prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "mongodbatlas",
   "CheckID": "projects_auditing_enabled",
-  "CheckTitle": "Ensure database auditing is enabled",
+  "CheckTitle": "MongoDB Atlas project has database auditing enabled",
   "CheckType": [],
   "ServiceName": "projects",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "MongoDBAtlasProject",
-  "Description": "Ensure database auditing is enabled to track database operations and security events",
-  "Risk": "Without auditing enabled, security events and database operations are not logged, making it difficult to detect unauthorized access or troubleshoot issues",
+  "Description": "**MongoDB Atlas projects** with **database auditing** capture database operations and administrative events. The evaluation looks for an active audit configuration and, *when present*, notes any configured `audit_filter` that scopes which events are recorded.",
+  "Risk": "Without auditing, critical actions lack traceability, reducing **detectability** and impeding **forensics**. Attackers can mask unauthorized reads/writes and privilege changes, threatening data **confidentiality** and **integrity**, and weakening non-repudiation and incident response.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.mongodb.com/docs/manual/tutorial/configure-auditing/",
+    "https://www.mongodb.com/docs/atlas/architecture/current/auditing/",
+    "https://www.mongodb.com/docs/atlas/architecture/current/auditing-logging/?msockid=0878cc3dfa4e66a707beda0efb5a67b5",
+    "https://www.mongodb.com/docs/atlas/operator/current/ak8so-configure-audit-logs/",
+    "https://www.mongodb.com/docs/manual/core/auditing/",
+    "https://www.mongodb.com/docs/atlas/database-auditing/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "atlas auditing update --projectId <example_resource_id> --enabled",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. Sign in to MongoDB Atlas and open the target project\n2. In the left sidebar, click Security > Database & Network Access, then click Advanced\n3. Toggle Database Auditing to On\n4. Click Save",
+      "Terraform": "```hcl\nresource \"mongodbatlas_auditing\" \"example\" {\n  project_id = \"<example_resource_id>\"\n  enabled    = true  # Critical: turns on project-level database auditing to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable database auditing for the MongoDB Atlas project by configuring audit filters and destinations.",
-      "Url": "https://www.mongodb.com/docs/atlas/database-auditing/"
+      "Text": "Enable **auditing** and apply least-privilege filters to capture high-risk events:\n- authentication and session activity\n- DDL/config changes\n- user/role modifications and privilege grants\n\nCentralize logs in a SIEM, enforce retention/immutability with separation of duties, restrict access, and tune `auditAuthorizationSuccess` to balance coverage vs performance.",
+      "Url": "https://hub.prowler.com/check/projects_auditing_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json

@@ -1,29 +1,34 @@
 {
   "Provider": "mongodbatlas",
   "CheckID": "projects_network_access_list_exposed_to_internet",
-  "CheckTitle": "Ensure MongoDB Atlas project network access list is not exposed to the internet",
+  "CheckTitle": "MongoDB Atlas project network access list has entries and excludes 0.0.0.0/0, ::/0, 0.0.0.0, and ::",
   "CheckType": [],
   "ServiceName": "projects",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "MongoDBAtlasProject",
-  "Description": "Ensure that MongoDB Atlas projects have properly configured network access lists that don't allow unrestricted access from anywhere on the internet. Network access lists should be configured to allow access only from specific IP addresses, CIDR blocks, or AWS security groups to minimize the attack surface.",
-  "Risk": "If a MongoDB Atlas project has network access entries that allow unrestricted access (0.0.0.0/0 or ::/0), it exposes the database to potential attacks from anywhere on the internet. This significantly increases the risk of unauthorized access, data breaches, and malicious activities.",
-  "RelatedUrl": "https://docs.atlas.mongodb.com/security/ip-access-list/",
+  "Description": "**MongoDB Atlas project network access list** configuration is evaluated for entries that allow access from anywhere (`0.0.0.0/0`, `::/0`, `0.0.0.0`, `::`) or for missing access lists, instead of restricting connections to specific IPs or CIDRs.",
+  "Risk": "Internet-wide access enables scanning, brute force, and credential stuffing against database endpoints. A successful compromise can cause data exfiltration (**confidentiality**), unauthorized writes or drops (**integrity**), and service disruption or lockout (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.atlas.mongodb.com/security/ip-access-list/"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In MongoDB Atlas, open your project and go to Security > Database & Network Access > IP Access List\n2. Delete any entries equal to 0.0.0.0/0, ::/0, 0.0.0.0, or ::\n3. If the list becomes empty, click Add IP Address and add a specific IP/CIDR or an AWS Security Group (for a peered VPC)\n4. Click Save",
+      "Terraform": "```hcl\nresource \"mongodbatlas_project_ip_access_list\" \"<example_resource_name>\" {\n  project_id = \"<example_resource_id>\"\n  cidr_block = \"<ALLOWED_CIDR>\" # Critical: add a restricted CIDR (not 0.0.0.0/0 or ::/0) to ensure the list isn't empty and not open to the world\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure network access lists to allow access only from specific IP addresses, CIDR blocks, or AWS security groups. Remove any entries that allow unrestricted access (0.0.0.0/0 or ::/0) and replace them with more restrictive rules based on your application's requirements.",
-      "Url": "https://docs.atlas.mongodb.com/security/ip-access-list/"
+      "Text": "Apply **least privilege**: permit only required IPs/CIDRs or approved security groups; avoid `0.0.0.0/0` and `::/0`. Prefer **private connectivity** (VPC peering or private endpoints) over public access. Use temporary entries for short-lived admin needs and review lists regularly.",
+      "Url": "https://hub.prowler.com/check/projects_network_access_list_exposed_to_internet"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/oraclecloud/lib/arguments/arguments.py

@@ -5,9 +5,11 @@ from prowler.providers.oraclecloud.config import OCI_DEFAULT_CONFIG_FILE, OCI_RE
 
 
 def init_parser(self):
-    """Init the OCI Provider CLI parser"""
+    """Init the Oracle Cloud Infrastructure Provider CLI parser"""
     oci_parser = self.subparsers.add_parser(
-        "oci", parents=[self.common_providers_parser], help="OCI Provider"
+        "oraclecloud",
+        parents=[self.common_providers_parser],
+        help="Oracle Cloud Infrastructure Provider",
     )
 
     # Config File Authentication Options
@@ -109,15 +111,4 @@ def validate_arguments(arguments: Namespace) -> tuple[bool, str]:
             "Cannot use --use-instance-principal with --oci-config-file or --profile options",
         )
 
-    # # Validate compartment OCIDs if provided
-    # if arguments.compartment_id:
-    #     for compartment_id in arguments.compartment_id:
-    #         if not OciProvider.validate_ocid(compartment_id, "compartment"):
-    #             # Check if it's a tenancy OCID (root compartment)
-    #             if not OciProvider.validate_ocid(compartment_id, "tenancy"):
-    #                 return (
-    #                     False,
-    #                     f"Invalid compartment OCID: {compartment_id}",
-    #                 )
-
     return (True, "")

prowler/providers/oraclecloud/lib/service/service.py

@@ -1,7 +1,7 @@
 from concurrent.futures import ThreadPoolExecutor, as_completed
 
 from prowler.lib.logger import logger
-from prowler.providers.oraclecloud.oci_provider import OciProvider
+from prowler.providers.oraclecloud.oraclecloud_provider import OraclecloudProvider
 
 MAX_WORKERS = 10
 
@@ -16,13 +16,13 @@ class OCIService:
     - Handles compartment traversal
     """
 
-    def __init__(self, service: str, provider: OciProvider):
+    def __init__(self, service: str, provider: OraclecloudProvider):
         """
         Initialize the OCIService base class.
 
         Args:
             service (str): The OCI service name (e.g., 'compute', 'object_storage').
-            provider (OciProvider): The OCI provider instance.
+            provider (OraclecloudProvider): The Oracle Cloud Infrastructure provider instance.
         """
         # Audit Information
         self.provider = provider

prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py}

@@ -40,9 +40,9 @@ from prowler.providers.oraclecloud.models import (
 )
 
 
-class OciProvider(Provider):
+class OraclecloudProvider(Provider):
     """
-    OciProvider class is the main class for the OCI provider.
+    OraclecloudProvider class is the main class for the Oracle Cloud Infrastructure provider.
 
