prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (298) hide show
  1. dashboard/__main__.py +2 -1
  2. dashboard/compliance/c5_azure.py +43 -0
  3. dashboard/compliance/fedramp_20x_ksi_low_aws.py +46 -0
  4. dashboard/compliance/fedramp_20x_ksi_low_azure.py +46 -0
  5. dashboard/compliance/fedramp_20x_ksi_low_gcp.py +46 -0
  6. dashboard/compliance/hipaa_gcp.py +25 -0
  7. dashboard/compliance/nist_csf_2_0_aws.py +24 -0
  8. dashboard/compliance/prowler_threatscore_kubernetes.py +28 -0
  9. prowler/AGENTS.md +366 -0
  10. prowler/CHANGELOG.md +93 -2
  11. prowler/__main__.py +54 -7
  12. prowler/compliance/aws/ens_rd2022_aws.json +1 -1
  13. prowler/compliance/aws/fedramp_20x_ksi_low_aws.json +347 -0
  14. prowler/compliance/aws/nis2_aws.json +1 -1
  15. prowler/compliance/aws/nist_csf_2.0_aws.json +1781 -0
  16. prowler/compliance/azure/c5_azure.json +9471 -0
  17. prowler/compliance/azure/ens_rd2022_azure.json +1 -1
  18. prowler/compliance/azure/fedramp_20x_ksi_low_azure.json +358 -0
  19. prowler/compliance/azure/nis2_azure.json +1 -1
  20. prowler/compliance/gcp/c5_gcp.json +9401 -0
  21. prowler/compliance/gcp/ens_rd2022_gcp.json +1 -1
  22. prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json +293 -0
  23. prowler/compliance/gcp/hipaa_gcp.json +415 -0
  24. prowler/compliance/gcp/nis2_gcp.json +1 -1
  25. prowler/compliance/github/cis_1.0_github.json +6 -2
  26. prowler/compliance/kubernetes/prowler_threatscore_kubernetes.json +1269 -0
  27. prowler/compliance/m365/prowler_threatscore_m365.json +6 -6
  28. prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json} +1 -1
  29. prowler/config/config.py +59 -5
  30. prowler/config/config.yaml +3 -0
  31. prowler/lib/check/check.py +1 -9
  32. prowler/lib/check/checks_loader.py +65 -1
  33. prowler/lib/check/models.py +12 -2
  34. prowler/lib/check/utils.py +1 -7
  35. prowler/lib/cli/parser.py +17 -7
  36. prowler/lib/mutelist/mutelist.py +15 -7
  37. prowler/lib/outputs/compliance/c5/c5_azure.py +92 -0
  38. prowler/lib/outputs/compliance/c5/c5_gcp.py +92 -0
  39. prowler/lib/outputs/compliance/c5/models.py +54 -0
  40. prowler/lib/outputs/compliance/cis/{cis_oci.py → cis_oraclecloud.py} +7 -7
  41. prowler/lib/outputs/compliance/cis/models.py +3 -3
  42. prowler/lib/outputs/compliance/prowler_threatscore/models.py +29 -0
  43. prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_kubernetes.py +98 -0
  44. prowler/lib/outputs/finding.py +16 -5
  45. prowler/lib/outputs/html/html.py +10 -8
  46. prowler/lib/outputs/outputs.py +1 -1
  47. prowler/lib/outputs/summary_table.py +1 -1
  48. prowler/lib/powershell/powershell.py +12 -11
  49. prowler/lib/scan/scan.py +105 -24
  50. prowler/lib/utils/utils.py +1 -1
  51. prowler/providers/aws/aws_regions_by_service.json +73 -15
  52. prowler/providers/aws/lib/quick_inventory/quick_inventory.py +1 -1
  53. prowler/providers/aws/lib/security_hub/security_hub.py +1 -1
  54. prowler/providers/aws/services/account/account_service.py +1 -1
  55. prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +1 -3
  56. prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json +23 -12
  57. prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json +21 -12
  58. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +23 -12
  59. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +24 -12
  60. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +21 -12
  61. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +17 -11
  62. prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json +20 -12
  63. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json +22 -13
  64. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.metadata.json +22 -17
  65. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.metadata.json +18 -12
  66. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json +27 -13
  67. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +20 -12
  68. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +22 -12
  69. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +25 -12
  70. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +23 -12
  71. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.metadata.json +17 -12
  72. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +21 -12
  73. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +21 -12
  74. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +27 -12
  75. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +22 -12
  76. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +26 -12
  77. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +25 -12
  78. prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json +20 -11
  79. prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json +22 -12
  80. prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +28 -12
  81. prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json +22 -12
  82. prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json +15 -10
  83. prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json +19 -11
  84. prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json +21 -12
  85. prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json +19 -12
  86. prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json +24 -13
  87. prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json +35 -13
  88. prowler/providers/aws/services/codepipeline/__init__.py +0 -0
  89. prowler/providers/aws/services/codepipeline/codepipeline_client.py +6 -0
  90. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/__init__.py +0 -0
  91. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json +30 -0
  92. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py +95 -0
  93. prowler/providers/aws/services/codepipeline/codepipeline_service.py +164 -0
  94. prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json +18 -12
  95. prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json +18 -12
  96. prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json +24 -13
  97. prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json +23 -13
  98. prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json +24 -13
  99. prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json +19 -13
  100. prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json +20 -10
  101. prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json +26 -13
  102. prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json +20 -10
  103. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json +18 -11
  104. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json +16 -11
  105. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json +21 -13
  106. prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json +20 -12
  107. prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +17 -10
  108. prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json +21 -13
  109. prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json +18 -12
  110. prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json +18 -12
  111. prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json +19 -12
  112. prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json +16 -11
  113. prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json +22 -13
  114. prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json +19 -13
  115. prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json +21 -13
  116. prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json +22 -12
  117. prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.metadata.json +20 -12
  118. prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.metadata.json +21 -11
  119. prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.metadata.json +20 -11
  120. prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.metadata.json +18 -12
  121. prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.metadata.json +20 -13
  122. prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.metadata.json +21 -13
  123. prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.metadata.json +26 -13
  124. prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.metadata.json +19 -12
  125. prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.metadata.json +18 -12
  126. prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json +16 -12
  127. prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.metadata.json +21 -14
  128. prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.metadata.json +19 -13
  129. prowler/providers/aws/services/eks/eks_cluster_deletion_protection_enabled/eks_cluster_deletion_protection_enabled.metadata.json +20 -13
  130. prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.metadata.json +20 -13
  131. prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.metadata.json +20 -14
  132. prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.metadata.json +22 -13
  133. prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.metadata.json +19 -13
  134. prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json +21 -12
  135. prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +20 -13
  136. prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json +20 -12
  137. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json +21 -12
  138. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json +20 -13
  139. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json +23 -13
  140. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.metadata.json +21 -12
  141. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.metadata.json +22 -14
  142. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.metadata.json +20 -11
  143. prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.metadata.json +23 -13
  144. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json +18 -12
  145. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json +17 -12
  146. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json +17 -11
  147. prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.metadata.json +22 -13
  148. prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.metadata.json +24 -13
  149. prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.metadata.json +20 -11
