prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (298) hide show
  1. dashboard/__main__.py +2 -1
  2. dashboard/compliance/c5_azure.py +43 -0
  3. dashboard/compliance/fedramp_20x_ksi_low_aws.py +46 -0
  4. dashboard/compliance/fedramp_20x_ksi_low_azure.py +46 -0
  5. dashboard/compliance/fedramp_20x_ksi_low_gcp.py +46 -0
  6. dashboard/compliance/hipaa_gcp.py +25 -0
  7. dashboard/compliance/nist_csf_2_0_aws.py +24 -0
  8. dashboard/compliance/prowler_threatscore_kubernetes.py +28 -0
  9. prowler/AGENTS.md +366 -0
  10. prowler/CHANGELOG.md +93 -2
  11. prowler/__main__.py +54 -7
  12. prowler/compliance/aws/ens_rd2022_aws.json +1 -1
  13. prowler/compliance/aws/fedramp_20x_ksi_low_aws.json +347 -0
  14. prowler/compliance/aws/nis2_aws.json +1 -1
  15. prowler/compliance/aws/nist_csf_2.0_aws.json +1781 -0
  16. prowler/compliance/azure/c5_azure.json +9471 -0
  17. prowler/compliance/azure/ens_rd2022_azure.json +1 -1
  18. prowler/compliance/azure/fedramp_20x_ksi_low_azure.json +358 -0
  19. prowler/compliance/azure/nis2_azure.json +1 -1
  20. prowler/compliance/gcp/c5_gcp.json +9401 -0
  21. prowler/compliance/gcp/ens_rd2022_gcp.json +1 -1
  22. prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json +293 -0
  23. prowler/compliance/gcp/hipaa_gcp.json +415 -0
  24. prowler/compliance/gcp/nis2_gcp.json +1 -1
  25. prowler/compliance/github/cis_1.0_github.json +6 -2
  26. prowler/compliance/kubernetes/prowler_threatscore_kubernetes.json +1269 -0
  27. prowler/compliance/m365/prowler_threatscore_m365.json +6 -6
  28. prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json} +1 -1
  29. prowler/config/config.py +59 -5
  30. prowler/config/config.yaml +3 -0
  31. prowler/lib/check/check.py +1 -9
  32. prowler/lib/check/checks_loader.py +65 -1
  33. prowler/lib/check/models.py +12 -2
  34. prowler/lib/check/utils.py +1 -7
  35. prowler/lib/cli/parser.py +17 -7
  36. prowler/lib/mutelist/mutelist.py +15 -7
  37. prowler/lib/outputs/compliance/c5/c5_azure.py +92 -0
  38. prowler/lib/outputs/compliance/c5/c5_gcp.py +92 -0
  39. prowler/lib/outputs/compliance/c5/models.py +54 -0
  40. prowler/lib/outputs/compliance/cis/{cis_oci.py → cis_oraclecloud.py} +7 -7
  41. prowler/lib/outputs/compliance/cis/models.py +3 -3
  42. prowler/lib/outputs/compliance/prowler_threatscore/models.py +29 -0
  43. prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_kubernetes.py +98 -0
  44. prowler/lib/outputs/finding.py +16 -5
  45. prowler/lib/outputs/html/html.py +10 -8
  46. prowler/lib/outputs/outputs.py +1 -1
  47. prowler/lib/outputs/summary_table.py +1 -1
  48. prowler/lib/powershell/powershell.py +12 -11
  49. prowler/lib/scan/scan.py +105 -24
  50. prowler/lib/utils/utils.py +1 -1
  51. prowler/providers/aws/aws_regions_by_service.json +73 -15
  52. prowler/providers/aws/lib/quick_inventory/quick_inventory.py +1 -1
  53. prowler/providers/aws/lib/security_hub/security_hub.py +1 -1
  54. prowler/providers/aws/services/account/account_service.py +1 -1
  55. prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +1 -3
  56. prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json +23 -12
  57. prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json +21 -12
  58. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +23 -12
  59. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +24 -12
  60. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +21 -12
  61. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +17 -11
  62. prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json +20 -12
  63. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json +22 -13
  64. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.metadata.json +22 -17
  65. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.metadata.json +18 -12
  66. prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json +27 -13
  67. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +20 -12
  68. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +22 -12
  69. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +25 -12
  70. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +23 -12
  71. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.metadata.json +17 -12
  72. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +21 -12
  73. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +21 -12
  74. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +27 -12
  75. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +22 -12
  76. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +26 -12
  77. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +25 -12
  78. prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json +20 -11
  79. prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json +22 -12
  80. prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +28 -12
  81. prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json +22 -12
  82. prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json +15 -10
  83. prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json +19 -11
  84. prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json +21 -12
  85. prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json +19 -12
  86. prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json +24 -13
  87. prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json +35 -13
  88. prowler/providers/aws/services/codepipeline/__init__.py +0 -0
  89. prowler/providers/aws/services/codepipeline/codepipeline_client.py +6 -0
  90. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/__init__.py +0 -0
  91. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json +30 -0
  92. prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py +95 -0
  93. prowler/providers/aws/services/codepipeline/codepipeline_service.py +164 -0
  94. prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json +18 -12
  95. prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json +18 -12
  96. prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json +24 -13
  97. prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json +23 -13
  98. prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json +24 -13
  99. prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json +19 -13
  100. prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json +20 -10
  101. prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json +26 -13
  102. prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json +20 -10
  103. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json +18 -11
  104. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json +16 -11
  105. prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json +21 -13
  106. prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json +20 -12
  107. prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +17 -10
  108. prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json +21 -13
  109. prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json +18 -12
  110. prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json +18 -12
  111. prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json +19 -12
  112. prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json +16 -11
  113. prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json +22 -13
  114. prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json +19 -13
  115. prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json +21 -13
  116. prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json +22 -12
  117. prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.metadata.json +20 -12
  118. prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.metadata.json +21 -11
  119. prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.metadata.json +20 -11
  120. prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.metadata.json +18 -12
  121. prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.metadata.json +20 -13
  122. prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.metadata.json +21 -13
  123. prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.metadata.json +26 -13
  124. prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.metadata.json +19 -12
  125. prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.metadata.json +18 -12
  126. prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json +16 -12
  127. prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.metadata.json +21 -14
  128. prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.metadata.json +19 -13
  129. prowler/providers/aws/services/eks/eks_cluster_deletion_protection_enabled/eks_cluster_deletion_protection_enabled.metadata.json +20 -13
  130. prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.metadata.json +20 -13
  131. prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.metadata.json +20 -14
  132. prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.metadata.json +22 -13
  133. prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.metadata.json +19 -13
  134. prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json +21 -12
  135. prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +20 -13
  136. prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json +20 -12
  137. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json +21 -12
  138. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json +20 -13
  139. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json +23 -13
  140. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.metadata.json +21 -12
  141. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.metadata.json +22 -14
  142. prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.metadata.json +20 -11
  143. prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.metadata.json +23 -13
  144. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json +18 -12
  145. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json +17 -12
  146. prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json +17 -11
  147. prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.metadata.json +22 -13
  148. prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.metadata.json +24 -13
  149. prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.metadata.json +20 -11
  150. prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.metadata.json +20 -10
  151. prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.metadata.json +20 -11
  152. prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.metadata.json +20 -12
  153. prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json +19 -12
  154. prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.metadata.json +19 -11
  155. prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.metadata.json +17 -12
  156. prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.metadata.json +21 -13
  157. prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.metadata.json +19 -11
  158. prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.metadata.json +21 -12
  159. prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.metadata.json +18 -11
  160. prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json +17 -10
  161. prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.metadata.json +22 -13
  162. prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.metadata.json +18 -12
  163. prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.metadata.json +17 -12
  164. prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.metadata.json +18 -11
  165. prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.metadata.json +18 -12
  166. prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.metadata.json +16 -11
  167. prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.metadata.json +21 -13
  168. prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.metadata.json +24 -11
  169. prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.metadata.json +18 -11
  170. prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +26 -13
  171. prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json +21 -11
  172. prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json +24 -13
  173. prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +26 -14
  174. prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.metadata.json +26 -15
  175. prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +15 -16
  176. prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json +23 -11
  177. prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json +19 -12
  178. prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json +17 -12
  179. prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json +22 -13
  180. prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json +21 -12
  181. prowler/providers/aws/services/iam/lib/policy.py +24 -16
  182. prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json +21 -13
  183. prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json +22 -13
  184. prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +7 -2
  185. prowler/providers/azure/services/defender/defender_service.py +4 -2
  186. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/__init__.py +0 -0
  187. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +36 -0
  188. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py +43 -0
  189. prowler/providers/azure/services/postgresql/postgresql_service.py +66 -9
  190. prowler/providers/azure/services/storage/storage_service.py +13 -4
  191. prowler/providers/azure/services/vm/vm_service.py +4 -7
  192. prowler/providers/common/arguments.py +19 -16
  193. prowler/providers/common/provider.py +2 -18
  194. prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json +16 -15
  195. prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +30 -4
  196. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py +0 -0
  197. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json +36 -0
  198. prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py +61 -0
  199. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json +12 -9
  200. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py +10 -3
  201. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py +0 -0
  202. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json +36 -0
  203. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py +40 -0
  204. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py +0 -0
  205. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json +36 -0
  206. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py +31 -0
  207. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py +0 -0
  208. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json +35 -0
  209. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py +55 -0
  210. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py +0 -0
  211. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json +36 -0
  212. prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py +30 -0
  213. prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +48 -2
  214. prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py +0 -0
  215. prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json +35 -0
  216. prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py +36 -0
  217. prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json +14 -8
  218. prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py +0 -0
  219. prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json +30 -0
  220. prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py +106 -0
  221. prowler/providers/github/services/organization/organization_service.py +84 -10
  222. prowler/providers/iac/iac_provider.py +279 -55
  223. prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json +18 -13
  224. prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json +16 -11
  225. prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json +16 -11
  226. prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json +18 -13
  227. prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json +16 -12
  228. prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json +16 -11
  229. prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json +16 -10
  230. prowler/providers/m365/lib/powershell/m365_powershell.py +80 -93
  231. prowler/providers/m365/m365_provider.py +1 -6
  232. prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.py +17 -21
  233. prowler/providers/m365/services/exchange/exchange_service.py +18 -12
  234. prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py +9 -7
  235. prowler/providers/mongodbatlas/exceptions/exceptions.py +16 -0
  236. prowler/providers/mongodbatlas/mongodbatlas_provider.py +15 -3
  237. prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json +20 -9
  238. prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json +14 -9
  239. prowler/providers/oraclecloud/lib/arguments/arguments.py +4 -13
  240. prowler/providers/oraclecloud/lib/service/service.py +3 -3
  241. prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py} +15 -15
  242. prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +20 -16
  243. prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +17 -17
  244. prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +17 -19
  245. prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +18 -18
  246. prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +17 -18
  247. prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +1 -1
  248. prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +1 -1
  249. prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +1 -1
  250. prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +1 -1
  251. prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +1 -1
  252. prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +1 -1
  253. prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +1 -1
  254. prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +1 -1
  255. prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +1 -1
  256. prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +1 -1
  257. prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +1 -1
  258. prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +1 -1
  259. prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +1 -1
  260. prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +1 -1
  261. prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +1 -1
  262. prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +1 -1
  263. prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +1 -1
  264. prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +1 -1
  265. prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +1 -1
  266. prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +1 -1
  267. prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +1 -1
  268. prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +1 -1
  269. prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +1 -1
  270. prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +1 -1
  271. prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +1 -1
  272. prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +1 -1
  273. prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +1 -1
  274. prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +1 -1
  275. prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +1 -1
  276. prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +1 -1
  277. prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +1 -1
  278. prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +1 -1
  279. prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +1 -1
  280. prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +1 -1
  281. prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +1 -1
  282. prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +1 -1
  283. prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +1 -1
  284. prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +1 -1
  285. prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +1 -1
  286. prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +1 -1
  287. prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +1 -1
  288. prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +1 -1
  289. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +1 -1
  290. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +1 -1
  291. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +1 -1
  292. prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +1 -1
  293. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/METADATA +17 -16
  294. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/RECORD +298 -249
  295. /prowler/compliance/{oci → oraclecloud}/__init__.py +0 -0
  296. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/LICENSE +0 -0
  297. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/WHEEL +0 -0
  298. {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/entry_points.txt +0 -0
prowler/compliance/gcp/ens_rd2022_gcp.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "Framework": "ENS",
3
- "Name": "ENS RD 311/2022",
3
+ "Name": "ENS RD 311/2022 - Categoría Alta",
4
4
  "Version": "RD2022",
5
5
  "Provider": "GCP",
6
6
  "Description": "The accreditation scheme of the ENS (National Security Scheme) has been developed by the Ministry of Finance and Public Administrations and the CCN (National Cryptological Center). This includes the basic principles and minimum requirements necessary for the adequate protection of information.",
prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json ADDED
@@ -0,0 +1,293 @@
1
+ {
2
+ "Framework": "FedRAMP-20x-KSI-Low",
3
+ "Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
4
+ "Version": "25.05C",
5
+ "Provider": "GCP",
6
+ "Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
7
+ "Requirements": [
8
+ {
9
+ "Id": "ksi-cmt",
10
+ "Name": "KSI-CMT: Change Management",
11
+ "Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
12
+ "Attributes": [
13
+ {
14
+ "ItemId": "ksi-cmt",
15
+ "Section": "Change Management",
16
+ "Service": "gcp"
17
+ }
18
+ ],
19
+ "Checks": [
20
+ "iam_audit_logs_enabled",
21
+ "iam_cloud_asset_inventory_enabled",
22
+ "logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
23
+ "logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
24
+ "logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
25
+ "logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
26
+ "logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
27
+ "logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
28
+ "logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
29
+ "logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
30
+ "compute_instance_serial_ports_in_use",
31
+ "compute_project_os_login_enabled"
32
+ ]
33
+ },
34
+ {
35
+ "Id": "ksi-cna",
36
+ "Name": "KSI-CNA: Cloud Native Architecture",
37
+ "Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
38
+ "Attributes": [
39
+ {
40
+ "ItemId": "ksi-cna",
41
+ "Section": "Cloud Native Architecture",
42
+ "Service": "gcp"
43
+ }
44
+ ],
45
+ "Checks": [
46
+ "cloudsql_instance_private_ip_assignment",
47
+ "cloudsql_instance_public_access",
48
+ "cloudsql_instance_public_ip",
49
+ "cloudstorage_bucket_uniform_bucket_level_access",
50
+ "compute_firewall_rdp_access_from_the_internet_allowed",
51
+ "compute_firewall_ssh_access_from_the_internet_allowed",
52
+ "compute_instance_block_project_wide_ssh_keys_disabled",
53
+ "compute_instance_confidential_computing_enabled",
54
+ "compute_instance_ip_forwarding_is_enabled",
55
+ "compute_instance_public_ip",
56
+ "compute_instance_shielded_vm_enabled",
57
+ "compute_loadbalancer_logging_enabled",
58
+ "compute_network_default_in_use",
59
+ "compute_network_dns_logging_enabled",
60
+ "compute_network_not_legacy",
61
+ "compute_subnet_flow_logs_enabled",
62
+ "gke_cluster_no_default_service_account"
63
+ ]
64
+ },
65
+ {
66
+ "Id": "ksi-iam",
67
+ "Name": "KSI-IAM: Identity and Access Management",
68
+ "Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
69
+ "Attributes": [
70
+ {
71
+ "ItemId": "ksi-iam",
72
+ "Section": "Identity and Access Management",
73
+ "Service": "gcp"
74
+ }
75
+ ],
76
+ "Checks": [
77
+ "apikeys_api_restrictions_configured",
78
+ "apikeys_key_exists",
79
+ "apikeys_key_rotated_in_90_days",
80
+ "compute_instance_default_service_account_in_use",
81
+ "compute_instance_default_service_account_in_use_with_full_api_access",
82
+ "iam_no_service_roles_at_project_level",
83
+ "iam_role_kms_enforce_separation_of_duties",
84
+ "iam_role_sa_enforce_separation_of_duties",
85
+ "iam_sa_no_administrative_privileges",
86
+ "iam_sa_no_user_managed_keys",
87
+ "iam_sa_user_managed_key_rotate_90_days",
88
+ "iam_sa_user_managed_key_unused",
89
+ "iam_service_account_unused"
90
+ ]
91
+ },
92
+ {
93
+ "Id": "ksi-inr",
94
+ "Name": "KSI-INR: Incident Response",
95
+ "Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
96
+ "Attributes": [
97
+ {
98
+ "ItemId": "ksi-inr",
99
+ "Section": "Incident Response",
100
+ "Service": "gcp"
101
+ }
102
+ ],
103
+ "Checks": [
104
+ "iam_organization_essential_contacts_configured",
105
+ "iam_account_access_approval_enabled",
106
+ "logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
107
+ "logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
108
+ "logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
109
+ "logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
110
+ "logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
111
+ "logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
112
+ "logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
113
+ "logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled"
114
+ ]
115
+ },
116
+ {
117
+ "Id": "ksi-mla",
118
+ "Name": "KSI-MLA: Monitoring, Logging, and Auditing",
119
+ "Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
120
+ "Attributes": [
121
+ {
122
+ "ItemId": "ksi-mla",
123
+ "Section": "Monitoring, Logging, and Auditing",
124
+ "Service": "gcp"
125
+ }
126
+ ],
127
+ "Checks": [
128
+ "cloudsql_instance_postgres_enable_pgaudit_flag",
129
+ "cloudsql_instance_postgres_log_connections_flag",
130
+ "cloudsql_instance_postgres_log_disconnections_flag",
131
+ "cloudsql_instance_postgres_log_error_verbosity_flag",
132
+ "cloudsql_instance_postgres_log_min_duration_statement_flag",
133
+ "cloudsql_instance_postgres_log_min_error_statement_flag",
134
+ "cloudsql_instance_postgres_log_min_messages_flag",
135
+ "cloudsql_instance_postgres_log_statement_flag",
136
+ "cloudsql_instance_sqlserver_trace_flag",
137
+ "cloudstorage_bucket_log_retention_policy_lock",
138
+ "compute_loadbalancer_logging_enabled",
139
+ "compute_network_dns_logging_enabled",
140
+ "compute_subnet_flow_logs_enabled",
141
+ "iam_audit_logs_enabled",
142
+ "logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
143
+ "logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
144
+ "logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
145
+ "logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
146
+ "logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
147
+ "logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
148
+ "logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
149
+ "logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
150
+ "logging_sink_created"
151
+ ]
152
+ },
153
+ {
154
+ "Id": "ksi-piy",
155
+ "Name": "KSI-PIY: Policy and Inventory",
156
+ "Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
157
+ "Attributes": [
158
+ {
159
+ "ItemId": "ksi-piy",
160
+ "Section": "Policy and Inventory",
161
+ "Service": "gcp"
162
+ }
163
+ ],
164
+ "Checks": [
165
+ "iam_cloud_asset_inventory_enabled",
166
+ "iam_organization_essential_contacts_configured",
167
+ "iam_audit_logs_enabled",
168
+ "compute_project_os_login_enabled",
169
+ "compute_instance_serial_ports_in_use",
170
+ "compute_instance_block_project_wide_ssh_keys_disabled",
171
+ "logging_sink_created"
172
+ ]
173
+ },
174
+ {
175
+ "Id": "ksi-rpl",
176
+ "Name": "KSI-RPL: Recovery Planning",
177
+ "Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
178
+ "Attributes": [
179
+ {
180
+ "ItemId": "ksi-rpl",
181
+ "Section": "Recovery Planning",
182
+ "Service": "gcp"
183
+ }
184
+ ],
185
+ "Checks": [
186
+ "cloudsql_instance_automated_backups",
187
+ "cloudstorage_bucket_log_retention_policy_lock",
188
+ "cloudstorage_bucket_versioning_enabled",
189
+ "cloudstorage_bucket_lifecycle_management_enabled"
190
+ ]
191
+ },
192
+ {
193
+ "Id": "ksi-svc",
194
+ "Name": "KSI-SVC: Service Configuration",
195
+ "Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
196
+ "Attributes": [
197
+ {
198
+ "ItemId": "ksi-svc",
199
+ "Section": "Service Configuration",
200
+ "Service": "gcp"
201
+ }
202
+ ],
203
+ "Checks": [
204
+ "bigquery_dataset_cmk_encryption",
205
+ "bigquery_table_cmk_encryption",
206
+ "cloudsql_instance_mysql_local_infile_flag",
207
+ "cloudsql_instance_mysql_skip_show_database_flag",
208
+ "cloudsql_instance_postgres_enable_pgaudit_flag",
209
+ "cloudsql_instance_postgres_log_connections_flag",
210
+ "cloudsql_instance_postgres_log_disconnections_flag",
211
+ "cloudsql_instance_postgres_log_error_verbosity_flag",
212
+ "cloudsql_instance_postgres_log_min_duration_statement_flag",
213
+ "cloudsql_instance_postgres_log_min_error_statement_flag",
214
+ "cloudsql_instance_postgres_log_min_messages_flag",
215
+ "cloudsql_instance_postgres_log_statement_flag",
216
+ "cloudsql_instance_sqlserver_contained_database_authentication_flag",
217
+ "cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag",
218
+ "cloudsql_instance_sqlserver_external_scripts_enabled_flag",
219
+ "cloudsql_instance_sqlserver_remote_access_flag",
220
+ "cloudsql_instance_sqlserver_trace_flag",
221
+ "cloudsql_instance_sqlserver_user_connections_flag",
222
+ "cloudsql_instance_sqlserver_user_options_flag",
223
+ "cloudsql_instance_ssl_connections",
224
+ "compute_instance_encryption_with_csek_enabled",
225
+ "compute_instance_shielded_vm_enabled",
226
+ "dataproc_encrypted_with_cmks_disabled",
227
+ "dns_dnssec_disabled",
228
+ "dns_rsasha1_in_use_to_key_sign_in_dnssec",
229
+ "dns_rsasha1_in_use_to_zone_sign_in_dnssec",
230
+ "kms_key_not_publicly_accessible",
231
+ "kms_key_rotation_enabled"
232
+ ]
233
+ },
234
+ {
235
+ "Id": "ksi-tpr",
236
+ "Name": "KSI-TPR: Third-Party Information Resources",
237
+ "Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
238
+ "Attributes": [
239
+ {
240
+ "ItemId": "ksi-tpr",
241
+ "Section": "Third-Party Information Resources",
242
+ "Service": "gcp"
243
+ }
244
+ ],
245
+ "Checks": [
246
+ "artifacts_container_analysis_enabled",
247
+ "gcr_container_scanning_enabled",
248
+ "compute_public_address_shodan",
249
+ "cloudsql_instance_automated_backups",
250
+ "iam_sa_user_managed_key_rotate_90_days",
251
+ "iam_service_account_unused"
252
+ ]
253
+ },
254
+ {
255
+ "Id": "ksi-iam-07",
256
+ "Name": "KSI-IAM-07: Account Lifecycle Management",
257
+ "Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
258
+ "Attributes": [
259
+ {
260
+ "ItemId": "ksi-iam-07",
261
+ "Section": "Identity and Access Management",
262
+ "Service": "gcp"
263
+ }
264
+ ],
265
+ "Checks": [
266
+ "apikeys_key_rotated_in_90_days",
267
+ "iam_sa_user_managed_key_rotate_90_days",
268
+ "iam_sa_user_managed_key_unused",
269
+ "iam_service_account_unused",
270
+ "compute_instance_default_service_account_in_use"
271
+ ]
272
+ },
273
+ {
274
+ "Id": "ksi-mla-07",
275
+ "Name": "KSI-MLA-07: Monitoring and Logging Inventory",
276
+ "Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
277
+ "Attributes": [
278
+ {
279
+ "ItemId": "ksi-mla-07",
280
+ "Section": "Monitoring, Logging, and Auditing",
281
+ "Service": "gcp"
282
+ }
283
+ ],
284
+ "Checks": [
285
+ "iam_audit_logs_enabled",
286
+ "iam_cloud_asset_inventory_enabled",
287
+ "logging_sink_created",
288
+ "compute_subnet_flow_logs_enabled",
289
+ "compute_network_dns_logging_enabled"
290
+ ]
291
+ }
292
+ ]
293
+ }