PyPI - prowler-cloud - Versions diffs - 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl - Mend

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (326) hide show

prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.py ADDED Viewed

@@ -0,0 +1,89 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.oss.oss_client import oss_client
+def _is_policy_public(policy_document: dict) -> bool:
+    """
+    Check if a bucket policy allows public access.
+    A policy is considered public if it has a statement with:
+    - Effect: "Allow"
+    - Principal: ["*"] (or contains "*")
+    - No Condition elements
+    Args:
+        policy_document: The parsed policy document as a dictionary.
+    Returns:
+        bool: True if policy allows public access, False otherwise.
+    """
+    if not policy_document:
+        return False
+    statements = policy_document.get("Statement", [])
+    if not isinstance(statements, list):
+        statements = [statements]
+    for statement in statements:
+        effect = statement.get("Effect", "")
+        principal = statement.get("Principal", [])
+        condition = statement.get("Condition")
+        # If there's a condition, it's not truly public
+        if condition:
+            continue
+        if effect == "Allow":
+            # Check if Principal is "*" or contains "*"
+            if isinstance(principal, list):
+                if "*" in principal:
+                    return True
+            elif principal == "*":
+                return True
+    return False
+class oss_bucket_not_publicly_accessible(Check):
+    """Check if OSS bucket is not anonymously or publicly accessible."""
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        for bucket in oss_client.buckets.values():
+            report = CheckReportAlibabaCloud(metadata=self.metadata(), resource=bucket)
+            report.region = bucket.region
+            report.resource_id = bucket.name
+            report.resource_arn = bucket.arn
+            # Check bucket ACL
+            acl_public = False
+            if bucket.acl and bucket.acl != "private":
+                if bucket.acl in ["public-read", "public-read-write"]:
+                    acl_public = True
+            # Check bucket policy
+            policy_public = _is_policy_public(bucket.policy)
+            # Determine status
+            if acl_public or policy_public:
+                report.status = "FAIL"
+                issues = []
+                if acl_public:
+                    issues.append(f"Bucket ACL is set to {bucket.acl}")
+                if policy_public:
+                    issues.append("Bucket policy allows public access (Principal: '*')")
+                report.status_extended = (
+                    f"OSS bucket {bucket.name} is publicly accessible. "
+                    + "; ".join(issues)
+                )
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"OSS bucket {bucket.name} is not publicly accessible. "
+                    f"ACL is {bucket.acl} and bucket policy does not allow public access."
+                )
+            findings.append(report)
+        return findings

prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "oss_bucket_secure_transport_enabled",
+  "CheckTitle": "Secure transfer required is set to Enabled",
+  "CheckType": [
+    "Sensitive file tampering"
+  ],
+  "ServiceName": "oss",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:oss::account-id:bucket-name",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudOSSBucket",
+  "Description": "Enable **data encryption in transit**. The secure transfer enhances the security of OSS buckets by only allowing requests to the storage account via a secure connection.\n\nFor example, when calling REST APIs to access storage accounts, the connection must use **HTTPS**. Any requests using HTTP will be rejected.",
+  "Risk": "Without **secure transfer enforcement**, OSS buckets may accept HTTP requests, which are not encrypted in transit.\n\nThis exposes data to potential **interception** and **man-in-the-middle attacks**, compromising data confidentiality and integrity.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/85111.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-secure-transfer.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_oss_bucket\" \"example\" {\n  bucket = \"example-bucket\"\n  \n  policy = jsonencode({\n    \"Version\": \"1\",\n    \"Statement\": [{\n      \"Effect\": \"Deny\",\n      \"Principal\": [\"*\"],\n      \"Action\": [\"oss:*\"],\n      \"Resource\": [\"acs:oss:*:*:example-bucket\", \"acs:oss:*:*:example-bucket/*\"],\n      \"Condition\": {\n        \"Bool\": {\n          \"acs:SecureTransport\": \"false\"\n        }\n      }\n    }]\n  })\n}"
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Click on **Files** in the top middle of the console\n4. Click on **Authorize**\n5. Configure: `Whole Bucket`, `*`, `None` (Authorized Operation) and `http` (Conditions: Access Method) to deny HTTP access\n6. Click **Save**",
+      "Url": "https://hub.prowler.com/check/oss_bucket_secure_transport_enabled"
+    }
+  },
+  "Categories": [
+    "encryption"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.py ADDED Viewed

@@ -0,0 +1,87 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.oss.oss_client import oss_client
+def _is_secure_transport_enforced(policy_document: dict) -> bool:
+    """
+    Check if a bucket policy enforces secure transport (HTTPS only).
+    A policy enforces secure transport if it has:
+    - "Condition": {"Bool": {"acs:SecureTransport": ["true"]}} with "Effect": "Allow"
+    OR
+    - "Condition": {"Bool": {"acs:SecureTransport": ["false"]}} with "Effect": "Deny"
+    Args:
+        policy_document: The parsed policy document as a dictionary.
+    Returns:
+        bool: True if secure transport is enforced, False otherwise.
+    """
+    if not policy_document:
+        return False
+    statements = policy_document.get("Statement", [])
+    if not isinstance(statements, list):
+        statements = [statements]
+    for statement in statements:
+        effect = statement.get("Effect", "")
+        condition = statement.get("Condition", {})
+        if not condition:
+            continue
+        # Check for SecureTransport condition
+        bool_condition = condition.get("Bool", {})
+        secure_transport = bool_condition.get("acs:SecureTransport", [])
+        if secure_transport:
+            # Check if it's a list or single value
+            if isinstance(secure_transport, list):
+                secure_transport_value = (
+                    secure_transport[0] if secure_transport else None
+                )
+            else:
+                secure_transport_value = secure_transport
+            # Secure transport is enforced if:
+            # 1. Effect: Allow with SecureTransport: true (only HTTPS allowed)
+            # 2. Effect: Deny with SecureTransport: false (HTTP denied)
+            if effect == "Allow" and secure_transport_value == "true":
+                return True
+            elif effect == "Deny" and secure_transport_value == "false":
+                return True
+    return False
+class oss_bucket_secure_transport_enabled(Check):
+    """Check if 'Secure transfer required' is set to 'Enabled' for OSS buckets."""
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        for bucket in oss_client.buckets.values():
+            report = CheckReportAlibabaCloud(metadata=self.metadata(), resource=bucket)
+            report.region = bucket.region
+            report.resource_id = bucket.name
+            report.resource_arn = bucket.arn
+            # Check if secure transport is enforced via bucket policy
+            secure_transport_enforced = _is_secure_transport_enforced(bucket.policy)
+            if secure_transport_enforced:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"OSS bucket {bucket.name} has secure transfer required enabled."
+                )
+            else:
+                report.status = "FAIL"
+                if bucket.policy:
+                    report.status_extended = f"OSS bucket {bucket.name} does not have secure transfer required enabled."
+                else:
+                    report.status_extended = f"OSS bucket {bucket.name} does not have secure transfer required enabled."
+            findings.append(report)
+        return findings

prowler/providers/alibabacloud/services/oss/oss_client.py ADDED Viewed

@@ -0,0 +1,4 @@
+from prowler.providers.alibabacloud.services.oss.oss_service import OSS
+from prowler.providers.common.provider import Provider
+oss_client = OSS(Provider.get_global_provider())