  150. prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.metadata.json +20 -10
  151. prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.metadata.json +20 -11
  152. prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.metadata.json +20 -12
  153. prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json +19 -12
  154. prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.metadata.json +19 -11
  155. prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.metadata.json +17 -12
  156. prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.metadata.json +21 -13
  157. prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.metadata.json +19 -11
  158. prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.metadata.json +21 -12
  159. prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.metadata.json +18 -11
  160. prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json +17 -10
  161. prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.metadata.json +22 -13
  162. prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.metadata.json +18 -12
  163. prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.metadata.json +17 -12
  164. prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.metadata.json +18 -11
  165. prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.metadata.json +18 -12
  166. prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.metadata.json +16 -11
  167. prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.metadata.json +21 -13
  168. prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.metadata.json +24 -11
  169. prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.metadata.json +18 -11
  170. prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +26 -13
  171. prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json +21 -11
  172. prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json +24 -13
  173. prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +26 -14
  174. prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.metadata.json +26 -15
  175. prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +15 -16
  176. prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json +23 -11
  177. prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json +19 -12
  178. prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json +17 -12
  179. prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json +22 -13
  180. prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json +21 -12
  181. prowler/providers/aws/services/iam/lib/policy.py +24 -16
  182. prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json +21 -13
  183. prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json +22 -13
  184. prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +7 -2
  185. prowler/providers/azure/services/defender/defender_service.py +4 -2
  186. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/__init__.py +0 -0
  187. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +36 -0
  188. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py +43 -0
  189. prowler/providers/azure/services/postgresql/postgresql_service.py +66 -9
  190. prowler/providers/azure/services/storage/storage_service.py +13 -4
  191. prowler/providers/azure/services/vm/vm_service.py +4 -7
  192. prowler/providers/common/arguments.py +19 -16
  193. prowler/providers/common/provider.py +2 -18
  194. prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json +16 -15
  195. prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +30 -4
  196. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py +0 -0
  197. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json +36 -0
  198. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py +61 -0
  199. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json +12 -9
  200. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py +10 -3
  201. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py +0 -0
  202. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json +36 -0
  203. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py +40 -0
  204. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py +0 -0
  205. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json +36 -0
  206. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py +31 -0
  207. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py +0 -0
  208. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json +35 -0
  209. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py +55 -0
  210. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py +0 -0
  211. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json +36 -0
  212. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py +30 -0
  213. prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +48 -2
  214. prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py +0 -0
  215. prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json +35 -0
  216. prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py +36 -0
  217. prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json +14 -8
  218. prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py +0 -0
  219. prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json +30 -0
  220. prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py +106 -0
  221. prowler/providers/github/services/organization/organization_service.py +84 -10
  222. prowler/providers/iac/iac_provider.py +279 -55
  223. prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json +18 -13
  224. prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json +16 -11
  225. prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json +16 -11
  226. prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json +18 -13
  227. prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json +16 -12
  228. prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json +16 -11
  229. prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json +16 -10
  230. prowler/providers/m365/lib/powershell/m365_powershell.py +80 -93
  231. prowler/providers/m365/m365_provider.py +1 -6
  232. prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.py +17 -21
  233. prowler/providers/m365/services/exchange/exchange_service.py +18 -12
  234. prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py +9 -7
  235. prowler/providers/mongodbatlas/exceptions/exceptions.py +16 -0
  236. prowler/providers/mongodbatlas/mongodbatlas_provider.py +15 -3
  237. prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json +20 -9
  238. prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json +14 -9
  239. prowler/providers/oraclecloud/lib/arguments/arguments.py +4 -13
  240. prowler/providers/oraclecloud/lib/service/service.py +3 -3
  241. prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py} +15 -15
  242. prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +20 -16
  243. prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +17 -17
  244. prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +17 -19
  245. prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +18 -18
  246. prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +17 -18
  247. prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +1 -1
  248. prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +1 -1
  249. prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +1 -1
  250. prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +1 -1
  251. prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +1 -1
  252. prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +1 -1
  253. prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +1 -1
  254. prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +1 -1
  255. prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +1 -1
  256. prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +1 -1
  257. prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +1 -1
  258. prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +1 -1
  259. prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +1 -1
  260. prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +1 -1
  261. prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +1 -1
  262. prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +1 -1
  263. prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +1 -1
  264. prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +1 -1
  265. prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +1 -1
  266. prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +1 -1
  267. prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +1 -1
  268. prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +1 -1
  269. prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +1 -1
  270. prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +1 -1
  271. prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +1 -1
  272. prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +1 -1
  273. prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +1 -1
  274. prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +1 -1
  275. prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +1 -1
  276. prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +1 -1
  277. prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +1 -1
  278. prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +1 -1
  279. prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +1 -1
  280. prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +1 -1
  281. prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +1 -1
  282. prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +1 -1
  283. prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +1 -1
  284. prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +1 -1
  285. prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +1 -1
  286. prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +1 -1
  287. prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +1 -1
  288. prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +1 -1
  289. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +1 -1
  290. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +1 -1
