prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "rds_instance_tde_key_custom",
+  "CheckTitle": "RDS instance TDE protector is encrypted with BYOK (Use your own key)",
+  "CheckType": [
+    "Sensitive file tampering",
+    "Intrusion into applications"
+  ],
+  "ServiceName": "rds",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudRDSDBInstance",
+  "Description": "**TDE with BYOK** support provides increased transparency and control, increased security with an HSM-backed KMS service, and promotion of separation of duties.\n\nBased on business needs or criticality of data, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (**BYOK**).",
+  "Risk": "Using **service-managed keys** means the cloud provider manages the encryption keys. **BYOK (Bring Your Own Key)** gives you full control over the key lifecycle and permissions.\n\nThis ensures that even the cloud provider cannot access your data without your explicit permission.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/96121.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-tde-with-cmk.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun rds ModifyDBInstanceTDE --DBInstanceId <instance_id> --TDEStatus Enabled --EncryptionKey <kms_key_id>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "resource \"alicloud_db_instance\" \"example\" {\n  engine           = \"MySQL\"\n  engine_version   = \"8.0\"\n  instance_type    = \"rds.mysql.s1.small\"\n  instance_storage = 20\n  tde_status       = \"Enabled\"\n  encryption_key   = alicloud_kms_key.example.id\n}"
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **RDS Console**\n2. Go to **Data Security** > **TDE** tab\n3. Click the switch next to **Disabled**\n4. In the displayed dialog box, choose **custom key**\n5. Click **Confirm**",
+      "Url": "https://hub.prowler.com/check/rds_instance_tde_key_custom"
+    }
+  },
+  "Categories": [
+    "encryption"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.py

@@ -0,0 +1,38 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.rds.rds_client import rds_client
+
+
+class rds_instance_tde_key_custom(Check):
+    """Check if RDS instance TDE protector is encrypted with BYOK."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        for instance in rds_client.instances:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=instance
+            )
+            report.region = instance.region
+            report.resource_id = instance.id
+            report.resource_arn = f"acs:rds:{instance.region}:{rds_client.audited_account}:dbinstance/{instance.id}"
+
+            # TDE must be enabled AND key must be custom (not service managed)
+            # Note: The API response for TDEKeyId usually indicates if it's a custom KMS key
+            # If it's a UUID-like string, it's likely a KMS key. If it's "ServiceManaged" or similar, it's not.
+            # For Alibaba Cloud, typically if you supply a KeyId it's BYOK.
+
+            if instance.tde_status == "Enabled" and instance.tde_key_id:
+                report.status = "PASS"
+                report.status_extended = f"RDS Instance {instance.name} has TDE enabled with custom key {instance.tde_key_id}."
+            elif instance.tde_status == "Enabled":
+                report.status = "FAIL"
+                report.status_extended = f"RDS Instance {instance.name} has TDE enabled but uses service-managed key."
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"RDS Instance {instance.name} does not have TDE enabled."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/rds/rds_service.py