     This class is responsible for initializing the OCI provider, setting up the OCI session,
     validating the OCI credentials, getting the OCI identity, and managing compartments and regions.
@@ -58,7 +58,7 @@ class OciProvider(Provider):
         audit_metadata (Audit_Metadata): The audit metadata.
     """
 
-    _type: str = "oci"
+    _type: str = "oraclecloud"
     _identity: OCIIdentityInfo
     _session: OCISession
     _audit_config: dict
@@ -118,11 +118,11 @@ class OciProvider(Provider):
                     or
                     - export OCI_CLI_AUTH=instance_principal (for instance principal)
                 - To create a new OCI provider object:
-                    - oci = OciProvider()
-                    - oci = OciProvider(profile="profile_name")
-                    - oci = OciProvider(oci_config_file="/path/to/config")
-                    - oci = OciProvider(use_instance_principal=True)
-                    - oci = OciProvider(user="ocid1...", fingerprint="...", key_content="...", tenancy="ocid1...", region="us-ashburn-1")
+                    - oci = OraclecloudProvider()
+                    - oci = OraclecloudProvider(profile="profile_name")
+                    - oci = OraclecloudProvider(oci_config_file="/path/to/config")
+                    - oci = OraclecloudProvider(use_instance_principal=True)
+                    - oci = OraclecloudProvider(user="ocid1...", fingerprint="...", key_content="...", tenancy="ocid1...", region="us-ashburn-1")
         """
 
         logger.info("Initializing OCI provider ...")
@@ -439,7 +439,7 @@ class OciProvider(Provider):
                 )
 
             # Validate tenancy OCID format
-            if not OciProvider.validate_ocid(tenancy_id, "tenancy"):
+            if not OraclecloudProvider.validate_ocid(tenancy_id, "tenancy"):
                 raise OCIInvalidTenancyError(
                     file=pathlib.Path(__file__).name,
                     message=f"Invalid tenancy OCID format: {tenancy_id}",
@@ -817,11 +817,11 @@ class OciProvider(Provider):
             Exception: If there is an unexpected error.
 
         Examples:
-            >>> OciProvider.test_connection(profile="DEFAULT", raise_on_exception=False)
+            >>> OraclecloudProvider.test_connection(profile="DEFAULT", raise_on_exception=False)
             Connection(is_connected=True, Error=None)
-            >>> OciProvider.test_connection(use_instance_principal=True, raise_on_exception=False)
+            >>> OraclecloudProvider.test_connection(use_instance_principal=True, raise_on_exception=False)
             Connection(is_connected=True, Error=None)
-            >>> OciProvider.test_connection(
+            >>> OraclecloudProvider.test_connection(
                     user="ocid1.user.oc1..aaaaaa...",
                     fingerprint="12:34:56:78:...",
                     key_content="base64_encoded_key",
@@ -890,13 +890,13 @@ class OciProvider(Provider):
                 session = OCISession(config=config, signer=None, profile=None)
             else:
                 # Use traditional config file or instance principal authentication
-                session = OciProvider.setup_session(
+                session = OraclecloudProvider.setup_session(
                     oci_config_file=oci_config_file,
                     profile=profile,
                     use_instance_principal=use_instance_principal,
                 )
 
-            identity = OciProvider.set_identity(
+            identity = OraclecloudProvider.set_identity(
                 session=session,
                 region=region,
             )
@@ -1032,7 +1032,7 @@ class OciProvider(Provider):
             set: A set of region names.
 
