prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json

@@ -1,31 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "fsx_file_system_copy_tags_to_backups_enabled",
-  "CheckTitle": "Check if FSx file systems are configured to copy tags to backups.",
+  "CheckTitle": "FSx file system has copy tags to backups enabled",
   "CheckType": [
-    "Software and Configuration Checks/Vulnerabilities"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "fsx",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsFSxFileSystem",
-  "Description": "Check if an Amazon FSx file system is configured to copy tags to backups. The control fails if this configuration isn't enabled.",
-  "Risk": "Without tag copying, managing and tracking your resources could be more difficult, impacting your governance and inventory management processes.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html",
+  "Description": "**Amazon FSx file systems** are evaluated for whether they copy **resource tags** to their **backups** via the `copy_tags_to_backups` setting.",
+  "Risk": "Missing tag inheritance leaves backups unclassified and outside tag-based controls, weakening confidentiality and availability. Tag-aware IAM and retention policies may not apply, enabling unauthorized access, accidental deletion, or orphaned backups that complicate recovery and inflate costs.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-2",
+    "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html",
+    "https://docs.aws.amazon.com/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws fsx update-file-system --file-system-id <file-system-id> --open-zfs-configuration CopyTagsToBackups=true",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-2",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Enable copying tags to backups for FSx OpenZFS\nResources:\n  <example_resource_name>:\n    Type: AWS::FSx::FileSystem\n    Properties:\n      FileSystemType: OPENZFS\n      OpenZFSConfiguration:\n        CopyTagsToBackups: true  # Critical: ensures tags are copied to backups (passes the check)\n```",
+      "Other": "1. Open the AWS Console and go to Amazon FSx\n2. Select your FSx file system and choose Actions > Update file system\n3. Enable Copy tags to backups\n4. Click Update to save",
+      "Terraform": "```hcl\n# Terraform: Enable copying tags to backups for FSx OpenZFS\nresource \"aws_fsx_openzfs_file_system\" \"<example_resource_name>\" {\n  subnet_ids          = [\"<subnet_id>\"]\n  deployment_type     = \"SINGLE_AZ_1\"\n  throughput_capacity = 64\n  storage_capacity    = 128\n\n  copy_tags_to_backups = true # Critical: ensures tags are copied to backups (passes the check)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your FSx file system to copy tags to backups to improve resource management and tracking.",
-      "Url": "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
+      "Text": "Enable tag copying for FSx backups and standardize mandatory tags (owner, data classification, environment).\nMap **least privilege** and lifecycle policies to these tags, enforce with automation and guardrails, and regularly audit to prevent untagged or misclassified backups.",
+      "Url": "https://hub.prowler.com/check/fsx_file_system_copy_tags_to_backups_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json

@@ -1,28 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "fsx_file_system_copy_tags_to_volumes_enabled",
-  "CheckTitle": "Check if FSx file systems are configured to copy tags to volumes.",
+  "CheckTitle": "FSx file system has copy tags to volumes enabled",
   "CheckType": [
-    "Software and Configuration Checks/Vulnerabilities"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "fsx",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
+  "ResourceIdTemplate": "",
   "Severity": "low",
-  "ResourceType": "AwsFSxFileSystem",
-  "Description": "Check if an Amazon FSx file system is configured to copy tags to volumes. The control fails if this configuration isn't enabled.",
-  "Risk": "Without tag copying, managing and tracking your resources could be more difficult, impacting your governance and inventory management processes.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-openzfs-copy-tags-enabled.html",
+  "ResourceType": "Other",
+  "Description": "**Amazon FSx file systems** are configured to **copy tags to volumes** via `copy_tags_to_volumes`.\n\nIdentifies file systems where volume resources will not inherit the file system's tags.",
+  "Risk": "Without tag propagation, volumes lack consistent labels used for **ABAC**, classification, and automation. This can erode confidentiality through mis-scoped access controls and impact availability if backups or safeguards aren't applied to untagged volumes.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-1",
+    "https://docs.aws.amazon.com/config/latest/developerguide/fsx-openzfs-copy-tags-enabled.html",
+    "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws fsx update-file-system --file-system-id <file-system-id> --open-zfs-configuration CopyTagsToVolumes=true",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-1",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Enable copying tags to volumes for FSx for OpenZFS\nResources:\n  <example_resource_name>:\n    Type: AWS::FSx::FileSystem\n    Properties:\n      FileSystemType: OPENZFS\n      SubnetIds:\n        - <example_resource_id>\n      OpenZFSConfiguration:\n        DeploymentType: SINGLE_AZ_1\n        ThroughputCapacity: 64\n        CopyTagsToVolumes: true  # Critical: ensures volumes inherit file system tags\n```",
+      "Other": "1. Open the AWS Console and go to Amazon FSx\n2. Select your FSx for OpenZFS file system\n3. Click Actions > Update file system\n4. Set Copy tags to volumes to On\n5. Click Update to save",
+      "Terraform": "```hcl\n# FSx for OpenZFS with copy tags to volumes enabled\nresource \"aws_fsx_openzfs_file_system\" \"<example_resource_name>\" {\n  deployment_type      = \"SINGLE_AZ_1\"\n  subnet_ids           = [\"<example_resource_id>\"]\n  throughput_capacity  = 64\n  copy_tags_to_volumes = true  # Critical: ensures volumes inherit file system tags\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your FSx file system to copy tags to volumes to improve resource management and tracking.",
-      "Url": "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
+      "Text": "Enable `copy_tags_to_volumes` and adopt a **mandatory tagging policy** (owner, environment, data class). Apply **least privilege/ABAC** using tags and integrate tags into backup, retention, and monitoring workflows to enforce **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/fsx_file_system_copy_tags_to_volumes_enabled"
     }
   },
   "Categories": [],

prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json

@@ -1,30 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "fsx_windows_file_system_multi_az_enabled",
-  "CheckTitle": "Check if FSx Windows file systems are configured with Multi-AZ.",
-  "CheckType": [],
+  "CheckTitle": "FSx Windows file system is configured for Multi-AZ deployment",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Denial of Service"
+  ],
   "ServiceName": "fsx",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
+  "ResourceIdTemplate": "",
   "Severity": "low",
-  "ResourceType": "AwsFSxFileSystem",
-  "Description": "Check if FSx Windows file systems are configured with Multi-AZ. The control fails if this configuration isn't enabled.",
-  "Risk": "Relative to Single-AZ deployment, Multi-AZ deployments provide enhanced durability by further replicating data across AZs, and enhanced availability during planned system maintenance and unplanned service disruption by failing over automatically to the standby AZ. This allows you to continue accessing your data, and helps to protect your data against instance failure and AZ disruption.",
-  "RelatedUrl": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html",
+  "ResourceType": "Other",
+  "Description": "**FSx for Windows File Server** file systems are evaluated for **Multi-AZ deployment**, determined when `SubnetIds` include more than one subnet in different Availability Zones.",
+  "Risk": "Using **Single-AZ** creates a **single point of failure**. AZ outages, server failures, or maintenance can cause extended file share downtime, impacting availability. Crash scenarios may leave data inconsistent, threatening **integrity**, and recovery may rely on backups, increasing **RTO/RPO**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/dfs-r.html",
+    "https://docs.aws.amazon.com/fsx/latest/APIReference/API_WindowsFileSystemConfiguration.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html",
+    "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Create FSx for Windows File Server with Multi-AZ\nResources:\n  <example_resource_name>:\n    Type: AWS::FSx::FileSystem\n    Properties:\n      FileSystemType: WINDOWS\n      StorageCapacity: 32\n      SubnetIds:\n        - <example_subnet_id_1>  # CRITICAL: two subnets -> Multi-AZ across AZs\n        - <example_subnet_id_2>  # CRITICAL: two subnets -> Multi-AZ across AZs\n      WindowsConfiguration:\n        ThroughputCapacity: 8\n        DeploymentType: MULTI_AZ_1  # CRITICAL: enables Multi-AZ deployment\n        PreferredSubnetId: <example_subnet_id_1>\n```",
+      "Other": "1. In AWS Console, go to FSx > Create file system > Amazon FSx for Windows File Server\n2. Set Deployment type to Multi-AZ\n3. Select two Subnets in different Availability Zones\n4. Set minimal required capacity/throughput and Create\n5. Migrate data to the new file system and repoint clients to its DNS name\n6. Delete the old Single-AZ file system",
+      "Terraform": "```hcl\n# Terraform: FSx for Windows File Server configured for Multi-AZ\nresource \"aws_fsx_windows_file_system\" \"<example_resource_name>\" {\n  storage_capacity    = 32\n  subnet_ids          = [\"<example_subnet_id_1>\", \"<example_subnet_id_2>\"] # CRITICAL: two subnets in different AZs\n  throughput_capacity = 8\n  deployment_type     = \"MULTI_AZ_1\"                                      # CRITICAL: enables Multi-AZ deployment\n  preferred_subnet_id = \"<example_subnet_id_1>\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your FSx Windows file system to be highly available with ENIs in Multiple AZs.",
-      "Url": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html"
+      "Text": "Prefer `MULTI_AZ_1` for production to uphold **high availability** and avoid AZ-level single points of failure. Apply **resilience** and **defense in depth**: design to tolerate AZ loss, capacity-plan for failover, and test failover regularly. *If Single-AZ is unavoidable*, limit to noncritical or app-replicated workloads and keep frequent, verified backups.",
+      "Url": "https://hub.prowler.com/check/fsx_windows_file_system_multi_az_enabled"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "glacier_vaults_policy_public_access",
-  "CheckTitle": "Check if S3 Glacier vaults have policies which allow access to everyone.",
-  "CheckType": [],
+  "CheckTitle": "S3 Glacier vault has no policy or its policy does not allow access to everyone",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure",
+    "TTPs/Initial Access/Unauthorized Access"
+  ],
   "ServiceName": "glacier",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:glacier:region:account-id:vaults/vault-name",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "Other",
-  "Description": "Ensure CodeArtifact internal packages do not allow external public source publishing.",
-  "Risk": "Vaults accessible to everyone could expose sensitive data to bad actors.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html",
+  "Description": "**Glacier vault** access policy is evaluated for exposure to **public principals**. The finding highlights `Allow` statements that grant access to `Principal: '*'` (including wildcard forms), and notes when a vault lacks a policy.",
+  "Risk": "Publicly grantable vault access undermines **confidentiality** and **integrity**. Anyone could list, retrieve, or delete archives, leading to data exposure or loss. Attackers may also trigger large retrieval operations, degrading **availability** and driving unexpected costs.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html",
+    "https://docs.prowler.com/checks/aws/general-policies/ensure-glacier-vault-access-policy-is-not-public-by-only-allowing-specific-services-or-principals-to-access-it#terraform"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-glacier-vault-access-policy-is-not-public-by-only-allowing-specific-services-or-principals-to-access-it#terraform"
+      "CLI": "aws glacier delete-vault-access-policy --account-id <ACCOUNT_ID> --vault-name <VAULT_NAME>",
+      "NativeIaC": "```yaml\n# CloudFormation: Glacier vault without an access policy (no public access)\nResources:\n  <example_resource_name>:\n    Type: AWS::Glacier::Vault\n    Properties:\n      VaultName: <example_resource_name>\n      # AccessPolicy omitted to remove any public access and pass the check\n```",
+      "Other": "1. In AWS Console, open Amazon S3 Glacier (Classic)\n2. Go to Vaults and select the target vault\n3. Open the Access policy tab and click Edit\n4. Remove the policy (clear all content) or delete it\n5. Save changes",
+      "Terraform": "```hcl\n# Glacier vault with no access policy (not public)\nresource \"aws_glacier_vault\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n  # access_policy omitted to remove any public access and pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure vault policy does not have principle as *.",
-      "Url": "https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html"
+      "Text": "Enforce **least privilege** on vault policies: restrict to specific AWS accounts or roles, avoid `Principal: '*'`, and grant only necessary actions. Apply **defense in depth** with **Vault Lock** for immutable retention and continuous review and monitoring of access to prevent broad or unintended exposure.",
+      "Url": "https://hub.prowler.com/check/glacier_vaults_policy_public_access"
     }
   },
   "Categories": [

prowler/providers/aws/services/iam/lib/policy.py

@@ -427,25 +427,33 @@ def is_policy_public(
                         has_public_access = True
 
                     # Check for cross-service confused deputy
-                    if check_cross_service_confused_deputy and (
+                    if check_cross_service_confused_deputy:
                         # Check if function can be invoked by other AWS services if check_cross_service_confused_deputy is True
-                        (
-                            ".amazonaws.com" in principal.get("Service", "")
-                            or ".amazon.com" in principal.get("Service", "")
-                            or "*" in principal.get("Service", "")
+
+                        svc = principal.get("Service", [])
+                        if isinstance(svc, str):
+                            services = [svc]
+                        elif isinstance(svc, list):
+                            services = [s for s in svc if isinstance(s, str)]
+                        else:
+                            services = []
+
+                        is_cross_service = any(
+                            s == "*"
+                            or s.endswith(".amazonaws.com")
+                            or s.endswith(".amazon.com")
+                            for s in services
                         )
-                        and (
-                            "secretsmanager.amazonaws.com"
-                            not in principal.get(
-                                "Service", ""
-                            )  # AWS ensures that resources called by SecretsManager are executed in the same AWS account
-                            or "eks.amazonaws.com"
-                            not in principal.get(
-                                "Service", ""
-                            )  # AWS ensures that resources called by EKS are executed in the same AWS account
+
+                        # AWS ensures that resources called by SecretsManager are executed in the same AWS account
+                        # AWS ensures that resources called by EKS are executed in the same AWS account
+                        is_exempt = any(
+                            s in {"secretsmanager.amazonaws.com", "eks.amazonaws.com"}
+                            for s in services
                         )
-                    ):
-                        has_public_access = True
+
+                        if is_cross_service and not is_exempt:
+                            has_public_access = True
 
                 if has_public_access and (
                     not not_allowed_actions  # If not_allowed_actions is empty, the function will not consider the actions in the policy

prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "kinesis_stream_data_retention_period",
-  "CheckTitle": "Kinesis streams should have an adequate data retention period.",
+  "CheckTitle": "Kinesis stream retains data for at least the required minimum hours",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
   ],
   "ServiceName": "kinesis",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kinesis::account-id:stream/stream-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsKinesisStream",
-  "Description": "Ensure Kinesis streams have an adequate data retention period.",
-  "Risk": "An inadequate data retention period may result in data records being deleted before they can be processed or backed up, increasing the risk of data loss. This is especially critical for applications that rely on historical data availability for analysis, monitoring, and recovery in case of failures.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/kinesis-stream-backup-retention-check.html",
+  "Description": "**Kinesis Data Streams** retention window is evaluated to confirm records are kept for at least the configured minimum duration (default `168` hours).",
+  "Risk": "Insufficient retention causes records to expire before consumers read or reprocess them, undermining **availability** and analytics **integrity**. Backlogs or outages can create irreversible data gaps, hinder investigations and recovery, and enable denial-of-service-by-lag against event pipelines.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-3"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kinesis increase-stream-retention-period --stream-name <stream-name> --retention-period-hours <hours>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-3",
-      "Terraform": ""
+      "CLI": "aws kinesis increase-stream-retention-period --stream-name <example_resource_name> --retention-period-hours 168",
+      "NativeIaC": "```yaml\n# CloudFormation: set Kinesis stream retention to minimum required hours\nResources:\n  <example_resource_name>:\n    Type: AWS::Kinesis::Stream\n    Properties:\n      ShardCount: 1\n      RetentionPeriodHours: 168  # critical: sets retention to >= 168 hours to pass the check\n```",
+      "Other": "1. Sign in to the AWS Console and open Amazon Kinesis\n2. Go to Data streams and select <example_resource_name>\n3. Click Edit\n4. Set Retention period to 168 hours (or higher, per your policy)\n5. Click Save changes",
+      "Terraform": "```hcl\n# Kinesis stream with adequate retention period\nresource \"aws_kinesis_stream\" \"<example_resource_name>\" {\n  name             = \"<example_resource_name>\"\n  shard_count      = 1\n  retention_period = 168  # critical: sets retention to >= 168 hours to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure an adequate data retention period for Kinesis streams to ensure data is available for the required timeframe. Set the retention period based on your application’s data retention requirements, and consider at least 168 hours (or customize as necessary).",
-      "Url": "https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html"
+      "Text": "Set the **retention period** to exceed worst-case consumer lag, replay needs, and compliance windows; use at least `168` hours by default (or customize as necessary) and raise as required. Enforce **change control** and least privilege on retention changes, monitor consumer lag, and maintain **secondary durability** (e.g., archival) for critical streams.",
+      "Url": "https://hub.prowler.com/check/kinesis_stream_data_retention_period"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "kinesis_stream_encrypted_at_rest",
-  "CheckTitle": "Kinesis streams should be encrypted at rest.",
+  "CheckTitle": "Kinesis stream is encrypted at rest with KMS",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "kinesis",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kinesis::account-id:stream/stream-name",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsKinesisStream",
-  "Description": "Ensure Kinesis streams use server-side encryption with AWS KMS keys for data protection.",
-  "Risk": "If Kinesis streams are not encrypted at rest, sensitive data stored in the stream could be exposed to unauthorized access or breaches. This could lead to potential data theft or misuse of unencrypted data.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html",
+  "Description": "**Amazon Kinesis Data Streams** with **server-side encryption** use **AWS KMS** to protect records at rest. The evaluation determines whether a stream has `SSE-KMS` configured with a KMS key; streams lacking KMS-based at rest encryption are identified.",
+  "Risk": "Without **SSE-KMS**, records in shards may be exposed in plaintext if storage, backups, or analytics exports are accessed, undermining **confidentiality**. Absence of KMS controls also reduces **integrity** and oversight by removing key policies, rotation, and audit trails-enabling covert data exfiltration or insider misuse.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-1",
+    "https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Kinesis/server-side-encryption.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kinesis start-stream-encryption --stream-name <your-stream-name> --encryption-type KMS --key-id <your-kms-key-id>",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_22/#cloudformation",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html#kinesis-1",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_22/#terraform"
+      "CLI": "aws kinesis start-stream-encryption --stream-name <KINESIS_STREAM_NAME> --encryption-type KMS --key-id alias/aws/kinesis",
+      "NativeIaC": "```yaml\n# CloudFormation: enable KMS encryption on a Kinesis stream\nResources:\n  <example_resource_name>:\n    Type: AWS::Kinesis::Stream\n    Properties:\n      ShardCount: 1\n      StreamEncryption:\n        EncryptionType: KMS  # Critical: enables KMS encryption at rest\n        KeyId: alias/aws/kinesis  # Critical: uses AWS managed Kinesis KMS key\n```",
+      "Other": "1. Open the AWS Console and go to Amazon Kinesis > Data streams\n2. Select the stream\n3. On the Details tab, click Edit in Server-side encryption\n4. Select Enabled\n5. Choose the (Default) aws/kinesis KMS key\n6. Click Save",
+      "Terraform": "```hcl\n# Enable KMS encryption on a Kinesis stream\nresource \"aws_kinesis_stream\" \"<example_resource_name>\" {\n  name            = \"<example_resource_name>\"\n  shard_count     = 1\n  encryption_type = \"KMS\"            # Critical: enables KMS encryption at rest\n  kms_key_id      = \"alias/aws/kinesis\" # Critical: uses AWS managed Kinesis KMS key\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable server-side encryption for Kinesis streams using AWS KMS keys to ensure that all data is encrypted before it is stored, protecting data at rest and reducing the risk of unauthorized access.",
-      "Url": "https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html"
+      "Text": "Enable **SSE-KMS** on all streams.\n- Use **customer-managed keys** for rotation and ownership\n- Enforce **least privilege** on KMS grants; limit cross-account use\n- Monitor key usage and require encryption in CI/CD",
+      "Url": "https://hub.prowler.com/check/kinesis_stream_encrypted_at_rest"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/cosmosdb/cosmosdb_service.py

@@ -36,9 +36,14 @@ class CosmosDB(AzureService):
                                     name=private_endpoint_connection.name,
                                     type=private_endpoint_connection.type,
                                 )
-                                for private_endpoint_connection in account.private_endpoint_connections
+                                for private_endpoint_connection in getattr(
+                                    account, "private_endpoint_connections", []
+                                )
+                                if private_endpoint_connection
                             ],
-                            disable_local_auth=account.disable_local_auth,
+                            disable_local_auth=getattr(
+                                account, "disable_local_auth", False
+                            ),
                         )
                     )
             except Exception as error:

prowler/providers/azure/services/defender/defender_service.py

@@ -112,7 +112,9 @@ class Defender(AzureService):
                             assessment.display_name: Assesment(
                                 resource_id=assessment.id,
                                 resource_name=assessment.name,
-                                status=assessment.status.code,
+                                status=getattr(
+                                    getattr(assessment, "status", None), "code", None
+                                ),
                             )
                         }
                     )
@@ -304,7 +306,7 @@ class AutoProvisioningSetting(BaseModel):
 class Assesment(BaseModel):
     resource_id: str
     resource_name: str
-    status: str
+    status: Optional[str] = None
 
 
 class Setting(BaseModel):

prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "azure",
+  "CheckID": "postgresql_flexible_server_entra_id_authentication_enabled",
+  "CheckTitle": "PostgreSQL Flexible Server enforces Microsoft Entra ID authentication with administrators",
+  "CheckType": [],
+  "ServiceName": "postgresql",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "PostgreSQL",
+  "Description": "**PostgreSQL Flexible Servers** must set `authConfig.activeDirectoryAuth` to `Enabled` and keep at least one **Microsoft Entra administrator** assigned so database sessions inherit centrally governed identities instead of unmanaged PostgreSQL accounts.",
+  "Risk": "Without Entra ID authentication, stolen local passwords bypass **MFA** and conditional access, enabling persistent database logins. Missing administrators leaves the feature unusable, blocking security teams from rotating duties and allowing unauthorized access or **privilege escalation**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/security-entra-concepts",
+    "https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/security-entra-configure"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "az postgres flexible-server update --resource-group <resourceGroupName> --name <serverName> --active-directory-auth Enabled\naz postgres flexible-server microsoft-entra-admin create --resource-group <resourceGroupName> --server-name <serverName> --object-id <objectId> --display-name <displayName>",
+      "NativeIaC": "",
+      "Other": "1. In the Azure Portal, open Azure Database for PostgreSQL flexible server and select the target server.\n2. Under Security > Authentication, set Microsoft Entra ID authentication (or combined mode) to Enabled and save the change.\n3. Under Security > Microsoft Entra ID, add at least one administrator (user or group) linked to an Entra object ID and confirm the assignment.",
+      "Terraform": "```hcl\ndata \"azurerm_client_config\" \"current\" {}\n\nresource \"azurerm_postgresql_flexible_server\" \"example\" {\n  name                = \"pg-flex\"\n  resource_group_name = azurerm_resource_group.example.name\n  location            = azurerm_resource_group.example.location\n  sku_name            = \"GP_Standard_D4s_v3\"\n  administrator_login = \"pgadmin\"\n  administrator_password = \"<complexPassword>\"\n  storage_mb          = 131072\n  version             = \"16\"\n\n  authentication {\n    active_directory_auth_enabled = true\n    tenant_id                     = data.azurerm_client_config.current.tenant_id\n  }\n}\n\nresource \"azurerm_postgresql_flexible_server_active_directory_administrator\" \"entra_admin\" {\n  server_id     = azurerm_postgresql_flexible_server.example.id\n  object_id     = var.entra_object_id\n  principal_name = var.entra_principal_name\n  principal_type = \"User\"\n  tenant_id     = data.azurerm_client_config.current.tenant_id\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Federate PostgreSQL Flexible Server access through **Microsoft Entra ID** so MFA, conditional access, and centralized RBAC govern logins. Maintain at least one delegated administrator group and rotate membership through identity governance processes.",
+      "Url": "https://hub.prowler.com/check/postgresql_flexible_server_entra_id_authentication_enabled"
+    }
+  },
+  "Categories": [
+    "identity-access"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check fails when Microsoft Entra ID authentication is disabled or no administrators are returned by the flexible server microsoft-entra-admin API."
+}

prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py

@@ -0,0 +1,43 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.postgresql.postgresql_client import (
+    postgresql_client,
+)
+
+
+class postgresql_flexible_server_entra_id_authentication_enabled(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for (
+            subscription,
+            flexible_servers,
+        ) in postgresql_client.flexible_servers.items():
+            for server in flexible_servers:
+                report = Check_Report_Azure(metadata=self.metadata(), resource=server)
+                report.subscription = subscription
+                # Default to FAIL
+                report.status = "FAIL"
+
+                # Check if Entra ID authentication is enabled
+                # Note: active_directory_auth is already normalized to uppercase in service layer
+                if (
+                    not server.active_directory_auth
+                    or server.active_directory_auth != "ENABLED"
+                ):
+                    report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has Microsoft Entra ID authentication disabled"
+                else:
+                    # Authentication is enabled, now check for admins
+                    admin_count = (
+                        len(server.entra_id_admins) if server.entra_id_admins else 0
+                    )
+
+                    if admin_count == 0:
+                        report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has Microsoft Entra ID authentication enabled but no Entra ID administrators configured"
+                    else:
+                        report.status = "PASS"
+                        admin_text = (
+                            "administrator" if admin_count == 1 else "administrators"
+                        )
+                        report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has Microsoft Entra ID authentication enabled with {admin_count} {admin_text} configured"
+                findings.append(report)
+
+        return findings