@@ -0,0 +1,274 @@
+from alibabacloud_rds20140815 import models as rds_models
+from pydantic.v1 import BaseModel
+
+from prowler.lib.logger import logger
+from prowler.lib.scan_filters.scan_filters import is_resource_filtered
+from prowler.providers.alibabacloud.lib.service.service import AlibabaCloudService
+
+
+class RDS(AlibabaCloudService):
+    """
+    RDS (Relational Database Service) class for Alibaba Cloud.
+
+    This class provides methods to interact with Alibaba Cloud RDS service
+    to retrieve DB instances and their configurations.
+    """
+
+    def __init__(self, provider):
+        # Call AlibabaCloudService's __init__
+        super().__init__(__class__.__name__, provider, global_service=False)
+
+        # Fetch RDS resources
+        self.instances = []
+        self.__threading_call__(self._describe_instances)
+
+    def _describe_instances(self, regional_client):
+        """List all RDS instances and fetch their details in a specific region."""
+        region = getattr(regional_client, "region", "unknown")
+        logger.info(f"RDS - Describing instances in {region}...")
+
+        try:
+            # DescribeDBInstances returns instance list
+            request = rds_models.DescribeDBInstancesRequest()
+            response = regional_client.describe_dbinstances(request)
+
+            if response and response.body and response.body.items:
+                for instance_data in response.body.items.dbinstance:
+                    instance_id = getattr(instance_data, "dbinstance_id", "")
+
+                    if not self.audit_resources or is_resource_filtered(
+                        instance_id, self.audit_resources
+                    ):
+
+                        # Get additional information for specific checks
+                        attribute_info = self._describe_db_instance_attribute(
+                            regional_client, instance_id
+                        )
+
+                        # Check if SSL is enabled
+                        ssl_status = self._describe_db_instance_ssl(
+                            regional_client, instance_id
+                        )
+
+                        # Check TDE status
+                        tde_status = self._describe_db_instance_tde(
+                            regional_client, instance_id
+                        )
+
+                        # Check whitelist/security IPs
+                        security_ips = self._describe_db_instance_ip_array(
+                            regional_client, instance_id
+                        )
+
+                        # Check SQL audit status (SQL Explorer)
+                        audit_status = self._describe_sql_collector_policy(
+                            regional_client, instance_id
+                        )
+
+                        # Check parameters (log_connections, log_disconnections, log_duration)
+                        parameters = self._describe_parameters(
+                            regional_client, instance_id
+                        )
+
+                        self.instances.append(
+                            DBInstance(
+                                id=instance_id,
+                                name=getattr(
+                                    instance_data, "dbinstance_description", instance_id
+                                ),
+                                region=region,
+                                engine=getattr(instance_data, "engine", ""),
+                                engine_version=getattr(
+                                    instance_data, "engine_version", ""
+                                ),
+                                status=getattr(instance_data, "dbinstance_status", ""),
+                                type=getattr(instance_data, "dbinstance_type", ""),
+                                net_type=getattr(
+                                    instance_data, "dbinstance_net_type", ""
+                                ),
+                                connection_mode=getattr(
+                                    instance_data, "connection_mode", ""
+                                ),
+                                public_connection_string=attribute_info.get(
+                                    "ConnectionString", ""
+                                ),
+                                ssl_enabled=ssl_status.get("SSLEnabled", False),
+                                tde_status=tde_status.get("TDEStatus", "Disabled"),
+                                tde_key_id=tde_status.get("TDEKeyId", ""),
+                                security_ips=security_ips,
+                                audit_log_enabled=audit_status.get("StoragePeriod")
+                                is not None,
+                                audit_log_retention=audit_status.get(
+                                    "StoragePeriod", 0
+                                ),
+                                log_connections=parameters.get(
+                                    "log_connections", "off"
+                                ),
+                                log_disconnections=parameters.get(
+                                    "log_disconnections", "off"
+                                ),
+                                log_duration=parameters.get("log_duration", "off"),
+                            )
+                        )
+
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _describe_db_instance_attribute(
+        self, regional_client, instance_id: str
+    ) -> dict:
+        """Get DB instance attributes including connection string."""
+        try:
+            request = rds_models.DescribeDBInstanceAttributeRequest()
+            request.dbinstance_id = instance_id
+            response = regional_client.describe_dbinstance_attribute(request)
+
+            if (
+                response
+                and response.body
+                and response.body.items
+                and response.body.items.dbinstance_attribute
+            ):
+                # The response is a list, usually with one item
+                attrs = response.body.items.dbinstance_attribute[0]
+                return {"ConnectionString": getattr(attrs, "connection_string", "")}
+            return {}
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return {}
+
+    def _describe_db_instance_ssl(self, regional_client, instance_id: str) -> dict:
+        """Check if SSL is enabled."""
+        try:
+            request = rds_models.DescribeDBInstanceSSLRequest()
+            request.dbinstance_id = instance_id
+            response = regional_client.describe_dbinstance_ssl(request)
+
+            if response and response.body:
+                # response.body is a DescribeDBInstanceSSLResponseBody model object, use getattr
+                ssl_enabled = getattr(response.body, "sslenabled", "No")
+                force_encryption = getattr(response.body, "force_encryption", "0")
+
+                # SSL is enabled if SSLEnabled is "Yes" or ForceEncryption is "1"
+                ssl_status = ssl_enabled == "Yes" or force_encryption == "1"
+                return {"SSLEnabled": ssl_status}
+            return {"SSLEnabled": False}
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            # Some instance types might not support SSL query
+            return {"SSLEnabled": False}
+
+    def _describe_db_instance_tde(self, regional_client, instance_id: str) -> dict:
+        """Check TDE status."""
+        try:
+            request = rds_models.DescribeDBInstanceTDERequest()
+            request.dbinstance_id = instance_id
+            response = regional_client.describe_dbinstance_tde(request)
+
+            if response and response.body:
+                return {
+                    "TDEStatus": getattr(response.body, "tdestatus", "Disabled"),
+                }
+            return {"TDEStatus": "Disabled"}
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return {"TDEStatus": "Disabled"}
+
+    def _describe_db_instance_ip_array(self, regional_client, instance_id: str) -> list:
+        """Get whitelist IP arrays."""
+        try:
+            request = rds_models.DescribeDBInstanceIPArrayListRequest()
+            request.dbinstance_id = instance_id
+            response = regional_client.describe_dbinstance_iparray_list(request)
+
+            ips = []
+            if response and response.body and response.body.items:
+                for item in response.body.items.dbinstance_iparray:
+                    security_ips = getattr(item, "security_ips", "")
+                    if security_ips:
+                        ips.extend(security_ips.split(","))
+            return ips
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return []
+
+    def _describe_sql_collector_policy(self, regional_client, instance_id: str) -> dict:
+        """Check SQL audit status."""
+        try:
+            request = rds_models.DescribeSQLLogRecordsRequest()
+            request.dbinstance_id = instance_id
+
+            policy_request = rds_models.DescribeSQLCollectorPolicyRequest()
+            policy_request.dbinstance_id = instance_id
+            response = regional_client.describe_sqlcollector_policy(policy_request)
+
+            if response and response.body:
+                status = getattr(response.body, "sqlcollector_status", "")
+                # storage_period is in days
+                storage_period = getattr(response.body, "storage_period", 0)
+
+                if status == "Enable":
+                    return {"StoragePeriod": storage_period}
+
+            return {}
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return {}
+
+    def _describe_parameters(self, regional_client, instance_id: str) -> dict:
+        """Get instance parameters."""
+        try:
+            request = rds_models.DescribeParametersRequest()
+            request.dbinstance_id = instance_id
+            response = regional_client.describe_parameters(request)
+
+            params = {}
+            if response and response.body and response.body.running_parameters:
+                for param in response.body.running_parameters.dbinstance_parameter:
+                    key = getattr(param, "parameter_name", "")
+                    value = getattr(param, "parameter_value", "")
+                    if key in ["log_connections", "log_disconnections", "log_duration"]:
+                        params[key] = value.lower()
+
+            return params
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            return {}
+
+
+class DBInstance(BaseModel):
+    """RDS DB Instance model."""
+
+    id: str
+    name: str
+    region: str
+    engine: str
+    engine_version: str
+    status: str
+    type: str
+    net_type: str
+    connection_mode: str
+    public_connection_string: str
+    ssl_enabled: bool
+    tde_status: str
+    tde_key_id: str
+    security_ips: list
+    audit_log_enabled: bool
+    audit_log_retention: int  # in days
+    log_connections: str
+    log_disconnections: str
+    log_duration: str

prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json

@@ -0,0 +1,43 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "securitycenter_advanced_or_enterprise_edition",
+  "CheckTitle": "Security Center is Advanced or Enterprise Edition",
+  "CheckType": [
+    "Suspicious process",
+    "Webshell",
+    "Unusual logon",
+    "Sensitive file tampering",
+    "Malicious software",
+    "Precision defense"
+  ],
+  "ServiceName": "securitycenter",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:sas::account-id:security-center",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSecurityCenter",
+  "Description": "The **Advanced or Enterprise Edition** enables threat detection for network and endpoints, providing **malware detection**, **webshell detection**, and **anomaly detection** in Security Center.",
+  "Risk": "Using **Basic or Free Edition** of Security Center may not provide comprehensive protection against cloud threats.\n\n**Advanced or Enterprise Edition** allows for full protection to defend against cloud threats.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/product/28498.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/security-center-plan.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "Logon to Security Center Console > Select Overview > Click Upgrade > Select Advanced or Enterprise Edition > Finish order placement",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **Security Center Console**\n2. Select **Overview**\n3. Click **Upgrade**\n4. Select **Advanced** or **Enterprise Edition**\n5. Finish order placement",
+      "Url": "https://hub.prowler.com/check/securitycenter_advanced_or_enterprise_edition"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.py

@@ -0,0 +1,48 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.securitycenter.securitycenter_client import (
+    securitycenter_client,
+)
+
+
+class securitycenter_advanced_or_enterprise_edition(Check):
+    """Check if Security Center is Advanced or Enterprise Edition."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        report = CheckReportAlibabaCloud(metadata=self.metadata(), resource={})
+        report.region = securitycenter_client.region
+        report.resource_id = securitycenter_client.audited_account
+        report.resource_arn = (
+            f"acs:sas::{securitycenter_client.audited_account}:security-center"
+        )
+
+        version = securitycenter_client.version
+        edition = securitycenter_client.edition
+
+        if version is None or edition == "Unknown":
+            report.status = "MANUAL"
+            report.status_extended = (
+                "Security Center edition could not be determined. "
+                "Please check Security Center Console manually."
+            )
+        else:
+            # Check if version is 3 (Enterprise) or 5 (Advanced)
+            # Version mapping: 1=Basic, 3=Enterprise, 5=Advanced, 6=Anti-virus, 7=Ultimate, 8=Multi-Version, 10=Value-added Plan
+            if version == 3 or version == 5:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Security Center is {edition} edition (Version {version}), which provides "
+                    "threat detection for network and endpoints, malware detection, "
+                    "webshell detection and anomaly detection."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Security Center is {edition} edition (Version {version}). "
+                    "It is recommended to use Advanced Edition (Version 5) or Enterprise Edition (Version 3) "
+                    "for full protection to defend cloud threats."
+                )
+
+        findings.append(report)
+        return findings

prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json

@@ -0,0 +1,42 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "securitycenter_all_assets_agent_installed",
+  "CheckTitle": "All assets are installed with security agent",
+  "CheckType": [
+    "Suspicious process",
+    "Webshell",
+    "Unusual logon",
+    "Sensitive file tampering",
+    "Malicious software"
+  ],
+  "ServiceName": "securitycenter",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:sas:region:account-id:machine/{machine-id}",
+  "Severity": "high",
+  "ResourceType": "AlibabaCloudSecurityCenterMachine",
+  "Description": "The endpoint protection of **Security Center** requires an agent to be installed on the endpoint to work. Such an agent-based approach allows the security center to provide comprehensive endpoint intrusion detection and protection capabilities.\n\nThis includes remote logon detection, **webshell detection** and removal, **anomaly detection** (detection of abnormal process behaviors and network connections), and detection of changes in key files and suspicious accounts.",
+  "Risk": "Assets without **Security Center agent** installed are not protected by endpoint intrusion detection and protection capabilities, leaving them vulnerable to security threats.\n\nUnprotected assets become blind spots in your security monitoring.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/111650.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/install-security-agent.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun sas InstallUninstallAegis --InstanceIds <instance_id_1>,<instance_id_2>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Agent**\n4. On the `Client to be installed` tab, select all items on the list\n5. Click **One-click installation** to install the agent on all assets",
+      "Url": "https://hub.prowler.com/check/securitycenter_all_assets_agent_installed"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.py

@@ -0,0 +1,48 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.securitycenter.securitycenter_client import (
+    securitycenter_client,
+)
+
+
+class securitycenter_all_assets_agent_installed(Check):
+    """Check if all assets are installed with security agent."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        uninstalled_machines = securitycenter_client.uninstalled_machines
+
+        if not uninstalled_machines:
+            # All assets have the agent installed
+            report = CheckReportAlibabaCloud(metadata=self.metadata(), resource={})
+            report.region = securitycenter_client.region
+            report.resource_id = securitycenter_client.audited_account
+            report.resource_arn = (
+                f"acs:sas::{securitycenter_client.audited_account}:security-center"
+            )
+            report.status = "PASS"
+            report.status_extended = "All assets have Security Center agent installed."
+            findings.append(report)
+        else:
+            # Report each uninstalled machine
+            for machine in uninstalled_machines:
+                report = CheckReportAlibabaCloud(
+                    metadata=self.metadata(), resource=machine
+                )
+                report.region = machine.region
+                report.resource_id = machine.instance_id
+                report.resource_arn = (
+                    f"acs:ecs:{machine.region}:{securitycenter_client.audited_account}:instance/{machine.instance_id}"
+                    if machine.instance_id.startswith("i-")
+                    or "ecs" in machine.instance_id.lower()
+                    else f"acs:sas:{machine.region}:{securitycenter_client.audited_account}:machine/{machine.instance_id}"
+                )
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Asset {machine.instance_name if machine.instance_name else machine.instance_id} "
+                    f"({machine.instance_id}) does not have Security Center agent installed. "
+                    f"Region: {machine.region}, OS: {machine.os if machine.os else 'Unknown'}."
+                )
+                findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/securitycenter/securitycenter_client.py

@@ -0,0 +1,6 @@
+from prowler.providers.alibabacloud.services.securitycenter.securitycenter_service import (
+    SecurityCenter,
+)
+from prowler.providers.common.provider import Provider
+
+securitycenter_client = SecurityCenter(Provider.get_global_provider())

prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json

@@ -0,0 +1,42 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "securitycenter_notification_enabled_high_risk",
+  "CheckTitle": "Notification is enabled on all high risk items",
+  "CheckType": [
+    "Suspicious process",
+    "Webshell",
+    "Unusual logon",
+    "Sensitive file tampering",
+    "Malicious software"
+  ],
+  "ServiceName": "securitycenter",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:sas::account-id:notice-config/{project}",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSecurityCenterNoticeConfig",
+  "Description": "Enable all **risk item notifications** in Vulnerability, Baseline Risks, Alerts, and AccessKey Leak event detection categories.\n\nThis ensures that relevant security operators receive notifications as soon as security events occur.",
+  "Risk": "Without **notifications enabled** for high-risk items, security operators may not be aware of critical security events in a timely manner, potentially leading to **delayed response** and **increased security exposure**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/111648.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/enable-high-risk-item-notifications.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aliyun sas ModifyNoticeConfig --Project <project_name> --Route <route_value>",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Notification**\n4. Enable all high-risk items on Notification setting\n\nRoute values: `1`=text message, `2`=email, `3`=internal message, `4`=text+email, `5`=text+internal, `6`=email+internal, `7`=all methods",
+      "Url": "https://hub.prowler.com/check/securitycenter_notification_enabled_high_risk"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.py

@@ -0,0 +1,65 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.securitycenter.securitycenter_client import (
+    securitycenter_client,
+)
+
+
+class securitycenter_notification_enabled_high_risk(Check):
+    """Check if notification is enabled on all high risk items."""
+
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        # High-risk categories based on CIS benchmark:
+        # - Vulnerability: sas_vulnerability, yundun_sas_vul_Emergency
+        # - Baseline Risks: sas_healthcheck
+        # - Alerts: sas_suspicious, suspicious, remotelogin, webshell, bruteforcesuccess
+        # - Accesskey Leak: yundun_sas_ak_leakage
+        high_risk_projects = [
+            "sas_vulnerability",  # Vulnerability
+            "yundun_sas_vul_Emergency",  # Emergency vulnerabilities
+            "sas_healthcheck",  # Baseline Risks
+            "sas_suspicious",  # Alerts - Suspicious
+            "suspicious",  # Alerts - Suspicious
+            "remotelogin",  # Alerts - Remote login
+            "webshell",  # Alerts - Webshell
+            "bruteforcesuccess",  # Alerts - Brute force success
+            "yundun_sas_ak_leakage",  # Accesskey Leak
+        ]
+
+        notice_configs = securitycenter_client.notice_configs
+
+        # Check each high-risk project
+        for project in high_risk_projects:
+            config = notice_configs.get(project)
+
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=config if config else {}
+            )
+            report.region = securitycenter_client.region
+            report.resource_id = project
+            report.resource_arn = f"acs:sas::{securitycenter_client.audited_account}:notice-config/{project}"
+
+            if not config:
+                # Configuration not found - may not be available or not configured
+                report.status = "MANUAL"
+                report.status_extended = (
+                    f"Notification configuration for high-risk item '{project}' "
+                    "could not be determined. Please check Security Center Console manually."
+                )
+            elif config.notification_enabled:
+                # Route != 0 means notification is enabled
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Notification is enabled for high-risk item '{project}'."
+                )
+            else:
+                # Route == 0 means notification is disabled
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Notification is not enabled for high-risk item '{project}'."
+                )
+
+            findings.append(report)
+
+        return findings