prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.py

@@ -0,0 +1,48 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.sls.sls_client import sls_client
+
+
+class sls_customer_created_cmk_changes_alert_enabled(Check):
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        found = False
+
+        for alert in sls_client.alerts:
+            query_list = alert.configuration.get("queryList", [])
+            if not query_list:
+                continue
+
+            for query_obj in query_list:
+                query = query_obj.get("query", "")
+                if "Kms" in query and (
+                    "DisableKey" in query
+                    or "ScheduleKeyDeletion" in query
+                    or "DeleteKeyMaterial" in query
+                ):
+                    found = True
+                    report = CheckReportAlibabaCloud(
+                        metadata=self.metadata(), resource=alert
+                    )
+                    report.status = "PASS"
+                    report.status_extended = f"SLS Alert {alert.name} is configured for disabling or deletion of customer created CMKs."
+                    report.resource_id = alert.name
+                    report.resource_arn = alert.arn
+                    report.region = alert.region
+                    findings.append(report)
+                    break
+
+            if found:
+                break
+
+        if not found:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=sls_client.provider.identity
+            )
+            report.status = "FAIL"
+            report.status_extended = "No SLS Alert configured for disabling or deletion of customer created CMKs."
+            report.resource_id = sls_client.audited_account
+            report.resource_arn = sls_client.provider.identity.identity_arn
+            report.region = sls_client.region
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json

@@ -0,0 +1,38 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "sls_logstore_retention_period",
+  "CheckTitle": "Logstore data retention period is set to the recommended period (default 365 days)",
+  "CheckType": [
+    "Cloud threat detection"
+  ],
+  "ServiceName": "sls",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/logstore/logstore-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSLSLogStore",
+  "Description": "Ensure **Activity Log Retention** is set for **365 days** or greater.",
+  "Risk": "Logstore lifecycle controls how your activity log is exported and retained. It is recommended to retain your activity log for **365 days or more** to have time to respond to any incidents.\n\nShort retention periods may result in loss of **forensic evidence** needed for security investigations.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/48990.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/sufficient-logstore-data-retention-period.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **SLS Console**\n2. Find the project in the Projects section\n3. Click **Modify** icon next to the Logstore\n4. Modify the `Data Retention Period` to `365` or greater",
+      "Url": "https://hub.prowler.com/check/sls_logstore_retention_period"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.py

@@ -0,0 +1,32 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.sls.sls_client import sls_client
+
+
+class sls_logstore_retention_period(Check):
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+
+        # Get configurable max days from audit config (default: 365 days)
+        min_log_retention_days = sls_client.audit_config.get(
+            "min_log_retention_days", 365
+        )
+
+        for log_store in sls_client.log_stores:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=log_store
+            )
+            report.resource_id = log_store.name
+            report.resource_arn = log_store.arn
+            report.region = log_store.region
+
+            # Check retention
+            if log_store.retention_days >= min_log_retention_days:
+                report.status = "PASS"
+                report.status_extended = f"SLS LogStore {log_store.name} in project {log_store.project} has retention set to {log_store.retention_days} days (>= {min_log_retention_days} days)."
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"SLS LogStore {log_store.name} in project {log_store.project} has retention set to {log_store.retention_days} days (less than {min_log_retention_days} days)."
+
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "sls_management_console_authentication_failures_alert_enabled",
+  "CheckTitle": "A log monitoring and alerts are set up for Management Console authentication failures",
+  "CheckType": [
+    "Unusual logon",
+    "Abnormal account"
+  ],
+  "ServiceName": "sls",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSLSAlert",
+  "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for **failed console authentication attempts**.",
+  "Risk": "Monitoring **failed console logins** may decrease lead time to detect an attempt to **brute force** a credential, which may provide an indicator (such as source IP) that can be used in other event correlation.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/account-continuous-login-failures-alert.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **SLS Console**\n2. Ensure **ActionTrail** is enabled\n3. Select **Alerts**\n4. Ensure alert rule has been enabled for Management Console authentication failures",
+      "Url": "https://hub.prowler.com/check/sls_management_console_authentication_failures_alert_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.py