         Example:
-            >>> OciProvider.get_regions()
+            >>> OraclecloudProvider.get_regions()
             {"us-ashburn-1", "us-phoenix-1", ...}
         """
         return set(OCI_REGIONS.keys())

prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json

@@ -1,34 +1,38 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "analytics_instance_access_restricted",
-  "CheckTitle": "Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Oracle Analytics Cloud instance is deployed within a Virtual Cloud Network or restricts public access to allowed sources",
+  "CheckType": [],
   "ServiceName": "analytics",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:analytics:instance",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AnalyticsInstance",
-  "Description": "Oracle Analytics Cloud access should be restricted or deployed in VCN.",
-  "Risk": "Not meeting this network security requirement increases risk of unauthorized access.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Network/home.htm",
+  "Description": "Oracle Analytics Cloud endpoints are evaluated for **network exposure**. Public endpoints must use **restricted allowlists** of specific IPs/CIDRs; presence of `0.0.0.0/0` or no allowed sources indicates unrestricted access. Instances using a **VCN/private endpoint** or public endpoints limited to specific sources align with the intended exposure model.",
+  "Risk": "Unrestricted OAC endpoints allow Internet-wide access to the login surface, enabling **credential stuffing** and **brute force**. Account takeover can expose **reports and data sources** (**confidentiality**), permit **dashboard/model changes** (**integrity**), and support **lateral movement** into connected systems.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.public.content.oci.oraclecloud.com/en-us/iaas/analytics-cloud/doc/public-endpoints-and-access-control-rules.html",
+    "https://docs.oracle.com/en/cloud/paas/analytics-cloud/acsds/connect-databases-deployed-public-ip-address.html",
+    "https://docs.oracle.com/en/cloud/paas/analytics-cloud/acoci/top-faqs-public-or-private-endpoint-security.html",
+    "https://docs.oracle.com/en/cloud/paas/analytics-cloud/acoci/manage-ingress-access-rules-public-endpoint-using-console.html",
+    "https://docs.oracle.com/en-us/iaas/analytics-cloud/doc/public-endpoints-and-access-control-rules.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In OCI Console, go to Analytics & AI > Analytics Cloud and select your instance\n2. On Instance Details, under Network Access, click Edit next to Access Control\n3. Remove any 0.0.0.0/0 entry (if present)\n4. Add an access rule with the specific allowed public IP or CIDR\n5. Click Save",
+      "Terraform": "```hcl\nresource \"oci_analytics_analytics_instance\" \"example\" {\n  compartment_id    = \"<example_resource_id>\"\n  name              = \"<example_resource_name>\"\n  feature_set       = \"ENTERPRISE_ANALYTICS\"\n  license_type      = \"LICENSE_INCLUDED\"\n  idcs_access_token = \"<example_resource_id>\"\n\n  capacity {\n    capacity_type  = \"OLPU_COUNT\"\n    capacity_value = 1\n  }\n\n  network_endpoint_details {\n    network_endpoint_type = \"PUBLIC\"\n    whitelisted_ips       = [\"<example_resource_id>\"] # Critical: restrict to specific allowed CIDR; not 0.0.0.0/0\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network",
-      "Url": "https://hub.prowler.com/check/oci/analytics_instance_access_restricted"
+      "Text": "Prefer **private deployment in a VCN** and apply **least privilege** network access. *If public is required*, enforce **allowlists** to specific IPs/CIDRs and never include `0.0.0.0/0`. Use **private access channels/service gateways**, require **MFA/SSO**, and apply **defense in depth** (WAF, audit monitoring) to reduce exposure.",
+      "Url": "https://hub.prowler.com/check/analytics_instance_access_restricted"
     }
   },
   "Categories": [
-    "network-security"
+    "internet-exposed",
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json

@@ -1,35 +1,35 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "audit_log_retention_period_365_days",
-  "CheckTitle": "Ensure audit log retention period is set to 365 days or greater",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Tenancy audit log retention period is 365 days or greater",
+  "CheckType": [],
   "ServiceName": "audit",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:audit:configuration",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "OciAudit",
-  "Description": "Ensure audit log retention period is set to 365 days or greater",
-  "Risk": "Inadequate audit logging increases risk of undetected security incidents.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Audit/Tasks/settingretentionperiod.htm",
+  "ResourceType": "Compartment",
+  "Description": "**OCI Audit configuration** defines tenancy-wide log retention for audit events. The finding evaluates whether the retention period (days) is `>= 365` and that an audit configuration exists, *applying across all regions and compartments*.",
+  "Risk": "**Insufficient audit retention** or missing configuration shrinks the **detection window** and breaks **accountability**.\n\nEvidence for older actions may be unavailable, enabling attackers to evade detection, mask **data exfiltration**, and impede **forensic reconstruction** and compliance reporting.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Audit/Tasks/settingretentionperiod.htm",
+    "https://docs.oracle.com/en-us/iaas/tools/terraform-provider-oci/4.88.1/docs/r/audit_configuration.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "oci audit configuration update --compartment-id <tenancy-ocid> --retention-period-days 365",
       "NativeIaC": "",
-      "Other": "1. Navigate to Governance > Audit\n2. Click Configuration\n3. Set retention period to 365 days or greater\n4. Save changes",
-      "Terraform": "resource \"oci_audit_configuration\" \"example\" {\n  compartment_id = var.tenancy_ocid\n  retention_period_days = 365\n}"
+      "Other": "1. Open the OCI Console and go to Governance & Administration > Audit\n2. Click Configuration\n3. Set Retention period (days) to 365\n4. Click Save",
+      "Terraform": "```hcl\nresource \"oci_audit_configuration\" \"<example_resource_name>\" {\n  compartment_id        = var.tenancy_ocid\n  retention_period_days = 365 # Critical: sets audit log retention to 365 days to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure audit log retention period is set to 365 days or greater",
-      "Url": "https://hub.prowler.com/check/oci/audit_log_retention_period_365_days"
+      "Text": "Set audit retention to `>= 365` days at the tenancy level and protect the setting with **least privilege** and **separation of duties**.\n\nAdopt **defense in depth**: export audit logs to centralized, immutable storage or a SIEM for extended retention, integrity, and continuous monitoring.",
+      "Url": "https://hub.prowler.com/check/audit_log_retention_period_365_days"
     }
   },
   "Categories": [
     "logging",
-    "security-configuration"
+    "forensics-ready"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json

@@ -1,35 +1,33 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "blockstorage_block_volume_encrypted_with_cmk",
-  "CheckTitle": "Ensure Block Volumes are encrypted with Customer Managed Keys",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Block volume is encrypted with a Customer Managed Key (CMK)",
+  "CheckType": [],
   "ServiceName": "blockstorage",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:blockstorage:volume",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "OciBlockVolume",
-  "Description": "Block volumes should be encrypted with Customer Managed Keys (CMK) for enhanced security and control over encryption keys.",
-  "Risk": "Using Oracle-managed encryption keys instead of Customer Managed Keys reduces control over encryption key lifecycle and access policies.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/overview.htm",
+  "ResourceType": "Volume",
+  "Description": "**OCI block volumes** use **Customer-Managed Keys** (`CMK`) from Vault for at-rest encryption instead of Oracle-managed keys.\n\nIdentifies whether a block volume has a customer-managed key associated for its encryption.",
+  "Risk": "Without **CMK**, encryption key control is limited, impacting confidentiality and auditability:\n- No rapid key disable/rotation to contain breaches\n- Weaker restrictions and visibility on decrypt operations\nThis can prolong unauthorized data access and hinder incident response and compliance.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/overview.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci bv volume create --compartment-id <compartment-ocid> --availability-domain <ad> --kms-key-id <kms-key-ocid>",
+      "CLI": "oci bv volume update --volume-id <VOLUME_OCID> --kms-key-id <KMS_KEY_OCID>",
       "NativeIaC": "",
-      "Other": "1. Navigate to Block Storage > Block Volumes\n2. Create a new volume or update existing\n3. Under 'Encryption', select 'Encrypt using customer-managed keys'\n4. Select the KMS vault and key\n5. Click 'Create' or 'Save Changes'",
-      "Terraform": "resource \"oci_core_volume\" \"example\" {\n  compartment_id = var.compartment_id\n  availability_domain = var.availability_domain\n  kms_key_id = var.kms_key_id\n}"
+      "Other": "1. In the OCI Console, go to Block Storage > Block Volumes\n2. Open the failing volume\n3. Click Edit\n4. Under Encryption, select \"Encrypt using customer-managed keys\" and choose the vault key\n5. Click Save changes",
+      "Terraform": "```hcl\nresource \"oci_core_volume\" \"<example_resource_name>\" {\n  compartment_id      = \"<example_resource_id>\"\n  availability_domain = \"<example_resource_name>\"\n  size_in_gbs         = 50\n\n  kms_key_id = \"<example_resource_id>\" # Critical: uses a Customer Managed Key to encrypt the volume\n}\n```"
     },
     "Recommendation": {
-      "Text": "Encrypt all block volumes with Customer Managed Keys for better security control.",
-      "Url": "https://hub.prowler.com/check/oci/blockstorage_block_volume_encrypted_with_cmk"
+      "Text": "Use **Customer-Managed Keys** in Vault for all block volumes.\n- Enforce least privilege and separation of duties on key usage\n- Rotate keys regularly and monitor KMS events\n- Validate that key disable/deny revokes data access\nApply the same controls to snapshots and backups.",
+      "Url": "https://hub.prowler.com/check/blockstorage_block_volume_encrypted_with_cmk"
     }
   },
   "Categories": [
-    "encryption",
-    "storage"
+    "encryption"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json

@@ -1,34 +1,34 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "blockstorage_boot_volume_encrypted_with_cmk",
-  "CheckTitle": "Ensure Boot Volumes are encrypted with Customer Managed Key",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Boot volume is encrypted with Customer Managed Key",
+  "CheckType": [],
   "ServiceName": "blockstorage",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:blockstorage:resource",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "OciBlockstorageResource",
-  "Description": "Boot volumes should be encrypted with Customer Managed Keys (CMK) for enhanced security and control over encryption keys.",
-  "Risk": "Not meeting this requirement increases security risk.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/",
+  "ResourceType": "BootVolume",
+  "Description": "Boot volumes use **customer-managed keys (CMEK)** when a Vault key is assigned (`kms_key_id` present), rather than default Oracle-managed encryption.",
+  "Risk": "Without **CMEK**, control over encryption is limited: you cannot rapidly disable or rotate keys to contain compromise, weakening **confidentiality** of boot data and backups. Provider-managed keys reduce **separation of duties** and **auditability**, hindering incident response and compliance for sensitive systems.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-BlockVolume/block-volumes-encrypted-with-cmks.html",
+    "https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Block/Concepts/managingblockencryptionkeys.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "oci bv boot-volume update --boot-volume-id <example_resource_id> --kms-key-id <example_resource_id>",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-BlockVolume/block-volumes-encrypted-with-cmks.html",
-      "Terraform": ""
+      "Other": "1. In the OCI Console, go to Storage > Block Storage > Boot Volumes\n2. Click the boot volume name\n3. Click Edit (or Assign master encryption key)\n4. Select a Customer-managed key from Vault\n5. Click Save",
+      "Terraform": "```hcl\nresource \"oci_core_boot_volume_kms_key\" \"<example_resource_name>\" {\n  boot_volume_id = \"<example_resource_id>\"  # Critical: target boot volume to update\n  kms_key_id     = \"<example_resource_id>\"  # Critical: assigns a Customer Managed Key (CMK) to the boot volume\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure Boot Volumes are encrypted with Customer Managed Key",
-      "Url": "https://hub.prowler.com/check/oci/blockstorage_boot_volume_encrypted_with_cmk"
+      "Text": "Encrypt boot volumes with **customer-managed keys** and enforce **least privilege** on key usage. Define a key lifecycle (new keys for rotation), monitor and audit key access, and restrict key scope to required compartments and services to achieve **defense in depth** and rapid revocation when needed.",
+      "Url": "https://hub.prowler.com/check/blockstorage_boot_volume_encrypted_with_cmk"
     }
   },
   "Categories": [
-    "security-configuration"
+    "encryption"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json

@@ -1,34 +1,33 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "cloudguard_enabled",
-  "CheckTitle": "Ensure Cloud Guard is enabled in the root compartment of the tenancy",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Cloud Guard is enabled in the root compartment of the tenancy",
+  "CheckType": [],
   "ServiceName": "cloudguard",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:cloudguard:configuration",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "OciCloudGuard",
-  "Description": "Ensure Cloud Guard is enabled in the root compartment of the tenancy",
-  "Risk": "Without Cloud Guard, security threats may not be detected and remediated.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm",
+  "ResourceType": "Compartment",
+  "Description": "**OCI Cloud Guard** status in the tenancy's root compartment is evaluated, expecting `ENABLED` to indicate the service is active for organization-wide detection and response.",
+  "Risk": "Without **Cloud Guard** at the root, signals across compartments can be missed, allowing misconfigurations and malicious activity to persist. This undermines confidentiality (undetected data access), integrity (unauthorized changes), and availability (ongoing abuse without automated response).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci cloud-guard configuration update --compartment-id <tenancy-ocid> --status ENABLED --reporting-region <region>",
+      "CLI": "oci cloud-guard cloud-guard-configuration update --compartment-id <tenancy-ocid> --status ENABLED --reporting-region <region>",
       "NativeIaC": "",
-      "Other": "1. Navigate to Security > Cloud Guard\n2. Enable Cloud Guard\n3. Select reporting region\n4. Configure detectors and responders",
-      "Terraform": "resource \"oci_cloud_guard_cloud_guard_configuration\" \"example\" {\n  compartment_id = var.tenancy_ocid\n  reporting_region = var.region\n  status = \"ENABLED\"\n}"
+      "Other": "1. In the OCI Console, go to Security > Cloud Guard\n2. Ensure the root compartment is selected\n3. Click Enable Cloud Guard\n4. Choose a Reporting region\n5. Click Enable",
+      "Terraform": "```hcl\nresource \"oci_cloud_guard_cloud_guard_configuration\" \"<example_resource_name>\" {\n  compartment_id   = var.tenancy_ocid\n  reporting_region = var.region\n  status           = \"ENABLED\" # Critical: Turns on Cloud Guard in the root compartment\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure Cloud Guard is enabled in the root compartment of the tenancy",
-      "Url": "https://hub.prowler.com/check/oci/cloudguard_enabled"
+      "Text": "Enable **Cloud Guard** at the tenancy root to centralize monitoring and automated response. Apply **defense in depth** by using detectors/responders, integrate alerts with monitoring, and enforce **least privilege** for its roles. Regularly tune policies and review findings to prevent blind spots.",
+      "Url": "https://hub.prowler.com/check/cloudguard_enabled"
     }
   },
   "Categories": [
-    "monitoring"
+    "forensics-ready"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "compute_instance_in_transit_encryption_enabled",
   "CheckTitle": "Ensure In-transit Encryption is enabled on Compute Instance",
   "CheckType": [

prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "compute_instance_legacy_metadata_endpoint_disabled",
   "CheckTitle": "Ensure Compute Instance Legacy Metadata service endpoint is disabled",
   "CheckType": [

prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "compute_instance_secure_boot_enabled",
   "CheckTitle": "Ensure Secure Boot is enabled on Compute Instance",
   "CheckType": [

prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "database_autonomous_database_access_restricted",
   "CheckTitle": "Ensure Oracle Autonomous Shared Database (ADB) access is restricted or deployed within a VCN",
   "CheckType": [

prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "events_notification_topic_and_subscription_exists",
   "CheckTitle": "Create at least one notification topic and subscription to receive monitoring alerts",
   "CheckType": [

prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "events_rule_cloudguard_problems",
   "CheckTitle": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
   "CheckType": [

prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "events_rule_iam_group_changes",
   "CheckTitle": "Ensure a notification is configured for IAM group changes",
   "CheckType": [

prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "events_rule_iam_policy_changes",
   "CheckTitle": "Ensure a notification is configured for IAM policy changes",
   "CheckType": [

prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "events_rule_identity_provider_changes",
   "CheckTitle": "Ensure a notification is configured for Identity Provider changes",
   "CheckType": [

prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json

@@ -1,5 +1,5 @@
 {
-  "Provider": "oci",
+  "Provider": "oraclecloud",
   "CheckID": "events_rule_idp_group_mapping_changes",
   "CheckTitle": "Ensure a notification is configured for IdP group mapping changes",
   "CheckType": [