prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json

@@ -1,32 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_table_cross_account_access",
-  "CheckTitle": "DynamoDB tables should not be accessible from other AWS accounts",
+  "CheckTitle": "DynamoDB table resource-based policy does not allow cross-account access",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "TTPs/Initial Access/Unauthorized Access",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:dynamodb:region:account-id:table/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsDynamoDbTable",
-  "Description": "This check determines if the DynamoDB table is accessible from other AWS accounts.",
-  "Risk": "If the DynamoDB table is accessible from other AWS accounts, it may lead to unauthorized access to the data stored in the table.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html",
+  "Description": "**DynamoDB tables** are evaluated for **resource-based policies** that permit cross-account or public principals.\n\nTables without a resource policy, or with policies restricted to the same account, are identified as isolated configurations.",
+  "Risk": "Allowing other accounts to access a table affects:\n- **Confidentiality**: unauthorized reads/data exfiltration\n- **Integrity**: writes or deletes by external principals\n- **Availability**: capacity exhaustion and throttling\n- **Cost**: owner pays for external requests\n\nIf public principals are allowed, exposure can be unrestricted.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.icompaas.com/support/solutions/articles/62000233614-ensure-dynamodb-tables-should-not-be-accessible-from-other-aws-accounts",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-bpa-rbp.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws dynamodb delete-resource-policy --resource-arn <resource-arn>",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. Open the AWS Console and go to DynamoDB > Tables\n2. Select <example_resource_name> and open the Permissions tab\n3. In Resource-based policy, click Delete policy and confirm\n4. Save changes to remove any cross-account access",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Ensure that the DynamoDB table is not accessible from other AWS accounts.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-bpa-rbp.html"
+      "Text": "Apply **least privilege**:\n- Avoid cross-account data access; *if required*, allow only named principals\n- Constrain with `aws:PrincipalOrgID`, `aws:SourceVpc`, `aws:PrincipalArn`; add `Deny` guardrails\n- Enable **Block Public Access** and monitor with **IAM Access Analyzer**",
+      "Url": "https://hub.prowler.com/check/dynamodb_table_cross_account_access"
     }
   },
   "Categories": [
-    "trustboundaries"
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_table_deletion_protection_enabled",
-  "CheckTitle": "Check if DynamoDB tables have deletion protection enabled.",
+  "CheckTitle": "DynamoDB table has deletion protection enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:dynamodb:region:account-id:table/table-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsDynamoDbTable",
-  "Description": "This control checks whether an Amazon DynamoDB table has deletion protection enabled to prevent accidental deletion during regular table management operations.",
-  "Risk": "If deletion protection is not enabled, a DynamoDB table could be accidentally deleted, leading to data loss and potential disruption of business operations.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection",
+  "Description": "**DynamoDB tables** have **deletion protection** enabled via the `deletion protection` setting, meaning delete operations require this setting to be disabled first",
+  "Risk": "Without **deletion protection**, tables can be removed by authorized actions or misconfigured automation, causing irrecoverable data loss and service outage. This impacts **integrity** and **availability**, and increases the blast radius of compromised credentials or mistaken runbooks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-6",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws dynamodb update-table --table-name <table-name> --deletion-protection-enabled",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-6",
-      "Terraform": ""
+      "CLI": "aws dynamodb update-table --table-name <TABLE_NAME> --deletion-protection-enabled",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::DynamoDB::Table\n    Properties:\n      DeletionProtectionEnabled: true  # CRITICAL: Enables deletion protection to prevent table deletion\n```",
+      "Other": "1. Open the AWS Management Console and go to DynamoDB\n2. Select the table\n3. Choose Additional settings\n4. Enable Deletion protection\n5. Save changes",
+      "Terraform": "```hcl\nresource \"aws_dynamodb_table\" \"<example_resource_name>\" {\n  name     = \"<example_resource_name>\"\n  hash_key = \"id\"\n\n  attribute {\n    name = \"id\"\n    type = \"S\"\n  }\n\n  deletion_protection_enabled = true  # CRITICAL: Prevents accidental table deletion\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable deletion protection for your DynamoDB tables to prevent accidental deletion.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection"
+      "Text": "Enable **deletion protection** on critical tables.\n- Enforce **least privilege** to restrict who can modify this setting\n- Require change control to disable it before planned deletes\n- Combine with **PITR** and backups for defense in depth\n- Use automation to make this the default for new tables",
+      "Url": "https://hub.prowler.com/check/dynamodb_table_deletion_protection_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json

@@ -1,32 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_table_protected_by_backup_plan",
-  "CheckTitle": "Check if DynamoDB tables are included in a backup plan.",
+  "CheckTitle": "DynamoDB table is protected by a backup plan",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:dynamodb:region:account-id:table/table-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsDynamoDbTable",
-  "Description": "This control checks whether an Amazon DynamoDB table is covered by a backup plan. The control fails if the DynamoDB table isn't included in a backup plan.",
-  "Risk": "If a DynamoDB table is not covered by a backup plan, data loss may occur due to accidental deletion, corruption, or unexpected failure, compromising the resilience of your application.",
-  "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html",
+  "Description": "**DynamoDB tables** are evaluated for inclusion in an **AWS Backup backup plan** through resource assignments, including explicit tables, resource-type wildcards, or all-resources coverage.\n\nThe result indicates whether a table is governed by scheduled backups and retention defined by the plan.",
+  "Risk": "Without a backup plan, table data lacks governed copies, harming **availability** and **integrity**. Accidental deletes, corrupt writes, or malicious actions can become unrecoverable, and RPO/RTO worsen. You also forfeit cross-Region/account copies and immutability features, increasing downtime and data loss.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/CreateBackupAWS.html",
+    "https://aws.amazon.com/blogs/database/set-up-scheduled-backups-for-amazon-dynamodb-using-aws-backup/"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html#dynamodb-4",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Add DynamoDB tables to an AWS Backup plan\nResources:\n  BackupPlan:\n    Type: AWS::Backup::BackupPlan\n    Properties:\n      BackupPlan:\n        BackupPlanName: <example_resource_name>\n        BackupPlanRule:\n          - RuleName: r\n            TargetBackupVault: Default\n\n  BackupSelection:\n    Type: AWS::Backup::BackupSelection\n    Properties:\n      BackupPlanId: !Ref BackupPlan\n      BackupSelection:\n        SelectionName: <example_resource_name>\n        IamRoleArn: <example_role_arn>\n        Resources:\n          - arn:aws:dynamodb:*:*:table/*  # CRITICAL: adds all DynamoDB tables to the backup plan, making them protected\n```",
+      "Other": "1. In the AWS Backup console, go to Settings > Configure resources and enable DynamoDB, then Confirm\n2. Go to Backup plans > Create backup plan > Build a new plan\n3. Enter a plan name, set Rule name to any value, set Backup vault to Default, and Create plan\n4. On the plan page, choose Assign resources\n5. Enter a Resource assignment name, set IAM role to Default role, select your DynamoDB table, and choose Assign resources",
+      "Terraform": "```hcl\n# Terraform: Add DynamoDB tables to an AWS Backup plan\nresource \"aws_backup_plan\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n  rule {\n    rule_name         = \"r\"\n    target_vault_name = \"Default\"\n  }\n}\n\ndata \"aws_iam_role\" \"<example_resource_name>\" {\n  name = \"AWSServiceRoleForBackup\"\n}\n\nresource \"aws_backup_selection\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  plan_id      = aws_backup_plan.<example_resource_name>.id\n  iam_role_arn = data.aws_iam_role.<example_resource_name>.arn\n  resources    = [\n    \"arn:aws:dynamodb:*:*:table/*\" # CRITICAL: adds all DynamoDB tables to the backup plan, making them protected\n  ]\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that all active DynamoDB tables are included in a backup plan to safeguard against data loss.",
-      "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html"
+      "Text": "Place all critical tables under an **AWS Backup backup plan** following **defense in depth** and **least privilege**:\n- Use tag-based assignments for coverage at scale\n- Define schedules, retention, and cross-Region/account copies\n- Enable **Vault Lock** for immutability\n- Regularly test restores and restrict backup deletion",
+      "Url": "https://hub.prowler.com/check/dynamodb_table_protected_by_backup_plan"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_tables_kms_cmk_encryption_enabled",
-  "CheckTitle": "Check if DynamoDB table has encryption at rest enabled using CMK KMS.",
+  "CheckTitle": "DynamoDB table is encrypted at rest with AWS KMS",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:dynamodb:region:account-id:table/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsDynamoDbTable",
-  "Description": "Check if DynamoDB table has encryption at rest enabled using CMK KMS.",
-  "Risk": "All user data stored in Amazon DynamoDB is fully encrypted at rest. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html",
+  "Description": "**DynamoDB tables** use **AWS KMS keys** (`KMS`) for encryption at rest instead of the default service-owned key",
+  "Risk": "Relying on the default service-owned key reduces control over **confidentiality**: no custom key policies, limited auditability, and no independent rotation or disablement. This weakens least-privilege enforcement and incident response, and can impede meeting mandates that require customer-controlled keys.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.prowler.com/checks/aws/general-policies/ensure-that-dynamodb-tables-are-encrypted#terraform",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-dynamodb-tables-are-encrypted#terraform"
+      "CLI": "aws dynamodb update-table --table-name <example_resource_name> --sse-specification Enabled=true,SSEType=KMS",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable KMS encryption on a DynamoDB table\nResources:\n  <example_resource_name>:\n    Type: AWS::DynamoDB::Table\n    Properties:\n      AttributeDefinitions:\n        - AttributeName: id\n          AttributeType: S\n      KeySchema:\n        - AttributeName: id\n          KeyType: HASH\n      BillingMode: PAY_PER_REQUEST\n      SSESpecification:\n        SSEEnabled: true  # Critical: enables KMS-based encryption\n        SSEType: KMS      # Critical: switches from DEFAULT to AWS KMS\n```",
+      "Other": "1. Open the AWS Management Console and go to DynamoDB\n2. Select your table\n3. In Table details, find Encryption at rest and click Edit\n4. Select AWS KMS: choose AWS managed key (alias/aws/dynamodb) or a customer managed key\n5. Click Save",
+      "Terraform": "```hcl\nresource \"aws_dynamodb_table\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  billing_mode = \"PAY_PER_REQUEST\"\n  hash_key     = \"id\"\n\n  attribute {\n    name = \"id\"\n    type = \"S\"\n  }\n\n  server_side_encryption {\n    enabled = true  # Critical: enables AWS KMS encryption (uses AWS managed key if no key ARN provided)\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Specify an encryption key when you create a new table or switch the encryption keys on an existing table by using the AWS Management Console.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html"
+      "Text": "Encrypt tables with **KMS keys** in your account-prefer **customer-managed keys** for sensitive data.\n\n- Enforce least-privilege key policies and scope grants\n- Enable rotation and monitor key usage\n- Separate duties for key admins vs data users\n- Restrict which principals can use the key for DynamoDB",
+      "Url": "https://hub.prowler.com/check/dynamodb_tables_kms_cmk_encryption_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json

@@ -1,31 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "dynamodb_tables_pitr_enabled",
-  "CheckTitle": "Check if DynamoDB tables point-in-time recovery (PITR) is enabled.",
+  "CheckTitle": "DynamoDB table has point-in-time recovery (PITR) enabled",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
   ],
   "ServiceName": "dynamodb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:dynamodb:region:account-id:table/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsDynamoDbTable",
-  "Description": "Check if DynamoDB tables point-in-time recovery (PITR) is enabled.",
-  "Risk": "If the DynamoDB Table does not have point-in-time recovery enabled, it is vulnerable to accidental write or delete operations.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery_Howitworks.html",
+  "Description": "**DynamoDB tables** have **Point-in-Time Recovery** (`PITR`) enabled",
+  "Risk": "Without **PITR**, unintended or malicious writes/deletes cannot be precisely rolled back, leading to permanent data loss and corrupted state. Failures from buggy deployments, compromised credentials, or faulty batch jobs reduce data **integrity** and **availability**, and prolong incident recovery and forensic analysis.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery_Howitworks.html",
+    "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.Tutorial.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws dynamodb update-continuous-backups --table-name <table_name> --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_6#cloudformation--serverless",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_6#terraform"
+      "NativeIaC": "```yaml\n# CloudFormation: enable PITR on a DynamoDB table\nResources:\n  <example_resource_name>:\n    Type: AWS::DynamoDB::Table\n    Properties:\n      PointInTimeRecoverySpecification:\n        PointInTimeRecoveryEnabled: true  # Critical: enables Point-in-Time Recovery (PITR)\n```",
+      "Other": "1. Open the AWS Management Console and go to DynamoDB\n2. Select your table and open the Backups tab\n3. Click Edit in the Point-in-time recovery section and choose Turn on point-in-time recovery\n4. Click Save",
+      "Terraform": "```hcl\n# Enable PITR on a DynamoDB table\nresource \"aws_dynamodb_table\" \"<example_resource_name>\" {\n  name         = \"<example_resource_name>\"\n  billing_mode = \"PAY_PER_REQUEST\"\n  hash_key     = \"id\"\n\n  attribute {\n    name = \"id\"\n    type = \"S\"\n  }\n\n  point_in_time_recovery {\n    enabled = true  # Critical: enables PITR\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable point-in-time recovery, this is not enabled by default.",
-      "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery_Howitworks.html"
+      "Text": "Enable **PITR** on critical tables and set a recovery window aligned to your RPO (1-35 days). Enforce **least privilege** on who can modify backup settings. Regularly test restores and monitor backup status. Embed PITR in IaC and change control for consistency, and apply **defense in depth** with on-demand backups for key milestones.",
+      "Url": "https://hub.prowler.com/check/dynamodb_tables_pitr_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Data Protection"

prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json

@@ -1,32 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "ecr_registry_scan_images_on_push_enabled",
-  "CheckTitle": "Check if ECR Registry has scan on push enabled",
+  "CheckTitle": "ECR registry has image scanning on push enabled for all repositories",
   "CheckType": [
-    "Identify",
-    "Vulnerability, patch, and version management"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "ecr",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:ecr:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Check if ECR Registry has scan on push enabled",
-  "Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. ",
+  "Description": "Amazon ECR registries with repositories are evaluated for image scanning configured as `scan on push` at the registry level, with scan rules that cover all repositories (no restrictive filters), for either **basic** or **enhanced** scanning.",
+  "Risk": "Absent or filtered `scan on push` lets **vulnerable images** be pushed and deployed without timely detection, enabling exploitation of known CVEs (RCE, privilege escalation), supply chain compromise, and lateral movement - threatening workload integrity and data confidentiality.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws ecr put-registry-scanning-configuration --rules 'scanFrequency=SCAN_ON_PUSH,repositoryFilters=[{filter=string,filterType=WILDCARD}]'",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. Open the AWS Management Console and go to Amazon ECR\n2. In the left menu, click Account settings (or Settings), then find Registry scanning\n3. Click Edit\n4. Set Scanning type to Enhanced scanning\n5. Enable Scan on push\n6. Under Repository filters, set Filter type to WILDCARD and Filter to *\n7. Click Save",
+      "Terraform": "```hcl\nresource \"aws_ecr_registry_scanning_configuration\" \"<example_resource_name>\" {\n  scan_type = \"ENHANCED\"\n\n  rule {\n    scan_frequency = \"SCAN_ON_PUSH\"  # Ensures scan on push\n    repository_filter {\n      filter      = \"*\"               # Applies to all repositories\n      filter_type = \"WILDCARD\"\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.",
-      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
+      "Text": "Enable registry-wide `scan on push` and ensure rules apply to all repositories (no filters). Prefer **enhanced scanning** for broader coverage, and pair with continuous scans when available. Integrate findings into CI/CD gates and alerts to enforce **defense in depth** and block promotion of risky images.",
+      "Url": "https://hub.prowler.com/check/ecr_registry_scan_images_on_push_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "container-security"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json

@@ -1,32 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "ecr_repositories_lifecycle_policy_enabled",
-  "CheckTitle": "Check if ECR repositories have lifecycle policies enabled",
+  "CheckTitle": "ECR repository has a lifecycle policy configured",
   "CheckType": [
-    "Identify",
-    "Resource configuration"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Resource Consumption"
   ],
   "ServiceName": "ecr",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsEcrRepository",
-  "Description": "Check if ECR repositories have lifecycle policies enabled",
-  "Risk": "Amazon ECR repositories run the risk of retaining huge volumes of images, increasing unnecessary cost.",
+  "Description": "Amazon ECR repositories have a **lifecycle policy** configured to automatically expire container images based on age, count, or tags.",
+  "Risk": "Without **lifecycle policies**, images accumulate indefinitely, leading to:\n- **Availability** issues when quotas block pushes and CI/CD\n- **Integrity** risk from redeploying outdated, vulnerable images\n- **Cost** growth from unnecessary storage",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html",
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/lp_creation.html",
+    "https://aws.plainenglish.io/automation-deletion-untagged-container-image-in-amazon-ecr-using-ecr-lifecycle-policy-995eae2f5b8d",
+    "https://blog.stackademic.com/title-implementing-lifecycle-policies-in-aws-ecr-a-practical-guide-3860b612b477",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/lifecycle-policy-in-use.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws ecr put-lifecycle-policy --repository-name <REPOSITORY_NAME> --lifecycle-policy-text <LIFECYCLE_POLICY> [--registry-id <REGISTRY_ID>]",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/lifecycle-policy-in-use.html",
-      "Terraform": ""
+      "CLI": "aws ecr put-lifecycle-policy --repository-name <REPOSITORY_NAME> --lifecycle-policy-text '{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"untagged\",\"countType\":\"imageCountMoreThan\",\"countNumber\":1},\"action\":{\"type\":\"expire\"}}]}'",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::ECR::Repository\n    Properties:\n      # Critical: Adding a lifecycle policy makes the repo PASS this check\n      LifecyclePolicy:\n        # Critical: The policy content; any valid rule satisfies the requirement\n        LifecyclePolicyText: >-\n          {\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"untagged\",\"countType\":\"imageCountMoreThan\",\"countNumber\":1},\"action\":{\"type\":\"expire\"}}]}\n```",
+      "Other": "1. Open the AWS Console and go to Amazon ECR > Repositories\n2. Select the target repository\n3. From Actions, choose \"Lifecycle policies\"\n4. Click \"Create rule\"\n5. Set Image status: Untagged, Match criteria: Image count more than = 1, Action: Expire\n6. Click \"Save\" to apply the lifecycle policy",
+      "Terraform": "```hcl\nresource \"aws_ecr_lifecycle_policy\" \"<example_resource_name>\" {\n  repository = \"<example_resource_name>\"\n  # Critical: The policy ensures a lifecycle policy is configured for the repo\n  policy = <<POLICY\n{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"untagged\",\"countType\":\"imageCountMoreThan\",\"countNumber\":1},\"action\":{\"type\":\"expire\"}}]}\nPOLICY\n}\n```"
     },
     "Recommendation": {
-      "Text": "Open the Amazon ECR console. Create an ECR lifecycle policy.",
-      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html"
+      "Text": "Implement **lifecycle policies** per repository to expire untagged, old, or excess images and retain a small set of trusted releases. Validate outcomes before applying, review rules regularly, and apply consistently across Regions when replicating. This supports **defense in depth** by reducing image attack surface and operational risk.",
+      "Url": "https://hub.prowler.com/check/ecr_repositories_lifecycle_policy_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "container-security"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json

@@ -1,33 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "ecr_repositories_not_publicly_accessible",
-  "CheckTitle": "Ensure there are no ECR repositories set as Public",
+  "CheckTitle": "ECR repository is not publicly accessible",
   "CheckType": [
-    "Protect",
-    "Secure Access Management"
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Initial Access",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "ecr",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsEcrRepository",
-  "Description": "Ensure there are no ECR repositories set as Public",
-  "Risk": "A repository policy that allows anonymous access may allow anonymous users to perform actions.",
+  "Description": "**Amazon ECR repositories** are evaluated for **public exposure** via repository policies that allow anonymous principals (e.g., `Principal: \"*\"`) to access the repo, including image listing, pulling, or modification.",
+  "Risk": "**Public access to ECR repositories** weakens **confidentiality** and **integrity**.\n\nAnyone can pull images, exposing proprietary code or embedded secrets; if pushes are allowed, attackers can poison images, enabling supply-chain compromise. Uncontrolled pulls can raise **egress costs** and leak repository metadata.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/public-policies/public_1-ecr-repositories-not-public#cloudformation",
-      "Other": "https://docs.prowler.com/checks/aws/public-policies/public_1-ecr-repositories-not-public#aws-console",
-      "Terraform": ""
+      "CLI": "aws ecr delete-repository-policy --repository-name <example_resource_name>",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::ECR::Repository\n    Properties:\n      RepositoryPolicyText:\n        Version: \"2012-10-17\"\n        Statement:\n          - Effect: Allow\n            Principal:\n              AWS: \"arn:aws:iam::<example_resource_id>:root\"  # Critical: restricts access to a specific AWS account; removes public (*) access\n            Action: \"ecr:*\"\n```",
+      "Other": "1. In the AWS Console, go to Amazon ECR > Repositories\n2. Select the repository\n3. Open the Permissions tab and click Edit\n4. Remove any statement with Principal set to \"*\", or replace it with specific AWS ARN(s) (e.g., arn:aws:iam::<example_resource_id>:root)\n5. Save changes",
+      "Terraform": "```hcl\nresource \"aws_ecr_repository_policy\" \"<example_resource_name>\" {\n  repository = \"<example_resource_name>\"\n  policy     = jsonencode({\n    Version   = \"2012-10-17\"\n    Statement = [{\n      Effect    = \"Allow\"\n      Principal = { AWS = \"arn:aws:iam::<example_resource_id>:root\" } # Critical: restricts access to a specific AWS principal; removes public (*) access\n      Action    = \"ecr:*\"\n    }]\n  })\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure the repository and its contents are not publicly accessible",
-      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html"
+      "Text": "Apply **least privilege** to repository policies:\n- Avoid `Principal:\"*\"` and block anonymous access\n- Grant minimal actions to specific accounts/roles\n- Require authenticated pulls/pushes via IAM\n- Use **private connectivity** (e.g., VPC endpoints)\n- Add **defense in depth** with image scanning and signing",
+      "Url": "https://hub.prowler.com/check/ecr_repositories_not_publicly_accessible"
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "container-security"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json

@@ -1,32 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "ecr_repositories_scan_images_on_push_enabled",
-  "CheckTitle": "[DEPRECATED] Check if ECR image scan on push is enabled",
+  "CheckTitle": "[DEPRECATED] ECR repository has image scanning on push enabled",
   "CheckType": [
-    "Identify",
-    "Vulnerability, patch, and version management"
+    "Software and Configuration Checks/Vulnerabilities/CVE",
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "ecr",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsEcrRepository",
-  "Description": "[DEPRECATED] Check if ECR image scan on push is enabled",
-  "Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. ",
+  "Description": "[DEPRECATED]\n**Amazon ECR repositories** are evaluated for **image scanning on push**; when configured, new image uploads automatically trigger a vulnerability scan (`scan_on_push`).",
+  "Risk": "Without **scan on push**, images with known CVEs can enter registries and reach runtime unnoticed, undermining **integrity** and **confidentiality** through exploitable packages. Attackers may achieve code execution and lateral movement. Delayed detection increases operational risk and extends remediation timelines.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/scan-on-push.html",
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic-enabling.html",
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws ecr create-repository --repository-name <repo_name> --image-scanning-configuration scanOnPush=true--region <region_name>",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_8#cli-command",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_8#fix---buildtime"
+      "CLI": "aws ecr put-image-scanning-configuration --repository-name <repo_name> --image-scanning-configuration scanOnPush=true",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::ECR::Repository\n    Properties:\n      ImageScanningConfiguration:\n        ScanOnPush: true  # Critical: enables image scanning on push for this repository\n```",
+      "Other": "1. Open the AWS Console and go to Amazon ECR\n2. Click Repositories and select the target repository\n3. Click Edit\n4. Enable the Scan on push toggle\n5. Click Save",
+      "Terraform": "```hcl\nresource \"aws_ecr_repository\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n\n  image_scanning_configuration {\n    scan_on_push = true # Critical: enables scanning on image push\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.",
-      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
+      "Text": "Enable **image scanning on push** (`scan_on_push`) for all repositories and use findings as promotion gates. Prefer **continuous/enhanced scanning** for defense in depth, set severity thresholds, and block or quarantine noncompliant images. Integrate results with CI/CD and adopt **shift-left** vulnerability management.",
+      "Url": "https://hub.prowler.com/check/ecr_repositories_scan_images_on_push_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "container-security"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json

@@ -1,32 +1,42 @@
 {
   "Provider": "aws",
   "CheckID": "ecr_repositories_scan_vulnerabilities_in_latest_image",
-  "CheckTitle": "Check if ECR image scan found vulnerabilities in the newest image version",
+  "CheckTitle": "ECR repository latest image is scanned with no vulnerabilities at or above the configured minimum severity",
   "CheckType": [
-    "Identify",
-    "Vulnerability, patch, and version management"
+    "Software and Configuration Checks/Vulnerabilities/CVE",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "ecr",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsEcrRepository",
-  "Description": "Check if ECR image scan found vulnerabilities in the newest image version",
-  "Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.",
+  "Description": "**Amazon ECR repositories** are assessed on the most recent pushed image to confirm a vulnerability scan exists, completed successfully, and that no results meet or exceed the configured minimum severity (e.g., `CRITICAL`, `HIGH`, `MEDIUM`).",
+  "Risk": "Unscanned or high-severity findings in container images expose workloads to exploitation of known CVEs.\n\nAttackers can gain code execution, exfiltrate data, alter services, or disrupt operations, enabling **lateral movement** and supply-chain compromise-impacting **confidentiality**, **integrity**, and **availability**.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.geeksforgeeks.org/devops/how-to-manage-image-security-and-vulnerabilities-in-ecr/",
+    "https://aws.amazon.com/blogs/aws/amazon-inspector-enhances-container-security-by-mapping-amazon-ecr-images-to-running-containers/",
+    "https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html",
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html",
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html",
+    "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# Enable scan on push so the latest image is automatically scanned\nResources:\n  EcrRepository:\n    Type: AWS::ECR::Repository\n    Properties:\n      RepositoryName: <example_resource_name>\n      ImageScanningConfiguration:\n        ScanOnPush: true  # CRITICAL: ensures each pushed image is scanned so the latest has scan results\n```",
+      "Other": "1. In the AWS Console, go to ECR > Repositories > <example_resource_name>\n2. Click Edit and enable Scan on push, then Save\n3. Rebuild the container image to remove vulnerabilities and push a new tag to the repository\n4. Open the image details and click Scan image (if not auto-scanned)\n5. Confirm Findings show 0 vulnerabilities at or above the required severity",
+      "Terraform": "```hcl\n# Enable scan on push so the latest image is automatically scanned\nresource \"aws_ecr_repository\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n\n  image_scanning_configuration {\n    scan_on_push = true  # CRITICAL: ensures each pushed image is scanned so the latest has scan results\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Open the Amazon ECR console. Then look for vulnerabilities and fix them.",
-      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings"
+      "Text": "Enable **continuous scanning** for repositories and enforce deployment gates at your policy threshold (e.g., `MEDIUM`+).\n\nRebuild images with patched components and updated bases, keep images minimal, and apply **least privilege**. Use **image signing** and CI/CD checks so only scanned, compliant images can run.",
+      "Url": "https://hub.prowler.com/check/ecr_repositories_scan_vulnerabilities_in_latest_image"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "container-security"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""