@@ -0,0 +1,44 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.sls.sls_client import sls_client
+
+
+class sls_management_console_authentication_failures_alert_enabled(Check):
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        found = False
+
+        for alert in sls_client.alerts:
+            query_list = alert.configuration.get("queryList", [])
+            if not query_list:
+                continue
+
+            for query_obj in query_list:
+                query = query_obj.get("query", "")
+                if "ConsoleSignin" in query and "event.errorCode" in query:
+                    found = True
+                    report = CheckReportAlibabaCloud(
+                        metadata=self.metadata(), resource=alert
+                    )
+                    report.status = "PASS"
+                    report.status_extended = f"SLS Alert {alert.name} is configured for Management Console authentication failures."
+                    report.resource_id = alert.name
+                    report.resource_arn = alert.arn
+                    report.region = alert.region
+                    findings.append(report)
+                    break
+
+            if found:
+                break
+
+        if not found:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=sls_client.provider.identity
+            )
+            report.status = "FAIL"
+            report.status_extended = "No SLS Alert configured for Management Console authentication failures."
+            report.resource_id = sls_client.audited_account
+            report.resource_arn = sls_client.provider.identity.identity_arn
+            report.region = sls_client.region
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "sls_management_console_signin_without_mfa_alert_enabled",
+  "CheckTitle": "A log monitoring and alerts are set up for Management Console sign-in without MFA",
+  "CheckType": [
+    "Unusual logon",
+    "Abnormal account"
+  ],
+  "ServiceName": "sls",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSLSAlert",
+  "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for console logins that are not protected by **multi-factor authentication (MFA)**.",
+  "Risk": "Monitoring for **single-factor console logins** will increase visibility into accounts that are not protected by MFA.\n\nThis helps identify potential security gaps in authentication enforcement.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/single-factor-console-logins-alert.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **SLS Console**\n2. Ensure **ActionTrail** is enabled\n3. Select **Alerts**\n4. Ensure alert rule has been enabled for Management Console sign-in without MFA",
+      "Url": "https://hub.prowler.com/check/sls_management_console_signin_without_mfa_alert_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.py

@@ -0,0 +1,49 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.sls.sls_client import sls_client
+
+
+class sls_management_console_signin_without_mfa_alert_enabled(Check):
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        found = False
+
+        for alert in sls_client.alerts:
+            query_list = alert.configuration.get("queryList", [])
+            if not query_list:
+                continue
+
+            for query_obj in query_list:
+                query = query_obj.get("query", "")
+                if (
+                    "ConsoleSignin" in query
+                    and "addionalEventData.loginAccount" in query
+                ):
+                    found = True
+                    report = CheckReportAlibabaCloud(
+                        metadata=self.metadata(), resource=alert
+                    )
+                    report.status = "PASS"
+                    report.status_extended = f"SLS Alert {alert.name} is configured for Management Console sign-in without MFA."
+                    report.resource_id = alert.name
+                    report.resource_arn = alert.arn
+                    report.region = alert.region
+                    findings.append(report)
+                    break
+
+            if found:
+                break
+
+        if not found:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=sls_client.provider.identity
+            )
+            report.status = "FAIL"
+            report.status_extended = (
+                "No SLS Alert configured for Management Console sign-in without MFA."
+            )
+            report.resource_id = sls_client.audited_account
+            report.resource_arn = sls_client.provider.identity.identity_arn
+            report.region = sls_client.region
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "sls_oss_bucket_policy_changes_alert_enabled",
+  "CheckTitle": "A log monitoring and alerts are set up for OSS bucket policy changes",
+  "CheckType": [
+    "Sensitive file tampering",
+    "Cloud threat detection"
+  ],
+  "ServiceName": "sls",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSLSAlert",
+  "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for changes to **OSS bucket policies**.",
+  "Risk": "Monitoring changes to **OSS bucket policies** may reduce time to detect and correct **permissive policies** on sensitive OSS buckets.\n\nThis helps prevent unintended data exposure.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/oss-bucket-authority-changes-alert.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **SLS Console**\n2. Ensure **ActionTrail** is enabled\n3. Select **Alerts**\n4. Ensure alert rule has been enabled for OSS bucket policy changes",
+      "Url": "https://hub.prowler.com/check/sls_oss_bucket_policy_changes_alert_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.py

@@ -0,0 +1,57 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.sls.sls_client import sls_client
+
+
+class sls_oss_bucket_policy_changes_alert_enabled(Check):
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        found = False
+
+        for alert in sls_client.alerts:
+            query_list = alert.configuration.get("queryList", [])
+            if not query_list:
+                continue
+
+            for query_obj in query_list:
+                query = query_obj.get("query", "")
+                if (
+                    "PutBucketLifecycle" in query
+                    or "PutBucketPolicy" in query
+                    or "PutBucketCors" in query
+                    or "PutBucketEncryption" in query
+                    or "PutBucketReplication" in query
+                    or "DeleteBucketPolicy" in query
+                    or "DeleteBucketCors" in query
+                    or "DeleteBucketLifecycle" in query
+                    or "DeleteBucketEncryption" in query
+                    or "DeleteBucketReplication" in query
+                ):
+                    found = True
+                    report = CheckReportAlibabaCloud(
+                        metadata=self.metadata(), resource=alert
+                    )
+                    report.status = "PASS"
+                    report.status_extended = f"SLS Alert {alert.name} is configured for OSS bucket policy changes."
+                    report.resource_id = alert.name
+                    report.resource_arn = alert.arn
+                    report.region = alert.region
+                    findings.append(report)
+                    break
+
+            if found:
+                break
+
+        if not found:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=sls_client.provider.identity
+            )
+            report.status = "FAIL"
+            report.status_extended = (
+                "No SLS Alert configured for OSS bucket policy changes."
+            )
+            report.resource_id = sls_client.audited_account
+            report.resource_arn = sls_client.provider.identity.identity_arn
+            report.region = sls_client.region
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "sls_oss_permission_changes_alert_enabled",
+  "CheckTitle": "Log monitoring and alerts are set up for OSS permission changes",
+  "CheckType": [
+    "Sensitive file tampering",
+    "Cloud threat detection"
+  ],
+  "ServiceName": "sls",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSLSAlert",
+  "Description": "It is recommended that a **metric filter and alarm** be established for **OSS Bucket RAM** changes.",
+  "Risk": "Monitoring changes to **OSS permissions** may reduce time to detect and correct permissions on sensitive OSS buckets and objects inside the bucket.\n\nThis helps prevent **unauthorized access** to stored data.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/oss-bucket-permission-changes-alert.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **SLS Console**\n2. Ensure **OSS logging** is enabled\n3. Select **Alerts**\n4. Ensure alert rule has been enabled for OSS permission changes",
+      "Url": "https://hub.prowler.com/check/sls_oss_permission_changes_alert_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.py

@@ -0,0 +1,48 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.sls.sls_client import sls_client
+
+
+class sls_oss_permission_changes_alert_enabled(Check):
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        found = False
+
+        for alert in sls_client.alerts:
+            query_list = alert.configuration.get("queryList", [])
+            if not query_list:
+                continue
+
+            for query_obj in query_list:
+                query = query_obj.get("query", "")
+                if ("PutBucket" in query and "acl" in query) or (
+                    "PutObjectAcl" in query
+                ):
+                    found = True
+                    report = CheckReportAlibabaCloud(
+                        metadata=self.metadata(), resource=alert
+                    )
+                    report.status = "PASS"
+                    report.status_extended = f"SLS Alert {alert.name} is configured for OSS permission changes."
+                    report.resource_id = alert.name
+                    report.resource_arn = alert.arn
+                    report.region = alert.region
+                    findings.append(report)
+                    break
+
+            if found:
+                break
+
+        if not found:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=sls_client.provider.identity
+            )
+            report.status = "FAIL"
+            report.status_extended = (
+                "No SLS Alert configured for OSS permission changes."
+            )
+            report.resource_id = sls_client.audited_account
+            report.resource_arn = sls_client.provider.identity.identity_arn
+            report.region = sls_client.region
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "sls_ram_role_changes_alert_enabled",
+  "CheckTitle": "Log monitoring and alerts are set up for RAM Role changes",
+  "CheckType": [
+    "Abnormal account",
+    "Cloud threat detection"
+  ],
+  "ServiceName": "sls",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSLSAlert",
+  "Description": "It is recommended that a query and alarm be established for **RAM Role** creation, deletion, and updating activities.",
+  "Risk": "Monitoring **role creation**, **deletion**, and **updating** activities will help in identifying potential **malicious actions** at an early stage.\n\nUnauthorized role changes could lead to privilege escalation.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/doc-detail/91784.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/ram-policy-changes-alert.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **SLS Console**\n2. Ensure **ActionTrail** is enabled\n3. Select **Alerts**\n4. Ensure alert rule has been enabled for RAM/ResourceManager policy changes",
+      "Url": "https://hub.prowler.com/check/sls_ram_role_changes_alert_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.py

@@ -0,0 +1,54 @@
+from prowler.lib.check.models import Check, CheckReportAlibabaCloud
+from prowler.providers.alibabacloud.services.sls.sls_client import sls_client
+
+
+class sls_ram_role_changes_alert_enabled(Check):
+    def execute(self) -> list[CheckReportAlibabaCloud]:
+        findings = []
+        found = False
+
+        for alert in sls_client.alerts:
+            # Check configuration for query
+            # alert.configuration is a dict. configuration['queryList'] is a list of dicts with 'query'
+            query_list = alert.configuration.get("queryList", [])
+            if not query_list:
+                continue
+
+            for query_obj in query_list:
+                query = query_obj.get("query", "")
+                # Check for key terms
+                # Query: ("event.serviceName": ResourceManager or "event.serviceName": Ram) ...
+                if (
+                    ("ResourceManager" in query or "Ram" in query)
+                    and "CreatePolicy" in query
+                    and "DeletePolicy" in query
+                ):
+                    found = True
+                    report = CheckReportAlibabaCloud(
+                        metadata=self.metadata(), resource=alert
+                    )
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"SLS Alert {alert.name} is configured for RAM Role changes."
+                    )
+                    report.resource_id = alert.name
+                    report.resource_arn = alert.arn
+                    report.region = alert.region
+                    findings.append(report)
+                    break  # Found one query in this alert
+
+            if found:
+                break
+
+        if not found:
+            report = CheckReportAlibabaCloud(
+                metadata=self.metadata(), resource=sls_client.provider.identity
+            )
+            report.status = "FAIL"
+            report.status_extended = "No SLS Alert configured for RAM Role changes."
+            report.resource_id = sls_client.audited_account
+            report.resource_arn = sls_client.provider.identity.identity_arn
+            report.region = sls_client.region
+            findings.append(report)
+
+        return findings

prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "alibabacloud",
+  "CheckID": "sls_rds_instance_configuration_changes_alert_enabled",
+  "CheckTitle": "Log monitoring and alerts are set up for RDS instance configuration changes",
+  "CheckType": [
+    "Intrusion into applications",
+    "Cloud threat detection"
+  ],
+  "ServiceName": "sls",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+  "Severity": "medium",
+  "ResourceType": "AlibabaCloudSLSAlert",
+  "Description": "It is recommended that a **metric filter and alarm** be established for **RDS Instance** configuration changes.",
+  "Risk": "Monitoring changes to **RDS Instance configuration** may reduce time to detect and correct **misconfigurations** done on database servers.\n\nThis helps prevent security gaps in database deployments.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/rds-instance-config-changes-alert.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Log on to the **SLS Console**\n2. Ensure **ActionTrail** is enabled\n3. Select **Alerts**\n4. Ensure alert rule has been enabled for RDS instance configuration changes",
+      "Url": "https://hub.prowler.com/check/sls_rds_instance_configuration_changes_alert_enabled"
+    }
+  },
+  "Categories": [
+    "logging"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}