prowler/providers/alibabacloud/services/oss/oss_service.py ADDED Viewed

@@ -0,0 +1,317 @@
+import base64
+import hashlib
+import hmac
+import json
+from datetime import datetime
+from email.utils import formatdate
+from threading import Lock
+from typing import Optional
+from xml.etree import ElementTree
+import requests
+from pydantic.v1 import BaseModel
+from prowler.lib.logger import logger
+from prowler.lib.scan_filters.scan_filters import is_resource_filtered
+from prowler.providers.alibabacloud.lib.service.service import AlibabaCloudService
+class OSS(AlibabaCloudService):
+    """
+    OSS (Object Storage Service) service class for Alibaba Cloud.
+    This class provides methods to interact with Alibaba Cloud OSS service
+    to retrieve buckets, ACLs, and policies.
+    """
+    def __init__(self, provider):
+        # Call AlibabaCloudService's __init__
+        # Treat as regional for client generation consistency with other services
+        super().__init__(__class__.__name__, provider, global_service=False)
+        self._buckets_lock = Lock()
+        # Fetch OSS resources
+        self.buckets = {}
+        self.__threading_call__(self._list_buckets)
+        self.__threading_call__(self._get_bucket_acl, self.buckets.values())
+        self.__threading_call__(self._get_bucket_policy, self.buckets.values())
+        self.__threading_call__(self._get_bucket_logging, self.buckets.values())
+    def _list_buckets(self, regional_client=None):
+        region = "unknown"
+        try:
+            regional_client = regional_client or self.client
+            region = getattr(regional_client, "region", self.region)
+            endpoint = f"oss-{region}.aliyuncs.com"
+            endpoint_label = f"region {region}"
+            credentials = self.session.get_credentials()
+            date_str = formatdate(usegmt=True)
+            headers = {
+                "Date": date_str,
+                "Host": endpoint,
+            }
+            canonical_headers = []
+            if credentials.security_token:
+                headers["x-oss-security-token"] = credentials.security_token
+                canonical_headers.append(
+                    f"x-oss-security-token:{credentials.security_token}"
+                )
+            canonical_headers_str = ""
+            if canonical_headers:
+                canonical_headers.sort()
+                canonical_headers_str = "\n".join(canonical_headers) + "\n"
+            string_to_sign = f"GET\n\n\n{date_str}\n{canonical_headers_str}/"
+            signature = base64.b64encode(
+                hmac.new(
+                    credentials.access_key_secret.encode("utf-8"),
+                    string_to_sign.encode("utf-8"),
+                    hashlib.sha1,
+                ).digest()
+            ).decode()
+            headers["Authorization"] = f"OSS {credentials.access_key_id}:{signature}"
+            url = f"https://{endpoint}/"
+            response = requests.get(url, headers=headers, timeout=10)
+            if response.status_code != 200:
+                logger.error(
+                    f"OSS - HTTP listing {endpoint_label} returned {response.status_code}: {response.text}"
+                )
+                return
+            try:
+                xml_root = ElementTree.fromstring(response.text)
+            except ElementTree.ParseError as error:
+                logger.error(
+                    f"OSS - HTTP listing {endpoint_label} XML parse error: {error}"
+                )
+                return
+            for bucket_elem in xml_root.findall(".//Bucket"):
+                bucket_name = bucket_elem.findtext("Name", default="")
+                if not bucket_name:
+                    continue
+                location = bucket_elem.findtext("Location", default=self.region)
+                arn = f"acs:oss::{self.audited_account}:{bucket_name}"
+                if self.audit_resources and not is_resource_filtered(
+                    arn, self.audit_resources
+                ):
+                    continue
+                creation_str = bucket_elem.findtext("CreationDate")
+                with self._buckets_lock:
+                    self.buckets[arn] = Bucket(
+                        arn=arn,
+                        name=bucket_name,
+                        region=self._normalize_bucket_region(location),
+                        creation_date=self._parse_creation_date(creation_str),
+                    )
+        except Exception as error:
+            logger.error(
+                f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return
+    def _get_bucket_acl(self, bucket):
+        """Get bucket ACL."""
+        logger.info(f"OSS - Getting ACL for bucket {bucket.name}...")
+        try:
+            # Get OSS client for the bucket's region
+            # OSS bucket operations use regional endpoint: oss-{region}.aliyuncs.com
+            oss_client = self.session.client("oss", bucket.region)
+            # Get bucket ACL
+            response = oss_client.get_bucket_acl(bucket.name)
+            if response and response.body:
+                # ACL can be retrieved from the response
+                # The ACL value is typically in the response body
+                acl_value = getattr(response.body, "acl", None)
+                if acl_value:
+                    # ACL values: private, public-read, public-read-write
+                    bucket.acl = acl_value
+                else:
+                    # Try to get from access_control_list if available
+                    acl_list = getattr(response.body, "access_control_list", None)
+                    if acl_list:
+                        grant = getattr(acl_list, "grant", None)
+                        if grant:
+                            # Check grants to determine ACL type
+                            if isinstance(grant, list):
+                                # Check if any grant has public access
+                                for g in grant:
+                                    permission = getattr(g, "permission", "")
+                                    if permission in ["READ", "FULL_CONTROL"]:
+                                        if permission == "READ":
+                                            bucket.acl = "public-read"
+                                        else:
+                                            bucket.acl = "public-read-write"
+                                        break
+                                else:
+                                    bucket.acl = "private"
+                            else:
+                                permission = getattr(grant, "permission", "")
+                                if permission == "READ":
+                                    bucket.acl = "public-read"
+                                elif permission == "FULL_CONTROL":
+                                    bucket.acl = "public-read-write"
+                                else:
+                                    bucket.acl = "private"
+                        else:
+                            bucket.acl = "private"
+                    else:
+                        bucket.acl = "private"
+            else:
+                bucket.acl = "private"
+        except Exception as error:
+            logger.error(
+                f"{bucket.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    def _get_bucket_policy(self, bucket):
+        """Get bucket policy."""
+        logger.info(f"OSS - Getting policy for bucket {bucket.name}...")
+        try:
+            oss_client = self.session.client("oss", bucket.region)
+            response = oss_client.get_bucket_policy(bucket.name)
+            if response and response.body:
+                if response.body:
+                    try:
+                        bucket.policy = json.loads(response.body)
+                    except json.JSONDecodeError:
+                        bucket.policy = {}
+                else:
+                    bucket.policy = {}
+            else:
+                bucket.policy = {}
+        except Exception as error:
+            # If bucket policy doesn't exist, that's OK - it means no public access via policy
+            error_code = getattr(error, "code", "")
+            if error_code in ["NoSuchBucketPolicy", "NoSuchBucket"]:
+                bucket.policy = {}
+            else:
+                logger.error(
+                    f"{bucket.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+                bucket.policy = {}
+    def _get_bucket_logging(self, bucket):
+        """Get bucket logging configuration using OSS SDK."""
+        logger.info(f"OSS - Getting logging configuration for bucket {bucket.name}...")
+        try:
+            oss_client = self.session.client("oss", bucket.region)
+            response = oss_client.get_bucket_logging(bucket.name)
+            if response and response.body:
+                logging_enabled = None
+                if hasattr(response.body, "logging_enabled"):
+                    logging_enabled = response.body.logging_enabled
+                elif hasattr(response.body, "loggingenabled"):
+                    logging_enabled = response.body.loggingenabled
+                elif hasattr(response.body, "bucket_logging"):
+                    logging_enabled = response.body.bucket_logging
+                if logging_enabled:
+                    target_bucket = None
+                    target_prefix = None
+                    for attr_name in [
+                        "target_bucket",
+                        "targetBucket",
+                        "target_bucket_name",
+                        "targetBucketName",
+                    ]:
+                        if hasattr(logging_enabled, attr_name):
+                            target_bucket = getattr(logging_enabled, attr_name)
+                            break
+                    for attr_name in [
+                        "target_prefix",
+                        "targetPrefix",
+                        "target_prefix_name",
+                        "targetPrefixName",
+                    ]:
+                        if hasattr(logging_enabled, attr_name):
+                            target_prefix = getattr(logging_enabled, attr_name)
+                            break
+                    if target_bucket:
+                        bucket.logging_enabled = True
+                        bucket.logging_target_bucket = (
+                            str(target_bucket) if target_bucket else ""
+                        )
+                        bucket.logging_target_prefix = (
+                            str(target_prefix) if target_prefix else ""
+                        )
+                    else:
+                        bucket.logging_enabled = False
+                        bucket.logging_target_bucket = ""
+                        bucket.logging_target_prefix = ""
+                else:
+                    bucket.logging_enabled = False
+                    bucket.logging_target_bucket = ""
+                    bucket.logging_target_prefix = ""
+            else:
+                bucket.logging_enabled = False
+                bucket.logging_target_bucket = ""
+                bucket.logging_target_prefix = ""
+        except Exception as error:
+            logger.error(
+                f"{bucket.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    @staticmethod
+    def _normalize_bucket_region(bucket_location: str) -> str:
+        """Normalize OSS bucket location values to region IDs."""
+        if not bucket_location:
+            return ""
+        normalized_location = bucket_location.lower()
+        # Remove protocol/hostname suffix if an endpoint was returned
+        if ".aliyuncs.com" in normalized_location:
+            normalized_location = normalized_location.split(".aliyuncs.com")[0]
+        # Strip leading OSS prefix (e.g., oss-ap-southeast-1 -> ap-southeast-1)
+        if normalized_location.startswith("oss-"):
+            normalized_location = normalized_location.replace("oss-", "", 1)
+        return normalized_location
+    @staticmethod
+    def _parse_creation_date(creation_date_str: Optional[str]) -> Optional[datetime]:
+        """Parse OSS bucket creation date strings into datetime objects."""
+        if not creation_date_str:
+            return None
+        for date_format in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
+            try:
+                return datetime.strptime(
+                    creation_date_str.replace("Z", "+00:00"), date_format
+                )
+            except (ValueError, AttributeError):
+                continue
+        return None
+class Bucket(BaseModel):
+    """OSS Bucket model."""
+    arn: str
+    name: str
+    region: str
+    acl: Optional[str] = None  # private, public-read, public-read-write
+    policy: dict = {}
+    logging_enabled: bool = False
+    logging_target_bucket: str = ""
+    logging_target_prefix: str = ""
+    creation_date: Optional[datetime] = None

prowler/providers/alibabacloud/services/ram/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/ram/ram_client.py ADDED Viewed

@@ -0,0 +1,4 @@
+from prowler.providers.alibabacloud.services.ram.ram_service import RAM
+from prowler.providers.common.provider import Provider
+ram_client = RAM(Provider.get_global_provider())

prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ram_no_root_access_key",
+  "CheckTitle": "No root account access key exists",
+  "CheckType": [
+    "Unusual logon",
+    "Cloud threat detection"
+  ],
+  "ServiceName": "ram",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ram::account-id:root",
+  "Severity": "critical",
+  "ResourceType": "AlibabaCloudRAMAccessKey",
+  "Description": "Ensure no **root account access key** exists. Access keys provide programmatic access to a given Alibaba Cloud account.\n\nIt is recommended that all access keys associated with the root account be removed.",
+  "Risk": "The **root account** is the most privileged user in an Alibaba Cloud account. Access Keys provide programmatic access to a given Alibaba Cloud account.\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised and encourages the creation and use of **role-based accounts** that are least privileged.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/102600.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/remove-root-access-keys.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun ram DeleteAccessKey --UserAccessKeyId <access_key_ID>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **RAM Console** by using your Alibaba Cloud account (root account)\n2. Move the pointer over the account icon in the upper-right corner and click **AccessKey**\n3. Click **Continue to manage AccessKey**\n4. On the Security Management page, find the target access keys and click **Delete** to delete the target access keys permanently",
+      "Url": "https://hub.prowler.com/check/ram_no_root_access_key"
+    }
+  },
+  "Categories": [
+    "internet-exposed"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.py ADDED Viewed

@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.ram.ram_client import ram_client
+class ram_no_root_access_key(Check):
+    """Check if root account has no access keys."""
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        report = CheckReportAlibabaCloud(metadata=self.metadata(), resource={})
+        report.region = ram_client.region
+        report.resource_id = "<root_account>"
+        report.resource_arn = f"acs:ram::{ram_client.audited_account}:root"
+        # Check if we're authenticated as root account
+        # Use the is_root flag from identity (set via STS GetCallerIdentity)
+        is_root = ram_client.provider.identity.is_root
+        if not is_root:
+            # If authenticated as RAM user, we can't verify root account access keys
+            report.status = "MANUAL"
+            report.status_extended = "Cannot verify root account access keys: authenticated as RAM user. This check requires root account credentials."
+        elif ram_client.root_access_keys:
+            report.status = "FAIL"
+            report.status_extended = "Root account has access keys."
+        else:
+            report.status = "PASS"
+            report.status_extended = "Root account does not have access keys."
+        findings.append(report)
+        return findings

prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/__init__.py ADDED Viewed

File without changes

prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "ram_password_policy_lowercase",
+  "CheckTitle": "RAM password policy requires at least one lowercase letter",
+  "CheckType": [
+    "Unusual logon",
+    "Abnormal account"
+  ],
+  "ServiceName": "ram",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+  "Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **lowercase letter**.",
+  "Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nWeak passwords without character variety are more susceptible to dictionary attacks and automated password cracking tools.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/116413.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/lowercase-letter-password-policy.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun ram SetPasswordPolicy --RequireLowercaseCharacters true",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n  require_lowercase_characters = true\n}"
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the Charset section, select **Lower case**\n5. Click **OK**",
+      "Url": "https://hub.prowler.com/check/ram_password_policy_lowercase"
+    }
+  },
+  "Categories": [
+    "secrets"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl