prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_project_uses_allowed_github_organizations",
-  "CheckTitle": "Ensure AWS CodeBuild projects using GitHub connect only to allowed organizations",
-  "CheckType": [],
+  "CheckTitle": "CodeBuild project using GitHub uses an allowed GitHub organization",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:codebuild:region:account-id:project:project-name",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsCodeBuildProject",
-  "Description": "Check for CodeBuild projects using GitHub repositories from untrusted organizations that could lead to backdoored IAM roles",
-  "Risk": "Attackers can use GitHub Actions in untrusted repositories to backdoor IAM roles used by CodeBuild projects, gaining persistent access to AWS accounts.",
-  "RelatedUrl": "https://medium.com/@adan.alvarez/gaining-long-term-aws-access-with-codebuild-and-github-873324638784",
+  "Description": "**CodeBuild projects** sourcing from **GitHub/GitHub Enterprise** with a service role that trusts CodeBuild are evaluated by deriving the repository's organization from its URL and comparing it to an **allowed organizations** list.",
+  "Risk": "Using repos from **untrusted GitHub orgs** can let external workflows assume the project role and obtain AWS credentials.\n- Confidentiality: data/secrets exfiltration\n- Integrity: unauthorized changes\n- Availability: build abuse or service disruption",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://medium.com/@adan.alvarez/gaining-long-term-aws-access-with-codebuild-and-github-873324638784",
+    "https://paul-hands-phd.medium.com/using-aws-codebuild-to-set-up-github-continuous-integration-19b92efbd094",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/connections-github-app.html",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html"
+  ],
   "Remediation": {
     "Code": {
-      "NativeIaC": "",
-      "Terraform": "",
-      "CLI": "",
-      "Other": ""
+      "CLI": "aws codebuild update-project --name <example_resource_name> --source type=GITHUB,location=https://github.com/<ALLOWED_GITHUB_ORG>/<REPO>",
+      "NativeIaC": "```yaml\n# CloudFormation: point CodeBuild project to a repo in an allowed GitHub org\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::Project\n    Properties:\n      ServiceRole: <example_resource_arn>\n      Artifacts:\n        Type: NO_ARTIFACTS\n      Environment:\n        Type: LINUX_CONTAINER\n        ComputeType: BUILD_GENERAL1_SMALL\n        Image: aws/codebuild/standard:7.0\n      Source:\n        Type: GITHUB\n        Location: https://github.com/<ALLOWED_GITHUB_ORG>/<REPO>  # FIX: repo org must be in the allowed list\n```",
+      "Other": "1. Open the AWS Console and go to CodeBuild > Build projects\n2. Select the project and click Edit\n3. In Source, set Repository URL to https://github.com/<ALLOWED_GITHUB_ORG>/<REPO>\n4. Click Update to save",
+      "Terraform": "```hcl\n# Terraform: set CodeBuild source to a repo under an allowed GitHub org\nresource \"aws_codebuild_project\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  service_role = \"<example_resource_arn>\"\n\n  artifacts { type = \"NO_ARTIFACTS\" }\n\n  environment {\n    compute_type = \"BUILD_GENERAL1_SMALL\"\n    image        = \"aws/codebuild/standard:7.0\"\n    type         = \"LINUX_CONTAINER\"\n  }\n\n  source {\n    type     = \"GITHUB\"\n    location = \"https://github.com/<ALLOWED_GITHUB_ORG>/<REPO>\" # FIX: use an allowed GitHub org\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Only use GitHub repositories from trusted organizations with CodeBuild projects. Configure the allowed GitHub organizations in your Prowler configuration.",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html"
+      "Text": "Limit sources to **approved GitHub organizations** via an explicit allowlist. Enforce **least privilege** on the CodeBuild service role and avoid admin rights. Apply **separation of duties** for allowlist changes and add **defense in depth** (branch protections, reviews, monitoring) to prevent workflow abuse.",
+      "Url": "https://hub.prowler.com/check/codebuild_project_uses_allowed_github_organizations"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "software-supply-chain",
+    "ci-cd"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json

@@ -1,26 +1,48 @@
 {
   "Provider": "aws",
   "CheckID": "codebuild_report_group_export_encrypted",
-  "CheckTitle": "CodeBuild report group exports are encrypted at rest",
-  "CheckType": [],
+  "CheckTitle": "CodeBuild report group exports to S3 are encrypted at rest",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Software and Configuration Checks/Industry and Regulatory Standards/HIPAA Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/ISO 27001 Controls",
+    "Software and Configuration Checks/Industry and Regulatory Standards/SOC 2"
+  ],
   "ServiceName": "codebuild",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Other",
-  "Description": "Ensure that CodeBuild report group exports are encrypted at rest.",
-  "Risk": "If CodeBuild report group exports are not encrypted, sensitive data could be exposed to unauthorized access.",
-  "RelatedUrl": "https://docs.aws.amazon.com/codebuild/latest/userguide/report-group-export-settings.html",
+  "ResourceType": "AwsCodeBuildProject",
+  "Description": "**CodeBuild report groups** with export type `S3` are evaluated to confirm their exported test results are encrypted at rest with a **KMS key**.\n\nReport groups configured with `NO_EXPORT` are out of scope.",
+  "Risk": "**Unencrypted S3 exports** leave report data in plaintext, weakening confidentiality.\n\nIf a bucket is misconfigured, compromised, or accessed by insiders, attackers can harvest test outputs for secrets, tokens, build paths, and system details, enabling credential theft and lateral movement.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-7",
+    "https://www.pulumi.com/registry/packages/aws/api-docs/codebuild/reportgroup/",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/report-group-export-settings.html",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/security-encryption.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html",
+    "https://docs.amazonaws.cn/en_us/codebuild/latest/userguide/report-group-export-settings.html",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/test-report-group-create-console.html",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/update-report-group-console.html",
+    "https://docs.aws.amazon.com/codebuild/latest/userguide/report-group-create.html",
+    "https://docs.amazonaws.cn/en_us/codebuild/latest/userguide/test-report-group-create-console.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws codebuild update-report-group --arn <report-group-arn> --export-config \"exportConfigType=S3, s3Destination={bucket=, encryptionDisabled=true}\"",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html#codebuild-7",
-      "Terraform": ""
+      "CLI": "aws codebuild update-report-group --arn <report-group-arn> --export-config \"exportConfigType=S3,s3Destination={bucket=<bucket-name>,encryptionDisabled=false}\"",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable encryption for CodeBuild report group S3 exports\nResources:\n  <example_resource_name>:\n    Type: AWS::CodeBuild::ReportGroup\n    Properties:\n      Name: <example_resource_name>\n      Type: TEST\n      ExportConfig:\n        ExportConfigType: S3\n        S3Destination:\n          Bucket: <example_resource_name>\n          EncryptionDisabled: false  # Critical: ensures S3 exports are encrypted at rest\n          # Uses AWS managed key by default\n```",
+      "Other": "1. Open the AWS Console and go to CodeBuild > Report groups\n2. Select the report group and click Edit\n3. Ensure Export to Amazon S3 is enabled and a bucket is set\n4. Expand Additional configuration and enable encryption by choosing Default AWS managed key (or select a KMS key)\n5. Ensure Disable artifact encryption is NOT selected\n6. Save changes",
+      "Terraform": "```hcl\n# Enable encryption for CodeBuild report group S3 exports\nresource \"aws_codebuild_report_group\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n  type = \"TEST\"\n\n  export_config {\n    type = \"S3\"\n    s3_destination {\n      bucket              = \"<example_resource_name>\"\n      encryption_disabled = false  # Critical: ensures S3 exports are encrypted at rest\n      # Uses AWS managed key by default\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure CodeBuild report group exports to use encryption at rest. This can be done by specifying a KMS key ID when creating or updating the report group.",
-      "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/report-group-export-settings.html"
+      "Text": "Enable at-rest encryption for report exports using **KMS** (prefer **customer managed keys**).\n\nApply least privilege: restrict key usage to the CodeBuild role and required principals, enable rotation, and audit key usage. Combine with S3 bucket policies for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/codebuild_report_group_export_encrypted"
     }
   },
   "Categories": [

prowler/providers/aws/services/codepipeline/codepipeline_client.py

@@ -0,0 +1,6 @@
+from prowler.providers.aws.services.codepipeline.codepipeline_service import (
+    CodePipeline,
+)
+from prowler.providers.common.provider import Provider
+
+codepipeline_client = CodePipeline(Provider.get_global_provider())

prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "aws",
+  "CheckID": "codepipeline_project_repo_private",
+  "CheckTitle": "Ensure that CodePipeline projects do not use public GitHub or GitLab repositories as source.",
+  "CheckType": [],
+  "ServiceName": "codepipeline",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "Other",
+  "Description": "Ensure that CodePipeline projects do not use public GitHub or GitLab repositories as source.",
+  "Risk": "Using public Git repositories in CodePipeline projects could expose sensitive deployment configurations and increase the risk of supply chain attacks.",
+  "RelatedUrl": "https://docs.aws.amazon.com/codepipeline/latest/userguide/connections-github.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws codestar-connections create-connection --provider-type GitHub|GitLab --connection-name <connection-name>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Use private Git repositories for CodePipeline sources and ensure proper authentication is configured using AWS CodeStar Connections. Consider using AWS CodeCommit or other private repository solutions for sensitive code.",
+      "Url": "https://docs.aws.amazon.com/codepipeline/latest/userguide/connections"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check supports both GitHub and GitLab repositories through CodeStar Connections"
+}

prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py

@@ -0,0 +1,95 @@
+import ssl
+import urllib.error
+import urllib.request
+
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.codepipeline.codepipeline_client import (
+    codepipeline_client,
+)
+
+
+class codepipeline_project_repo_private(Check):
+    """Checks if AWS CodePipeline source repositories are configured as private.
+
+    This check verifies whether source repositories (GitHub or GitLab) connected to
+    CodePipeline are publicly accessible. It attempts to access the repositories
+    anonymously to determine their visibility status.
+
+    Attributes:
+        None
+    """
+
+    def execute(self) -> list:
+        """Executes the repository privacy check for all CodePipeline sources.
+
+        Iterates through all CodePipeline pipelines and checks if their source
+        repositories (GitHub/GitLab) are publicly accessible by attempting anonymous
+        access.
+
+        Returns:
+            list: List of Check_Report_AWS objects containing the findings for each
+                pipeline's source repository.
+        """
+        findings = []
+
+        for pipeline in codepipeline_client.pipelines.values():
+            if (
+                pipeline.source
+                and pipeline.source.type == "CodeStarSourceConnection"
+                and pipeline.source.repository_id
+            ):
+                report = Check_Report_AWS(self.metadata(), resource=pipeline)
+                report.region = pipeline.region
+                report.resource_id = pipeline.name
+                report.resource_arn = pipeline.arn
+                report.resource_tags = pipeline.tags
+
+                # Try both GitHub and GitLab URLs
+                github_url = f"https://github.com/{pipeline.source.repository_id}"
+                gitlab_url = f"https://gitlab.com/{pipeline.source.repository_id}"
+
+                is_public_github = self._is_public_repo(github_url)
+                is_public_gitlab = self._is_public_repo(gitlab_url)
+
+                if is_public_github:
+                    report.status = "FAIL"
+                    report.status_extended = f"CodePipeline {pipeline.name} source repository is public: {github_url}"
+                elif is_public_gitlab:
+                    report.status = "FAIL"
+                    report.status_extended = f"CodePipeline {pipeline.name} source repository is public: {gitlab_url}"
+                else:
+                    report.status = "PASS"
+                    report.status_extended = f"CodePipeline {pipeline.name} source repository {pipeline.source.repository_id} is private."
+
+                findings.append(report)
+
+        return findings
+
+    def _is_public_repo(self, repo_url: str) -> bool:
+        """Checks if a repository is publicly accessible.
+
+        Attempts to access the repository URL anonymously to determine if it's
+        public or private.
+
+        Args:
+            repo_url: String containing the repository URL to check.
+
+        Returns:
+            bool: True if the repository is public, False if private or inaccessible.
+
+        Note:
+            The method considers a repository private if:
+            - The URL redirects to a sign-in page
+            - The request fails with HTTP errors
+            - The URL is not accessible
+        """
+        if repo_url.endswith(".git"):
+            repo_url = repo_url[:-4]
+
+        try:
+            context = ssl._create_unverified_context()
+            req = urllib.request.Request(repo_url, method="HEAD")
+            response = urllib.request.urlopen(req, context=context)
+            return not response.geturl().endswith("sign_in")
+        except (urllib.error.HTTPError, urllib.error.URLError):
+            return False

prowler/providers/aws/services/codepipeline/codepipeline_service.py

@@ -0,0 +1,164 @@
+from typing import Optional
+
+from botocore.exceptions import ClientError
+from pydantic import BaseModel
+
+from prowler.lib.logger import logger
+from prowler.providers.aws.lib.service.service import AWSService
+
+
+class CodePipeline(AWSService):
+    """AWS CodePipeline service class for managing pipeline resources.
+
+    This class handles interactions with AWS CodePipeline service, including
+    listing pipelines and retrieving their states. It manages pipeline resources
+    and their associated metadata.
+
+    Attributes:
+        pipelines: Dictionary mapping pipeline ARNs to Pipeline objects.
+    """
+
+    def __init__(self, provider):
+        """Initializes the CodePipeline service class.
+
+        Args:
+            provider: AWS provider instance for making API calls.
+        """
+        super().__init__(__class__.__name__, provider)
+        self.pipelines = {}
+        self.__threading_call__(self._list_pipelines)
+        if self.pipelines:
+            self.__threading_call__(self._get_pipeline_state, self.pipelines.values())
+            self.__threading_call__(
+                self._list_tags_for_resource, self.pipelines.values()
+            )
+
+    def _list_pipelines(self, regional_client):
+        """Lists all CodePipeline pipelines in the specified region.
+
+        Retrieves all pipelines using pagination and creates Pipeline objects
+        for each pipeline found.
+
+        Args:
+            regional_client: AWS regional client for CodePipeline service.
+
+        Raises:
+            ClientError: If there is an AWS API error.
+        """
+        logger.info("CodePipeline - Listing pipelines...")
+        try:
+            list_pipelines_paginator = regional_client.get_paginator("list_pipelines")
+            for page in list_pipelines_paginator.paginate():
+                for pipeline in page["pipelines"]:
+                    pipeline_arn = f"arn:{self.audited_partition}:codepipeline:{regional_client.region}:{self.audited_account}:{pipeline['name']}"
+                    if self.pipelines is None:
+                        self.pipelines = {}
+                    self.pipelines[pipeline_arn] = Pipeline(
+                        name=pipeline["name"],
+                        arn=pipeline_arn,
+                        region=regional_client.region,
+                    )
+        except ClientError as error:
+            if error.response["Error"]["Code"] == "AccessDenied":
+                logger.error(
+                    f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+                if not self.pipelines:
+                    self.pipelines = None
+            else:
+                logger.error(
+                    f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _get_pipeline_state(self, pipeline):
+        """Retrieves the current state of a pipeline.
+
+        Gets detailed information about a pipeline including its source configuration.
+
+        Args:
+            pipeline: Pipeline object to retrieve state for.
+
+        Raises:
+            ClientError: If there is an AWS API error.
+        """
+        logger.info("CodePipeline - Getting pipeline state...")
+        try:
+            regional_client = self.regional_clients[pipeline.region]
+            pipeline_info = regional_client.get_pipeline(name=pipeline.name)
+            source_info = pipeline_info["pipeline"]["stages"][0]["actions"][0]
+            repository_id = source_info["configuration"].get("FullRepositoryId", "")
+            pipeline.source = Source(
+                type=source_info["actionTypeId"]["provider"],
+                repository_id=repository_id,
+                configuration=source_info["configuration"],
+            )
+        except ClientError as error:
+            logger.error(
+                f"{pipeline.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+        except Exception as error:
+            logger.error(
+                f"{pipeline.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _list_tags_for_resource(self, resource):
+        """Lists tags for a given resource.
+
+        Args:
+            resource: Resource object to retrieve tags for.
+        """
+        logger.info("CodePipeline - Listing Tags...")
+        try:
+            tags_response = self.regional_clients[
+                resource.region
+            ].list_tags_for_resource(resourceArn=resource.arn)
+            resource.tags = tags_response.get("tags", [])
+        except ClientError as error:
+            if error.response["Error"]["Code"] == "ResourceNotFoundException":
+                logger.warning(
+                    f"{resource.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+            else:
+                logger.error(
+                    f"{resource.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+        except Exception as error:
+            logger.error(
+                f"{resource.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+
+class Source(BaseModel):
+    """Model representing a pipeline source configuration.
+
+    Attributes:
+        type: The type of source provider.
+        location: The location/path of the source repository.
+        configuration: Optional dictionary containing additional source configuration.
+    """
+
+    type: str
+    repository_id: str
+    configuration: Optional[dict]
+
+
+class Pipeline(BaseModel):
+    """Model representing an AWS CodePipeline pipeline.
+
+    Attributes:
+        name: The name of the pipeline.
+        arn: The ARN (Amazon Resource Name) of the pipeline.
+        region: The AWS region where the pipeline exists.
+        source: Optional Source object containing source configuration.
+        tags: Optional list of pipeline tags.
+    """
+
+    name: str
+    arn: str
+    region: str
+    source: Optional[Source] = None
+    tags: Optional[list] = []

prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json

@@ -1,32 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "directconnect_connection_redundancy",
-  "CheckTitle": "Ensure Direct Connect connections are redundant",
+  "CheckTitle": "Direct Connect connections span at least two locations per region",
   "CheckType": [
-    "Resilience"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
   ],
   "ServiceName": "directconnect",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:directconnect:region:account-id:directconnect/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Checks the resilience of the AWS Direct Connect used to connect your on-premises.",
-  "Risk": "This check alerts you if any Direct Connect connections are not redundant and the connections are coming from two distinct Direct Connect locations. Lack of location resiliency can result in unexpected downtime during maintenance, a fiber cut, a device failure, or a complete location failure.",
-  "RelatedUrl": "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-direct-connect-location-resiliency",
+  "Description": "**AWS Direct Connect** connectivity is provisioned with **connection and location redundancy**-multiple connections spread across **at least two distinct Direct Connect locations** in each Region.",
+  "Risk": "Missing **connection/location redundancy** creates a **single point of failure**, degrading **availability**. A router, fiber, or site outage can sever private paths to AWS, stalling app traffic, data replication, and admin access, leading to timeouts or extended downtime until alternate paths are restored.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-direct-connect-location-resiliency",
+    "https://repost.aws/knowledge-center/direct-connect-physical-redundancy",
+    "https://aws.amazon.com/directconnect/resiliency-recommendation/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "aws directconnect create-connection --region <REGION> --location <NEW_DX_LOCATION_CODE> --bandwidth 1Gbps --connection-name <example_resource_name>",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In the AWS Console, go to Direct Connect > Connections\n2. Click Create connection\n3. Region: select the Region where the existing connection resides\n4. Name: enter <example_resource_name>\n5. Location: select a different Direct Connect location than your existing connection\n6. Bandwidth: choose a supported value (e.g., 1 Gbps)\n7. Click Create connection",
+      "Terraform": "```hcl\n# Create an additional Direct Connect connection in a different location\nresource \"aws_dx_connection\" \"example\" {\n  name      = \"<example_resource_name>\"\n  bandwidth = \"1Gbps\"\n  location  = \"<NEW_DX_LOCATION_CODE>\" # Critical: choose a different DX location in the same Region to achieve location redundancy\n}\n```"
     },
     "Recommendation": {
-      "Text": "To build Direct Connect location resiliency, you should have at least two connections from at least two distinct Direct Connect locations.",
-      "Url": "https://aws.amazon.com/directconnect/resiliency-recommendation/"
+      "Text": "Apply **redundancy** and **defense in depth**:\n- Deploy 2 Direct Connect connections across **two distinct locations**\n- Use **dynamic, active/active routing** for automatic failover\n- Ensure **provider/device diversity**\n- Size capacity so one link loss doesn't overload remaining paths\n- Consider a **VPN** as tertiary backup",
+      "Url": "https://hub.prowler.com/check/directconnect_connection_redundancy"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json

@@ -1,32 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "directconnect_virtual_interface_redundancy",
-  "CheckTitle": "Ensure Direct Connect virtual interface(s) are providing redundant connections",
+  "CheckTitle": "Direct Connect gateway or virtual private gateway has at least two virtual interfaces on different Direct Connect connections",
   "CheckType": [
-    "Resilience"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Denial of Service"
   ],
   "ServiceName": "directconnect",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:directconnect:region:account-id:directconnect/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Checks the resilience of the AWS Direct Connect used to connect your on-premises to each Direct Connect gateway or virtual private gateway.",
-  "Risk": "This check alerts you if any Direct Connect gateway or virtual private gateway isn't configured with virtual interfaces across at least two distinct Direct Connect locations. Lack of location resiliency can result in unexpected downtime during maintenance, a fiber cut, a device failure, or a complete location failure.",
-  "RelatedUrl": "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-direct-connect-location-resiliency",
+  "Description": "**Direct Connect gateways** and **virtual private gateways** are assessed for **interface redundancy**: multiple virtual interfaces (`VIFs`) distributed across more than one **Direct Connect connection**.\n\n*Gateways with only one VIF or with all VIFs on a single connection are identified.*",
+  "Risk": "Missing connection diversity undermines **availability**. A single device, fiber, or location failure can cut on-prem to VPC connectivity, causing **outages**, **packet loss**, or routing blackholes. Fallback to internet VPN can add latency and throttle throughput, delaying recovery and impacting operations.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/awssupport/latest/user/fault-tolerance-checks.html#amazon-direct-connect-location-resiliency",
+    "https://repost.aws/knowledge-center/direct-connect-physical-redundancy",
+    "https://aws.amazon.com/directconnect/resiliency-recommendation/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "aws directconnect create-private-virtual-interface --connection-id <CONNECTION_ID_DIFFERENT_FROM_EXISTING_VIF> --new-private-virtual-interface '{\"virtualInterfaceName\":\"<NAME>\",\"vlan\":<VLAN>,\"asn\":<BGP_ASN>,\"addressFamily\":\"ipv4\",\"amazonAddress\":\"<AMAZON_IP/30>\",\"customerAddress\":\"<CUSTOMER_IP/30>\",\"directConnectGatewayId\":\"<DIRECT_CONNECT_GATEWAY_ID>\"}'",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In the AWS Console, open Direct Connect\n2. Go to Connections and select a different connection than the one used by your existing VIF\n3. Click Create virtual interface and choose Private\n4. For Gateway, select your Direct Connect gateway (or Virtual private gateway for VGW)\n5. Enter VLAN, BGP ASN, and IPv4 peer IPs (Amazon/Customer), then Create\n6. Verify the gateway now has at least two VIFs on different Direct Connect connections",