  291. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +1 -1
  292. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +1 -1
  293. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/METADATA +17 -16
  294. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/RECORD +298 -249
  295. /prowler/compliance/{oci → oraclecloud}/__init__.py +0 -0
  296. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/LICENSE +0 -0
  297. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/WHEEL +0 -0
  298. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/entry_points.txt +0 -0
prowler/compliance/azure/ens_rd2022_azure.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "Framework": "ENS",
3
- "Name": "ENS RD 311/2022",
3
+ "Name": "ENS RD 311/2022 - Categoría Alta",
4
4
  "Version": "RD2022",
5
5
  "Provider": "AZURE",
6
6
  "Description": "The accreditation scheme of the ENS (National Security Scheme) has been developed by the Ministry of Finance and Public Administrations and the CCN (National Cryptological Center). This includes the basic principles and minimum requirements necessary for the adequate protection of information.",
prowler/compliance/azure/fedramp_20x_ksi_low_azure.json ADDED
@@ -0,0 +1,358 @@
1
+ {
2
+ "Framework": "FedRAMP-20x-KSI-Low",
3
+ "Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
4
+ "Version": "25.05C",
5
+ "Provider": "Azure",
6
+ "Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
7
+ "Requirements": [
8
+ {
9
+ "Id": "ksi-cmt",
10
+ "Name": "KSI-CMT: Change Management",
11
+ "Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
12
+ "Attributes": [
13
+ {
14
+ "ItemId": "ksi-cmt",
15
+ "Section": "Change Management",
16
+ "Service": "azure"
17
+ }
18
+ ],
19
+ "Checks": [
20
+ "monitor_activity_log_alert_cmk_delete",
21
+ "monitor_activity_log_alert_create_policy_assignment",
22
+ "monitor_activity_log_alert_create_update_delete_network_sg",
23
+ "monitor_activity_log_alert_create_update_delete_network_sg_rule",
24
+ "monitor_activity_log_alert_create_update_delete_sql_server_fw_rule",
25
+ "monitor_activity_log_alert_create_update_nsg",
26
+ "monitor_activity_log_alert_create_update_public_ip_address",
27
+ "monitor_activity_log_alert_create_update_security_solution",
28
+ "monitor_activity_log_alert_delete_nsg",
29
+ "monitor_activity_log_alert_delete_policy_assignment",
30
+ "monitor_activity_log_alert_delete_public_ip_address",
31
+ "monitor_activity_log_alert_delete_security_solution",
32
+ "monitor_log_profile_all_categories",
33
+ "monitor_log_profile_all_regions",
34
+ "vm_agent_installed",
35
+ "vm_antimalware_solution_installed",
36
+ "vm_endpoint_protection_installed",
37
+ "vm_guest_configuration_installed",
38
+ "vm_guest_configuration_with_no_managed_identity",
39
+ "vm_guest_configuration_with_user_identity"
40
+ ]
41
+ },
42
+ {
43
+ "Id": "ksi-cna",
44
+ "Name": "KSI-CNA: Cloud Native Architecture",
45
+ "Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
46
+ "Attributes": [
47
+ {
48
+ "ItemId": "ksi-cna",
49
+ "Section": "Cloud Native Architecture",
50
+ "Service": "azure"
51
+ }
52
+ ],
53
+ "Checks": [
54
+ "aks_clusters_created_with_private_nodes",
55
+ "aks_clusters_public_access_disabled",
56
+ "aks_network_policy_enabled",
57
+ "app_function_vnet_integration_enabled",
58
+ "app_function_not_publicly_accessible",
59
+ "containerregistry_not_publicly_accessible",
60
+ "containerregistry_uses_private_link",
61
+ "cosmosdb_account_use_private_endpoints",
62
+ "cosmosdb_account_firewall_use_selected_networks",
63
+ "databricks_workspace_vnet_injection_enabled",
64
+ "keyvault_access_only_through_private_endpoints",
65
+ "keyvault_private_endpoints",
66
+ "network_bastion_host_exists",
67
+ "network_flow_logs_enabled",
68
+ "network_security_group_not_empty",
69
+ "network_sg_ssh_access_restricted",
70
+ "network_sg_rdp_access_restricted",
71
+ "network_sg_open_all_ports_to_any_source",
72
+ "network_watcher_enabled",
73
+ "postgresql_flexible_server_public_network_access_disabled",
74
+ "sqlserver_public_network_access_disabled",
75
+ "storage_default_network_access_rule_set_to_deny",
76
+ "vm_availability_zones_enabled",
77
+ "vm_availability_set_deployed"
78
+ ]
79
+ },
80
+ {
81
+ "Id": "ksi-iam",
82
+ "Name": "KSI-IAM: Identity and Access Management",
83
+ "Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
84
+ "Attributes": [
85
+ {
86
+ "ItemId": "ksi-iam",
87
+ "Section": "Identity and Access Management",
88
+ "Service": "azure"
89
+ }
90
+ ],
91
+ "Checks": [
92
+ "entra_conditional_access_policy_require_mfa_for_management_api",
93
+ "entra_global_admin_in_less_than_five_users",
94
+ "entra_non_privileged_user_has_mfa",
95
+ "entra_policy_default_users_cannot_create_security_groups",
96
+ "entra_policy_ensure_default_user_cannot_create_apps",
97
+ "entra_policy_ensure_default_user_cannot_create_tenants",
98
+ "entra_policy_guest_invite_only_for_admin_roles",
99
+ "entra_policy_guest_users_access_restrictions",
100
+ "entra_policy_restricts_user_consent_for_apps",
101
+ "entra_policy_user_consent_for_verified_apps",
102
+ "entra_privileged_user_has_mfa",
103
+ "entra_security_defaults_enabled",
104
+ "entra_trusted_named_locations_exists",
105
+ "entra_user_with_vm_access_has_mfa",
106
+ "entra_users_cannot_create_microsoft_365_groups",
107
+ "iam_custom_role_has_permissions_to_administer_resource_locks",
108
+ "iam_role_user_access_admin_restricted",
109
+ "iam_subscription_roles_owner_custom_not_created",
110
+ "keyvault_rbac_enabled",
111
+ "app_function_identity_is_configured",
112
+ "app_function_identity_without_admin_privileges",
113
+ "app_ensure_auth_is_set_up",
114
+ "app_register_with_identity",
115
+ "vm_managed_identity_enabled"
116
+ ]
117
+ },
118
+ {
119
+ "Id": "ksi-inr",
120
+ "Name": "KSI-INR: Incident Response",
121
+ "Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
122
+ "Attributes": [
123
+ {
124
+ "ItemId": "ksi-inr",
125
+ "Section": "Incident Response",
126
+ "Service": "azure"
127
+ }
128
+ ],
129
+ "Checks": [
130
+ "defender_attack_path_notifications_properly_configured",
131
+ "defender_ensure_notify_alerts_severity_is_high",
132
+ "defender_ensure_notify_emails_to_owners",
133
+ "defender_additional_email_configured_with_a_security_contact",
134
+ "defender_container_images_resolved_vulnerabilities",
135
+ "defender_container_images_scan_enabled",
136
+ "defender_ensure_defender_for_app_services_is_on",
137
+ "defender_ensure_defender_for_arm_is_on",
138
+ "defender_ensure_defender_for_azure_sql_databases_is_on",
139
+ "defender_ensure_defender_for_containers_is_on",
140
+ "defender_ensure_defender_for_cosmosdb_is_on",
141
+ "defender_ensure_defender_for_databases_is_on",
142
+ "defender_ensure_defender_for_dns_is_on",
143
+ "defender_ensure_defender_for_keyvault_is_on",
144
+ "defender_ensure_defender_for_os_relational_databases_is_on",
145
+ "defender_ensure_defender_for_server_is_on",
146
+ "defender_ensure_defender_for_sql_servers_is_on",
147
+ "defender_ensure_defender_for_storage_is_on",
148
+ "defender_ensure_iot_hub_defender_is_on",
149
+ "defender_ensure_wdatp_is_enabled"
150
+ ]
151
+ },
152
+ {
153
+ "Id": "ksi-mla",
154
+ "Name": "KSI-MLA: Monitoring, Logging, and Auditing",
155
+ "Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
156
+ "Attributes": [
157
+ {
158
+ "ItemId": "ksi-mla",
159
+ "Section": "Monitoring, Logging, and Auditing",
160
+ "Service": "azure"
161
+ }
162
+ ],
163
+ "Checks": [
164
+ "app_function_application_insights_enabled",
165
+ "app_http_logs_enabled",
166
+ "appinsights_ensure_is_configured",
167
+ "defender_auto_provisioning_log_analytics_agent_vms_on",
168
+ "defender_auto_provisioning_vulnerabilty_assessments_machines_on",
169
+ "keyvault_logging_enabled",
170
+ "monitor_activity_log_retention_policy_set",
171
+ "monitor_diagnostic_logs_categories",
172
+ "monitor_diagnostic_setting_deployed_for_all_resources",
173
+ "monitor_diagnostic_settings_captures_proper_categories",
174
+ "monitor_log_profile_all_categories",
175
+ "monitor_log_profile_all_regions",
176
+ "monitor_log_profile_captures_all_activities",
177
+ "monitor_log_profile_retention_policy_at_least_365",
178
+ "network_flow_logs_enabled",
179
+ "network_flow_log_retention_policy_at_least_90",
180
+ "network_watcher_enabled",
181
+ "postgresql_flexible_server_audit_logs_enabled",
182
+ "postgresql_flexible_server_log_checkpoints_enabled",
183
+ "postgresql_flexible_server_log_connections_enabled",
184
+ "postgresql_flexible_server_log_disconnections_enabled",
185
+ "sqlserver_auditing_on",
186
+ "sqlserver_auditing_retention_90_days",
187
+ "storage_storage_account_logging_queue_read_write_delete_enabled"
188
+ ]
189
+ },
190
+ {
191
+ "Id": "ksi-piy",
192
+ "Name": "KSI-PIY: Policy and Inventory",
193
+ "Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
194
+ "Attributes": [
195
+ {
196
+ "ItemId": "ksi-piy",
197
+ "Section": "Policy and Inventory",
198
+ "Service": "azure"
199
+ }
200
+ ],
201
+ "Checks": [
202
+ "policy_ensure_asc_for_aks_is_enabled",
203
+ "policy_ensure_asc_for_app_services_is_enabled",
204
+ "policy_ensure_asc_for_azure_sql_is_enabled",
205
+ "policy_ensure_asc_for_key_vault_is_enabled",
206
+ "policy_ensure_asc_for_servers_is_enabled",
207
+ "policy_ensure_asc_for_sql_servers_is_enabled",
208
+ "policy_ensure_asc_for_storage_is_enabled",
209
+ "policy_ensure_allowed_extensions_are_installed",
210
+ "policy_ensure_allowed_locations_is_enabled",
211
+ "policy_ensure_allowed_resource_types_is_enabled",
212
+ "policy_ensure_audit_diagnostic_log_enabled_for_all_services",
213
+ "policy_ensure_not_allowed_resource_types_is_enabled",
214
+ "vm_guest_configuration_installed",
215
+ "vm_guest_configuration_with_no_managed_identity",
216
+ "vm_guest_configuration_with_user_identity"
217
+ ]
218
+ },
219
+ {
220
+ "Id": "ksi-rpl",
221
+ "Name": "KSI-RPL: Recovery Planning",
222
+ "Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
223
+ "Attributes": [
224
+ {
225
+ "ItemId": "ksi-rpl",
226
+ "Section": "Recovery Planning",
227
+ "Service": "azure"
228
+ }
229
+ ],
230
+ "Checks": [
231
+ "mysql_flexible_server_geo_redundant_backup_enabled",
232
+ "mysql_flexible_server_retain_backup_35_days",
233
+ "postgresql_flexible_server_geo_redundant_backup_enabled",
234
+ "postgresql_flexible_server_backup_retention_period_35_days",
235
+ "recovery_services_vault_uses_private_link",
236
+ "recovery_services_vault_uses_private_link_for_backup",
237
+ "sqlserver_database_long_term_geo_redundant_backup",
238
+ "sqlserver_database_retention_policy_exceeds_90_days",
239
+ "storage_default_storage_account_encrypted_with_cmk_not_stored_in_storage_account",
240
+ "storage_geo_redundant_enabled",
241
+ "storage_infrastructure_encryption_is_enabled",
242
+ "storage_soft_delete_containers_enabled",
243
+ "storage_soft_delete_enabled",
244
+ "vm_backup_enabled",
245
+ "vm_sufficient_daily_backup_retention_period"
246
+ ]
247
+ },
248
+ {
249
+ "Id": "ksi-svc",
250
+ "Name": "KSI-SVC: Service Configuration",
251
+ "Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
252
+ "Attributes": [
253
+ {
254
+ "ItemId": "ksi-svc",
255
+ "Section": "Service Configuration",
256
+ "Service": "azure"
257
+ }
258
+ ],
259
+ "Checks": [
260
+ "app_client_certificates_on",
261
+ "app_ensure_http_is_redirected_to_https",
262
+ "app_minimum_tls_version_12",
263
+ "containerregistry_admin_user_disabled",
264
+ "cosmosdb_account_use_aad_and_rbac",
265
+ "databricks_workspace_cmk_encryption_enabled",
266
+ "keyvault_key_expiration_set_in_non_rbac",
267
+ "keyvault_key_rotation_enabled",
268
+ "keyvault_non_rbac_secret_expiration_set",
269
+ "mysql_flexible_server_encrypted_at_rest_using_cmk",
270
+ "mysql_flexible_server_encrypted_in_transit",
271
+ "mysql_flexible_server_minimum_tls_version_tls12",
272
+ "postgresql_flexible_server_encrypted_at_rest_using_cmk",
273
+ "postgresql_flexible_server_encrypted_in_transit",
274
+ "postgresql_flexible_server_minimum_tls_version_tls12",
275
+ "sqlserver_advanced_data_security_enabled",
276
+ "sqlserver_database_encryption_with_cmk",
277
+ "sqlserver_database_tde_encryption_enabled",
278
+ "sqlserver_minimum_tls_version_12",
279
+ "storage_secure_transfer_required_enabled",
280
+ "storage_default_storage_account_encrypted_with_cmk",
281
+ "storage_infrastructure_encryption_is_enabled",
282
+ "storage_storage_account_encrypted_with_cmk",
283
+ "storage_storage_account_minimum_tls_version_tls12",
284
+ "vm_encrypted_at_host",
285
+ "vm_data_disks_encrypted_with_cmk",
286
+ "vm_managed_disks_encrypted_with_cmk",
287
+ "vm_os_disk_are_encrypted_with_cmk",
288
+ "vm_temporary_disks_and_cache_encrypted"
289
+ ]
290
+ },
291
+ {
292
+ "Id": "ksi-tpr",
293
+ "Name": "KSI-TPR: Third-Party Information Resources",
294
+ "Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
295
+ "Attributes": [
296
+ {
297
+ "ItemId": "ksi-tpr",
298
+ "Section": "Third-Party Information Resources",
299
+ "Service": "azure"
300
+ }
301
+ ],
302
+ "Checks": [
303
+ "app_ensure_java_version_is_latest",
304
+ "app_ensure_php_version_is_latest",
305
+ "app_ensure_python_version_is_latest",
306
+ "app_function_latest_runtime_version",
307
+ "defender_container_images_resolved_vulnerabilities",
308
+ "defender_container_images_scan_enabled",
309
+ "defender_ensure_system_updates_are_applied",
310
+ "vm_agent_installed",
311
+ "vm_antimalware_solution_installed",
312
+ "vm_endpoint_protection_installed",
313
+ "vm_os_update_system_updates",
314
+ "vm_security_patch_assessment"
315
+ ]
316
+ },
317
+ {
318
+ "Id": "ksi-iam-07",
319
+ "Name": "KSI-IAM-07: Account Lifecycle Management",
320
+ "Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
321
+ "Attributes": [
322
+ {
323
+ "ItemId": "ksi-iam-07",
324
+ "Section": "Identity and Access Management",
325
+ "Service": "azure"
326
+ }
327
+ ],
328
+ "Checks": [
329
+ "entra_non_privileged_user_has_mfa",
330
+ "entra_privileged_user_has_mfa",
331
+ "entra_user_with_vm_access_has_mfa",
332
+ "iam_custom_role_has_permissions_to_administer_resource_locks",
333
+ "iam_role_user_access_admin_restricted",
334
+ "app_function_identity_is_configured",
335
+ "vm_managed_identity_enabled"
336
+ ]
337
+ },
338
+ {
339
+ "Id": "ksi-mla-07",
340
+ "Name": "KSI-MLA-07: Monitoring and Logging Inventory",
341
+ "Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
342
+ "Attributes": [
343
+ {
344
+ "ItemId": "ksi-mla-07",
345
+ "Section": "Monitoring, Logging, and Auditing",
346
+ "Service": "azure"
347
+ }
348
+ ],
349
+ "Checks": [
350
+ "monitor_log_profile_all_categories",
351
+ "monitor_log_profile_all_regions",
352
+ "monitor_log_profile_captures_all_activities",
353
+ "monitor_diagnostic_setting_deployed_for_all_resources",
354
+ "network_watcher_enabled"
355
+ ]
356
+ }
357
+ ]
358
+ }
prowler/compliance/azure/nis2_azure.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "Framework": "NIS2",
3
- "Name": "Network and Information Security Directive (Directive (EU) 2022/2555)",
3
+ "Name": "NIS2 - Network and Information Security Directive (Directive (EU) 2022/2555)",
4
4
  "Version": "",
5
5
  "Provider": "Azure",
6
6
  "Description": "ANNEX to the Commission Implementing Regulation laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers",