prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- dashboard/__main__.py +2 -1
- dashboard/compliance/c5_azure.py +43 -0
- dashboard/compliance/fedramp_20x_ksi_low_aws.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_azure.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_gcp.py +46 -0
- dashboard/compliance/hipaa_gcp.py +25 -0
- dashboard/compliance/nist_csf_2_0_aws.py +24 -0
- dashboard/compliance/prowler_threatscore_kubernetes.py +28 -0
- prowler/AGENTS.md +366 -0
- prowler/CHANGELOG.md +93 -2
- prowler/__main__.py +54 -7
- prowler/compliance/aws/ens_rd2022_aws.json +1 -1
- prowler/compliance/aws/fedramp_20x_ksi_low_aws.json +347 -0
- prowler/compliance/aws/nis2_aws.json +1 -1
- prowler/compliance/aws/nist_csf_2.0_aws.json +1781 -0
- prowler/compliance/azure/c5_azure.json +9471 -0
- prowler/compliance/azure/ens_rd2022_azure.json +1 -1
- prowler/compliance/azure/fedramp_20x_ksi_low_azure.json +358 -0
- prowler/compliance/azure/nis2_azure.json +1 -1
- prowler/compliance/gcp/c5_gcp.json +9401 -0
- prowler/compliance/gcp/ens_rd2022_gcp.json +1 -1
- prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json +293 -0
- prowler/compliance/gcp/hipaa_gcp.json +415 -0
- prowler/compliance/gcp/nis2_gcp.json +1 -1
- prowler/compliance/github/cis_1.0_github.json +6 -2
- prowler/compliance/kubernetes/prowler_threatscore_kubernetes.json +1269 -0
- prowler/compliance/m365/prowler_threatscore_m365.json +6 -6
- prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json} +1 -1
- prowler/config/config.py +59 -5
- prowler/config/config.yaml +3 -0
- prowler/lib/check/check.py +1 -9
- prowler/lib/check/checks_loader.py +65 -1
- prowler/lib/check/models.py +12 -2
- prowler/lib/check/utils.py +1 -7
- prowler/lib/cli/parser.py +17 -7
- prowler/lib/mutelist/mutelist.py +15 -7
- prowler/lib/outputs/compliance/c5/c5_azure.py +92 -0
- prowler/lib/outputs/compliance/c5/c5_gcp.py +92 -0
- prowler/lib/outputs/compliance/c5/models.py +54 -0
- prowler/lib/outputs/compliance/cis/{cis_oci.py → cis_oraclecloud.py} +7 -7
- prowler/lib/outputs/compliance/cis/models.py +3 -3
- prowler/lib/outputs/compliance/prowler_threatscore/models.py +29 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_kubernetes.py +98 -0
- prowler/lib/outputs/finding.py +16 -5
- prowler/lib/outputs/html/html.py +10 -8
- prowler/lib/outputs/outputs.py +1 -1
- prowler/lib/outputs/summary_table.py +1 -1
- prowler/lib/powershell/powershell.py +12 -11
- prowler/lib/scan/scan.py +105 -24
- prowler/lib/utils/utils.py +1 -1
- prowler/providers/aws/aws_regions_by_service.json +73 -15
- prowler/providers/aws/lib/quick_inventory/quick_inventory.py +1 -1
- prowler/providers/aws/lib/security_hub/security_hub.py +1 -1
- prowler/providers/aws/services/account/account_service.py +1 -1
- prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +1 -3
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +24 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +17 -11
- prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.metadata.json +22 -17
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json +27 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +25 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.metadata.json +17 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +27 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +26 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +25 -12
- prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json +20 -11
- prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +28 -12
- prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json +15 -10
- prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json +19 -11
- prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json +21 -12
- prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json +19 -12
- prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json +24 -13
- prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json +35 -13
- prowler/providers/aws/services/codepipeline/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_client.py +6 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json +30 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py +95 -0
- prowler/providers/aws/services/codepipeline/codepipeline_service.py +164 -0
- prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json +23 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json +19 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json +20 -10
- prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json +26 -13
- prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json +20 -10
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json +18 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json +16 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json +20 -12
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +17 -10
- prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json +19 -12
- prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json +16 -11
- prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json +22 -13
- prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json +19 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json +21 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json +22 -12
- prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.metadata.json +20 -12
- prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.metadata.json +21 -11
- prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.metadata.json +20 -11
- prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.metadata.json +20 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.metadata.json +21 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.metadata.json +26 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.metadata.json +19 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json +16 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.metadata.json +21 -14
- prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_deletion_protection_enabled/eks_cluster_deletion_protection_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.metadata.json +20 -14
- prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.metadata.json +22 -13
- prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json +21 -12
- prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json +20 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.metadata.json +22 -14
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.metadata.json +20 -11
- prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json +17 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json +17 -11
- prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.metadata.json +22 -13
- prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.metadata.json +24 -13
- prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.metadata.json +20 -10
- prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.metadata.json +20 -12
- prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json +19 -12
- prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.metadata.json +19 -11
- prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.metadata.json +21 -13
- prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.metadata.json +19 -11
- prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.metadata.json +21 -12
- prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json +17 -10
- prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.metadata.json +22 -13
- prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.metadata.json +16 -11
- prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.metadata.json +21 -13
- prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.metadata.json +24 -11
- prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.metadata.json +18 -11
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +26 -13
- prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json +21 -11
- prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json +24 -13
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +26 -14
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.metadata.json +26 -15
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +15 -16
- prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json +23 -11
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json +19 -12
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json +17 -12
- prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json +22 -13
- prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json +21 -12
- prowler/providers/aws/services/iam/lib/policy.py +24 -16
- prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json +21 -13
- prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json +22 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +7 -2
- prowler/providers/azure/services/defender/defender_service.py +4 -2
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/__init__.py +0 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +36 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py +43 -0
- prowler/providers/azure/services/postgresql/postgresql_service.py +66 -9
- prowler/providers/azure/services/storage/storage_service.py +13 -4
- prowler/providers/azure/services/vm/vm_service.py +4 -7
- prowler/providers/common/arguments.py +19 -16
- prowler/providers/common/provider.py +2 -18
- prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json +16 -15
- prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +30 -4
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py +61 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json +12 -9
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py +10 -3
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py +40 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py +31 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json +35 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py +55 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py +30 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +48 -2
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json +35 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py +36 -0
- prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json +14 -8
- prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json +30 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py +106 -0
- prowler/providers/github/services/organization/organization_service.py +84 -10
- prowler/providers/iac/iac_provider.py +279 -55
- prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json +16 -12
- prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json +16 -10
- prowler/providers/m365/lib/powershell/m365_powershell.py +80 -93
- prowler/providers/m365/m365_provider.py +1 -6
- prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.py +17 -21
- prowler/providers/m365/services/exchange/exchange_service.py +18 -12
- prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py +9 -7
- prowler/providers/mongodbatlas/exceptions/exceptions.py +16 -0
- prowler/providers/mongodbatlas/mongodbatlas_provider.py +15 -3
- prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json +20 -9
- prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json +14 -9
- prowler/providers/oraclecloud/lib/arguments/arguments.py +4 -13
- prowler/providers/oraclecloud/lib/service/service.py +3 -3
- prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py} +15 -15
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +20 -16
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +17 -17
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +17 -19
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +18 -18
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +17 -18
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +1 -1
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +1 -1
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/METADATA +17 -16
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/RECORD +298 -249
- /prowler/compliance/{oci → oraclecloud}/__init__.py +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/entry_points.txt +0 -0
|
@@ -1,26 +1,34 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "emr_cluster_account_public_block_enabled",
|
|
4
|
-
"CheckTitle": "EMR
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "EMR account has Block Public Access enabled",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
|
8
|
+
],
|
|
6
9
|
"ServiceName": "emr",
|
|
7
10
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
9
12
|
"Severity": "high",
|
|
10
|
-
"ResourceType": "
|
|
11
|
-
"Description": "EMR
|
|
12
|
-
"Risk": "EMR
|
|
13
|
-
"RelatedUrl": "
|
|
13
|
+
"ResourceType": "Other",
|
|
14
|
+
"Description": "Amazon EMR account-level **Block Public Access** configuration is assessed per Region. When `BlockPublicSecurityGroupRules` is enabled, clusters cannot use security groups that allow inbound public sources (`0.0.0.0/0`, `::/0`) except on permitted ports.",
|
|
15
|
+
"Risk": "Public EMR-facing rules enable Internet reachability to cluster nodes and UIs, inviting brute force and remote exploits.\n\nAttackers can exfiltrate job data, alter processing, or pivot into the VPC, degrading **confidentiality**, **integrity**, and **availability** through data theft, tampering, and service disruption.",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EMR/block-public-access.html",
|
|
19
|
+
"https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
|
|
20
|
+
"https://github.com/cloudmatos/matos/tree/master/remediations/aws/emr/block-emr-public-access"
|
|
21
|
+
],
|
|
14
22
|
"Remediation": {
|
|
15
23
|
"Code": {
|
|
16
|
-
"CLI": "",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"Other": "
|
|
19
|
-
"Terraform": ""
|
|
24
|
+
"CLI": "aws emr put-block-public-access-configuration --block-public-access-configuration BlockPublicSecurityGroupRules=true",
|
|
25
|
+
"NativeIaC": "```yaml\n# CloudFormation: Enable EMR Block Public Access (account/Region level)\nResources:\n EmrBpaRole:\n Type: AWS::IAM::Role\n Properties:\n AssumeRolePolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n Service: lambda.amazonaws.com\n Action: sts:AssumeRole\n Policies:\n - PolicyName: EmrBpaPut\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action: elasticmapreduce:PutBlockPublicAccessConfiguration\n Resource: \"*\"\n\n EmrBpaFunction:\n Type: AWS::Lambda::Function\n Properties:\n Role: !GetAtt EmrBpaRole.Arn\n Runtime: python3.12\n Handler: index.handler\n Code:\n ZipFile: |\n import boto3, json, urllib.request\n def handler(event, context):\n try:\n boto3.client('emr').put_block_public_access_configuration(\n BlockPublicAccessConfiguration={\n 'BlockPublicSecurityGroupRules': True # CRITICAL: enables EMR Block Public Access\n }\n )\n status='SUCCESS'\n except Exception:\n status='FAILED'\n body=json.dumps({\n 'Status': status,\n 'PhysicalResourceId': 'EmrBPA', # respond to CFN\n 'StackId': event['StackId'],\n 'RequestId': event['RequestId'],\n 'LogicalResourceId': event['LogicalResourceId']\n }).encode()\n req=urllib.request.Request(event['ResponseURL'], data=body, method='PUT')\n req.add_header('content-type','')\n req.add_header('content-length',str(len(body)))\n urllib.request.urlopen(req)\n\n EmrBpa:\n Type: Custom::EmrBpa\n Properties:\n ServiceToken: !GetAtt EmrBpaFunction.Arn # Invokes Lambda to apply the setting\n```",
|
|
26
|
+
"Other": "1. In the AWS Console, go to Amazon EMR\n2. Select the target Region (top-right)\n3. In the left menu under \"EMR on EC2\", click \"Block public access\"\n4. Click \"Edit\" and choose \"Turn on\"\n5. Click \"Save\"",
|
|
27
|
+
"Terraform": "```hcl\n# Enable EMR Block Public Access (account/Region level)\nresource \"aws_emr_block_public_access_configuration\" \"example_resource_name\" {\n block_public_security_group_rules = true # CRITICAL: enables Block Public Access\n}\n```"
|
|
20
28
|
},
|
|
21
29
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
30
|
+
"Text": "Keep EMR **Block Public Access** enabled and minimize exceptions; allow only required ports and restrict sources.\n\nApply **least privilege** on security groups, place clusters in private subnets, and use bastion hosts or Session Manager. Combine with **VPC** controls and monitoring for **defense in depth**.",
|
|
31
|
+
"Url": "https://hub.prowler.com/check/emr_cluster_account_public_block_enabled"
|
|
24
32
|
}
|
|
25
33
|
},
|
|
26
34
|
"Categories": [
|
|
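Review bot: The CloudFormation remediation in `NativeIaC` grants the custom-resource Lambda only `elasticmapreduce:PutBlockPublicAccessConfiguration`, so the function has no CloudWatch Logs permissions and a `FAILED` response cannot be diagnosed from logs; adding `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` to the role policy would fix that. The handler also applies the setting on every `RequestType`, including `Delete`, so stack deletion re-enables Block Public Access rather than being a no-op — presumably intended, but worth a comment in the snippet such as `# runs on Create/Update/Delete alike; BPA stays enabled after stack removal`. The Description mentions "permitted ports", yet neither the `CLI`, the IaC nor the console steps mention `PermittedPublicSecurityGroupRuleRanges`, so a reader cannot tell which exceptions remain after remediation; one sentence in `Other` or `Text` asking the operator to review the permitted ranges would close that gap.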
@@ -2,28 +2,41 @@
|
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "emr_cluster_master_nodes_no_public_ip",
|
|
4
4
|
"CheckTitle": "EMR Cluster without Public IP.",
|
|
5
|
-
"CheckType": [
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"TTPs/Initial Access"
|
|
9
|
+
],
|
|
6
10
|
"ServiceName": "emr",
|
|
7
11
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
9
13
|
"Severity": "medium",
|
|
10
14
|
"ResourceType": "Other",
|
|
11
|
-
"Description": "EMR
|
|
12
|
-
"Risk": "EMR
|
|
13
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "**Amazon EMR clusters** in non-terminated states are assessed for **public IP assignment** on cluster nodes (primary and workers). The finding identifies clusters whose instances are reachable via public IPs rather than private VPC addresses.",
|
|
16
|
+
"Risk": "**Publicly reachable EMR nodes** expose admin UIs and SSH to the Internet, enabling brute force and service exploits. A compromised primary node can alter jobs and exfiltrate data from S3/HDFS, degrading **confidentiality** and **integrity**, and disrupt workloads, impacting **availability**.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-vpc-subnet.html",
|
|
20
|
+
"https://aws.amazon.com/blogs/aws/new-launch-amazon-emr-clusters-in-private-subnets/",
|
|
21
|
+
"https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html",
|
|
22
|
+
"https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-clusters-in-a-vpc.html",
|
|
23
|
+
"https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-vpc-launching-job-flows.html"
|
|
24
|
+
],
|
|
14
25
|
"Remediation": {
|
|
15
26
|
"Code": {
|
|
16
27
|
"CLI": "",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"Other": "",
|
|
19
|
-
"Terraform": ""
|
|
28
|
+
"NativeIaC": "```yaml\n# CloudFormation: Launch EMR in a private subnet (no public IPs)\nResources:\n <example_resource_name>:\n Type: AWS::EMR::Cluster\n Properties:\n Name: <example_resource_name>\n ReleaseLabel: emr-6.10.0\n ServiceRole: EMR_DefaultRole\n JobFlowRole: EMR_EC2_DefaultRole\n Instances:\n Ec2SubnetId: <example_resource_id> # CRITICAL: use a PRIVATE subnet to prevent public IPs\n InstanceGroups:\n - InstanceRole: MASTER\n InstanceType: m5.xlarge\n InstanceCount: 1\n - InstanceRole: CORE\n InstanceType: m5.xlarge\n InstanceCount: 1\n```",
|
|
29
|
+
"Other": "1. In the AWS Console, go to EMR > Clusters, select the non-compliant cluster (with Public IP) and choose Terminate.\n2. Click Create cluster.\n3. Under Networking, select your VPC and choose a private Subnet (no auto-assign public IPv4).\n4. Create the cluster. Its instances will launch without public IPs.",
|
|
30
|
+
"Terraform": "```hcl\n# Terraform: Launch EMR in a private subnet (no public IPs)\nresource \"aws_emr_cluster\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n release_label = \"emr-6.10.0\"\n master_instance_type = \"m5.xlarge\"\n core_instance_type = \"m5.xlarge\"\n\n service_role = \"EMR_DefaultRole\"\n ec2_attributes {\n instance_profile = \"EMR_EC2_DefaultRole\"\n subnet_id = \"<example_resource_id>\" # CRITICAL: private subnet ensures no public IPs\n }\n}\n```"
|
|
20
31
|
},
|
|
21
32
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
33
|
+
"Text": "Run EMR in **private subnets** without public IPs. Use **VPC endpoints** for AWS services and **NAT** only when needed. Enforce **least privilege** security groups, avoid `0.0.0.0/0`, and prefer **SSM** or a bastion for admin access. Keep **EMR block public access** enabled and favor **private connectivity** for external dependencies.",
|
|
34
|
+
"Url": "https://hub.prowler.com/check/emr_cluster_master_nodes_no_public_ip"
|
|
24
35
|
}
|
|
25
36
|
},
|
|
26
|
-
"Categories": [
|
|
37
|
+
"Categories": [
|
|
38
|
+
"internet-exposed"
|
|
39
|
+
],
|
|
27
40
|
"DependsOn": [],
|
|
28
41
|
"RelatedTo": [],
|
|
29
42
|
"Notes": ""
|
|
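Review bot: The `Other` console steps tell the operator to terminate the non-compliant cluster first and only then create the replacement, which turns a network-exposure fix into a planned outage; creating the private-subnet cluster first, cutting over, and terminating the old one last is the safer order, e.g. step 1 `Create a replacement cluster in a private subnet (steps 2-4), migrate workloads, then terminate the cluster with the public IP`. The `CheckTitle` keeps its trailing period (`EMR Cluster without Public IP.`) while the sibling EMR titles rewritten in this release drop it, and `CLI` is left as `""` although every other remediation field was filled in.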
@@ -1,26 +1,33 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "emr_cluster_publicly_accesible",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "EMR cluster is not publicly accessible",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"TTPs/Initial Access"
|
|
9
|
+
],
|
|
6
10
|
"ServiceName": "emr",
|
|
7
11
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
9
13
|
"Severity": "medium",
|
|
10
14
|
"ResourceType": "Other",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "EMR
|
|
13
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "**Amazon EMR clusters** are assessed for **public network exposure** by examining master and core/task node security groups for inbound rules that allow any source (`0.0.0.0/0` or `::/0`).\n\nOnly active clusters are considered, and findings identify exposure via the specific security groups attached to the cluster nodes.",
|
|
16
|
+
"Risk": "**Open Internet ingress** to EMR nodes enables direct access to services and UIs, facilitating brute force, RCE, and data theft. Adversaries can pivot inside the VPC, alter jobs and outputs (**integrity**), exfiltrate datasets (**confidentiality**), or abuse compute for mining, degrading **availability**.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html"
|
|
20
|
+
],
|
|
14
21
|
"Remediation": {
|
|
15
22
|
"Code": {
|
|
16
23
|
"CLI": "",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"Other": "",
|
|
19
|
-
"Terraform": "
|
|
24
|
+
"NativeIaC": "```yaml\n# CloudFormation: Security Group without public ingress for EMR nodes\nResources:\n <example_resource_name>:\n Type: AWS::EC2::SecurityGroup\n Properties:\n GroupDescription: SG for EMR without public access\n VpcId: <example_resource_id>\n SecurityGroupIngress:\n - IpProtocol: tcp\n FromPort: 22\n ToPort: 22\n CidrIp: 10.0.0.0/8 # CRITICAL: restrict source; do not use 0.0.0.0/0 or ::/0 to avoid public access\n```",
|
|
25
|
+
"Other": "1. In AWS Console, go to EMR > Clusters and open the affected cluster\n2. In the cluster details, note the Security Groups for Master and Core/Task under Network and security\n3. Open the EC2 Console > Security Groups and select each noted group\n4. Edit Inbound rules and remove any rule with Source 0.0.0.0/0 or ::/0\n5. If access is required, re-add only from specific CIDR(s) you control, then Save",
|
|
26
|
+
"Terraform": "```hcl\n# Restrict EMR SG ingress to avoid 0.0.0.0/0 or ::/0\nresource \"aws_security_group_rule\" \"<example_resource_name>\" {\n type = \"ingress\"\n from_port = 22\n to_port = 22\n protocol = \"tcp\"\n security_group_id = \"<example_resource_id>\" # EMR master/core SG\n cidr_blocks = [\"10.0.0.0/8\"] # CRITICAL: restrict source; not 0.0.0.0/0 or ::/0\n}\n```"
|
|
20
27
|
},
|
|
21
28
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
29
|
+
"Text": "Apply **least privilege** and **defense in depth**:\n- Place clusters in private subnets; avoid public IPs\n- Deny `0.0.0.0/0` and `::/0` in node security groups; allow trusted CIDRs only\n- Keep EMR **Block Public Access** enabled with minimal exceptions\n- Use **bastion/SSM**, private connectivity, and logging for hardened access",
|
|
30
|
+
"Url": "https://hub.prowler.com/check/emr_cluster_publicly_accesible"
|
|
24
31
|
}
|
|
25
32
|
},
|
|
26
33
|
"Categories": [
|
|
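Review bot: Both IaC snippets in `NativeIaC` and `Terraform` open port 22 to `10.0.0.0/8`, which the inline comment presents as a restricted source but is the entire RFC 1918 class A range; since the `Text` recommendation asks for trusted CIDRs only, the example should use a narrower placeholder and say so, e.g. `CidrIp: <trusted_admin_cidr>  # bastion/SSM or admin range only; never 0.0.0.0/0 or ::/0`. The misspelling in `CheckID` (`emr_cluster_publicly_accesible`) is pre-existing and is mirrored in the hub `Url`, so the two must stay in sync if it is ever corrected; a `Notes` entry recording that would help future maintainers.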
@@ -1,29 +1,42 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "eventbridge_bus_cross_account_access",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "AWS EventBridge event bus does not allow cross-account access",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"TTPs/Initial Access/Unauthorized Access",
|
|
9
|
+
"Effects/Data Exposure"
|
|
10
|
+
],
|
|
6
11
|
"ServiceName": "eventbridge",
|
|
7
|
-
"SubServiceName": "
|
|
8
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"SubServiceName": "",
|
|
13
|
+
"ResourceIdTemplate": "",
|
|
9
14
|
"Severity": "high",
|
|
10
15
|
"ResourceType": "AwsEventsEventbus",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
16
|
+
"Description": "**EventBridge event bus** has a **resource policy** that grants **cross-account event delivery** to principals outside the account, including broad or public access.\n\nFocus is on buses whose policies permit external accounts to send events.",
|
|
17
|
+
"Risk": "**Cross-account event injection** can erode **integrity** and **availability**. Spoofed events may trigger rules and invoke downstream targets, causing unintended actions, data exposure via targets, lateral movement through over-privileged roles, and cost or service disruption from event floods.",
|
|
18
|
+
"RelatedUrl": "",
|
|
19
|
+
"AdditionalURLs": [
|
|
20
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchEvents/event-bus-cross-account-access.html",
|
|
21
|
+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
|
|
22
|
+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html"
|
|
23
|
+
],
|
|
14
24
|
"Remediation": {
|
|
15
25
|
"Code": {
|
|
16
26
|
"CLI": "aws events remove-permission --event-bus-name <event_bus_name> --statement-id <statement_id>",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"Other": "
|
|
19
|
-
"Terraform": ""
|
|
27
|
+
"NativeIaC": "```yaml\n# CloudFormation: restrict EventBridge event bus to same account only\nResources:\n <example_resource_name>:\n Type: AWS::Events::EventBusPolicy\n Properties:\n StatementId: <example_resource_id>\n Action: events:PutEvents\n Principal: !Ref AWS::AccountId # Critical: allows only this AWS account, blocking cross-account access\n EventBusName: <example_resource_name>\n```",
|
|
28
|
+
"Other": "1. In the AWS Console, go to Amazon EventBridge > Event buses\n2. Select the event bus (<event_bus_name>)\n3. Open the Permissions tab and click Edit\n4. Remove any statements that grant access to other accounts, an organization, or \"*\"\n5. Save changes",
|
|
29
|
+
"Terraform": "```hcl\n# Terraform: restrict EventBridge event bus to same account only\nresource \"aws_cloudwatch_event_permission\" \"<example_resource_name>\" {\n statement_id = \"<example_resource_id>\"\n action = \"events:PutEvents\"\n principal = \"<example_resource_id>\" # Critical: set to your own AWS account ID to block cross-account access\n event_bus_name = \"<example_resource_name>\"\n}\n```"
|
|
20
30
|
},
|
|
21
31
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
32
|
+
"Text": "Apply **least privilege** on the event bus resource policy: allow only specific account IDs or org scope (e.g., `aws:PrincipalOrgID`) and avoid wildcard `Principal` or `*`.\n\nConstrain rules to trusted senders using the `account` field and vetted sources, and add monitoring/throttling for **defense in depth**.",
|
|
33
|
+
"Url": "https://hub.prowler.com/check/eventbridge_bus_cross_account_access"
|
|
24
34
|
}
|
|
25
35
|
},
|
|
26
|
-
"Categories": [
|
|
36
|
+
"Categories": [
|
|
37
|
+
"identity-access",
|
|
38
|
+
"trust-boundaries"
|
|
39
|
+
],
|
|
27
40
|
"DependsOn": [],
|
|
28
41
|
"RelatedTo": [],
|
|
29
42
|
"Notes": ""
|
|
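Review bot: Step 4 of `Other` instructs removing any statement that grants access to "an organization", while the `Text` recommendation explicitly allows org scope via `aws:PrincipalOrgID`; the two should agree, e.g. `4. Remove statements granting access to other accounts or "*" unless they are constrained to your own organization with aws:PrincipalOrgID`. In the `Terraform` snippet `principal` is set to `<example_resource_id>`, the same placeholder used for `statement_id`, but `aws_cloudwatch_event_permission.principal` takes a 12-digit account ID (or `*`); a distinct placeholder such as `<example_account_id>`, as the eventbridge_bus_exposed metadata in this release already uses, would avoid copy-paste mistakes.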
@@ -1,26 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "eventbridge_bus_exposed",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "AWS EventBridge event bus policy does not allow public access",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"TTPs/Initial Access/Unauthorized Access"
|
|
9
|
+
],
|
|
6
10
|
"ServiceName": "eventbridge",
|
|
7
11
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
9
13
|
"Severity": "high",
|
|
10
14
|
"ResourceType": "AwsEventsEventbus",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "EventBridge event bus resource policy is evaluated for **public access**, such as a `Principal: \"*\"` or overly broad conditions that allow any AWS account to publish events or manage rules on the bus.",
|
|
16
|
+
"Risk": "Publicly accessible event buses enable **event injection** and unauthorized rule changes, undermining **integrity** and enabling **lateral movement**. Attackers can trigger downstream targets, causing **data exposure**, service disruption, and unexpected **costs** through high-volume events.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html",
|
|
20
|
+
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_GettingStarted.html",
|
|
21
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudWatchEvents/event-bus-exposed.html",
|
|
22
|
+
"https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/"
|
|
23
|
+
],
|
|
14
24
|
"Remediation": {
|
|
15
25
|
"Code": {
|
|
16
26
|
"CLI": "aws events remove-permission --event-bus-name <event_bus_name> --statement-id <statement_id>",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"Other": "
|
|
19
|
-
"Terraform": ""
|
|
27
|
+
"NativeIaC": "```yaml\n# CloudFormation: restrict EventBridge event bus access to a specific account (not public)\nResources:\n <example_resource_name>:\n Type: AWS::Events::EventBusPolicy\n Properties:\n StatementId: AllowSpecificAccount\n Action: events:PutEvents\n Principal: arn:aws:iam::<example_account_id>:root # CRITICAL: limit access to a specific AWS account to prevent public access\n # Omitting EventBusName applies this to the default event bus\n```",
|
|
28
|
+
"Other": "1. Open the AWS Console and go to EventBridge > Event buses\n2. Select the target event bus and open the Permissions tab\n3. Click Edit policy\n4. Remove any statement where Principal is \"*\" or AWS is \"*\"\n5. If needed, add a statement allowing only your trusted account ID as Principal (arn:aws:iam::<ACCOUNT_ID>:root)\n6. Save changes",
|
|
29
|
+
"Terraform": "```hcl\nresource \"aws_cloudwatch_event_bus_policy\" \"<example_resource_name>\" {\n # CRITICAL: Principal is a specific AWS account, not \"*\", preventing public access\n policy = <<POLICY\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Sid\": \"AllowSpecificAccount\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::<example_account_id>:root\"},\n \"Action\": \"events:PutEvents\",\n \"Resource\": \"arn:aws:events:<example_region>:<example_account_id>:event-bus/default\"\n }]\n}\nPOLICY\n}\n```"
|
|
20
30
|
},
|
|
21
31
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
32
|
+
"Text": "Apply **least privilege** resource policies: limit principals to specific accounts or your organization, and constrain actions and event attributes (e.g., `source`, `detail-type`). Avoid `Principal: \"*\"`.\n\nUse **defense in depth** with rule patterns that include the expected `account`. Monitor policy changes and bus activity.",
|
|
33
|
+
"Url": "https://hub.prowler.com/check/eventbridge_bus_exposed"
|
|
24
34
|
}
|
|
25
35
|
},
|
|
26
36
|
"Categories": [
|
|
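Review bot: Step 4 of `Other` says to remove any statement whose Principal is `"*"` without mentioning the `Condition` block, yet `Principal: "*"` paired with an `aws:PrincipalOrgID` condition is the usual organization-wide grant and the Description itself scopes the finding to "overly broad conditions"; suggest `4. Remove statements whose Principal is "*" unless a Condition (e.g. aws:PrincipalOrgID) restricts them to your organization`. The `Terraform` policy hard-codes `event-bus/default` in `Resource` while the resource label is `<example_resource_name>`, so it silently targets the default bus; a bus-name placeholder, or a comment matching the CFN snippet's `# Omitting EventBusName applies this to the default event bus`, would make that explicit.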
@@ -1,32 +1,43 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "eventbridge_global_endpoint_event_replication_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "EventBridge global endpoint has event replication enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
|
7
8
|
],
|
|
8
9
|
"ServiceName": "eventbridge",
|
|
9
10
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
11
12
|
"Severity": "medium",
|
|
12
13
|
"ResourceType": "AwsEventsEndpoint",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
14
|
+
"Description": "**EventBridge global endpoints** are configured with **event replication** `ENABLED` (not `DISABLED`) so custom events are replicated to both the primary and secondary Regions.",
|
|
15
|
+
"Risk": "**No event replication** degrades **availability** and increases **RPO** during Regional outages.\n- Events can be lost or delayed if the primary Region fails\n- Automatic recovery to the primary may not occur, prolonging failover\n- Cross-Region inconsistency can affect data integrity",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/eventbridge-controls.html#eventbridge-4",
|
|
19
|
+
"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-global-endpoints.html",
|
|
20
|
+
"https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Endpoint.html",
|
|
21
|
+
"https://docs.aws.amazon.com/config/latest/developerguide/global-endpoint-event-replication-enabled.html",
|
|
22
|
+
"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-ge-create-endpoint.html",
|
|
23
|
+
"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-ge-best-practices.html",
|
|
24
|
+
"https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_CreateEndpoint.html",
|
|
25
|
+
"https://aws.amazon.com/blogs/compute/introducing-global-endpoints-for-amazon-eventbridge/"
|
|
26
|
+
],
|
|
16
27
|
"Remediation": {
|
|
17
28
|
"Code": {
|
|
18
|
-
"CLI": "aws events update-endpoint --name <endpoint-name> --
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
29
|
+
"CLI": "aws events update-endpoint --name <endpoint-name> --replication-config State=ENABLED --role-arn <role-arn>",
|
|
30
|
+
"NativeIaC": "```yaml\n# CloudFormation: Enable event replication on an EventBridge global endpoint\nResources:\n Endpoint:\n Type: AWS::Events::Endpoint\n Properties:\n Name: <example_resource_name>\n EventBuses:\n - EventBusArn: arn:aws:events:us-east-1:<example_resource_id>:event-bus/<example_resource_name>\n - EventBusArn: arn:aws:events:us-west-2:<example_resource_id>:event-bus/<example_resource_name>\n RoutingConfig:\n FailoverConfig:\n Primary:\n HealthCheck: arn:aws:route53:::healthcheck/<example_resource_id>\n Secondary:\n Route: us-west-2\n ReplicationConfig:\n State: ENABLED # Critical: enables event replication\n RoleArn: arn:aws:iam::<example_resource_id>:role/<example_resource_name> # Critical: role used by replication\n```",
|
|
31
|
+
"Other": "1. In the AWS Console, open Amazon EventBridge and go to Global endpoints\n2. Select the endpoint and choose Edit\n3. Under Event replication, check Event replication enabled\n4. For Execution role, select an existing role or create a new one\n5. Save changes",
|
|
32
|
+
"Terraform": "```hcl\n# Terraform (awscc): Enable event replication on an EventBridge global endpoint\nresource \"awscc_events_endpoint\" \"example\" {\n name = \"<example_resource_name>\"\n\n event_buses = [\n { event_bus_arn = \"arn:aws:events:us-east-1:<example_resource_id>:event-bus/<example_resource_name>\" },\n { event_bus_arn = \"arn:aws:events:us-west-2:<example_resource_id>:event-bus/<example_resource_name>\" }\n ]\n\n routing_config = {\n failover_config = {\n primary = { health_check = \"arn:aws:route53:::healthcheck/<example_resource_id>\" }\n secondary = { route = \"us-west-2\" }\n }\n }\n\n replication_config = { state = \"ENABLED\" } # Critical: enables event replication\n role_arn = \"arn:aws:iam::<example_resource_id>:role/<example_resource_name>\" # Critical: role used by replication\n}\n```"
|
|
22
33
|
},
|
|
23
34
|
"Recommendation": {
|
|
24
|
-
"Text": "
|
|
25
|
-
"Url": "https://
|
|
35
|
+
"Text": "Turn on **event replication** for global endpoints to ensure Regional resilience. Keep event buses, rules, and targets aligned across Regions. Use a dedicated IAM role with **least privilege** for replication. Design consumers for **idempotency** with unique IDs. Regularly test failover and monitor health as part of **defense in depth**.",
|
|
36
|
+
"Url": "https://hub.prowler.com/check/eventbridge_global_endpoint_event_replication_enabled"
|
|
26
37
|
}
|
|
27
38
|
},
|
|
28
39
|
"Categories": [
|
|
29
|
-
"
|
|
40
|
+
"resilience"
|
|
30
41
|
],
|
|
31
42
|
"DependsOn": [],
|
|
32
43
|
"RelatedTo": [],
|
|
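Review bot: The `Terraform` remediation departs from the convention used by the other hunks in this release: it targets the `awscc` provider, labels the resource `"example"` instead of `<example_resource_name>`, and hard-codes `us-east-1`/`us-west-2`, so the region literals should become placeholders like the rest of the snippet. All three remediations pass a replication `RoleArn` but none says what that role must grant; a comment in `NativeIaC` and `Terraform` such as `# role must be assumable by the EventBridge service and allow events:PutEvents on both buses` would save the operator a lookup (the exact trust and permissions should be confirmed against the linked eb-global-endpoints documentation before it is stated as fact).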
@@ -1,29 +1,41 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "eventbridge_schema_registry_cross_account_access",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "AWS EventBridge schema registry does not allow cross-account access",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"TTPs/Initial Access/Unauthorized Access",
|
|
9
|
+
"Effects/Data Exposure"
|
|
10
|
+
],
|
|
6
11
|
"ServiceName": "eventbridge",
|
|
7
|
-
"SubServiceName": "
|
|
8
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"SubServiceName": "",
|
|
13
|
+
"ResourceIdTemplate": "",
|
|
9
14
|
"Severity": "high",
|
|
10
15
|
"ResourceType": "AwsEventSchemasRegistry",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
16
|
+
"Description": "**EventBridge schema registry** resource policies are assessed for **cross-account access**. It identifies statements that grant external or public principals (e.g., `Principal: *` or other accounts) permissions to interact with the registry and its schemas.",
|
|
17
|
+
"Risk": "Unknown cross-account access exposes schema definitions, enabling reconnaissance and leaking data models (**confidentiality**). Excessive permissions may let outsiders alter or delete schemas, corrupt code bindings, and disrupt integrations (**integrity** and **availability**).",
|
|
18
|
+
"RelatedUrl": "",
|
|
19
|
+
"AdditionalURLs": [
|
|
20
|
+
"https://aws.amazon.com/about-aws/whats-new/2021/09/cross-account-discovery-amazon-eventbridge-schema/",
|
|
21
|
+
"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schema.html"
|
|
22
|
+
],
|
|
14
23
|
"Remediation": {
|
|
15
24
|
"Code": {
|
|
16
|
-
"CLI": "",
|
|
17
|
-
"NativeIaC": "",
|
|
18
|
-
"Other": "",
|
|
19
|
-
"Terraform": ""
|
|
25
|
+
"CLI": "aws schemas put-resource-policy --registry-name <example_resource_name> --policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<example_account_id>:root\"},\"Action\":\"schemas:*\",\"Resource\":\"*\"}]}'",
|
|
26
|
+
"NativeIaC": "```yaml\n# CloudFormation: Restrict EventBridge Schema Registry policy to same account only\nResources:\n <example_resource_name>RegistryPolicy:\n Type: AWS::EventSchemas::RegistryPolicy\n Properties:\n RegistryName: <example_resource_name>\n # Critical: Principal limited to this AWS account to prevent cross-account access\n Policy: !Sub |\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": { \"AWS\": \"arn:${AWS::Partition}:iam::${AWS::AccountId}:root\" },\n \"Action\": \"schemas:*\",\n \"Resource\": \"*\"\n }\n ]\n }\n```",
|
|
27
|
+
"Other": "1. Open the Amazon EventBridge console\n2. Go to Schemas > Registries and select <example_resource_name>\n3. Open the Permissions tab and click Edit\n4. Remove any statement with Principal set to \"*\" or an AWS account different from yours\n5. Add a single Allow statement with Principal = arn:aws:iam::<your_account_id>:root\n6. Save changes",
|
|
28
|
+
"Terraform": "```hcl\n# Restrict EventBridge Schema Registry policy to same account only\nresource \"aws_schemas_registry_policy\" \"<example_resource_name>\" {\n registry_name = \"<example_resource_name>\"\n\n # Critical: Principal limited to same account to remove cross-account access\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = { AWS = \"arn:aws:iam::<example_account_id>:root\" }\n Action = \"schemas:*\"\n Resource = \"*\"\n }]\n })\n}\n```"
|
|
20
29
|
},
|
|
21
30
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
31
|
+
"Text": "Apply **least privilege** to registry resource policies:\n- Avoid public principals like `Principal: *`\n- Allow only trusted account ARNs or org IDs\n- Grant minimal actions, prefer read-only\n- Use **separation of duties** and log changes\n\n*If cross-account is needed*, scope tightly and review often.",
|
|
32
|
+
"Url": "https://hub.prowler.com/check/eventbridge_schema_registry_cross_account_access"
|
|
24
33
|
}
|
|
25
34
|
},
|
|
26
|
-
"Categories": [
|
|
35
|
+
"Categories": [
|
|
36
|
+
"trust-boundaries",
|
|
37
|
+
"identity-access"
|
|
38
|
+
],
|
|
27
39
|
"DependsOn": [],
|
|
28
40
|
"RelatedTo": [],
|
|
29
41
|
"Notes": ""
|
|
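Review bot: Every remediation snippet (`CLI`, `NativeIaC`, `Terraform`) grants `schemas:*` on `Resource: "*"` to the account root, which contradicts the `Text` recommendation to "grant minimal actions, prefer read-only"; the examples should either narrow to the operations actually needed (e.g. `schemas:DescribeRegistry`, `schemas:ListSchemas`, `schemas:DescribeSchema`) or carry a comment `# schemas:* shown for brevity; scope Action and Resource to the registry and the operations you need`. The `CLI` line also replaces the whole resource policy, dropping any existing legitimate statements; the `Other` steps make this explicit (step 5 "Add a single Allow statement") but the CLI example does not, so a short note before it would avoid an unintended lockout.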
@@ -1,31 +1,42 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "firehose_stream_encrypted_at_rest",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Kinesis Data Firehose delivery stream is encrypted at rest",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
|
|
9
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"
|
|
7
10
|
],
|
|
8
11
|
"ServiceName": "firehose",
|
|
9
|
-
"SubServiceName": "
|
|
10
|
-
"ResourceIdTemplate": "
|
|
12
|
+
"SubServiceName": "",
|
|
13
|
+
"ResourceIdTemplate": "",
|
|
11
14
|
"Severity": "medium",
|
|
12
|
-
"ResourceType": "
|
|
13
|
-
"Description": "",
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
15
|
+
"ResourceType": "AwsKinesisStream",
|
|
16
|
+
"Description": "**Amazon Data Firehose** delivery streams must enable **server-side encryption at rest** with AWS KMS regardless of the source type. Encryption of upstream sources such as **Kinesis Data Streams** or **MSK** does not replace the need to protect the delivery stream itself.",
|
|
17
|
+
"Risk": "Unencrypted Firehose data at rest can be read if storage or backups are accessed, harming **confidentiality** and **integrity**. Disk-level access, snapshots, or misconfigured destinations enable data exfiltration or tampering. Lacking KMS-backed controls also reduces key rotation, segregation of duties, and auditability.",
|
|
18
|
+
"RelatedUrl": "",
|
|
19
|
+
"AdditionalURLs": [
|
|
20
|
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Firehose/delivery-stream-encrypted-with-kms-customer-master-keys.html",
|
|
21
|
+
"https://docs.aws.amazon.com/firehose/latest/dev/encryption.html",
|
|
22
|
+
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html",
|
|
23
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/datafirehose-controls.html#datafirehose-1"
|
|
24
|
+
],
|
|
16
25
|
"Remediation": {
|
|
17
26
|
"Code": {
|
|
18
|
-
"CLI": "aws firehose
|
|
19
|
-
"NativeIaC": "
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": "
|
|
27
|
+
"CLI": "aws firehose start-delivery-stream-encryption --delivery-stream-name <delivery-stream-name> --delivery-stream-encryption-configuration-input KeyType=AWS_OWNED_CMK",
|
|
28
|
+
"NativeIaC": "```yaml\n# CloudFormation: Enable at-rest encryption for a Firehose delivery stream\nResources:\n <example_resource_name>:\n Type: AWS::KinesisFirehose::DeliveryStream\n Properties:\n DeliveryStreamEncryptionConfigurationInput:\n KeyType: AWS_OWNED_CMK # critical: enables SSE at rest using AWS owned KMS key\n ExtendedS3DestinationConfiguration:\n BucketARN: arn:aws:s3:::<example_resource_name>\n RoleARN: arn:aws:iam::<example_account_id>:role/<example_resource_name>\n```",
|
|
29
|
+
"Other": "1. In the AWS Console, go to Amazon Data Firehose\n2. Select the affected delivery stream and click Edit\n3. Under Server-side encryption, set to Enabled (choose AWS owned key)\n4. Click Save changes",
|
|
30
|
+
"Terraform": "```hcl\n# Terraform: Enable at-rest encryption for a Firehose delivery stream\nresource \"aws_kinesis_firehose_delivery_stream\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n destination = \"extended_s3\"\n\n server_side_encryption {\n enabled = true # critical: turns on SSE at rest (uses AWS owned KMS key by default)\n }\n\n extended_s3_configuration {\n role_arn = \"arn:aws:iam::<example_account_id>:role/<example_resource_name>\"\n bucket_arn = \"arn:aws:s3:::<example_resource_name>\"\n }\n}\n```"
|
|
22
31
|
},
|
|
23
32
|
"Recommendation": {
|
|
24
|
-
"Text": "Enable server-side encryption for
|
|
25
|
-
"Url": "https://
|
|
33
|
+
"Text": "Enable **server-side encryption** for Firehose with AWS KMS. Prefer **customer managed keys** (`CMEK`) to enforce **least privilege**, rotation, and auditing. Ensure upstream **Kinesis** sources are encrypted and confirm MSK defaults meet policy. Monitor KMS health signals and deny writes without encryption. Apply **defense in depth** at destinations.",
|
|
34
|
+
"Url": "https://hub.prowler.com/check/firehose_stream_encrypted_at_rest"
|
|
26
35
|
}
|
|
27
36
|
},
|
|
28
|
-
"Categories": [
|
|
37
|
+
"Categories": [
|
|
38
|
+
"encryption"
|
|
39
|
+
],
|
|
29
40
|
"DependsOn": [],
|
|
30
41
|
"RelatedTo": [],
|
|
31
42
|
"Notes": ""
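Review bot: The Recommendation text in this hunk tells users to prefer customer managed keys, but all three remediation snippets (CLI, CloudFormation, Terraform) enable `KeyType=AWS_OWNED_CMK`, so an operator who follows the remediation as written ends up on an AWS-owned key with none of the rotation, key-policy or CloudTrail control the recommendation asks for. Consider showing the customer-managed variant at least in the CLI, e.g. `--delivery-stream-encryption-configuration-input KeyType=CUSTOMER_MANAGED_CMK,KeyARN=<kms-key-arn>`, and mentioning that the Firehose service role then needs `kms:GenerateDataKey`/`kms:Decrypt` on that key. The Description also asserts encryption is required "regardless of the source type"; if the linked Firehose encryption docs still describe server-side encryption as configurable only for Direct PUT streams, with Kinesis-sourced streams relying on the data stream's own encryption, that sentence and the `start-delivery-stream-encryption` step will not apply to every failing stream — worth confirming before this is published to the hub.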
|
|
@@ -26,23 +26,27 @@ class firehose_stream_encrypted_at_rest(Check):
|
|
|
26
26
|
for stream in firehose_client.delivery_streams.values():
|
|
27
27
|
report = Check_Report_AWS(metadata=self.metadata(), resource=stream)
|
|
28
28
|
report.status = "FAIL"
|
|
29
|
-
report.status_extended = f"Firehose Stream {stream.name} does not have at rest encryption enabled
|
|
29
|
+
report.status_extended = f"Firehose Stream {stream.name} does not have at rest encryption enabled."
|
|
30
30
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
31
|
+
if stream.kms_encryption == EncryptionStatus.ENABLED:
|
|
32
|
+
report.status = "PASS"
|
|
33
|
+
report.status_extended = f"Firehose Stream {stream.name} does have at rest encryption enabled."
|
|
34
|
+
|
|
35
|
+
elif stream.delivery_stream_type == "KinesisStreamAsSource":
|
|
36
|
+
source_stream_arn = stream.source.kinesis_stream.kinesis_stream_arn
|
|
37
|
+
source_stream = kinesis_client.streams.get(source_stream_arn, None)
|
|
36
38
|
if source_stream:
|
|
37
|
-
if source_stream.encrypted_at_rest
|
|
38
|
-
report.
|
|
39
|
-
|
|
39
|
+
if source_stream.encrypted_at_rest == EncryptionType.KMS:
|
|
40
|
+
report.status_extended = f"Firehose Stream {stream.name} does not have at rest encryption enabled even though source stream {source_stream.name} has at rest encryption enabled."
|
|
41
|
+
else:
|
|
42
|
+
report.status_extended = f"Firehose Stream {stream.name} does not have at rest encryption enabled and the source stream {source_stream.name} is not encrypted at rest."
|
|
43
|
+
else:
|
|
44
|
+
report.status_extended = f"Firehose Stream {stream.name} does not have at rest encryption enabled and the referenced source stream could not be found."
|
|
40
45
|
|
|
41
|
-
# MSK source - check if the MSK cluster has encryption at rest with CMK
|
|
42
46
|
elif stream.delivery_stream_type == "MSKAsSource":
|
|
43
47
|
msk_cluster_arn = stream.source.msk.msk_cluster_arn
|
|
48
|
+
msk_cluster = None
|
|
44
49
|
if msk_cluster_arn:
|
|
45
|
-
msk_cluster = None
|
|
46
50
|
for cluster in kafka_client.clusters.values():
|
|
47
51
|
if cluster.arn == msk_cluster_arn:
|
|
48
52
|
msk_cluster = cluster
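Review bot: Moving the `kms_encryption == EncryptionStatus.ENABLED` test to the top means a stream with `KinesisStreamAsSource` can now only ever FAIL — the `elif` branch merely picks one of three FAIL messages and never sets `report.status`. If Firehose does not allow server-side encryption to be enabled on a Kinesis-sourced stream (the Firehose docs describe SSE as a Direct PUT feature, with Kinesis-sourced streams protected by the source stream's encryption — please confirm), this yields permanent, non-remediable findings for every such stream and the metadata's `start-delivery-stream-encryption` CLI would be rejected for them; in that case the branch should PASS when `source_stream.encrypted_at_rest == EncryptionType.KMS` with a status_extended saying the protection comes from the source stream, or the limitation should be stated in the metadata. The MSK branch body (lines 53–62, outside this hunk) looks untouched and its trailing else still reports "always has encryption at rest enabled by AWS", so MSK-sourced streams may still pass on source-side encryption alone, which is inconsistent with the stricter rule now applied to Kinesis sources. The enclosing for loop continues past the end of the hunk.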
|
|
@@ -59,11 +63,6 @@ class firehose_stream_encrypted_at_rest(Check):
|
|
|
59
63
|
else:
|
|
60
64
|
report.status_extended = f"Firehose Stream {stream.name} uses MSK source which always has encryption at rest enabled by AWS."
|
|
61
65
|
|
|
62
|
-
# Check if the stream has encryption enabled directly (DirectPut or DatabaseAsSource cases)
|
|
63
|
-
elif stream.kms_encryption == EncryptionStatus.ENABLED:
|
|
64
|
-
report.status = "PASS"
|
|
65
|
-
report.status_extended = f"Firehose Stream {stream.name} does have at rest encryption enabled."
|
|
66
|
-
|
|
67
66
|
findings.append(report)
|
|
68
67
|
|
|
69
68
|
return findings
|
|
@@ -1,29 +1,41 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "fms_policy_compliant",
|
|
4
|
-
"CheckTitle": "
|
|
5
|
-
"CheckType": [
|
|
4
|
+
"CheckTitle": "All AWS FMS policies in the admin account are compliant for all accounts",
|
|
5
|
+
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
|
8
|
+
],
|
|
6
9
|
"ServiceName": "fms",
|
|
7
10
|
"SubServiceName": "",
|
|
8
|
-
"ResourceIdTemplate": "
|
|
11
|
+
"ResourceIdTemplate": "",
|
|
9
12
|
"Severity": "medium",
|
|
10
13
|
"ResourceType": "Other",
|
|
11
|
-
"Description": "
|
|
12
|
-
"Risk": "
|
|
13
|
-
"RelatedUrl": "
|
|
14
|
+
"Description": "**Firewall Manager** policies in the administrator account are evaluated for organization-wide compliance. The assessment reviews each policy's account-level status and flags entries marked `NON_COMPLIANT` or unset. It also identifies when no effective policies exist within the administrator scope.",
|
|
15
|
+
"Risk": "Policy drift or absence leaves in-scope resources without enforced controls, degrading **confidentiality**, **integrity**, and **availability**. Missing WAF, Shield, security group, or network firewall baselines can enable DDoS exposure, unsafe routes, and open access, leading to unauthorized entry and data exfiltration.",
|
|
16
|
+
"RelatedUrl": "",
|
|
17
|
+
"AdditionalURLs": [
|
|
18
|
+
"https://aws.amazon.com/firewall-manager/faqs/",
|
|
19
|
+
"https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html",
|
|
20
|
+
"https://www.amazonaws.cn/en/firewall-manager/faqs/",
|
|
21
|
+
"https://docs.aws.amazon.com/waf/latest/developerguide/fms-compliance.html"
|
|
22
|
+
],
|
|
14
23
|
"Remediation": {
|
|
15
24
|
"Code": {
|
|
16
|
-
"CLI": "
|
|
25
|
+
"CLI": "",
|
|
17
26
|
"NativeIaC": "",
|
|
18
|
-
"Other": "",
|
|
27
|
+
"Other": "1. Sign in to the AWS console with the Firewall Manager administrator account\n2. Open Firewall Manager > Security policies\n3. If no policies exist: Click Create policy, choose the policy type you use, set scope to All accounts, enable Automatic remediation, and create the policy\n4. If policies exist with Noncompliant accounts: Open the policy > Edit > enable Automatic remediation and ensure scope includes All accounts > Save\n5. In AWS Config (organization management account): Settings > Organization settings > Enable recording for all accounts and all regions > Save\n6. Return to each Firewall Manager policy and verify Accounts within policy scope show Compliant",
|
|
19
28
|
"Terraform": ""
|
|
20
29
|
},
|
|
21
30
|
"Recommendation": {
|
|
22
|
-
"Text": "
|
|
23
|
-
"Url": "https://
|
|
31
|
+
"Text": "Maintain centralized enforcement with **Firewall Manager**: define mandatory policies for all relevant accounts/resources, enable automatic remediation where appropriate, and continuously monitor compliance. Apply **least privilege** and **defense in depth** by standardizing web, network, and DNS protections and alerting on drift.",
|
|
32
|
+
"Url": "https://hub.prowler.com/check/fms_policy_compliant"
|
|
24
33
|
}
|
|
25
34
|
},
|
|
26
|
-
"Categories": [
|
|
35
|
+
"Categories": [
|
|
36
|
+
"internet-exposed",
|
|
37
|
+
"trust-boundaries"
|
|
38
|
+
],
|
|
27
39
|
"DependsOn": [],
|
|
28
40
|
"RelatedTo": [],
|
|
29
41
|
"Notes": ""
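Review bot: The console remediation in this hunk tells the operator to set scope to "All accounts" and enable "Automatic remediation" with no caveat; for security-group and WAF policy types automatic remediation rewrites or deletes resources in every member account, which can cut off legitimate traffic organization-wide. Suggest adding a line before step 3 such as `Pilot the policy on a small account/OU scope with automatic remediation off, review the flagged resources, then widen the scope and enable remediation`, and noting that the Firewall Manager administrator account must already be designated from the organization management account. Step 5 (AWS Config recording) is a prerequisite for Firewall Manager to evaluate compliance at all, so it reads more naturally ahead of the policy steps than after them.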
|