": "AWS CodeBuild projects are evaluated for use of a **user-controlled buildspec**, identified when the project references a repository file like `*.yml` or `*.yaml`. Projects using non file-based build instructions are treated as centrally managed.",
+  "Risk": "Repository-controlled buildspecs let unreviewed changes run in CI, endangering **integrity** (tampered artifacts), **confidentiality** (secret leakage), and **availability** (resource abuse). Attackers can weaponize PRs to execute code and pivot via the build role.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/security.html",
+    "https://support.icompaas.com/support/solutions/articles/62000229579-ensure-codebuild-project-with-an-user-controlled-buildspec",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::Project\n    Properties:\n      ServiceRole: <example_role_arn>\n      Artifacts:\n        Type: NO_ARTIFACTS\n      Environment:\n        Type: LINUX_CONTAINER\n        ComputeType: BUILD_GENERAL1_SMALL\n        Image: <IMAGE>\n      Source:\n        Type: CODEPIPELINE\n        BuildSpec: |  # Critical: Inline buildspec avoids using a user-controlled file path\n          version: 0.2\n```",
+      "Other": "1. In the AWS Console, go to CodeBuild > Projects and open the target project\n2. Click Edit\n3. In Source, under Buildspec, select Insert build commands (not Use a buildspec file)\n4. Paste minimal inline YAML:\n   ```\n   version: 0.2\n   ```\n5. Save",
+      "Terraform": "```hcl\nresource \"aws_codebuild_project\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  service_role = \"<example_role_arn>\"\n\n  artifacts {\n    type = \"NO_ARTIFACTS\"\n  }\n\n  environment {\n    compute_type = \"BUILD_GENERAL1_SMALL\"\n    image        = \"<IMAGE>\"\n    type         = \"LINUX_CONTAINER\"\n  }\n\n  source {\n    type      = \"CODEPIPELINE\"\n    buildspec = <<EOT\nversion: 0.2\nEOT\n    # Critical: Inline buildspec avoids using a user-controlled buildspec file\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use buildspec.yml from a trusted source which user cant interfere with",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/security.html"
+      "Text": "Adopt a **centrally managed buildspec** that contributors cannot modify.\n- Enforce protected branches and required reviews for build instructions\n- Apply **least privilege** to the build role and minimize secrets\n- Separate duties for pipeline admins vs code authors\n\nUse vetted, versioned templates for defense in depth.",
+      "Url": "https://hub.prowler.com/check/codebuild_project_user_controlled_buildspec"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "software-supply-chain",
+    "ci-cd"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl