PyPI - prowler-cloud - Versions diffs - 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl - Mend

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (298) hide show

prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json CHANGED Viewed

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "documentdb_cluster_cloudwatch_log_export",
-  "CheckTitle": "Check if DocumentDB clusters are using the log export feature.",
-  "CheckType": [],
+  "CheckTitle": "DocumentDB cluster exports audit and profiler logs to CloudWatch Logs",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "documentdb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if DocumentDB clusters are using the log export feature.",
-  "Risk": "Ensure that all your Amazon DocumentDB clusters are using the Log Exports feature in order to publish audit logs directly to CloudWatch Logs. The events recorded by Log Exports include events such as successful and failed authentication attempts, creating indexes, or dropping collections in DocumentDB databases.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-4",
+  "Description": "Amazon DocumentDB clusters are evaluated for exporting `audit` and `profiler` logs to **CloudWatch Logs**.\nClusters missing one or both log types are identified as lacking complete log export configuration.",
+  "Risk": "Missing **audit** and/or **profiler** exports reduces observability of authentication, authorization, and data definition activity.\nAttacks like brute-force logins, privilege abuse, or destructive schema changes can go unnoticed, degrading **confidentiality** and **integrity** and delaying incident response.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-4",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DocumentDB/enable-profiler.html",
+    "https://docs.aws.amazon.com/cli/latest/reference/docdb/create-db-cluster.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws docdb modify-db-cluster --region <REGION> --db-cluster-identifier <DB_CLUSTER_ID> --db-cluster-parameter-group-name <DB_CLUSTER_PARAMETER_GROUP_NAME> --cloudwatch-logs-export-configuration '{EnableLogTypes:[profiler]}' --apply-immediately",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/enable-profiler.html",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/enable-profiler.html",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/enable-profiler.html"
+      "CLI": "aws docdb modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\",\"profiler\"]}' --apply-immediately",
+      "NativeIaC": "```yaml\n# CloudFormation: enable DocumentDB log exports\nResources:\n  <example_resource_name>:\n    Type: AWS::DocDB::DBCluster\n    Properties:\n      EnableCloudwatchLogsExports:\n        - audit      # Critical: export audit logs to CloudWatch Logs\n        - profiler   # Critical: export profiler logs to CloudWatch Logs\n```",
+      "Other": "1. In AWS Console, go to Amazon DocumentDB > Clusters\n2. Select the cluster and choose Actions > Modify\n3. In Log exports, check Audit and Profiler\n4. Check Apply immediately and click Modify cluster",
+      "Terraform": "```hcl\n# Enable DocumentDB log exports\nresource \"aws_docdb_cluster\" \"<example_resource_name>\" {\n  enabled_cloudwatch_logs_exports = [\"audit\", \"profiler\"] # Critical: export both logs to CloudWatch Logs\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enabled DocumentDB Log export functionality to analyze, monitor, and archive auditing events for security and compliance requirements.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-4"
+      "Text": "Enable export of both `audit` and `profiler` logs to **CloudWatch Logs** for all clusters and centralize analysis.\nApply **least privilege** to log access, define retention and immutability, integrate with alerting, and use **separation of duties** to protect and regularly review logs for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/documentdb_cluster_cloudwatch_log_export"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json CHANGED Viewed

@@ -1,29 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "documentdb_cluster_deletion_protection",
-  "CheckTitle": "Check if DocumentDB Clusters has deletion protection enabled.",
-  "CheckType": [],
+  "CheckTitle": "DocumentDB cluster has deletion protection enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "documentdb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if DocumentDB Clusters has deletion protection enabled.",
-  "Risk": "Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. A DocumentDB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5",
+  "Description": "**Amazon DocumentDB clusters** are evaluated for the `deletion_protection` setting on the cluster configuration.\n\nThe finding highlights clusters where this protection is not enabled.",
+  "Risk": "Without **deletion protection**, clusters can be deleted by mistake or misuse, causing sudden outage and loss of recovery points, impacting **availability** and **data integrity**.\n\nCompromised accounts or faulty automation can remove databases or skip final snapshots, hindering restoration.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.icompaas.com/support/solutions/articles/62000233689-ensure-documentdb-clusters-has-deletion-protection-enabled",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DocumentDB/deletion-protection.html",
+    "https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-delete.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws aws docdb modify-db-cluster --region <REGION> --db-cluster-identifier <DB_CLUSTER_ID> --deletion-protection --apply-immediately",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DocumentDB/deletion-protection.html#"
+      "CLI": "aws docdb modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --deletion-protection --apply-immediately",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable deletion protection on a DocumentDB cluster\nResources:\n  <example_resource_name>:\n    Type: AWS::DocDB::DBCluster\n    Properties:\n      MasterUsername: \"<MASTER_USERNAME>\"\n      MasterUserPassword: \"<MASTER_USER_PASSWORD>\"\n      DeletionProtection: true  # CRITICAL: Prevents cluster deletion until disabled\n```",
+      "Other": "1. In the AWS Console, go to Amazon DocumentDB > Clusters\n2. Select the target cluster and click Modify\n3. Enable Deletion protection\n4. Check Apply immediately and click Save changes",
+      "Terraform": "```hcl\n# Terraform: Enable deletion protection on a DocumentDB cluster\nresource \"aws_docdb_cluster\" \"<example_resource_name>\" {\n  master_username     = \"<MASTER_USERNAME>\"\n  master_password     = \"<MASTER_USER_PASSWORD>\"\n  deletion_protection = true  # CRITICAL: Prevents cluster deletion until disabled\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable deletion protection for production DocumentDB Clusters.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-5"
+      "Text": "Enable **deletion protection** on all non-ephemeral clusters, prioritizing production.\n\nEnforce **least privilege** for delete and modify actions, require change control to toggle protection, and implement **defense in depth** with automation that continuously enforces this setting. *Before decommissioning*, take a final snapshot.",
+      "Url": "https://hub.prowler.com/check/documentdb_cluster_deletion_protection"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json CHANGED Viewed

@@ -1,30 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "documentdb_cluster_multi_az_enabled",
-  "CheckTitle": "Ensure DocumentDB Cluster have Multi-AZ enabled.",
-  "CheckType": [],
+  "CheckTitle": "DocumentDB cluster has Multi-AZ enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "documentdb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Ensure DocumentDB Cluster have Multi-AZ enabled.",
-  "Risk": "Ensure that your Amazon DocumentDB Clusters are using Multi-AZ deployment configurations to provide High Availability (HA) through automatic failover to standby replicas in the event of a failure such as an Availability Zone (AZ) outage, an internal hardware or network outage, a software failure or in case of a planned maintenance session.",
-  "RelatedUrl": "https://docs.aws.amazon.com/documentdb/latest/developerguide/failover.html",
+  "Description": "**Amazon DocumentDB clusters** with **Multi-AZ** (`multi_az`) indicate deployment of a primary and one or more replicas across Availability Zones.",
+  "Risk": "Without Multi-AZ, the cluster depends on a single AZ/instance. An AZ or node failure-or maintenance-can stop reads and writes, causing downtime, timeouts, and SLA breaches. Availability degrades, RTO rises, and applications may experience failed or retried transactions until replacement capacity is created.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/documentdb/latest/developerguide/failover.html",
+    "https://support.icompaas.com/support/solutions/articles/62000233690-ensure-documentdb-cluster-have-multi-az-enabled"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws docdb create-db-instance --db-instance-identifier <example_resource_id> --db-cluster-identifier <example_resource_id> --db-instance-class <INSTANCE_CLASS> --engine docdb --availability-zone <OTHER_AZ>",
+      "NativeIaC": "```yaml\n# CloudFormation: add a replica to enable Multi-AZ for an existing DocumentDB cluster\nResources:\n  DocDBReplica:\n    Type: AWS::DocDB::DBInstance\n    Properties:\n      DBClusterIdentifier: \"<example_resource_id>\"  # CRITICAL: adds a new instance to the cluster to achieve Multi-AZ\n      DBInstanceClass: \"<INSTANCE_CLASS>\"\n      AvailabilityZone: \"<OTHER_AZ>\"                # CRITICAL: place in a different AZ to provide Multi-AZ failover\n```",
+      "Other": "1. In the AWS Console, go to Amazon DocumentDB and open your cluster\n2. Click Create instance\n3. Set Instance class and choose an Availability Zone different from the primary\n4. Click Create to add the replica\n5. Verify the cluster now shows Multi-AZ enabled",
+      "Terraform": "```hcl\n# Add a replica to enable Multi-AZ for an existing DocumentDB cluster\nresource \"aws_docdb_cluster_instance\" \"<example_resource_name>\" {\n  cluster_identifier = \"<example_resource_id>\"  # CRITICAL: adds a new instance to the cluster to achieve Multi-AZ\n  instance_class     = \"<INSTANCE_CLASS>\"\n  availability_zone  = \"<OTHER_AZ>\"             # CRITICAL: different AZ ensures Multi-AZ failover\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Multi-AZ for all DocumentDB Clusters.",
-      "Url": "https://docs.aws.amazon.com/documentdb/latest/developerguide/failover.html"
+      "Text": "Enable **Multi-AZ** for DocumentDB and distribute instances across distinct AZs.\n- Maintain at least one replica\n- Set promotion priorities to guide failover\n- Test failover regularly and use resilient client retries\n\nThis builds **fault tolerance** and preserves service availability.",
+      "Url": "https://hub.prowler.com/check/documentdb_cluster_multi_az_enabled"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json CHANGED Viewed

@@ -1,26 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "documentdb_cluster_public_snapshot",
-  "CheckTitle": "Check if DocumentDB manual cluster snapshot is public.",
-  "CheckType": [],
+  "CheckTitle": "DocumentDB manual cluster snapshot is not shared publicly",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure",
+    "TTPs/Initial Access"
+  ],
   "ServiceName": "documentdb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsRdsDbClusterSnapshot",
-  "Description": "Check if DocumentDB manual cluster snapshot is public.",
-  "Risk": "If you share an unencrypted manual snapshot as public, the snapshot is available to all AWS accounts. Public snapshots may result in unintended data exposure.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-snapshot-public-prohibited.html",
+  "Description": "**Amazon DocumentDB** manual cluster snapshot visibility is evaluated to detect snapshots marked as **public** instead of limited to specified AWS accounts.",
+  "Risk": "**Public snapshots** weaken **confidentiality**: any AWS account can restore and read database contents, enabling data exfiltration.\n\nThey also aid **lateral movement** by revealing embedded secrets/config and reduce accountability when restores occur outside your account.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore-share_cluster_snapshots.html#backup_restore-share_snapshots",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-3",
+    "https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-snapshot-public-prohibited.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws docdb modify-db-snapshot-attribute --db-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all",
+      "CLI": "aws docdb modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all",
       "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-3",
+      "Other": "1. Open the Amazon DocumentDB console and go to Snapshots\n2. Select the public manual cluster snapshot\n3. Click Actions > Share\n4. Set DB snapshot visibility to Private (remove \"all\" if listed)\n5. Click Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "To remove public access from a manual snapshot, follow the Sharing a snapshot tutorial.",
-      "Url": "https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore-share_cluster_snapshots.html#backup_restore-share_snapshots"
+      "Text": "Keep snapshot visibility `Private` and share only with trusted accounts under **least privilege**. Prefer **CMEK encryption** to enforce key-based access and prevent public sharing. Periodically review sharing lists, restrict IAM permissions that alter visibility, and monitor for exposure as **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/documentdb_cluster_public_snapshot"
     }
   },
   "Categories": [

prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json CHANGED Viewed

@@ -1,31 +1,44 @@
 {
   "Provider": "aws",
   "CheckID": "documentdb_cluster_storage_encrypted",
-  "CheckTitle": "Check if DocumentDB cluster storage is encrypted.",
+  "CheckTitle": "DocumentDB cluster storage is encrypted at rest",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Software and Configuration Checks/Industry and Regulatory Standards/HIPAA Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/ISO 27001 Controls",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "documentdb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if DocumentDB cluster storage is encrypted.",
-  "Risk": "Ensure that encryption of data at rest is enabled for your Amazon DocumentDB (with MongoDB compatibility) database clusters for additional data security and regulatory compliance.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-1",
+  "Description": "**Amazon DocumentDB clusters** are assessed for **storage encryption at rest** via the cluster's `encrypted` setting.\n\nIt identifies clusters where data volumes, automated backups, and snapshots aren't protected by AWS KMS-managed encryption.",
+  "Risk": "Without at-rest encryption, cluster data, snapshots, and backups can be read in plaintext if copies are leaked, mis-shared, or underlying storage is accessed. This harms **confidentiality**, enables offline analysis and data exfiltration, and widens the blast radius of insider or backup repository compromise.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-1",
+    "https://docs.aws.amazon.com/documentdb/latest/developerguide/elastic-encryption.html",
+    "https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws docdb create-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --port <PORT> --engine docdb --master-username <MASTER_USERNAME> --master-user-password <MASTER_PASSWORD> --storage-encrypted",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_28/",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_28#fix-buildtime"
+      "CLI": "aws docdb create-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --engine docdb --master-username <MASTER_USERNAME> --master-user-password <MASTER_PASSWORD> --storage-encrypted",
+      "NativeIaC": "```yaml\n# CloudFormation: Create an encrypted DocumentDB cluster\nResources:\n  <example_resource_name>:\n    Type: AWS::DocDB::DBCluster\n    Properties:\n      Engine: docdb\n      MasterUsername: <MASTER_USERNAME>\n      MasterUserPassword: <MASTER_PASSWORD>\n      StorageEncrypted: true  # Critical: enables encryption at rest to pass the check\n```",
+      "Other": "1. In the AWS Console, go to Amazon DocumentDB\n2. Click Create cluster\n3. Expand Show advanced settings\n4. In Encryption-at-rest, select Enable encryption\n5. Choose or keep the default KMS key\n6. Click Create cluster\n\nTo replace an existing unencrypted cluster:\n1. Select the unencrypted cluster > Actions > Take snapshot\n2. After the snapshot completes, select it > Actions > Restore snapshot\n3. In Encryption-at-rest, select Enable encryption and restore as a new cluster\n4. Update your applications to use the new cluster endpoint",
+      "Terraform": "```hcl\n# Terraform: Encrypted DocumentDB cluster\nresource \"aws_docdb_cluster\" \"<example_resource_name>\" {\n  master_username   = \"<MASTER_USERNAME>\"\n  master_password   = \"<MASTER_PASSWORD>\"\n  storage_encrypted = true  # Critical: enables encryption at rest to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html#documentdb-1"
+      "Text": "Enable **storage encryption at rest** for all DocumentDB clusters and prefer **customer-managed KMS keys** for control over access, rotation, and revocation. Apply **least privilege** to key usage, enforce **separation of duties**, and monitor key and snapshot access. *If a cluster isn't encrypted*, migrate to a new encrypted cluster.",
+      "Url": "https://hub.prowler.com/check/documentdb_cluster_storage_encrypted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json CHANGED Viewed

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "drs_job_exist",
-  "CheckTitle": "Ensure DRS is enabled with jobs.",
-  "CheckType": [],
+  "CheckTitle": "Region has AWS Elastic Disaster Recovery (DRS) enabled with at least one recovery job",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "drs",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:drs:region:account-id:job/job-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Ensure DRS is enabled with jobs.",
-  "Risk": "If DRS is not enabled with jobs, then it may not be able to recover from a disaster.",
-  "RelatedUrl": "https://docs.aws.amazon.com/drs/latest/userguide/what-is-drs.html",
+  "Description": "**AWS Elastic Disaster Recovery** is assessed per Region to verify the service is **initialized** and that at least one **recovery or drill job** exists, demonstrating that failover has been exercised.",
+  "Risk": "Without DRS enabled or any prior jobs, workloads are **unprotected and untested**, undermining **availability**.\nDuring outages or ransomware, recovery may be delayed or fail, increasing RTO/RPO, causing **data loss** and prolonged downtime.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/blogs/storage/cross-region-disaster-recovery-using-aws-elastic-disaster-recovery/",
+    "https://docs.aws.amazon.com/drs/latest/userguide/quick-start-guide-gs.html",
+    "https://aws.amazon.com/disaster-recovery/",
+    "https://docs.aws.amazon.com/drs/latest/userguide/recovery-job.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. In the AWS Console, switch to the target Region\n2. Open Elastic Disaster Recovery (DRS)\n3. Click \"Set default replication settings\" (or Settings > Initialize) and choose \"Configure and initialize\" to enable DRS in this Region\n4. Go to \"Source servers\" > \"Add server\", copy the install command, run it on one server, and wait until it shows Data replication status = Healthy and Ready for recovery\n5. Select that server, choose \"Initiate recovery drill\" (or \"Initiate recovery\") and confirm to create a job\n6. Verify under \"Recovery job history\" that the job completes",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Ensure DRS is enabled with jobs.",
-      "Url": "https://docs.aws.amazon.com/drs/latest/userguide/what-is-drs.html"
+      "Text": "Enable DRS in required Regions and protect critical workloads. Define RTO/RPO and run **regular recovery drills** to validate launch settings and dependencies. Apply **least privilege**, monitor replication health, and document failover procedures to ensure consistent, repeatable recovery.",
+      "Url": "https://hub.prowler.com/check/drs_job_exist"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json CHANGED Viewed

@@ -1,28 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_accelerator_cluster_encryption_enabled",
-  "CheckTitle": "Check if DynamoDB DAX Clusters are encrypted at rest.",
+  "CheckTitle": "DynamoDB DAX cluster has encryption at rest enabled",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:dax:region:account-id:cache/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Check if DynamoDB DAX Clusters are encrypted at rest.",
-  "Risk": "Encryption at rest provides an additional layer of data protection by securing your data from unauthorized access to the underlying storage.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html",
+  "Description": "**Amazon DynamoDB Accelerator (DAX) clusters** are evaluated for **server-side `encryption at rest`**. The finding indicates whether the cluster's on-disk cache, configuration, and logs are encrypted using service-managed keys.",
+  "Risk": "Without **encryption at rest**, DAX on-disk cache and logs can be extracted from underlying storage by those with low-level access, compromising **confidentiality** and enabling offline data mining.\n\nThreats:\n- Compromised host or admin\n- Lost/retired media\n- Unauthorized backups or snapshots",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/DAX/encryption-enabled.html",
+    "https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/dynamodb.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws dax create-cluster --cluster-name <cluster_name> --node-type <node_type> --replication-factor <nodes_number> --iam-role-arn <role_arn> --sse-specification Enabled=true",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_23#cloudformation",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_23#terraform"
+      "CLI": "aws dax create-cluster --cluster-name <example_resource_name> --node-type <NODE_TYPE> --replication-factor 1 --iam-role-arn <example_resource_id> --sse-specification Enabled=true",
+      "NativeIaC": "```yaml\nResources:\n  DaxCluster:\n    Type: AWS::DAX::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      NodeType: <NODE_TYPE>\n      ReplicationFactor: 1\n      IAMRoleARN: <example_resource_id>\n      SSESpecification:           # Critical: enables encryption at rest\n        SSEEnabled: true          # Encrypts DAX cluster data at rest\n```",
+      "Other": "1. In the AWS console, open **DynamoDB** > under **DAX**, choose **Clusters** > **Create cluster**\n2. Enter a name and choose a node type\n3. In **Encryption**, select **Enable encryption**\n4. Choose the IAM role and required networking, then click **Launch cluster**\n5. If replacing an existing unencrypted cluster: point your application to the new cluster endpoint, then delete the old cluster",
+      "Terraform": "```hcl\nresource \"aws_dax_cluster\" \"example\" {\n  cluster_name       = \"<example_resource_name>\"\n  node_type          = \"<NODE_TYPE>\"\n  replication_factor = 1\n  iam_role_arn       = \"<example_resource_id>\"\n\n  # Critical: enables encryption at rest\n  server_side_encryption {\n    enabled = true  # Encrypts DAX cluster data at rest\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Re-create the cluster to enable encryption at rest if it was not enabled at creation.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html"
+      "Text": "Provision DAX clusters with **`encryption at rest`** enabled. Apply **least privilege** for DAX administration and data access, and monitor with logging.\n\nAdopt **defense in depth**: enable encryption in transit, restrict network exposure, and avoid caching highly sensitive data. Re-create unencrypted clusters to enforce this setting.",
+      "Url": "https://hub.prowler.com/check/dynamodb_accelerator_cluster_encryption_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json CHANGED Viewed

@@ -1,28 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_accelerator_cluster_in_transit_encryption_enabled",
-  "CheckTitle": "Check if DynamoDB Accelerator (DAX) clusters are encrypted in transit.",
+  "CheckTitle": "DynamoDB Accelerator (DAX) cluster has encryption in transit enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:dynamodb:region:account-id:table/table-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "This control checks whether an Amazon DynamoDB Accelerator (DAX) cluster is encrypted in transit, with the endpoint encryption type set to TLS. The control fails if the DAX cluster isn't encrypted in transit.",
-  "Risk": "Without encryption in transit, DAX clusters are vulnerable to person-in-the-middle attacks or eavesdropping on network traffic, which could lead to unauthorized access or manipulation of sensitive data.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionInTransit.html",
+  "Description": "**DAX clusters** have endpoint encryption set to `TLS`, enforcing **encryption in transit** for client connections to the cluster",
+  "Risk": "Missing **TLS** enables interception and manipulation of DAX traffic, impacting:\n- Confidentiality: exposure of queries, data, or credentials\n- Integrity: tampered requests/responses and cache poisoning\n- Availability: session hijacking or replay causing service disruption",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-7",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionInTransit.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws dax create-cluster --cluster-name <cluster-name> --node-type <node-type> --replication-factor <replication-factor> --cluster-endpoint-encryption-type TLS",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-7",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Create DAX cluster with TLS (encryption in transit)\nResources:\n  <example_resource_name>:\n    Type: AWS::DAX::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      IAMRoleARN: <example_resource_id>\n      NodeType: <example_node_type>\n      ReplicationFactor: 1\n      ClusterEndpointEncryptionType: TLS  # Critical: Enables TLS for in-transit encryption\n```",
+      "Other": "1. In the AWS Console, go to DynamoDB > DAX\n2. Click Create cluster\n3. Set Cluster name, Node type, Replication factor, and IAM role\n4. Enable Encryption in transit (TLS)\n5. Create the cluster and wait until ACTIVE\n6. Update your application to use the new DAX cluster endpoint\n7. Delete the old non-TLS DAX cluster",
+      "Terraform": "```hcl\n# DAX cluster with encryption in transit enabled\nresource \"aws_dax_cluster\" \"<example_resource_name>\" {\n  cluster_name                      = \"<example_resource_name>\"\n  node_type                         = \"<example_node_type>\"\n  replication_factor                = 1\n  iam_role_arn                      = \"<example_resource_id>\"\n  cluster_endpoint_encryption_type  = \"TLS\"  # Critical: Enables TLS for in-transit encryption\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that DynamoDB Accelerator (DAX) clusters are encrypted in transit by enabling TLS during cluster creation.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionInTransit.html"
+      "Text": "Enforce **TLS** for all DAX endpoints and clients (`encryption in transit`). If an existing cluster lacks it, create a new TLS-enabled cluster and migrate.\n\nApply **defense in depth**: restrict network paths, keep access private, and use **least privilege** IAM to reduce blast radius.",
+      "Url": "https://hub.prowler.com/check/dynamodb_accelerator_cluster_in_transit_encryption_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json CHANGED Viewed

@@ -1,30 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_accelerator_cluster_multi_az",
-  "CheckTitle": "Check if DynamoDB Accelerator (DAX) clusters have nodes in multiple availability zones.",
-  "CheckType": [],
+  "CheckTitle": "DynamoDB Accelerator (DAX) cluster has nodes in multiple Availability Zones",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Denial of Service"
+  ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:dax:region:account-id:cache/table-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "This control checks whether an Amazon DynamoDB Accelerator (DAX) cluster has nodes in multiple availability zones.",
-  "Risk": "Without DAX nodes in multiple availability zones (AZ) the nodes are at risk of interruption if an AZ disruption occurs.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.concepts.cluster.html#DAX.concepts.regions-and-azs",
+  "Description": "**Amazon DynamoDB Accelerator (DAX)** cluster node placement across **Availability Zones** is evaluated. Clusters with nodes in more than one AZ within the Region are recognized as multi-AZ; clusters whose nodes reside in a single AZ are recognized as single-AZ.",
+  "Risk": "Without **multi-AZ DAX nodes**, an AZ outage or primary node failure can render the cache **unavailable**, harming **availability** and causing **latency spikes** and **throttling** as load shifts to DynamoDB. Loss of caching can drive higher costs and trigger **timeout cascades** in read-heavy workloads.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.icompaas.com/support/solutions/articles/62000233618-ensure-dynamodb-accelerator-dax-clusters-have-nodes-in-multiple-availability-zones",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.concepts.cluster.html#DAX.concepts.regions-and-azs",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.console.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws dax increase-replication-factor --cluster-name <example_resource_name> --new-replication-factor 2 --availability-zones <AZ_1> <AZ_2>",
+      "NativeIaC": "```yaml\nResources:\n  DAXCluster:\n    Type: AWS::DAX::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      IAMRoleARN: <example_resource_id>\n      NodeType: <NODE_TYPE>\n      ReplicationFactor: 2  # CRITICAL: at least 2 nodes so nodes can be placed in multiple AZs\n      SubnetGroupName: <example_resource_name>\n      AvailabilityZones:     # CRITICAL: specify multiple AZs to ensure multi-AZ placement\n        - <AZ_1>\n        - <AZ_2>\n```",
+      "Other": "1. In AWS Console, go to DynamoDB > DAX > Subnet groups and ensure the subnet group used by the cluster includes subnets from at least two Availability Zones; save if you add one.\n2. Go to DynamoDB > DAX > Clusters, select <example_resource_name>, and choose Modify.\n3. Set Cluster size to 2 or more.\n4. In Availability Zones (or node placement), select at least two different AZs.\n5. Save changes and wait until status is Available, then confirm nodes show multiple AZs in Cluster details.",
+      "Terraform": "```hcl\nresource \"aws_dax_cluster\" \"example\" {\n  cluster_name       = \"<example_resource_name>\"\n  node_type          = \"<NODE_TYPE>\"\n  replication_factor = 2  # CRITICAL: at least 2 nodes to allow multi-AZ\n  iam_role_arn       = \"<example_resource_id>\"\n  subnet_group_name  = \"<example_resource_name>\"\n  availability_zones = [\"<AZ_1>\", \"<AZ_2>\"]  # CRITICAL: ensures nodes are in multiple AZs\n}\n```"