+      "Terraform": "```hcl\n# Create a second Private VIF on a different DX connection and attach to the gateway\nresource \"aws_dx_private_virtual_interface\" \"example\" {\n  connection_id   = \"<example_resource_id>\"      # CRITICAL: use a DIFFERENT Direct Connect connection than existing VIFs\n  dx_gateway_id   = \"<example_resource_id>\"      # CRITICAL: attaches the VIF to the Direct Connect gateway (use virtual_gateway_id for VGW)\n  name            = \"<NAME>\"\n  vlan            = 100\n  bgp_asn         = 65000\n  address_family  = \"ipv4\"\n  amazon_address  = \"169.254.100.1/30\"\n  customer_address = \"169.254.100.2/30\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "To build Direct Connect location resiliency, you can configure the Direct Connect gateway or virtual private gateway to connect to at least two distinct Direct Connect locations.",
-      "Url": "https://aws.amazon.com/directconnect/resiliency-recommendation/"
+      "Text": "Apply connectivity **defense in depth**:\n- Attach at least two `VIFs` per gateway on separate **Direct Connect connections** in distinct locations\n- Prefer active/active dynamic routing and size capacity to survive a link loss\n- *Optionally* add a **VPN/Transit Gateway** path to sustain operations during provider outages",
+      "Url": "https://hub.prowler.com/check/directconnect_virtual_interface_redundancy"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "documentdb_cluster_backup_enabled",
-  "CheckTitle": "Check if DocumentDB Clusters have backup enabled.",
-  "CheckType": [],
+  "CheckTitle": "DocumentDB cluster has automated backups enabled with retention period of at least 7 days",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
+  ],
   "ServiceName": "documentdb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if DocumentDB Clusters have backup enabled.",
-  "Risk": "Ensure that your Amazon DocumentDB database clusters have set a minimum backup retention period in order to achieve compliance requirements in your organization.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-2",
+  "Description": "**Amazon DocumentDB clusters** are evaluated for **automated backups** and an adequate **backup retention period**. Clusters should have `backup_retention_period` set to at least the configured minimum (default `7` days). Values of `0` indicate backups are disabled; values below the threshold are considered insufficient.",
+  "Risk": "Without adequate backups, clusters can't be reliably restored. Accidental deletes, logical corruption, or ransomware may cause irreversible data loss once a short retention window expires, leading to prolonged outages, missed RPO/RTO, and limited ability to roll back malicious or erroneous changes.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.amazonaws.cn/en_us/documentdb/latest/developerguide/what-is.html",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#",
+    "https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/aws-enabledocdbclusterbackupretentionperiod.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws docdb modify-db-cluster --region <REGION> --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7 --apply-immediately",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/sufficient-backup-retention-period.html#"
+      "CLI": "aws docdb modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7 --apply-immediately",
+      "NativeIaC": "```yaml\n# CloudFormation: Set DocumentDB backup retention to at least 7 days\nResources:\n  <example_resource_name>:\n    Type: AWS::DocDB::DBCluster\n    Properties:\n      BackupRetentionPeriod: 7  # CRITICAL: enables automated backups and sets retention to >=7 days\n```",
+      "Other": "1. Open the Amazon DocumentDB console\n2. Go to Clusters and select <example_resource_id>\n3. Click Modify\n4. Set Backup retention period to 7 (or higher)\n5. Check Apply immediately\n6. Click Continue and then Modify cluster",
+      "Terraform": "```hcl\n# Terraform: Ensure DocumentDB backup retention is at least 7 days\nresource \"aws_docdb_cluster\" \"<example_resource_name>\" {\n  cluster_identifier      = \"<example_resource_id>\"\n  backup_retention_period = 7  # CRITICAL: enables automated backups and sets retention to >=7 days\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-2"
+      "Text": "Enable **automated backups** and set retention to meet RPO/RTO (typically `7-35` days).\n- Regularly test point-in-time restores\n- Apply **least privilege** to backup/snapshot management\n- Protect backup artifacts and define stable backup windows\n- Include restores in a tested **disaster recovery** plan",
+      "Url": "https://hub.prowler.com/check/documentdb_cluster_backup_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""