prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (298)
  1. dashboard/__main__.py +2 -1
  2. dashboard/compliance/c5_azure.py +43 -0
  3. dashboard/compliance/fedramp_20x_ksi_low_aws.py +46 -0
  4. dashboard/compliance/fedramp_20x_ksi_low_azure.py +46 -0
  5. dashboard/compliance/fedramp_20x_ksi_low_gcp.py +46 -0
  6. dashboard/compliance/hipaa_gcp.py +25 -0
  7. dashboard/compliance/nist_csf_2_0_aws.py +24 -0
  8. dashboard/compliance/prowler_threatscore_kubernetes.py +28 -0
  9. prowler/AGENTS.md +366 -0
  10. prowler/CHANGELOG.md +93 -2
  11. prowler/__main__.py +54 -7
  12. prowler/compliance/aws/ens_rd2022_aws.json +1 -1
  13. prowler/compliance/aws/fedramp_20x_ksi_low_aws.json +347 -0
  14. prowler/compliance/aws/nis2_aws.json +1 -1
  15. prowler/compliance/aws/nist_csf_2.0_aws.json +1781 -0
  16. prowler/compliance/azure/c5_azure.json +9471 -0
  17. prowler/compliance/azure/ens_rd2022_azure.json +1 -1
  18. prowler/compliance/azure/fedramp_20x_ksi_low_azure.json +358 -0
  19. prowler/compliance/azure/nis2_azure.json +1 -1
  20. prowler/compliance/gcp/c5_gcp.json +9401 -0
  21. prowler/compliance/gcp/ens_rd2022_gcp.json +1 -1
  22. prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json +293 -0
  23. prowler/compliance/gcp/hipaa_gcp.json +415 -0
  24. prowler/compliance/gcp/nis2_gcp.json +1 -1
  25. prowler/compliance/github/cis_1.0_github.json +6 -2
  26. prowler/compliance/kubernetes/prowler_threatscore_kubernetes.json +1269 -0
  27. prowler/compliance/m365/prowler_threatscore_m365.json +6 -6
  28. prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json} +1 -1
  29. prowler/config/config.py +59 -5
  30. prowler/config/config.yaml +3 -0
  31. prowler/lib/check/check.py +1 -9
  32. prowler/lib/check/checks_loader.py +65 -1
  33. prowler/lib/check/models.py +12 -2
  34. prowler/lib/check/utils.py +1 -7
  35. prowler/lib/cli/parser.py +17 -7
  36. prowler/lib/mutelist/mutelist.py +15 -7
  37. prowler/lib/outputs/compliance/c5/c5_azure.py +92 -0
  38. prowler/lib/outputs/compliance/c5/c5_gcp.py +92 -0
  39. prowler/lib/outputs/compliance/c5/models.py +54 -0
  40. prowler/lib/outputs/compliance/cis/{cis_oci.py → cis_oraclecloud.py} +7 -7
  41. prowler/lib/outputs/compliance/cis/models.py +3 -3
  42. prowler/lib/outputs/compliance/prowler_threatscore/models.py +29 -0
  43. prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_kubernetes.py +98 -0
  44. prowler/lib/outputs/finding.py +16 -5
  45. prowler/lib/outputs/html/html.py +10 -8
  46. prowler/lib/outputs/outputs.py +1 -1
  47. prowler/lib/outputs/summary_table.py +1 -1
  48. prowler/lib/powershell/powershell.py +12 -11
  49. prowler/lib/scan/scan.py +105 -24
  50. prowler/lib/utils/utils.py +1 -1
  51. prowler/providers/aws/aws_regions_by_service.json +73 -15
  52. prowler/providers/aws/lib/quick_inventory/quick_inventory.py +1 -1
  53. prowler/providers/aws/lib/security_hub/security_hub.py +1 -1
  54. prowler/providers/aws/services/account/account_service.py +1 -1
  55. prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +1 -3
  56. prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json +23 -12
  57. prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json +21 -12
  58. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +23 -12
  59. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +24 -12
  60. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +21 -12
  61. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +17 -11
  62. prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json +20 -12
  63. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json +22 -13
  64. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.metadata.json +22 -17
  65. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.metadata.json +18 -12
  66. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json +27 -13
  67. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +20 -12
  68. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +22 -12
  69. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +25 -12
  70. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +23 -12
  71. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.metadata.json +17 -12
  72. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +21 -12
  73. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +21 -12
  74. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +27 -12
  75. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +22 -12
  76. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +26 -12
  77. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +25 -12
  78. prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json +20 -11
  79. prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json +22 -12
  80. prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +28 -12
  81. prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json +22 -12
  82. prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json +15 -10
  83. prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json +19 -11
  84. prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json +21 -12
  85. prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json +19 -12
  86. prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json +24 -13
  87. prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json +35 -13
  88. prowler/providers/aws/services/codepipeline/__init__.py +0 -0
  89. prowler/providers/aws/services/codepipeline/codepipeline_client.py +6 -0
  90. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/__init__.py +0 -0
  91. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json +30 -0
  92. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py +95 -0
  93. prowler/providers/aws/services/codepipeline/codepipeline_service.py +164 -0
  94. prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json +18 -12
  95. prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json +18 -12
  96. prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json +24 -13
  97. prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json +23 -13
  98. prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json +24 -13
  99. prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json +19 -13
  100. prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json +20 -10
  101. prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json +26 -13
  102. prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json +20 -10
  103. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json +18 -11
  104. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json +16 -11
  105. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json +21 -13
  106. prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json +20 -12
  107. prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +17 -10
  108. prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json +21 -13
  109. prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json +18 -12
  110. prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json +18 -12
  111. prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json +19 -12
  112. prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json +16 -11
  113. prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json +22 -13
  114. prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json +19 -13
  115. prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json +21 -13
  116. prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json +22 -12
  117. prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.metadata.json +20 -12
  118. prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.metadata.json +21 -11
  119. prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.metadata.json +20 -11
  120. prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.metadata.json +18 -12
  121. prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.metadata.json +20 -13
  122. prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.metadata.json +21 -13
  123. prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.metadata.json +26 -13
  124. prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.metadata.json +19 -12
  125. prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.metadata.json +18 -12
  126. prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json +16 -12
  127. prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.metadata.json +21 -14
  128. prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.metadata.json +19 -13
  129. prowler/providers/aws/services/eks/eks_cluster_deletion_protection_enabled/eks_cluster_deletion_protection_enabled.metadata.json +20 -13
  130. prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.metadata.json +20 -13
  131. prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.metadata.json +20 -14
  132. prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.metadata.json +22 -13
  133. prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.metadata.json +19 -13
  134. prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json +21 -12
  135. prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +20 -13
  136. prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json +20 -12
  137. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json +21 -12
  138. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json +20 -13
  139. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json +23 -13
  140. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.metadata.json +21 -12
  141. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.metadata.json +22 -14
  142. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.metadata.json +20 -11
  143. prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.metadata.json +23 -13
  144. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json +18 -12
  145. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json +17 -12
  146. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json +17 -11
  147. prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.metadata.json +22 -13
  148. prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.metadata.json +24 -13
  149. prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.metadata.json +20 -11
  150. prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.metadata.json +20 -10
  151. prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.metadata.json +20 -11
  152. prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.metadata.json +20 -12
  153. prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json +19 -12
  154. prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.metadata.json +19 -11
  155. prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.metadata.json +17 -12
  156. prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.metadata.json +21 -13
  157. prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.metadata.json +19 -11
  158. prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.metadata.json +21 -12
  159. prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.metadata.json +18 -11
  160. prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json +17 -10
  161. prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.metadata.json +22 -13
  162. prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.metadata.json +18 -12
  163. prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.metadata.json +17 -12
  164. prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.metadata.json +18 -11
  165. prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.metadata.json +18 -12
  166. prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.metadata.json +16 -11
  167. prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.metadata.json +21 -13
  168. prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.metadata.json +24 -11
  169. prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.metadata.json +18 -11
  170. prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +26 -13
  171. prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json +21 -11
  172. prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json +24 -13
  173. prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +26 -14
  174. prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.metadata.json +26 -15
  175. prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +15 -16
  176. prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json +23 -11
  177. prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json +19 -12
  178. prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json +17 -12
  179. prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json +22 -13
  180. prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json +21 -12
  181. prowler/providers/aws/services/iam/lib/policy.py +24 -16
  182. prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json +21 -13
  183. prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json +22 -13
  184. prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +7 -2
  185. prowler/providers/azure/services/defender/defender_service.py +4 -2
  186. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/__init__.py +0 -0
  187. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +36 -0
  188. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py +43 -0
  189. prowler/providers/azure/services/postgresql/postgresql_service.py +66 -9
  190. prowler/providers/azure/services/storage/storage_service.py +13 -4
  191. prowler/providers/azure/services/vm/vm_service.py +4 -7
  192. prowler/providers/common/arguments.py +19 -16
  193. prowler/providers/common/provider.py +2 -18
  194. prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json +16 -15
  195. prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +30 -4
  196. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py +0 -0
  197. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json +36 -0
  198. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py +61 -0
  199. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json +12 -9
  200. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py +10 -3
  201. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py +0 -0
  202. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json +36 -0
  203. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py +40 -0
  204. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py +0 -0
  205. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json +36 -0
  206. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py +31 -0
  207. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py +0 -0
  208. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json +35 -0
  209. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py +55 -0
  210. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py +0 -0
  211. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json +36 -0
  212. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py +30 -0
  213. prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +48 -2
  214. prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py +0 -0
  215. prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json +35 -0
  216. prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py +36 -0
  217. prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json +14 -8
  218. prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py +0 -0
  219. prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json +30 -0
  220. prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py +106 -0
  221. prowler/providers/github/services/organization/organization_service.py +84 -10
  222. prowler/providers/iac/iac_provider.py +279 -55
  223. prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json +18 -13
  224. prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json +16 -11
  225. prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json +16 -11
  226. prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json +18 -13
  227. prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json +16 -12
  228. prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json +16 -11
  229. prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json +16 -10
  230. prowler/providers/m365/lib/powershell/m365_powershell.py +80 -93
  231. prowler/providers/m365/m365_provider.py +1 -6
  232. prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.py +17 -21
  233. prowler/providers/m365/services/exchange/exchange_service.py +18 -12
  234. prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py +9 -7
  235. prowler/providers/mongodbatlas/exceptions/exceptions.py +16 -0
  236. prowler/providers/mongodbatlas/mongodbatlas_provider.py +15 -3
  237. prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json +20 -9
  238. prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json +14 -9
  239. prowler/providers/oraclecloud/lib/arguments/arguments.py +4 -13
  240. prowler/providers/oraclecloud/lib/service/service.py +3 -3
  241. prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py} +15 -15
  242. prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +20 -16
  243. prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +17 -17
  244. prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +17 -19
  245. prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +18 -18
  246. prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +17 -18
  247. prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +1 -1
  248. prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +1 -1
  249. prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +1 -1
  250. prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +1 -1
  251. prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +1 -1
  252. prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +1 -1
  253. prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +1 -1
  254. prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +1 -1
  255. prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +1 -1
  256. prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +1 -1
  257. prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +1 -1
  258. prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +1 -1
  259. prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +1 -1
  260. prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +1 -1
  261. prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +1 -1
  262. prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +1 -1
  263. prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +1 -1
  264. prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +1 -1
  265. prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +1 -1
  266. prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +1 -1
  267. prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +1 -1
  268. prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +1 -1
  269. prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +1 -1
  270. prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +1 -1
  271. prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +1 -1
  272. prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +1 -1
  273. prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +1 -1
  274. prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +1 -1
  275. prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +1 -1
  276. prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +1 -1
  277. prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +1 -1
  278. prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +1 -1
  279. prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +1 -1
  280. prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +1 -1
  281. prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +1 -1
  282. prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +1 -1
  283. prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +1 -1
  284. prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +1 -1
  285. prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +1 -1
  286. prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +1 -1
  287. prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +1 -1
  288. prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +1 -1
  289. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +1 -1
  290. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +1 -1
  291. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +1 -1
  292. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +1 -1
  293. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/METADATA +17 -16
  294. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/RECORD +298 -249
  295. /prowler/compliance/{oci → oraclecloud}/__init__.py +0 -0
  296. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/LICENSE +0 -0
  297. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/WHEEL +0 -0
  298. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/entry_points.txt +0 -0
@@ -1,32 +1,39 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "ecs_task_definitions_no_privileged_containers",
4
- "CheckTitle": "ECS task definitions shouldn't have privileged containers",
4
+ "CheckTitle": "ECS task definition has no privileged containers",
5
5
  "CheckType": [
6
- "Software and Configuration Checks/AWS Security Best Practices"
6
+ "Software and Configuration Checks/AWS Security Best Practices",
7
+ "Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks",
8
+ "TTPs/Privilege Escalation"
7
9
  ],
8
10
  "ServiceName": "ecs",
9
- "SubServiceName": "taskDefinition",
10
- "ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-definition/{task-definition-name}",
11
+ "SubServiceName": "",
12
+ "ResourceIdTemplate": "",
11
13
  "Severity": "high",
12
14
  "ResourceType": "AwsEcsTaskDefinition",
13
- "Description": "This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.",
14
- "Risk": "Running containers with elevated privileges increases the risk of privilege escalation attacks, potentially allowing unauthorized access to the host and other containers.",
15
- "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html",
15
+ "Description": "**Amazon ECS task definitions** are evaluated for containers configured with **privileged mode** (`privileged: true`).\n\nThe outcome indicates whether any container definition enables this setting.",
16
+ "Risk": "**Privileged containers** can act with host-level root, breaking isolation. A foothold lets attackers achieve **container escape**, mount host devices, read secrets, alter configs, and control other workloads-impacting confidentiality, integrity, and availability via data theft, tampering, and service disruption.",
17
+ "RelatedUrl": "",
18
+ "AdditionalURLs": [
19
+ "https://docs.aws.amazon.com/config/latest/developerguide/ecs-containers-nonprivileged.html",
20
+ "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-4",
21
+ "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security"
22
+ ],
16
23
  "Remediation": {
17
24
  "Code": {
18
- "CLI": "aws ecs register-task-definition --family <task-family> --container-definitions '[{\"name\":\"<container-name>\",\"image\":\"<image>\",\"privileged\":false}]'",
19
- "NativeIaC": "",
20
- "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-4",
21
- "Terraform": ""
25
+ "CLI": "aws ecs deregister-task-definition --task-definition <task-family>:<revision>",
26
+ "NativeIaC": "```yaml\n# CloudFormation: ECS task definition with non-privileged container\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskDefinition\n Properties:\n Family: <example_resource_name>\n ContainerDefinitions:\n - Name: <example_resource_name>\n Image: <image>\n Privileged: false # Critical: ensures container is non-privileged to pass the check\n```",
27
+ "Other": "1. Open the Amazon ECS console and go to Task definitions\n2. Select the failing task definition family and open the failing revision\n3. Click Create new revision\n4. Edit the affected container and uncheck Privileged (set it to false)\n5. Click Create to register the new revision",
28
+ "Terraform": "```hcl\n# ECS task definition with non-privileged container\nresource \"aws_ecs_task_definition\" \"<example_resource_name>\" {\n family = \"<example_resource_name>\"\n container_definitions = jsonencode([\n {\n name = \"<example_resource_name>\"\n image = \"<image>\"\n privileged = false # Critical: ensures container is non-privileged to pass the check\n }\n ])\n}\n```"
22
29
  },
23
30
  "Recommendation": {
24
- "Text": "Ensure that containers are running without elevated privileges to minimize the risk of privilege escalation.",
25
- "Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security"
31
+ "Text": "Run containers without elevated rights (`privileged: false`) and as non-root (`user`). Apply **least privilege**:\n- Grant only required Linux capabilities via `capDrop`/`capAdd`\n- Prefer `readonlyRootFilesystem: true`\n- Isolate networks and separate duties\n- Monitor with logging to support defense in depth",
32
+ "Url": "https://hub.prowler.com/check/ecs_task_definitions_no_privileged_containers"
26
33
  }
27
34
  },
28
35
  "Categories": [
29
- "vulnerabilities"
36
+ "container-security"
30
37
  ],
31
38
  "DependsOn": [],
32
39
  "RelatedTo": [],
@@ -1,28 +1,34 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "ecs_task_set_no_assign_public_ip",
4
- "CheckTitle": "ECS task sets should not automatically assign public IP addresses",
4
+ "CheckTitle": "ECS task set does not automatically assign a public IP address",
5
5
  "CheckType": [
6
- "Software and Configuration Checks/AWS Security Best Practices"
6
+ "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
7
+ "Effects/Data Exposure"
7
8
  ],
8
9
  "ServiceName": "ecs",
9
10
  "SubServiceName": "",
10
- "ResourceIdTemplate": "arn:aws:ecs:{region}:{account-id}:task-set/{cluster-name}/{service-name}/{task-set-id}",
11
+ "ResourceIdTemplate": "",
11
12
  "Severity": "high",
12
- "ResourceType": "AwsEcsTaskSet",
13
- "Description": "This control checks whether an Amazon ECS task set is configured to automatically assign public IP addresses. The control fails if AssignPublicIP is set to ENABLED.",
14
- "Risk": "A public IP address is reachable from the internet, potentially exposing resources associated with the ECS task set. ECS task sets shouldn't be publicly accessible, as this may allow unintended access to container application servers.",
15
- "RelatedUrl": "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskSet.html",
13
+ "ResourceType": "AwsEcsService",
14
+ "Description": "**ECS task sets** are assessed for **automatic public IP assignment** via `AssignPublicIP`. When set to `ENABLED`, tasks are given public addresses in their network configuration.",
15
+ "Risk": "Public IPs make tasks directly reachable from the Internet, enabling scanning, brute force, and exploit attempts.\n\nImpacts: **confidentiality** (data exposure), **integrity** (unauthorized actions), **availability** (DoS). Attackers can bypass internal controls and pivot for lateral movement.",
16
+ "RelatedUrl": "",
17
+ "AdditionalURLs": [
18
+ "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html",
19
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskSet.html",
20
+ "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-16"
21
+ ],
16
22
  "Remediation": {
17
23
  "Code": {
18
- "CLI": "aws ecs update-service --cluster <cluster-name> --service <service-name> --network-configuration 'awsvpcConfiguration={assignPublicIp=\"DISABLED\"}'",
19
- "NativeIaC": "",
20
- "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html#ecs-16",
21
- "Terraform": ""
24
+ "CLI": "",
25
+ "NativeIaC": "```yaml\n# CloudFormation to ensure ECS Task Set does not auto-assign public IP\nResources:\n <example_resource_name>:\n Type: AWS::ECS::TaskSet\n Properties:\n Cluster: \"<example_resource_id>\"\n Service: \"<example_resource_id>\"\n TaskDefinition: \"<example_resource_id>\"\n NetworkConfiguration:\n AwsvpcConfiguration:\n AssignPublicIp: DISABLED # CRITICAL: disables automatic public IP assignment\n Subnets:\n - \"<example_resource_id>\"\n```",
26
+ "Other": "1. In the AWS Console, go to ECS > Clusters > select your cluster\n2. Open your Service and choose Update (or Edit)\n3. In Networking, set Public IP assignment to Disabled\n4. Save/Deploy the update to create a new deployment/task set\n5. After the new task set is Primary and stable, delete the old task set that had Public IP enabled",
27
+ "Terraform": "```hcl\n# ECS Task Set with public IP assignment disabled\nresource \"aws_ecs_task_set\" \"<example_resource_name>\" {\n cluster = \"<example_resource_id>\"\n service = \"<example_resource_id>\"\n task_definition = \"<example_resource_id>\"\n\n network_configuration {\n subnets = [\"<example_resource_id>\"]\n assign_public_ip = false # CRITICAL: disables automatic public IP assignment\n }\n}\n```"
22
28
  },
23
29
  "Recommendation": {
24
- "Text": "Configure ECS task sets to not assign public IP addresses to prevent unintended public access to your containerized applications.",
25
- "Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-task-definition-console-v2.html"
30
+ "Text": "Disable **automatic public IPs** on task sets.\n\nUse private subnets behind controlled entry points (load balancers, API gateways, or service discovery). Enforce **least privilege** security groups and **defense in depth**. Prefer private connectivity (VPC endpoints/VPN). *Expose only frontends, not tasks.*",
31
+ "Url": "https://hub.prowler.com/check/ecs_task_set_no_assign_public_ip"
26
32
  }
27
33
  },
28
34
  "Categories": [
@@ -1,31 +1,38 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "eks_cluster_deletion_protection_enabled",
4
- "CheckTitle": "Ensure EKS clusters have deletion protection enabled",
4
+ "CheckTitle": "EKS cluster has deletion protection enabled",
5
5
  "CheckType": [
6
- "Software and Configuration Checks/AWS Security Best Practices/Resource Management"
6
+ "Software and Configuration Checks/AWS Security Best Practices",
7
+ "Effects/Data Destruction"
7
8
  ],
8
9
  "ServiceName": "eks",
9
10
  "SubServiceName": "",
10
- "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
11
+ "ResourceIdTemplate": "",
11
12
  "Severity": "high",
12
13
  "ResourceType": "AwsEksCluster",
13
- "Description": "Ensure that your Amazon EKS clusters have deletion protection enabled to prevent accidental deletion of critical Kubernetes clusters.",
14
- "Risk": "Without deletion protection, EKS clusters can be accidentally deleted through Terraform automation, AWS CLI commands, or the AWS console, leading to data loss and service disruption.",
15
- "RelatedUrl": "https://docs.aws.amazon.com/eks/latest/userguide/deletion-protection.html",
14
+ "Description": "**Amazon EKS clusters** have **deletion protection** enabled blocking cluster removal until protection is explicitly disabled.",
15
+ "Risk": "Without **deletion protection**, automation errors or a compromised admin can remove the cluster control plane, causing immediate **availability** loss and downtime. Destructive actions can also affect the **integrity** of deployments, leave orphaned resources, hinder recovery, and raise **operational cost**.",
16
+ "RelatedUrl": "",
17
+ "AdditionalURLs": [
18
+ "https://docs.aws.amazon.com/eks/latest/APIReference/API_UpdateClusterConfig.html",
19
+ "https://docs.aws.amazon.com/eks/latest/userguide/deletion-protection.html"
20
+ ],
16
21
  "Remediation": {
17
22
  "Code": {
18
- "CLI": "aws eks update-cluster-config --region <region_name> --name <cluster_name> --deletion-protection",
19
- "NativeIaC": "",
20
- "Other": "",
21
- "Terraform": "resource \"aws_eks_cluster\" \"example\" {\n name = \"example-cluster\"\n role_arn = aws_iam_role.example.arn\n deletion_protection = true\n # ... other configuration\n}"
23
+ "CLI": "aws eks update-cluster-config --name <cluster_name> --region <region_name> --deletion-protection",
24
+ "NativeIaC": "```yaml\n# CloudFormation: enable deletion protection on the EKS cluster\nResources:\n <example_resource_name>:\n Type: AWS::EKS::Cluster\n Properties:\n RoleArn: <example_role_arn>\n ResourcesVpcConfig:\n SubnetIds: [<example_subnet_id_1>, <example_subnet_id_2>]\n DeletionProtection: true # critical: prevents cluster deletion until disabled\n```",
25
+ "Other": "1. Open the AWS Management Console and go to Amazon EKS\n2. Select your cluster\n3. Go to the Configuration tab and click Edit\n4. Enable Deletion protection\n5. Click Save changes",
26
+ "Terraform": "```hcl\n# Enable deletion protection for the EKS cluster\nresource \"aws_eks_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n\n vpc_config {\n subnet_ids = [\"<subnet_id_1>\", \"<subnet_id_2>\"]\n }\n\n deletion_protection = true # critical: prevents cluster deletion until disabled\n}\n```"
22
27
  },
23
28
  "Recommendation": {
24
- "Text": "Enable deletion protection on all EKS clusters to prevent accidental deletion. This is especially important for production clusters and those managed through Infrastructure as Code (IaC) tools.",
25
- "Url": "https://docs.aws.amazon.com/eks/latest/userguide/deletion-protection.html"
29
+ "Text": "Enable **deletion protection** on critical clusters (`deletionProtection=true`). Enforce **least privilege** so only narrowly scoped roles can disable or delete clusters. Require **change control** with approvals and **separation of duties**, and apply guardrails to prevent broad delete permissions.",
30
+ "Url": "https://hub.prowler.com/check/eks_cluster_deletion_protection_enabled"
26
31
  }
27
32
  },
28
- "Categories": [],
33
+ "Categories": [
34
+ "resilience"
35
+ ],
29
36
  "DependsOn": [],
30
37
  "RelatedTo": [],
31
38
  "Notes": ""
@@ -1,33 +1,40 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "eks_cluster_kms_cmk_encryption_in_secrets_enabled",
4
- "CheckTitle": "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)",
4
+ "CheckTitle": "EKS cluster has Kubernetes secrets encryption enabled",
5
5
  "CheckType": [
6
- "Protect",
7
- "Data protection"
6
+ "Software and Configuration Checks/AWS Security Best Practices",
7
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
8
8
  ],
9
9
  "ServiceName": "eks",
10
10
  "SubServiceName": "",
11
- "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
11
+ "ResourceIdTemplate": "",
12
12
  "Severity": "medium",
13
13
  "ResourceType": "AwsEksCluster",
14
- "Description": "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)",
15
- "Risk": "Implementing envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense in depth security strategy.",
14
+ "Description": "**Amazon EKS** clusters configure **AWS KMS envelope encryption** so Kubernetes **Secrets** are stored in etcd as ciphertext at rest.",
15
+ "Risk": "Without KMS-backed encryption, etcd data and snapshots can reveal plaintext secrets. Attackers with API, node, or storage access can steal tokens, passwords, and keys, enabling impersonation, pod takeover, and lateral movement-compromising confidentiality and leading to privilege escalation.",
16
16
  "RelatedUrl": "",
17
+ "AdditionalURLs": [
18
+ "https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/eks.html",
19
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/enable-envelope-encryption.html",
20
+ "https://devoriales.com/post/329/aws-eks-secret-encryption-securing-your-eks-secrets-at-rest-with-aws-kms",
21
+ "https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html"
22
+ ],
17
23
  "Remediation": {
18
24
  "Code": {
19
- "CLI": "",
20
- "NativeIaC": "https://docs.prowler.com/checks/aws/kubernetes-policies-1/bc_aws_kubernetes_3#fix---builtime",
21
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/enable-envelope-encryption.html",
22
- "Terraform": ""
25
+ "CLI": "aws eks associate-encryption-config --cluster-name <example_resource_name> --encryption-config '[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<example_resource_id>\"}}]'",
26
+ "NativeIaC": "```yaml\n# CloudFormation: enable KMS envelope encryption for Kubernetes secrets\nResources:\n EKSCluster:\n Type: AWS::EKS::Cluster\n Properties:\n Name: \"<example_resource_name>\"\n RoleArn: \"arn:aws:iam::<ACCOUNT_ID>:role/<example_resource_name>\"\n ResourcesVpcConfig:\n SubnetIds:\n - \"<example_resource_id>\"\n - \"<example_resource_id>\"\n EncryptionConfig: # Critical: enables KMS encryption for Kubernetes secrets\n - Resources:\n - secrets # Critical: encrypts only Kubernetes secrets\n Provider:\n KeyArn: \"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<example_resource_id>\" # Critical: KMS key used for encryption\n```",
27
+ "Other": "1. Open the AWS Management Console and go to Amazon EKS\n2. Select your cluster\n3. On the Overview tab, find Secrets encryption and click Enable\n4. Select the KMS key and click Enable\n5. Click Confirm to apply",
28
+ "Terraform": "```hcl\n# Enable KMS envelope encryption for Kubernetes secrets\nresource \"aws_eks_cluster\" \"main\" {\n name = \"<example_resource_name>\"\n role_arn = \"arn:aws:iam::<ACCOUNT_ID>:role/<example_resource_name>\"\n\n vpc_config {\n subnet_ids = [\"<example_resource_id>\", \"<example_resource_id>\"]\n }\n\n encryption_config { # Critical: enables KMS encryption for secrets\n resources = [\"secrets\"] # Critical: scope to Kubernetes secrets\n provider {\n key_arn = \"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<example_resource_id>\" # Critical: KMS key\n }\n }\n}\n```"
23
29
  },
24
30
  "Recommendation": {
25
- "Text": "Setup your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.",
26
- "Url": "https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html"
31
+ "Text": "Enable cluster-level secrets encryption with **AWS KMS** and prefer a **customer managed KMS key** for control and rotation. Apply **least privilege** to key policies and cluster roles, monitor key usage, and combine with strict **RBAC** to limit who can read or create secrets as part of **defense in depth**.",
32
+ "Url": "https://hub.prowler.com/check/eks_cluster_kms_cmk_encryption_in_secrets_enabled"
27
33
  }
28
34
  },
29
35
  "Categories": [
30
- "encryption"
36
+ "encryption",
37
+ "cluster-security"
31
38
  ],
32
39
  "DependsOn": [],
33
40
  "RelatedTo": [],
@@ -1,33 +1,39 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "eks_cluster_network_policy_enabled",
4
- "CheckTitle": "Ensure Network Policy is Enabled and Set as Appropriate",
4
+ "CheckTitle": "EKS cluster has network policy enabled",
5
5
  "CheckType": [
6
- "Security",
7
- "Configuration"
6
+ "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
7
+ "TTPs/Lateral Movement"
8
8
  ],
9
9
  "ServiceName": "eks",
10
10
  "SubServiceName": "",
11
- "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
11
+ "ResourceIdTemplate": "",
12
12
  "Severity": "high",
13
13
  "ResourceType": "AwsEksCluster",
14
- "Description": "Ensure that Network Policy is enabled and set as appropriate in Amazon EKS clusters. Network Policy provides pod-level firewalling to restrict traffic between sources, enhancing network security within the cluster.",
15
- "Risk": "Without proper Network Policy settings, pods within the cluster may be vulnerable to unauthorized access and communication.",
16
- "RelatedUrl": "https://docs.aws.amazon.com/eks/latest/userguide/eks-networking-add-ons.html",
14
+ "Description": "**Amazon EKS clusters** are evaluated for **pod-level network isolation** via Kubernetes `NetworkPolicy`, indicating whether traffic between pods and namespaces is restricted according to defined rules.",
15
+ "Risk": "Without **NetworkPolicy**, pods can communicate freely, enabling **lateral movement**, **data exfiltration**, and abuse of internal services. Unrestricted east-west traffic undermines confidentiality and integrity and enlarges the blast radius of a single compromised pod.",
16
+ "RelatedUrl": "",
17
+ "AdditionalURLs": [
18
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/security-groups.html",
19
+ "https://docs.aws.amazon.com/eks/latest/userguide/eks-networking-add-ons.html",
20
+ "https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html"
21
+ ],
17
22
  "Remediation": {
18
23
  "Code": {
19
- "CLI": "",
20
- "NativeIaC": "",
21
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/security-groups.html",
22
- "Terraform": "https://docs.prowler.com/checks/aws/kubernetes-policies-1/bc_aws_kubernetes_1#terraform"
24
+ "CLI": "aws eks update-cluster-config --name <example_cluster_name> --resources-vpc-config securityGroupIds=<example_security_group_id>",
25
+ "NativeIaC": "```yaml\n# CloudFormation: attach a security group to the EKS cluster\nResources:\n <example_resource_name>:\n Type: AWS::EKS::Cluster\n Properties:\n RoleArn: <example_role_arn>\n ResourcesVpcConfig:\n SubnetIds:\n - <example_subnet_id>\n SecurityGroupIds:\n - <example_security_group_id> # Critical: sets a security group for the cluster, satisfying the check\n```",
26
+ "Other": "1. Open the AWS Console and go to EKS > Clusters\n2. Select <your cluster> and open the Networking tab\n3. Click Edit (or Update) in the Networking section\n4. Under Security groups, add/select <example_security_group_id>\n5. Click Save to apply",
27
+ "Terraform": "```hcl\n# Minimal EKS cluster config with a security group attached\nresource \"aws_eks_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n\n vpc_config {\n subnet_ids = [\"<example_subnet_id>\"]\n security_group_ids = [\"<example_security_group_id>\"] # Critical: attaches a security group to pass the check\n }\n}\n```"
23
28
  },
24
29
  "Recommendation": {
25
- "Text": "Enable and configure Network Policy to enhance network security within the EKS cluster.",
26
- "Url": "https://docs.aws.amazon.com/eks/latest/userguide/eks-networking-add-ons.html"
30
+ "Text": "Enforce **least privilege** `NetworkPolicy` with a `default-deny` for ingress and egress, then explicitly allow required flows by labels and namespaces. Apply **defense in depth** with security groups for pods and private access, and continuously test and monitor policy effectiveness.",
31
+ "Url": "https://hub.prowler.com/check/eks_cluster_network_policy_enabled"
27
32
  }
28
33
  },
29
34
  "Categories": [
30
- "internet-exposed"
35
+ "trust-boundaries",
36
+ "cluster-security"
31
37
  ],
32
38
  "DependsOn": [],
33
39
  "RelatedTo": [],
@@ -1,36 +1,45 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "eks_cluster_not_publicly_accessible",
4
- "CheckTitle": "Ensure EKS Clusters are not publicly accessible",
4
+ "CheckTitle": "EKS cluster endpoint is not publicly accessible from 0.0.0.0/0",
5
5
  "CheckAliases": [
6
6
  "eks_endpoints_not_publicly_accessible",
7
7
  "eks_control_plane_endpoint_access_restricted"
8
8
  ],
9
9
  "CheckType": [
10
- "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
10
+ "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
11
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
12
+ "TTPs/Initial Access/Unauthorized Access",
13
+ "Effects/Data Exposure"
11
14
  ],
12
15
  "ServiceName": "eks",
13
16
  "SubServiceName": "",
14
- "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
17
+ "ResourceIdTemplate": "",
15
18
  "Severity": "high",
16
19
  "ResourceType": "AwsEksCluster",
17
- "Description": "Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet in order to avoid exposing private data and minimizing security risks.",
18
- "Risk": "By default, this API server endpoint is publicly accessible, meaning any machine on the internet can potentially connect to your EKS cluster using its public endpoint. This exposes your cluster to a higher risk of malicious activities and attacks.",
19
- "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-1",
20
+ "Description": "**Amazon EKS** cluster API server endpoint is evaluated for **unrestricted Internet access**, specifically when the public endpoint permits connections from `0.0.0.0/0` instead of private access or limited CIDR ranges.",
21
+ "Risk": "An openly reachable API endpoint enables Internet-wide probing, brute force, and enumeration, increasing exposure to RBAC misconfigurations or API flaws. Successful access can drive secret exfiltration (confidentiality), workload tampering (integrity), and control-plane disruption or scaling abuse (availability, cost).",
22
+ "RelatedUrl": "",
23
+ "AdditionalURLs": [
24
+ "https://docs.aws.amazon.com/eks/latest/eksctl/vpc-cluster-access.html",
25
+ "https://docs.aws.amazon.com/eks/latest/userguide/config-cluster-endpoint.html",
26
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/endpoint-access.html"
27
+ ],
20
28
  "Remediation": {
21
29
  "Code": {
22
- "CLI": "aws eks update-cluster-config --region <region_name> --name <cluster_name> --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true,publicAccessCidrs=[\"123.123.123.123/32\"]",
23
- "NativeIaC": "",
24
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/endpoint-access.html",
25
- "Terraform": ""
30
+ "CLI": "aws eks update-cluster-config --region <region_name> --name <cluster_name> --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true",
31
+ "NativeIaC": "```yaml\n# CloudFormation: Disable public endpoint and enable private endpoint\nResources:\n <example_resource_name>:\n Type: AWS::EKS::Cluster\n Properties:\n RoleArn: <example_role_arn>\n ResourcesVpcConfig:\n SubnetIds:\n - <example_subnet_id_1>\n - <example_subnet_id_2>\n EndpointPublicAccess: false # critical: disables public API endpoint\n EndpointPrivateAccess: true # critical: enables private API endpoint\n```",
32
+ "Other": "1. Open the Amazon EKS console\n2. Select your cluster\n3. Go to the Networking tab and click Manage endpoint access\n4. Enable Private access and Disable Public access\n5. Click Update/Save",
33
+ "Terraform": "```hcl\n# Terraform: Disable public endpoint and enable private endpoint\nresource \"aws_eks_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n\n vpc_config {\n subnet_ids = [\"<example_subnet_id_1>\", \"<example_subnet_id_2>\"]\n endpoint_public_access = false # critical: disables public API endpoint\n endpoint_private_access = true # critical: enables private API endpoint\n }\n}\n```"
26
34
  },
27
35
  "Recommendation": {
28
- "Text": "Restricting public access to the Kubernetes API endpoint managed by the EKS cluster is a security best practice that helps protect your cluster from unauthorized access and potential security threats. By not allowing public access to the cluster's Kubernetes API endpoint, you ensure that only authorized entities can interact with your Amazon EKS cluster.",
29
- "Url": "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html"
36
+ "Text": "Prefer **private endpoint access** and avoid broad exposure. *If public access is required*, restrict to trusted admin CIDRs (not `0.0.0.0/0`), reach the API via **VPN/Direct Connect or bastions**, and enforce **least privilege** with IAM/RBAC. Apply **defense in depth** through network segmentation and continuous monitoring.",
37
+ "Url": "https://hub.prowler.com/check/eks_cluster_not_publicly_accessible"
30
38
  }
31
39
  },
32
40
  "Categories": [
33
- "internet-exposed"
41
+ "internet-exposed",
42
+ "cluster-security"
34
43
  ],
35
44
  "DependsOn": [],
36
45
  "RelatedTo": [],
@@ -1,33 +1,39 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "eks_cluster_private_nodes_enabled",
4
- "CheckTitle": "Ensure Clusters are created with Private Nodes",
4
+ "CheckTitle": "EKS cluster has private endpoint access enabled",
5
5
  "CheckType": [
6
- "Security",
7
- "Configuration"
6
+ "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
7
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
8
+ "TTPs/Initial Access/Unauthorized Access"
8
9
  ],
9
10
  "ServiceName": "eks",
10
11
  "SubServiceName": "",
11
12
  "ResourceIdTemplate": "",
12
13
  "Severity": "high",
13
14
  "ResourceType": "AwsEksCluster",
14
- "Description": "Ensure that clusters are created with private nodes, disabling public IP addresses for cluster nodes. Private nodes have no public IP addresses, restricting access to internal networks and enhancing security.",
15
- "Risk": "Without private nodes, cluster nodes may have public IP addresses, increasing the attack surface and exposing them to potential threats from the internet.",
16
- "RelatedUrl": "https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html",
15
+ "Description": "**Amazon EKS cluster** has **private endpoint access** enabled for the **Kubernetes API server**, allowing control plane traffic to use a VPC-resolved private endpoint.\n\nThe check evaluates the cluster's `endpointPrivateAccess` setting.",
16
+ "Risk": "Without **private endpoint access**, the API server is exposed on the public internet. This expands attack surface and weakens **confidentiality** and **integrity**: stolen creds or mis-scoped CIDRs can enable unauthorized API calls, secret reads, pod deployments, and config changes. **Availability** also depends on internet egress, increasing failure modes.",
17
+ "RelatedUrl": "",
18
+ "AdditionalURLs": [
19
+ "https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html",
20
+ "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html"
21
+ ],
17
22
  "Remediation": {
18
23
  "Code": {
19
- "CLI": "aws eks update-cluster-config --region region-code --name my-cluster --resources-vpc-config endpointPrivateAccess=true",
20
- "NativeIaC": "",
21
- "Other": "",
22
- "Terraform": ""
24
+ "CLI": "aws eks update-cluster-config --region <REGION> --name <CLUSTER_NAME> --resources-vpc-config endpointPrivateAccess=true",
25
+ "NativeIaC": "```yaml\n# CloudFormation: Enable private endpoint access for an EKS cluster\nResources:\n <example_resource_name>:\n Type: AWS::EKS::Cluster\n Properties:\n RoleArn: <example_resource_id>\n ResourcesVpcConfig:\n SubnetIds:\n - <example_resource_id>\n EndpointPrivateAccess: true # Critical: enables private endpoint access to pass the check\n```",
26
+ "Other": "1. In the AWS Console, open Amazon EKS and select your cluster\n2. Go to the Networking tab\n3. Click Edit next to Cluster endpoint access\n4. Enable Private access\n5. Click Save",
27
+ "Terraform": "```hcl\n# Terraform: Enable private endpoint access for an EKS cluster\nresource \"aws_eks_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_resource_id>\"\n\n vpc_config {\n subnet_ids = [\"<example_resource_id>\"]\n endpoint_private_access = true # Critical: enables private API endpoint access to pass the check\n }\n}\n```"
23
28
  },
24
29
  "Recommendation": {
25
- "Text": "Update the cluster configuration to enable private nodes, disabling public IP addresses for cluster nodes.",
26
- "Url": "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html"
30
+ "Text": "Enable **private endpoint access** and disable or tightly restrict the public endpoint.\n\nRequire administration from private networks, enforce **least privilege** with IAM/RBAC, and apply **defense in depth** via segmentation and logging. *If external access is needed*, allow only specific CIDRs and monitor API activity.",
31
+ "Url": "https://hub.prowler.com/check/eks_cluster_private_nodes_enabled"
27
32
  }
28
33
  },
29
34
  "Categories": [
30
- "internet-exposed"
35
+ "internet-exposed",
36
+ "trust-boundaries"
31
37
  ],
32
38
  "DependsOn": [],
33
39
  "RelatedTo": [],
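Review bot: The rewritten Description and CheckTitle describe the API server's `endpointPrivateAccess` flag, but the CheckID is still `eks_cluster_private_nodes_enabled` and the removed text described worker nodes without public IP addresses, which is a different control. If the check code (not in this diff) really evaluates the endpoint flag, the new wording is accurate but the identifier now misleads; a sentence in Description such as `Note: despite the check name, this control evaluates the API server endpoint setting, not node public IP assignment.` would close the gap. The remediation also only turns private access on; unless `endpointPublicAccess` is disabled or restricted, the API server remains reachable from the internet, which is what the sibling `eks_cluster_not_publicly_accessible` covers, so the `Other` steps should say that this step alone does not remove public exposure.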
@@ -1,26 +1,35 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "eks_cluster_uses_a_supported_version",
4
- "CheckTitle": "Ensure Kubernetes cluster runs on a supported Kubernetes version",
5
- "CheckType": [],
4
+ "CheckTitle": "EKS cluster uses a supported Kubernetes version",
5
+ "CheckType": [
6
+ "Software and Configuration Checks/Patch Management",
7
+ "Software and Configuration Checks/AWS Security Best Practices",
8
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
9
+ ],
6
10
  "ServiceName": "eks",
7
11
  "SubServiceName": "",
8
- "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
12
+ "ResourceIdTemplate": "",
9
13
  "Severity": "high",
10
14
  "ResourceType": "AwsEksCluster",
11
- "Description": "Ensure Kubernetes cluster runs on a supported Kubernetes version",
12
- "Risk": "Running an Amazon EKS cluster on an unsupported Kubernetes version exposes it to common security vulnerabilities",
13
- "RelatedUrl": "https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html",
15
+ "Description": "Amazon EKS clusters use a **supported Kubernetes version** at or above the defined baseline (e.g., `1.28+`). The evaluation compares each cluster's Kubernetes minor version to the minimum supported level and highlights clusters running below that baseline.",
16
+ "Risk": "Running an **unsupported Kubernetes version** removes upstream and EKS security fixes, exposing clusters to known CVEs and privilege escalation bugs (**confidentiality/integrity**). Deprecated or removed APIs can break controllers and add-ons, causing outages (**availability**).",
17
+ "RelatedUrl": "",
18
+ "AdditionalURLs": [
19
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/kubernetes-version.html",
20
+ "https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-2",
21
+ "https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html"
22
+ ],
14
23
  "Remediation": {
15
24
  "Code": {
16
- "CLI": "aws eks update-cluster-version --region <region> --name <cluster_name> --kubernetes-version <latest_supported_version>",
17
- "NativeIaC": "",
18
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/kubernetes-version.html",
19
- "Terraform": ""
25
+ "CLI": "aws eks update-cluster-version --name <cluster_name> --kubernetes-version <supported_version>",
26
+ "NativeIaC": "```yaml\n# CloudFormation: update EKS cluster to a supported Kubernetes version\nResources:\n <example_resource_name>:\n Type: AWS::EKS::Cluster\n Properties:\n Name: <example_resource_name>\n RoleArn: <example_role_arn>\n ResourcesVpcConfig:\n SubnetIds: [\"<example_subnet_id>\"]\n Version: \"<supported_version>\" # Critical: set a supported Kubernetes version to pass the check\n```",
27
+ "Other": "1. Open the AWS Management Console and go to Amazon EKS\n2. Select your cluster (<cluster_name>)\n3. Click Update (or Edit) next to Kubernetes version\n4. Choose a supported version (>= required) and confirm the update\n5. Wait for the control plane update to complete",
28
+ "Terraform": "```hcl\n# Terraform: update EKS cluster to a supported Kubernetes version\nresource \"aws_eks_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n role_arn = \"<example_role_arn>\"\n\n version = \"<supported_version>\" # Critical: set a supported Kubernetes version to pass the check\n\n vpc_config {\n subnet_ids = [\"<example_subnet_id>\"]\n }\n}\n```"
20
29
  },
21
30
  "Recommendation": {
22
- "Text": "If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that is supported by EKS for your clusters.",
23
- "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-2"
31
+ "Text": "Adopt a **version management policy**: keep clusters on a supported minor version, schedule regular upgrades, and test workloads for API deprecations. Upgrade nodes and add-ons with the control plane. Track EKS releases, automate drift alerts, and favor **defense in depth** over deprecated features.",
32
+ "Url": "https://hub.prowler.com/check/eks_cluster_uses_a_supported_version"
24
33
  }
25
34
  },
26
35
  "Categories": [
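Review bot: The new Description hard-codes a baseline example, `1.28+`, that EKS retires on its own schedule, so the text will drift from what the check actually enforces while the removed wording avoided naming a version. I would drop the parenthetical or phrase it as `at or above the configured minimum supported version` and leave the concrete value to the configuration the check reads, which is not visible in this diff. The `Other` step 4 has the same problem with `(>= required)` and could point at that same configured minimum instead.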
@@ -1,33 +1,40 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "eks_control_plane_logging_all_types_enabled",
4
- "CheckTitle": "Ensure EKS Control Plane Logging is enabled for all required log types",
4
+ "CheckTitle": "EKS cluster has control plane logging enabled for api, audit, authenticator, controllerManager, and scheduler",
5
5
  "CheckType": [
6
- "Logging and Monitoring"
6
+ "Software and Configuration Checks/AWS Security Best Practices",
7
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
7
8
  ],
8
9
  "ServiceName": "eks",
9
10
  "SubServiceName": "",
10
- "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
11
+ "ResourceIdTemplate": "",
11
12
  "Severity": "medium",
12
13
  "ResourceType": "AwsEksCluster",
13
- "Description": "Ensure EKS Control Plane Logging is enabled for all required log types",
14
- "Risk": "If logs are not enabled, monitoring of service use or threat analysis is not possible.",
14
+ "Description": "**Amazon EKS clusters** are evaluated for **control plane logging** coverage of required types: `api`, `audit`, `authenticator`, `controllerManager`, `scheduler`.\n\nThe finding identifies clusters where any of these log types are not configured.",
15
+ "Risk": "Gaps in **control plane logging** reduce visibility across the cluster.\n- Confidentiality: undetected API access, RBAC abuse, token misuse\n- Integrity: untraceable config changes and policy edits\n- Availability: scheduler/controller issues lack evidence, delaying recovery and masking attacker persistence",
15
16
  "RelatedUrl": "",
17
+ "AdditionalURLs": [
18
+ "https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html",
19
+ "https://support.icompaas.com/support/solutions/articles/62000233623-ensure-eks-control-plane-logging-is-enabled-for-all-required-log-types",
20
+ "https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html",
21
+ "https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/kubernetes-eks-logging.html"
22
+ ],
16
23
  "Remediation": {
17
24
  "Code": {
18
- "CLI": "aws eks update-cluster-config --region <region_name> --name <cluster_name> --logging '{\"clusterLogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"],\"enabled\":true}]}'",
19
- "NativeIaC": "",
20
- "Other": "https://docs.prowler.com/checks/aws/kubernetes-policies-1/bc_aws_kubernetes_4#aws-console",
21
- "Terraform": "https://docs.prowler.com/checks/aws/kubernetes-policies-1/bc_aws_kubernetes_4#fix---buildtime"
25
+ "CLI": "aws eks update-cluster-config --name <cluster_name> --logging '{\"clusterLogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"],\"enabled\":true}]}'",
26
+ "NativeIaC": "```yaml\n# CloudFormation: enable all EKS control plane log types\nResources:\n <example_resource_name>:\n Type: AWS::EKS::Cluster\n Properties:\n RoleArn: <example_role_arn>\n ResourcesVpcConfig:\n SubnetIds: [<example_subnet_id>]\n Logging:\n ClusterLogging:\n - EnabledTypes:\n - Type: api # Critical: enable required control plane log types\n - Type: audit # Critical: enable required control plane log types\n - Type: authenticator # Critical: enable required control plane log types\n - Type: controllerManager # Critical: enable required control plane log types\n - Type: scheduler # Critical: enable required control plane log types\n```",
27
+ "Other": "1. In the AWS console, go to Amazon EKS and open your cluster\n2. Open the Observability (or Logging) tab and click Manage logging\n3. Turn on: api, audit, authenticator, controllerManager, scheduler\n4. Click Save changes",
28
+ "Terraform": "```hcl\n# Enable all required EKS control plane log types\nresource \"aws_eks_cluster\" \"<example_resource_name>\" {\n enabled_cluster_log_types = [\n \"api\", # Critical: required control plane log types\n \"audit\", # Critical: required control plane log types\n \"authenticator\", # Critical: required control plane log types\n \"controllerManager\", # Critical: required control plane log types\n \"scheduler\" # Critical: required control plane log types\n ]\n}\n```"
22
29
  },
23
30
  "Recommendation": {
24
- "Text": "Make sure logging for EKS control plane is enabled for all required log types.",
25
- "Url": "https://docs.aws.amazon.com/eks/latest/userguide/logging-monitoring.html"
31
+ "Text": "Enable and standardize **EKS control plane logging** for all required types `[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"]`.\n\nApply least privilege to log access, set retention and alerts, and centralize analysis to support defense in depth, rapid detection, and reliable forensics.",
32
+ "Url": "https://hub.prowler.com/check/eks_control_plane_logging_all_types_enabled"
26
33
  }
27
34
  },
28
35
  "Categories": [
29
- "forensics-ready",
30
- "logging"
36
+ "logging",
37
+ "forensics-ready"
31
38
  ],
32
39
  "DependsOn": [],
33
40
  "RelatedTo": [],
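Review bot: The new Terraform remediation declares `aws_eks_cluster` with only `enabled_cluster_log_types`, whereas the sibling snippets in this diff carry the required `name`, `role_arn` and `vpc_config` arguments, so as written it would not apply on its own. Either add those arguments with the same `<example_...>` placeholders, or mark the omission inside the block with a comment such as `# ... other required arguments (name, role_arn, vpc_config) unchanged` so a reader does not copy a fragment as a complete resource. The reordering of the two Categories entries is cosmetic and needs no change.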
@@ -1,26 +1,34 @@
1
1
  {
2
2
  "Provider": "aws",
3
3
  "CheckID": "elasticache_cluster_uses_public_subnet",
4
- "CheckTitle": "Ensure Elasticache Cluster is not using a public subnet",
5
- "CheckType": [],
4
+ "CheckTitle": "ElastiCache cluster is not using public subnets",
5
+ "CheckType": [
6
+ "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
7
+ "Industry and Regulatory Standards/AWS Foundational Security Best Practices",
8
+ "Effects/Data Exposure"
9
+ ],
6
10
  "ServiceName": "elasticache",
7
11
  "SubServiceName": "",
8
- "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
12
+ "ResourceIdTemplate": "",
9
13
  "Severity": "medium",
10
14
  "ResourceType": "Other",
11
- "Description": "Ensure Elasticache Cluster is not using a public subnet",
12
- "Risk": "There is a risk of exposing sensitive data if Elasticache Cluster uses a public subnet.",
13
- "RelatedUrl": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.html",
15
+ "Description": "**ElastiCache resources** (Redis nodes and Memcached clusters) are assessed for placement in **public subnets**.\n\nThe finding identifies cache subnet groups that include subnets configured with Internet routing instead of private-only subnets.",
16
+ "Risk": "Hosting caches in **public subnets** can permit direct or misconfigured Internet access, impacting CIA:\n- Confidentiality: unauthorized reads and key dumps\n- Integrity: cache poisoning or key tampering\n- Availability: scanning and DDoS\n\nAttackers may pivot from the cache to **lateral movement** within the VPC.",
17
+ "RelatedUrl": "",
18
+ "AdditionalURLs": [
19
+ "https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SubnetGroups.html",
20
+ "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.html"
21
+ ],
14
22
  "Remediation": {
15
23
  "Code": {
16
- "CLI": "aws elasticache modify-cache-cluster --cache-cluster-id my-elasticache-cluster --cache-subnet-group-name my-private-subnet-group",
17
- "NativeIaC": "",
18
- "Other": "",
19
- "Terraform": ""
24
+ "CLI": "aws elasticache modify-cache-cluster --cache-cluster-id <example_resource_id> --cache-subnet-group-name <example_resource_name> --apply-immediately",
25
+ "NativeIaC": "```yaml\n# CloudFormation: move ElastiCache into private subnets via a private subnet group\nResources:\n PrivateCacheSubnetGroup:\n Type: AWS::ElastiCache::SubnetGroup\n Properties:\n Description: Private subnets only\n SubnetIds:\n - <example_resource_id> # private subnet\n - <example_resource_id> # private subnet\n\n CacheCluster:\n Type: AWS::ElastiCache::CacheCluster\n Properties:\n CacheClusterId: <example_resource_id>\n Engine: redis\n CacheNodeType: cache.t3.micro\n NumCacheNodes: 1\n CacheSubnetGroupName: !Ref PrivateCacheSubnetGroup # CRITICAL: forces the cluster to use only private subnets\n```",
26
+ "Other": "1. In the AWS Console, go to ElastiCache > Subnet groups\n2. Click Create cache subnet group and select only private subnets (no route to an Internet Gateway)\n3. Go to ElastiCache > Redis or Memcached, select your cluster\n4. Click Modify, set Subnet group to the private subnet group\n5. Check Apply immediately and click Modify to save",
27
+ "Terraform": "```hcl\n# Terraform: ensure the cluster uses a subnet group with only private subnets\nresource \"aws_elasticache_subnet_group\" \"private\" {\n name = \"<example_resource_name>\"\n subnet_ids = [\"<example_resource_id>\", \"<example_resource_id>\"] # private subnets only\n}\n\nresource \"aws_elasticache_cluster\" \"cache\" {\n cluster_id = \"<example_resource_id>\"\n engine = \"redis\"\n node_type = \"cache.t3.micro\"\n num_cache_nodes = 1\n subnet_group_name = aws_elasticache_subnet_group.private.name # CRITICAL: restricts cluster to private subnets\n}\n```"
20
28
  },
21
29
  "Recommendation": {
22
- "Text": "To ensure your Elasticache cluster is not using a public subnet, follow the recommended remediation steps based on your preferred method.",
23
- "Url": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.html"
30
+ "Text": "Place caches in **private subnets** only and ensure route tables lack Internet egress. Apply **least privilege** with tight **security groups** limited to required ports and trusted sources.\n\nFor external access, use **VPC peering**, **VPN**, or **PrivateLink**. Enable encryption in transit and Redis `AUTH` for layered controls.",
31
+ "Url": "https://hub.prowler.com/check/elasticache_cluster_uses_public_subnet"
24
32
  }
25
33
  },
26
34
  "Categories": [
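Review bot: The second new `CheckType` entry, `Industry and Regulatory Standards/AWS Foundational Security Best Practices`, lacks the `Software and Configuration Checks/` prefix that every other rewritten metadata in this diff uses for the same taxonomy path (see the eks hunks above); it should read `"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"`. Separately, the kept-and-extended CLI command passes `--cache-subnet-group-name` to `modify-cache-cluster`; as far as I recall the subnet group of an existing ElastiCache cluster cannot be changed in place (the Terraform `subnet_group_name` argument forces replacement for the same reason), so the CLI, console and Terraform steps all imply recreating the cluster. Please verify against the current CLI reference and, if so, state that in the `Other` steps so operators plan for data loss or a snapshot restore.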