     },
     "Recommendation": {
-      "Text": "Create a DAX cluster with nodes in multiple availability zones.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.concepts.cluster.html#DAX.concepts.regions-and-azs"
+      "Text": "Deploy **DAX clusters** with at least `3` nodes spread across distinct **Availability Zones** to ensure fault tolerance. Use subnet groups spanning multiple AZs, access via the cluster endpoint, and validate **failover** regularly. Monitor capacity to avoid single-AZ or single-node dependencies.",
+      "Url": "https://hub.prowler.com/check/dynamodb_accelerator_cluster_multi_az"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json CHANGED Viewed

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_table_autoscaling_enabled",
-  "CheckTitle": "Check if DynamoDB tables automatically scale capacity with demand.",
+  "CheckTitle": "DynamoDB table uses on-demand capacity or has auto scaling enabled for read and write capacity units",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Denial of Service",
+    "Effects/Resource Consumption"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:dynamodb:region:account-id:table/table-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsDynamoDbTable",
-  "Description": "This check ensures that DynamoDB tables can scale their read and write capacity as needed, either using on-demand capacity mode or provisioned mode with auto scaling configured.",
-  "Risk": "If DynamoDB tables do not automatically scale capacity with demand, they may experience throttling exceptions, leading to reduced availability and performance of applications.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.Console.html#AutoScaling.Console.ExistingTable",
+  "Description": "**DynamoDB tables** use **automatic capacity scaling** via `on-demand` mode or `PROVISIONED` mode with **auto scaling** enabled for both `read` and `write` capacity units.\n\nProvisioned tables are evaluated for scaling on both dimensions.",
+  "Risk": "**Insufficient capacity scaling** causes throttling that degrades **availability** and increases latency.\n\nSustained throttling can trigger retry storms, timeouts, and backlogs, risking missed writes or out-of-order processing that impacts **data integrity** and drives **operational costs**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-1",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.Console.html#AutoScaling.Console.ExistingTable"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws dynamodb update-table --table-name <table-name> --billing-mode PAY_PER_REQUEST",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-1",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Set table to on-demand capacity\nResources:\n  <example_resource_name>:\n    Type: AWS::DynamoDB::Table\n    Properties:\n      AttributeDefinitions:\n        - AttributeName: id\n          AttributeType: S\n      KeySchema:\n        - AttributeName: id\n          KeyType: HASH\n      BillingMode: PAY_PER_REQUEST  # Critical: enables on-demand capacity to pass the control\n```",
+      "Other": "1. Open the AWS console and go to DynamoDB\n2. Click Tables and select your table\n3. Open the Additional settings tab and click Edit in Read/write capacity\n4. Set Capacity mode to On-demand (PAY_PER_REQUEST)\n5. Click Save",
+      "Terraform": "```hcl\n# DynamoDB table with on-demand capacity\nresource \"aws_dynamodb_table\" \"<example_resource_name>\" {\n  name     = \"<example_resource_name>\"\n  hash_key = \"id\"\n\n  attribute {\n    name = \"id\"\n    type = \"S\"\n  }\n\n  billing_mode = \"PAY_PER_REQUEST\" # Critical: enables on-demand capacity to pass the control\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable DynamoDB automatic scaling on existing tables by configuring on-demand capacity mode or provisioned mode with auto scaling.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AutoScaling.Console.html#AutoScaling.Console.ExistingTable"
+      "Text": "Adopt **elastic capacity**: prefer `on-demand` for unpredictable traffic, or use `PROVISIONED` with **auto scaling** on both reads and writes.\n\nDefine safe utilization targets and bounds, monitor consumption, and plan for bursts to maintain **availability** and **resilience** over manual fixed throughput.",
+      "Url": "https://hub.prowler.com/check/dynamodb_table_autoscaling_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl