prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/__main__.py +2 -1
- dashboard/compliance/c5_azure.py +43 -0
- dashboard/compliance/fedramp_20x_ksi_low_aws.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_azure.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_gcp.py +46 -0
- dashboard/compliance/hipaa_gcp.py +25 -0
- dashboard/compliance/nist_csf_2_0_aws.py +24 -0
- dashboard/compliance/prowler_threatscore_kubernetes.py +28 -0
- prowler/AGENTS.md +366 -0
- prowler/CHANGELOG.md +93 -2
- prowler/__main__.py +54 -7
- prowler/compliance/aws/ens_rd2022_aws.json +1 -1
- prowler/compliance/aws/fedramp_20x_ksi_low_aws.json +347 -0
- prowler/compliance/aws/nis2_aws.json +1 -1
- prowler/compliance/aws/nist_csf_2.0_aws.json +1781 -0
- prowler/compliance/azure/c5_azure.json +9471 -0
- prowler/compliance/azure/ens_rd2022_azure.json +1 -1
- prowler/compliance/azure/fedramp_20x_ksi_low_azure.json +358 -0
- prowler/compliance/azure/nis2_azure.json +1 -1
- prowler/compliance/gcp/c5_gcp.json +9401 -0
- prowler/compliance/gcp/ens_rd2022_gcp.json +1 -1
- prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json +293 -0
- prowler/compliance/gcp/hipaa_gcp.json +415 -0
- prowler/compliance/gcp/nis2_gcp.json +1 -1
- prowler/compliance/github/cis_1.0_github.json +6 -2
- prowler/compliance/kubernetes/prowler_threatscore_kubernetes.json +1269 -0
- prowler/compliance/m365/prowler_threatscore_m365.json +6 -6
- prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json} +1 -1
- prowler/config/config.py +59 -5
- prowler/config/config.yaml +3 -0
- prowler/lib/check/check.py +1 -9
- prowler/lib/check/checks_loader.py +65 -1
- prowler/lib/check/models.py +12 -2
- prowler/lib/check/utils.py +1 -7
- prowler/lib/cli/parser.py +17 -7
- prowler/lib/mutelist/mutelist.py +15 -7
- prowler/lib/outputs/compliance/c5/c5_azure.py +92 -0
- prowler/lib/outputs/compliance/c5/c5_gcp.py +92 -0
- prowler/lib/outputs/compliance/c5/models.py +54 -0
- prowler/lib/outputs/compliance/cis/{cis_oci.py → cis_oraclecloud.py} +7 -7
- prowler/lib/outputs/compliance/cis/models.py +3 -3
- prowler/lib/outputs/compliance/prowler_threatscore/models.py +29 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_kubernetes.py +98 -0
- prowler/lib/outputs/finding.py +16 -5
- prowler/lib/outputs/html/html.py +10 -8
- prowler/lib/outputs/outputs.py +1 -1
- prowler/lib/outputs/summary_table.py +1 -1
- prowler/lib/powershell/powershell.py +12 -11
- prowler/lib/scan/scan.py +105 -24
- prowler/lib/utils/utils.py +1 -1
- prowler/providers/aws/aws_regions_by_service.json +73 -15
- prowler/providers/aws/lib/quick_inventory/quick_inventory.py +1 -1
- prowler/providers/aws/lib/security_hub/security_hub.py +1 -1
- prowler/providers/aws/services/account/account_service.py +1 -1
- prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +1 -3
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +24 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +17 -11
- prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.metadata.json +22 -17
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json +27 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +25 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.metadata.json +17 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +27 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +26 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +25 -12
- prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json +20 -11
- prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +28 -12
- prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json +15 -10
- prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json +19 -11
- prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json +21 -12
- prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json +19 -12
- prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json +24 -13
- prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json +35 -13
- prowler/providers/aws/services/codepipeline/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_client.py +6 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json +30 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py +95 -0
- prowler/providers/aws/services/codepipeline/codepipeline_service.py +164 -0
- prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json +23 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json +19 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json +20 -10
- prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json +26 -13
- prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json +20 -10
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json +18 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json +16 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json +20 -12
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +17 -10
- prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json +19 -12
- prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json +16 -11
- prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json +22 -13
- prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json +19 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json +21 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json +22 -12
- prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.metadata.json +20 -12
- prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.metadata.json +21 -11
- prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.metadata.json +20 -11
- prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.metadata.json +20 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.metadata.json +21 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.metadata.json +26 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.metadata.json +19 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json +16 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.metadata.json +21 -14
- prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_deletion_protection_enabled/eks_cluster_deletion_protection_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.metadata.json +20 -14
- prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.metadata.json +22 -13
- prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json +21 -12
- prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json +20 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.metadata.json +22 -14
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.metadata.json +20 -11
- prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json +17 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json +17 -11
- prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.metadata.json +22 -13
- prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.metadata.json +24 -13
- prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.metadata.json +20 -10
- prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.metadata.json +20 -12
- prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json +19 -12
- prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.metadata.json +19 -11
- prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.metadata.json +21 -13
- prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.metadata.json +19 -11
- prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.metadata.json +21 -12
- prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json +17 -10
- prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.metadata.json +22 -13
- prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.metadata.json +16 -11
- prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.metadata.json +21 -13
- prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.metadata.json +24 -11
- prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.metadata.json +18 -11
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +26 -13
- prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json +21 -11
- prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json +24 -13
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +26 -14
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.metadata.json +26 -15
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +15 -16
- prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json +23 -11
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json +19 -12
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json +17 -12
- prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json +22 -13
- prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json +21 -12
- prowler/providers/aws/services/iam/lib/policy.py +24 -16
- prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json +21 -13
- prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json +22 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +7 -2
- prowler/providers/azure/services/defender/defender_service.py +4 -2
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/__init__.py +0 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +36 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py +43 -0
- prowler/providers/azure/services/postgresql/postgresql_service.py +66 -9
- prowler/providers/azure/services/storage/storage_service.py +13 -4
- prowler/providers/azure/services/vm/vm_service.py +4 -7
- prowler/providers/common/arguments.py +19 -16
- prowler/providers/common/provider.py +2 -18
- prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json +16 -15
- prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +30 -4
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py +61 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json +12 -9
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py +10 -3
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py +40 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py +31 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json +35 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py +55 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py +30 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +48 -2
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json +35 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py +36 -0
- prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json +14 -8
- prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json +30 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py +106 -0
- prowler/providers/github/services/organization/organization_service.py +84 -10
- prowler/providers/iac/iac_provider.py +279 -55
- prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json +16 -12
- prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json +16 -10
- prowler/providers/m365/lib/powershell/m365_powershell.py +80 -93
- prowler/providers/m365/m365_provider.py +1 -6
- prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.py +17 -21
- prowler/providers/m365/services/exchange/exchange_service.py +18 -12
- prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py +9 -7
- prowler/providers/mongodbatlas/exceptions/exceptions.py +16 -0
- prowler/providers/mongodbatlas/mongodbatlas_provider.py +15 -3
- prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json +20 -9
- prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json +14 -9
- prowler/providers/oraclecloud/lib/arguments/arguments.py +4 -13
- prowler/providers/oraclecloud/lib/service/service.py +3 -3
- prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py} +15 -15
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +20 -16
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +17 -17
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +17 -19
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +18 -18
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +17 -18
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +1 -1
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +1 -1
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/METADATA +17 -16
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/RECORD +298 -249
- /prowler/compliance/{oci → oraclecloud}/__init__.py +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/entry_points.txt +0 -0
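--- a/<path-not-shown>/ecr_repositories_tag_immutability.metadata.json
+++ b/<path-not-shown>/ecr_repositories_tag_immutability.metadata.json
@@ -1,31 +1,39 @@
 {
 "Provider": "aws",
 "CheckID": "ecr_repositories_tag_immutability",
-"CheckTitle": "ECR
+"CheckTitle": "ECR repository has image tag immutability enabled",
 "CheckType": [
-"Software and Configuration Checks/AWS Security Best Practices"
+"Software and Configuration Checks/AWS Security Best Practices",
+"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
 ],
 "ServiceName": "ecr",
 "SubServiceName": "",
-"ResourceIdTemplate": "
+"ResourceIdTemplate": "",
 "Severity": "medium",
 "ResourceType": "AwsEcrRepository",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "Amazon ECR repositories are assessed for **image tag immutability**. Repositories permitting tag updates (`MUTABLE`) are identified; those enforcing immutable tags (such as `IMMUTABLE`) are recognized.",
+"Risk": "Mutable tags allow replacing the image behind a trusted tag, undermining release **integrity**. This enables supply-chain injection, unintended rollouts, and backdoored deployments, harming **availability**. Malicious images can exfiltrate data, impacting **confidentiality**.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://docs.aws.amazon.com/config/latest/developerguide/ecr-private-tag-immutability-enabled.html",
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-2",
+"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html"
+],
 "Remediation": {
 "Code": {
 "CLI": "aws ecr put-image-tag-mutability --repository-name <repository-name> --image-tag-mutability IMMUTABLE",
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECR::Repository\n Properties:\n ImageTagMutability: IMMUTABLE # Critical: enables tag immutability to prevent tag overwrites\n```",
+"Other": "1. Open the Amazon ECR console\n2. Go to Repositories (Private) and select the repository\n3. Click Actions > Edit\n4. Set Image tag immutability to Immutable\n5. Click Save",
+"Terraform": "```hcl\nresource \"aws_ecr_repository\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n image_tag_mutability = \"IMMUTABLE\" # Critical: enables tag immutability to prevent tag overwrites\n}\n```"
 },
 "Recommendation": {
-"Text": "Enable tag immutability
-"Url": "https://
+"Text": "Enable **tag immutability** so tags map to a single artifact. Use **versioned tags** per build, block retagging in CI/CD, and apply **least privilege** for push actions. Layer **image signing** and admission controls to run only trusted images. *If exceptions are needed, keep them narrow and monitored.*",
+"Url": "https://hub.prowler.com/check/ecr_repositories_tag_immutability"
 }
 },
-"Categories": [
+"Categories": [
+"container-security"
+],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""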
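Review bot: The new Description says immutable tags are recognized "such as `IMMUTABLE`", which leaves unstated what the check does with a repository whose mutability setting is one of the newer exclusion modes, where tags matching an exclusion filter remain overwritable. If the check only passes on `IMMUTABLE`, the wording should say so plainly; if it also passes repositories using an immutable-with-exclusions mode, the Risk text should add that the excluded tag patterns are still mutable and need the same CI/CD retag controls the Recommendation describes. A one-line Notes entry such as `"Notes": "Only IMMUTABLE is treated as compliant; exclusion modes are reported as MUTABLE"` (whichever matches the check logic) would settle the ambiguity for readers of the metadata.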
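--- a/<path-not-shown>/ecs_cluster_container_insights_enabled.metadata.json
+++ b/<path-not-shown>/ecs_cluster_container_insights_enabled.metadata.json
@@ -1,28 +1,38 @@
 {
 "Provider": "aws",
 "CheckID": "ecs_cluster_container_insights_enabled",
-"CheckTitle": "ECS
+"CheckTitle": "ECS cluster has Container Insights enabled or enhanced",
 "CheckType": [
-"Software and Configuration Checks/AWS Security Best Practices"
+"Software and Configuration Checks/AWS Security Best Practices",
+"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
 ],
 "ServiceName": "ecs",
 "SubServiceName": "",
-"ResourceIdTemplate": "
+"ResourceIdTemplate": "",
 "Severity": "medium",
 "ResourceType": "AwsEcsCluster",
-"Description": "
-"Risk": "Without Container Insights
-"RelatedUrl": "
+"Description": "**ECS clusters** have CloudWatch **Container Insights** configured via the `containerInsights` setting, accepting `enabled` or `enhanced` values to emit cluster, service, task, and container telemetry.",
+"Risk": "Without **Container Insights**, ECS operations lack **telemetry** to spot failures and anomalies. Missed CPU/memory/network spikes and restart loops degrade **availability** and delay response. Absent baselines impede detecting abuse (e.g., **cryptomining** or data egress bursts), risking **confidentiality** and unexpected **costs**.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-12",
+"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-container-insights.html",
+"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-metrics-ECS.html",
+"https://docs.aws.amazon.com/config/latest/developerguide/ecs-container-insights-enabled.html",
+"https://aws.amazon.com/blogs/aws/container-insights-with-enhanced-observability-now-available-in-amazon-ecs/",
+"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html",
+"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html"
+],
 "Remediation": {
 "Code": {
 "CLI": "aws ecs update-cluster-settings --cluster <cluster-name> --settings name=containerInsights,value=enabled",
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"NativeIaC": "```yaml\n# CloudFormation: Enable Container Insights on an ECS cluster\nResources:\n <example_resource_name>:\n Type: AWS::ECS::Cluster\n Properties:\n ClusterSettings:\n - Name: containerInsights # Critical: enables CloudWatch Container Insights for the cluster\n Value: enabled # Critical: setting that passes the check\n```",
+"Other": "1. Open the Amazon ECS console\n2. Go to Clusters and select the target cluster\n3. Click Update cluster\n4. Under CloudWatch Container Insights, enable Container Insights (or Enhanced)\n5. Click Save changes",
+"Terraform": "```hcl\n# Terraform: Enable Container Insights on an ECS cluster\nresource \"aws_ecs_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n setting {\n name = \"containerInsights\" # Critical: enables CloudWatch Container Insights for the cluster\n value = \"enabled\" # Critical: setting that passes the check\n }\n}\n```"
 },
 "Recommendation": {
-"Text": "Enable Container Insights for
-"Url": "https://
+"Text": "Enable **Container Insights** on all clusters-prefer `enhanced` for deeper visibility. Apply at account level for new clusters and enforce via automation.\n\nUse **least privilege** for access to metrics/logs, encrypt logs, and set **alarms** on critical metrics. Correlate with app logs and tracing for **defense in depth** and faster incident detection.",
+"Url": "https://hub.prowler.com/check/ecs_cluster_container_insights_enabled"
 }
 },
 "Categories": [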
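Review bot: The new Recommendation Text reads "on all clusters-prefer `enhanced`", where what was evidently a dash separating two clauses has been flattened into a hyphen and now reads as a compound word; change it to `Enable **Container Insights** on all clusters; prefer \`enhanced\` for deeper visibility.` The same Text prefers `enhanced` while the CLI remediation only shows `value=enabled`, so a reader following the CLI string lands on the weaker setting the title merely tolerates; the string could read `--settings name=containerInsights,value=enhanced` or mention both accepted values. Note also that the NativeIaC and Terraform comments say `enabled` is "the setting that passes the check", which is true but again steers away from the recommended value.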
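--- a/<path-not-shown>/ecs_service_fargate_latest_platform_version.metadata.json
+++ b/<path-not-shown>/ecs_service_fargate_latest_platform_version.metadata.json
@@ -1,32 +1,41 @@
 {
 "Provider": "aws",
 "CheckID": "ecs_service_fargate_latest_platform_version",
-"CheckTitle": "ECS Fargate
+"CheckTitle": "ECS Fargate service uses the latest Fargate platform version",
 "CheckType": [
 "Software and Configuration Checks/AWS Security Best Practices"
 ],
 "ServiceName": "ecs",
 "SubServiceName": "",
-"ResourceIdTemplate": "
+"ResourceIdTemplate": "",
 "Severity": "medium",
 "ResourceType": "AwsEcsService",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "**ECS Fargate services** use the **latest Fargate platform version** via `platformVersion`=`LATEST` or an explicit value matching the current release for their `platformFamily` (Linux/Windows).",
+"Risk": "Running on an outdated platform leaves known CVEs in the kernel/runtime unpatched, risking:\n- **Confidentiality**: data exposure via container escape\n- **Integrity**: privilege escalation and tampering\n- **Availability**: crashes/DoS and instability under load",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://servian.dev/setting-up-fargate-for-ecs-exec-8f5cc8d7d80e",
+"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform-fargate.html",
+"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECS/platform-version.html",
+"https://docs.aws.amazon.com/config/latest/developerguide/ecs-fargate-latest-platform-version.html",
+"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html",
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-10"
+],
 "Remediation": {
 "Code": {
 "CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --platform-version LATEST",
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"NativeIaC": "```yaml\n# CloudFormation: set ECS Fargate service to latest platform version\nResources:\n <example_resource_name>:\n Type: AWS::ECS::Service\n Properties:\n Cluster: <example_resource_id>\n TaskDefinition: <example_resource_name>\n LaunchType: FARGATE\n PlatformVersion: LATEST # Critical: use the latest Fargate platform version\n NetworkConfiguration:\n AwsvpcConfiguration:\n Subnets:\n - <example_resource_id>\n```",
+"Other": "1. In the AWS Console, go to Amazon ECS\n2. Open your cluster and select the service\n3. Click Update\n4. Set Platform version to LATEST\n5. Click Update service (or Deploy) to apply",
+"Terraform": "```hcl\n# ECS Fargate service using the latest platform version\nresource \"aws_ecs_service\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n cluster = \"<example_resource_id>\"\n task_definition = \"<example_resource_name>\"\n launch_type = \"FARGATE\"\n platform_version = \"LATEST\" # Critical: ensures the latest Fargate platform version\n\n network_configuration {\n subnets = [\"<example_resource_id>\"]\n }\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "- Prefer `platformVersion` `LATEST` to receive patches.\n- If pinning, monitor releases and redeploy quickly to the current version.\n- Automate updates with staged rollouts in CI/CD.\n- Apply **defense in depth** and **least privilege** to limit runtime exploit impact.",
+"Url": "https://hub.prowler.com/check/ecs_service_fargate_latest_platform_version"
 }
 },
 "Categories": [
-"vulnerabilities"
+"vulnerabilities",
+"container-security"
 ],
 "DependsOn": [],
 "RelatedTo": [],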
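Review bot: The new Recommendation's first bullet, "Prefer `platformVersion` `LATEST` to receive patches", overstates what `LATEST` does: the value is resolved when a deployment happens, so a service that already carries `LATEST` keeps the platform version resolved at its last deployment until a new one is started. The bullet should add that a redeploy is required, and the CLI remediation can make that explicit with `aws ecs update-service --cluster <cluster-name> --service <service-name> --platform-version LATEST --force-new-deployment`; the "Other" steps would likewise need a "Force new deployment" mention. Separately, the first AdditionalURLs entry is a third-party post about setting up ECS Exec rather than about platform versions, so it adds little for this check and is the kind of link most likely to rot; the AWS platform-version page already in the list covers the topic.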
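--- a/<path-not-shown>/ecs_service_no_assign_public_ip.metadata.json
+++ b/<path-not-shown>/ecs_service_no_assign_public_ip.metadata.json
@@ -1,28 +1,34 @@
 {
 "Provider": "aws",
 "CheckID": "ecs_service_no_assign_public_ip",
-"CheckTitle": "ECS
+"CheckTitle": "ECS service does not have automatic public IP assignment",
 "CheckType": [
-"Software and Configuration Checks/AWS Security Best Practices"
+"Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
 ],
 "ServiceName": "ecs",
 "SubServiceName": "",
-"ResourceIdTemplate": "
+"ResourceIdTemplate": "",
 "Severity": "high",
 "ResourceType": "AwsEcsService",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "**ECS services** are assessed for automatic public IP assignment via the `assignPublicIp` setting in their network configuration.\n\nThe finding indicates whether tasks launched by the service receive a public IP or are limited to private addressing.",
+"Risk": "Automatic **public IPs** make tasks directly reachable from the Internet, enabling:\n- Port scanning and remote exploitation\n- Brute-force against admin endpoints\n- Data exfiltration via exposed APIs\nThis jeopardizes **confidentiality**, **integrity**, and **availability**, and can facilitate lateral movement within the VPC.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-2",
+"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security.html",
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html",
+"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html"
+],
 "Remediation": {
 "Code": {
-"CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration \"awsvpcConfiguration={subnets=[<subnet-id>],assignPublicIp=DISABLED}\"",
+"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECS::Service\n Properties:\n Cluster: <example_resource_id>\n TaskDefinition: <example_resource_id>\n NetworkConfiguration:\n AwsvpcConfiguration:\n Subnets:\n - <example_resource_id>\n AssignPublicIp: DISABLED # Critical: disables automatic public IP assignment for the service\n```",
+"Other": "1. In the AWS Console, go to ECS > Clusters and open your cluster\n2. Select the service and click Update\n3. Under Networking (awsvpc), set Assign public IP to Disabled\n4. Click Update service to apply",
+"Terraform": "```hcl\nresource \"aws_ecs_service\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n cluster = \"<example_resource_id>\"\n task_definition = \"<example_resource_id>\"\n\n network_configuration {\n subnets = [\"<example_resource_id>\"]\n assign_public_ip = false # Critical: disables automatic public IP assignment\n }\n}\n```"
 },
 "Recommendation": {
-"Text": "Disable
-"Url": "https://
+"Text": "Disable `assignPublicIp` to keep tasks private. Expose services through **load balancers** or **private endpoints**, restrict ingress with **least-privilege** security groups, and route egress via **NAT**. Apply **defense in depth** (WAF, TLS, monitoring) and segment networks to minimize blast radius.",
+"Url": "https://hub.prowler.com/check/ecs_service_no_assign_public_ip"
 }
 },
 "Categories": [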
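Review bot: The new CLI remediation passes a `--network-configuration` value that names subnets and `assignPublicIp` but no `securityGroups`; `update-service` replaces the whole awsvpc configuration, and when no security group is supplied the VPC's default security group is applied, so running the string as written can silently swap the tasks' ingress rules while fixing the public IP. Carry the existing groups into the string: `"awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=DISABLED}"`. The "Other" console steps avoid this because the console keeps the current security groups, but the NativeIaC and Terraform snippets also omit `SecurityGroups`/`security_groups`, which is worth a placeholder line given the Recommendation itself asks for least-privilege security groups.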
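--- a/<path-not-shown>/ecs_task_definitions_containers_readonly_access.metadata.json
+++ b/<path-not-shown>/ecs_task_definitions_containers_readonly_access.metadata.json
@@ -1,32 +1,39 @@
 {
 "Provider": "aws",
 "CheckID": "ecs_task_definitions_containers_readonly_access",
-"CheckTitle": "ECS
+"CheckTitle": "ECS task definition has all containers with read-only root filesystems",
 "CheckType": [
-"Software and Configuration Checks/AWS Security Best Practices"
+"Software and Configuration Checks/AWS Security Best Practices",
+"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks"
 ],
 "ServiceName": "ecs",
-"SubServiceName": "
-"ResourceIdTemplate": "
+"SubServiceName": "",
+"ResourceIdTemplate": "",
 "Severity": "high",
 "ResourceType": "AwsEcsTaskDefinition",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "Amazon ECS task definitions specify whether container root filesystems are **read-only** via `readonlyRootFilesystem`. Containers where this setting is absent or set to `false` effectively have write access to the root filesystem.",
+"Risk": "A **writable root filesystem** enables runtime tampering and persistence. Attackers can modify binaries or configs, drop implants, or delete critical files, degrading **integrity** and **availability**. Access to writable paths can also expose secrets and logs, eroding **confidentiality** and complicating incident response.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-readonly-access.html",
+"https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_definition_parameters.html#container_definition_readonly",
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-5"
+],
 "Remediation": {
 "Code": {
 "CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"readonlyRootFilesystem\":true}]'",
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"NativeIaC": "```yaml\n# CloudFormation: ECS task definition with read-only root filesystem\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n ReadonlyRootFilesystem: true # Critical: enforces read-only root FS for the container\n```",
+"Other": "1. In the AWS Console, go to Amazon ECS > Task Definitions\n2. Select the task family <task-family> and click Create new revision\n3. For each container, edit and enable Read-only root filesystem (readonlyRootFilesystem = true)\n4. Click Create to register the new revision\n5. (If needed) Update services to use the new revision",
+"Terraform": "```hcl\n# ECS task definition with read-only root filesystem\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n readonlyRootFilesystem = true # Critical: enforces read-only root FS for the container\n }\n ])\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "Enforce `readonlyRootFilesystem: true` for containers.\n- Grant write access only via specific volumes required by the app\n- Apply **least privilege** and **defense in depth**: run as non-root, drop unnecessary capabilities, and keep images immutable so runtime writes aren't needed",
+"Url": "https://hub.prowler.com/check/ecs_task_definitions_containers_readonly_access"
 }
 },
 "Categories": [
-"
+"container-security"
 ],
 "DependsOn": [],
 "RelatedTo": [],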
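Review bot: The CLI remediation (unchanged in this hunk but now the only command-line guidance alongside the new "Other" and IaC text) registers a revision whose container list holds only `name`, `image` and `readonlyRootFilesystem`, so a reader who runs it as written gets a task definition stripped of the family's existing CPU/memory, port mappings, environment, volumes and log configuration; the host-PID-namespace hunk below has the same shape with `--pid-mode task` and a bare container list. The "Other" steps already describe the safer path (new revision with every container edited), so the CLI string should match it: fetch the current revision with `aws ecs describe-task-definition --task-definition <task-family>`, set `readonlyRootFilesystem` to `true` in each container definition, and re-register the full definition. One sentence in the Recommendation noting that writable scratch space can be provided through a volume or tmpfs mount instead of a writable root would also pre-empt the usual objection to turning this on.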
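--- a/<path-not-shown>/ecs_task_definitions_host_namespace_not_shared.metadata.json
+++ b/<path-not-shown>/ecs_task_definitions_host_namespace_not_shared.metadata.json
@@ -1,32 +1,40 @@
 {
 "Provider": "aws",
 "CheckID": "ecs_task_definitions_host_namespace_not_shared",
-"CheckTitle": "ECS task
+"CheckTitle": "ECS task definition does not share the host's process namespace with its containers",
 "CheckType": [
-"Software and Configuration Checks/AWS Security Best Practices"
+"Software and Configuration Checks/AWS Security Best Practices",
+"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks",
+"TTPs/Privilege Escalation",
+"TTPs/Discovery"
 ],
 "ServiceName": "ecs",
 "SubServiceName": "",
-"ResourceIdTemplate": "
+"ResourceIdTemplate": "",
 "Severity": "high",
 "ResourceType": "AwsEcsTaskDefinition",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "**ECS task definitions** where `pidMode` is `host` are configured to share the host's **process namespace** with containers, rather than using isolated task or private namespaces.",
+"Risk": "**Host PID sharing** lets containers view and interact with host processes, eroding isolation.\n- Confidentiality: process enumeration and metadata leakage\n- Integrity/Availability: signal or `ptrace` tampering, killing services\n\nEnables lateral movement and privilege escalation from a compromised container.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-3",
+"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-pid-mode-check.html",
+"https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_definition_parameters.html#container_definition_pid_mode"
+],
 "Remediation": {
 "Code": {
-"CLI": "aws ecs register-task-definition --family <
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"CLI": "aws ecs register-task-definition --family <example_resource_name> --pid-mode task --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\"}]'",
+"NativeIaC": "```yaml\n# CloudFormation: ECS Task Definition without host PID namespace\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <container-name>\n Image: <image>\n PidMode: task # Critical: ensures containers use task PID namespace, not host\n```",
+"Other": "1. In the AWS Console, go to Amazon ECS > Task Definitions\n2. Select the task definition and click Create new revision\n3. Set Process namespace sharing (PID mode) to Task (not Host)\n4. Save the new revision\n5. (If the previous Host PID revision remains active) Select that revision and click Deregister",
+"Terraform": "```hcl\n# ECS Task Definition without host PID namespace\nresource \"aws_ecs_task_definition\" \"example\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([{ name = \"<container-name>\", image = \"<image>\" }])\n pid_mode = \"task\" # Critical: prevents sharing the host's process namespace\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "Prefer **isolated PID namespaces**: set `pidMode=task` or use the default per-container namespace. Avoid `host` PID sharing except for tightly controlled diagnostics.\n\nApply **least privilege**: non-root users, minimal capabilities, read-only filesystems; and **defense in depth** with network and runtime controls.",
+"Url": "https://hub.prowler.com/check/ecs_task_definitions_host_namespace_not_shared"
 }
 },
 "Categories": [
-"
+"container-security"
 ],
 "DependsOn": [],
 "RelatedTo": [],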
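Review bot: The new Description describes the failing state ("task definitions where `pidMode` is `host` are configured to share the host's process namespace") rather than what the check verifies, unlike the sibling descriptions in this change, which state the assessed property; rewording it to `**ECS task definitions** are assessed for the \`pidMode\` setting; a value of \`host\` shares the host's **process namespace** with every container, whereas \`task\` or an unset value keeps containers in isolated namespaces.` matches the title and the other files. The Terraform snippet labels its resource `"example"` while every other snippet in this change, including this file's own CloudFormation block, uses `<example_resource_name>`; aligning the label keeps the placeholder convention uniform. The CLI string's bare container list has the revision-stripping problem raised on the read-only-root-filesystem hunk above.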
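--- a/<path-not-shown>/ecs_task_definitions_host_networking_mode_users.metadata.json
+++ b/<path-not-shown>/ecs_task_definitions_host_networking_mode_users.metadata.json
@@ -1,32 +1,45 @@
 {
 "Provider": "aws",
 "CheckID": "ecs_task_definitions_host_networking_mode_users",
-"CheckTitle": "Amazon ECS task
+"CheckTitle": "Amazon ECS task definition does not use host network mode, or non-privileged containers specify a non-root user",
 "CheckType": [
-"Software and Configuration Checks/AWS Security Best Practices"
+"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+"Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks",
+"TTPs/Privilege Escalation",
+"TTPs/Lateral Movement"
 ],
 "ServiceName": "ecs",
 "SubServiceName": "",
-"ResourceIdTemplate": "
+"ResourceIdTemplate": "",
 "Severity": "high",
 "ResourceType": "AwsEcsTaskDefinition",
-"Description": "
-"Risk": "
-"RelatedUrl": "
+"Description": "**Amazon ECS task definitions** in `host` network mode are assessed for containers where `privileged=false` and the container `user` is `root` or unset.",
+"Risk": "Sharing the host network lets containers reach host interfaces directly. Running as **root** (or with no user set) increases the chance to bind low ports, sniff traffic, or impersonate services, and makes kernel flaws more exploitable-enabling data exfiltration, tampering, and outages, impacting **confidentiality**, **integrity**, and **availability**.",
+"RelatedUrl": "",
+"AdditionalURLs": [
+"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html",
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-6",
+"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html",
+"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html",
+"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html"
+],
 "Remediation": {
 "Code": {
-"CLI": "
-"NativeIaC": "",
-"Other": "
-"Terraform": ""
+"CLI": "",
+"NativeIaC": "```yaml\n# CloudFormation: ECS task definition not using host network mode\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n NetworkMode: awsvpc # CRITICAL: avoids host mode to pass the check\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n```",
+"Other": "1. Open the Amazon ECS console and go to Task definitions\n2. Select the task definition and choose the latest revision\n3. Click Create new revision\n4. Set Network mode to awsvpc (not host)\n5. Save the revision and, if used by a service, update the service to this new revision\n6. If you must keep host mode: edit each non-privileged container and set User to a non-root value (e.g., 1000) and save a new revision",
+"Terraform": "```hcl\n# ECS task definition not using host network mode\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n network_mode = \"awsvpc\" # CRITICAL: avoids host mode to pass the check\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"nginx\"\n }\n ])\n}\n```"
 },
 "Recommendation": {
-"Text": "
-"Url": "https://
+"Text": "Prefer **`awsvpc`** for isolation. If `host` is required, enforce **least privilege**:\n- Run as a non-root `user`\n- Avoid `privileged` unless strictly justified\n- Limit capabilities and exposed ports\n\nApply **defense in depth** with network segmentation and minimal IAM permissions.",
+"Url": "https://hub.prowler.com/check/ecs_task_definitions_host_networking_mode_users"
 }
 },
 "Categories": [
-"
+"container-security",
+"trust-boundaries"
 ],
 "DependsOn": [],
 "RelatedTo": [],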
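Review bot: The new `"CLI": ""` leaves this file with no command-line remediation even though the fix is expressible in one command, and the removed value is truncated on this page so it is unclear whether content was dropped; a string mirroring the "Other" steps, `aws ecs register-task-definition --family <task-family> --network-mode awsvpc --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"user\":\"1000\"}]'`, would cover both the preferred and the fallback path. The Terraform snippet hard-codes `image = "nginx"` where this file's CloudFormation block and every other snippet in the change use the `<image>` placeholder, so a reader copying it gets an unpinned public image in their definition; use `<image>` for consistency. The Risk text also contains "exploitable-enabling", another flattened dash that reads as a compound word and should be split ("exploitable, enabling").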
@@ -1,32 +1,39 @@
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "ecs_task_definitions_logging_block_mode",
|
|
4
|
-
"CheckTitle": "ECS task
|
|
4
|
+
"CheckTitle": "ECS task definition has container logging in non-blocking mode",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
|
7
|
+
"Effects/Denial of Service"
|
|
7
8
|
],
|
|
8
9
|
"ServiceName": "ecs",
|
|
9
10
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
11
12
|
"Severity": "low",
|
|
12
13
|
"ResourceType": "AwsEcsTaskDefinition",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
14
|
+
"Description": "**ECS task definition containers** use **non-blocking logging mode** via the `logConfiguration.mode` option on the latest active revision",
|
|
15
|
+
"Risk": "**Blocking log mode** can stall writes to stdout/stderr, making containers unresponsive, failing health checks, and causing task restarts or startup failures if log groups/streams can't be created. This reduces **availability** and may trigger cascading instability across dependent services.",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html",
|
|
19
|
+
"https://www.amazonaws.cn/en/blog-selection/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/",
|
|
20
|
+
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#specify-log-config"
|
|
21
|
+
],
|
|
16
22
|
"Remediation": {
|
|
17
23
|
"Code": {
|
|
18
24
|
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"<log-group>\",\"awslogs-region\":\"<region>\",\"awslogs-stream-prefix\":\"ecs\",\"mode\":\"non-blocking\"}}}]'",
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: ECS Task Definition with non-blocking container logging\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n LogConfiguration:\n LogDriver: awslogs\n Options:\n awslogs-group: <log-group>\n awslogs-region: <region>\n awslogs-stream-prefix: ecs\n mode: non-blocking # CRITICAL: sets logging to non-blocking to pass the check\n```",
|
|
26
|
+
"Other": "1. Open the AWS Console and go to ECS > Task Definitions\n2. Select the failing task definition and choose Create new revision\n3. Edit the affected container > Log configuration\n4. Set Log driver to awslogs and add option: mode = non-blocking\n5. Ensure awslogs-group, awslogs-region, and (if needed) awslogs-stream-prefix are set\n6. Save and Create; the new revision will have non-blocking logging",
|
|
27
|
+
"Terraform": "```hcl\n# ECS Task Definition with container logging set to non-blocking\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n\n # CRITICAL: \"mode\": \"non-blocking\" in logConfiguration options enforces non-blocking logging\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n logConfiguration = {\n logDriver = \"awslogs\"\n options = {\n awslogs-group = \"<log-group>\"\n awslogs-region = \"<region>\"\n awslogs-stream-prefix = \"ecs\"\n mode = \"non-blocking\" # CRITICAL: required to pass the check\n }\n }\n }\n ])\n}\n```"
|
|
22
28
|
},
|
|
23
29
|
"Recommendation": {
|
|
24
|
-
"Text": "
|
|
25
|
-
"Url": "https://
|
|
30
|
+
"Text": "Set `logConfiguration.mode` to `non-blocking` for all containers and size `max-buffer-size` to handle bursts. Keep log destinations in-Region to lower latency. Apply **defense in depth**: decouple application execution from logging, monitor log throughput, and design for backpressure so logging never blocks runtime.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/ecs_task_definitions_logging_block_mode"
|
|
26
32
|
}
|
|
27
33
|
},
|
|
28
34
|
"Categories": [
|
|
29
|
-
"logging"
|
|
35
|
+
"logging",
|
|
36
|
+
"resilience"
|
|
30
37
|
],
|
|
31
38
|
"DependsOn": [],
|
|
32
39
|
"RelatedTo": [],
|
|
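Review bot: The remediation snippets in this hunk set `mode: non-blocking` but none of the CLI, CloudFormation or Terraform examples sets `max-buffer-size`, even though the new Recommendation text tells operators to size `max-buffer-size` for bursts; adding `\"max-buffer-size\":\"<buffer-size>\"` next to `\"mode\":\"non-blocking\"` in the CLI options (and the equivalent key in the two IaC snippets) would make the documented advice and the fix agree. Non-blocking mode also trades log durability for availability (the linked AWS article's title is about preventing log loss in that mode), yet the Risk and Recommendation fields present only the availability side. A sentence in Recommendation such as `Non-blocking mode may drop log lines when the buffer fills, so size the buffer and monitor for dropped logs` would keep this check from silently weakening the audit-trail guarantee that ecs_task_definitions_logging_enabled is meant to provide.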
@@ -1,28 +1,34 @@
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "ecs_task_definitions_logging_enabled",
|
|
4
|
-
"CheckTitle": "ECS task
|
|
4
|
+
"CheckTitle": "ECS task definition has logging configured for all containers",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/AWS Security Best Practices"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
|
7
8
|
],
|
|
8
9
|
"ServiceName": "ecs",
|
|
9
10
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
11
12
|
"Severity": "high",
|
|
12
13
|
"ResourceType": "AwsEcsTaskDefinition",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
14
|
+
"Description": "**Amazon ECS task definition** containers specify a **logging configuration** with a non-null `logDriver` for every container in the latest active revision.",
|
|
15
|
+
"Risk": "Absent container logs erode visibility, letting intrusions, data exfiltration, and configuration tampering go undetected.\n\nMissing audit trails weaken confidentiality and integrity, hinder forensics, and increase MTTR during outages, impacting availability and compliance evidence.",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-9",
|
|
19
|
+
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#specify-log-config",
|
|
20
|
+
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-log-configuration.html"
|
|
21
|
+
],
|
|
16
22
|
"Remediation": {
|
|
17
23
|
"Code": {
|
|
18
|
-
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"<log-group>\",\"awslogs-region\":\"<region>\"
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"<log-group>\",\"awslogs-region\":\"<region>\"}}}]'",
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: ECS task definition with logging enabled for the container\nResources:\n ExampleTaskDefinition:\n Type: AWS::ECS::TaskDefinition\n Properties:\n ContainerDefinitions:\n - Name: \"<example_resource_name>\"\n Image: \"<image>\"\n LogConfiguration: # Critical: ensures container has logging configured\n LogDriver: awslogs # Critical: non-null log driver passes the check\n Options:\n awslogs-group: \"<log-group>\" # Critical: CloudWatch Logs group\n awslogs-region: \"<region>\"\n```",
|
|
26
|
+
"Other": "1. In the AWS Console, go to Amazon ECS > Task Definitions\n2. Select your task definition and click Create new revision\n3. For each container, open Edit and set Log configuration to awslogs\n4. Set Log group to the desired CloudWatch Logs group and select the Region\n5. Save and Create to register the new revision (ensure all containers have logging)",
|
|
27
|
+
"Terraform": "```hcl\n# ECS task definition with logging enabled for the container\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n logConfiguration = { # Critical: enables container logging\n logDriver = \"awslogs\" # Critical: non-null log driver passes the check\n options = {\n awslogs-group = \"<log-group>\" # Critical: CloudWatch Logs group\n awslogs-region = \"<region>\"\n }\n }\n }\n ])\n}\n```"
|
|
22
28
|
},
|
|
23
29
|
"Recommendation": {
|
|
24
|
-
"Text": "Define a
|
|
25
|
-
"Url": "https://
|
|
30
|
+
"Text": "Implement centralized, tamper-resistant **container logging** for all tasks. Define a `logDriver` per container and ship logs to a managed destination with restricted access. Apply **least privilege**, encryption, and retention. Monitor and alert on anomalies. *If using external collectors, ensure equivalent coverage and durability.*",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/ecs_task_definitions_logging_enabled"
|
|
26
32
|
}
|
|
27
33
|
},
|
|
28
34
|
"Categories": [
|
|
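Review bot: The CloudFormation snippet in `NativeIaC` names its logical resource `ExampleTaskDefinition` while the Terraform snippet in the same hunk and the other metadata files in this diff use the `<example_resource_name>` placeholder; the line should read `<example_resource_name>:` for consistency. The new Description says the check passes on any non-null `logDriver`, but the `Other` steps tell the reader to set the driver to `awslogs` without saying that other supported drivers also satisfy the check; a clause in step 3 such as `(any supported log driver satisfies the check; awslogs is shown as the example)` would avoid the impression that awslogs is mandated. The Recommendation asks for restricted access, encryption and retention on the log destination, yet none of the snippets shows the log group itself; a note that `<log-group>` must already exist and should have retention and access controls configured separately would close that gap.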
@@ -1,30 +1,34 @@
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "ecs_task_definitions_no_environment_secrets",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "ECS task definition has no secrets in environment variables",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"
|
|
7
|
-
"
|
|
8
|
-
"
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Sensitive Data Identifications/Passwords",
|
|
9
|
+
"TTPs/Credential Access"
|
|
9
10
|
],
|
|
10
11
|
"ServiceName": "ecs",
|
|
11
12
|
"SubServiceName": "",
|
|
12
|
-
"ResourceIdTemplate": "
|
|
13
|
+
"ResourceIdTemplate": "",
|
|
13
14
|
"Severity": "critical",
|
|
14
15
|
"ResourceType": "AwsEcsTaskDefinition",
|
|
15
|
-
"Description": "
|
|
16
|
-
"Risk": "
|
|
16
|
+
"Description": "**ECS task definitions** are analyzed for **plaintext secrets** placed in container `environment` variables. It identifies values that resemble credentials (keys, tokens, passwords) within container definitions.",
|
|
17
|
+
"Risk": "Exposed secrets in env vars undermine confidentiality via logs, task metadata, and introspection.\n\nWith container or read-only API access, attackers can reuse credentials to read databases, modify records (integrity), pivot to other services, and trigger outages or unauthorized costs (availability).",
|
|
17
18
|
"RelatedUrl": "",
|
|
19
|
+
"AdditionalURLs": [
|
|
20
|
+
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html"
|
|
21
|
+
],
|
|
18
22
|
"Remediation": {
|
|
19
23
|
"Code": {
|
|
20
24
|
"CLI": "",
|
|
21
|
-
"NativeIaC": "",
|
|
22
|
-
"Other": "",
|
|
23
|
-
"Terraform": ""
|
|
25
|
+
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: app\n Image: <image>\n Secrets: # Critical: use Secrets instead of plaintext env vars\n - Name: DB_PASSWORD # Critical: inject secret at runtime\n ValueFrom: <secret_arn_or_parameter_arn> # Critical: reference Secrets Manager/SSM parameter\n```",
|
|
26
|
+
"Other": "1. In the AWS Console, go to ECS > Task Definitions and open your task definition\n2. Create a new revision\n3. For each container, remove any sensitive values from Environment variables\n4. Under Environment variables, add a new entry in the Secrets section with Name (e.g., DB_PASSWORD) and ValueFrom pointing to your Secrets Manager/SSM parameter\n5. Save to create the new revision\n6. If using a service, update the service to use the new task definition revision and deploy",
|
|
27
|
+
"Terraform": "```hcl\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n # Critical: define container secrets instead of plaintext env vars\n container_definitions = jsonencode([\n {\n name = \"app\"\n image = \"<image>\"\n secrets = [\n { name = \"DB_PASSWORD\", valueFrom = \"<secret_arn_or_parameter_arn>\" } # Critical: inject secret at runtime\n ]\n }\n ])\n}\n```"
|
|
24
28
|
},
|
|
25
29
|
"Recommendation": {
|
|
26
|
-
"Text": "
|
|
27
|
-
"Url": "https://
|
|
30
|
+
"Text": "Store secrets in **AWS Secrets Manager** or **SSM Parameter Store** and inject them at runtime instead of plaintext env vars.\n\nApply **least privilege** via task roles, enable regular **rotation**, avoid logging secret values, and prefer **ephemeral credentials** for downstream services.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/ecs_task_definitions_no_environment_secrets"
|
|
28
32
|
}
|
|
29
33
|
},
|
|
30
34
|
"Categories": [
|