PyPI - prowler-cloud - Versions diffs - 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl - Mend

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (326) hide show

prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.metadata.json CHANGED Viewed

@@ -1,32 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "guardduty_eks_audit_log_enabled",
-  "CheckTitle": "GuardDuty EKS Audit Log Monitoring Enabled",
+  "CheckTitle": "GuardDuty detector has EKS Audit Log Monitoring enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "guardduty",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsGuardDutyDetector",
-  "Description": "Checks whether GuardDuty EKS Audit Log Monitoring is enabled as source in a detector.",
-  "Risk": "Without GuardDuty EKS Audit Log Monitoring enabled, you may not be able to detect potentially suspicious activities in your Amazon Elastic Kubernetes Service (Amazon EKS) clusters.",
-  "RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html",
+  "Description": "**Amazon GuardDuty detectors** are evaluated for **EKS Audit Log Monitoring** (`EKS_AUDIT_LOGS`) being enabled to analyze Kubernetes audit activity from your **Amazon EKS** clusters.",
+  "Risk": "Without it, **Kubernetes API abuse** may go undetected, impacting CIA:\n- Secret access and data exfiltration\n- RBAC changes enabling privilege escalation\n- Rogue deployments for persistence/cryptomining\n\nAttackers can laterally move to AWS using harvested credentials.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/guardduty/latest/ug/eks-protection-enable-standalone-account.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-5",
+    "https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws guardduty update-detector --detector-id <detector-id> --data-sources Kubernetes={AuditLogs={Enable=true}}",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-5",
-      "Terraform": ""
+      "CLI": "aws guardduty update-detector --detector-id <detector-id> --features '[{\"Name\":\"EKS_AUDIT_LOGS\",\"Status\":\"ENABLED\"}]'",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable EKS Audit Log Monitoring on GuardDuty detector\nResources:\n  GuardDutyDetector:\n    Type: AWS::GuardDuty::Detector\n    Properties:\n      Enable: true\n      DataSources:\n        Kubernetes:\n          AuditLogs:\n            Enable: true  # CRITICAL: Enables EKS Audit Log Monitoring\n```",
+      "Other": "1. Open the AWS Console and go to Amazon GuardDuty\n2. Select the Region where you want to enable it\n3. In the left menu, click EKS Protection\n4. Click Enable and confirm\n5. If using AWS Organizations, perform these steps in the delegated GuardDuty administrator account",
+      "Terraform": "```hcl\n# Enable EKS Audit Log Monitoring on GuardDuty detector\nresource \"aws_guardduty_detector\" \"example\" {\n  enable = true\n\n  features {\n    name   = \"EKS_AUDIT_LOGS\"\n    status = \"ENABLED\"  # CRITICAL: Enables EKS Audit Log Monitoring\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable GuardDuty EKS Audit Log Monitoring to detect potentially suspicious activities in your Amazon Elastic Kubernetes Service (Amazon EKS) clusters.",
-      "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/eks-protection-enable-standalone-account.html"
+      "Text": "Enable **EKS Audit Log Monitoring** on all detectors in every required Region, centrally managed by the GuardDuty administrator.\n- Route findings to alerting/IR workflows\n- Enforce **least privilege** on access to findings and configs\n- Combine with **defense-in-depth**: hardened RBAC and runtime monitoring",
+      "Url": "https://hub.prowler.com/check/guardduty_eks_audit_log_enabled"
     }
   },
   "Categories": [
-    "logging"
+    "cluster-security"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.metadata.json CHANGED Viewed

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "guardduty_eks_runtime_monitoring_enabled",
-  "CheckTitle": "GuardDuty EKS Runtime Monitoring should be enabled",
+  "CheckTitle": "GuardDuty detector has EKS Runtime Monitoring enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "guardduty",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:guardduty:{region}:{account-id}:detector/{detector-id}",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsGuardDutyDetector",
-  "Description": "This control checks whether GuardDuty EKS Runtime Monitoring with automated agent management is enabled. For a standalone account, the control fails if GuardDuty EKS Runtime Monitoring with automated agent management is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have EKS Runtime Monitoring with automated agent management enabled.",
-  "Risk": "Without EKS Runtime Monitoring in GuardDuty, your Amazon EKS clusters may lack necessary protection against potential threats that can compromise container security, leading to unmonitored security risks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-runtime-enabled.html",
+  "Description": "GuardDuty detectors are evaluated for **EKS Runtime Monitoring** being enabled for Amazon EKS. The configuration is at the detector level and relates to visibility into *process, file, and network* activity on EKS nodes and containers.",
+  "Risk": "Absent **EKS runtime monitoring**, in-cluster activity is blind to detection. Adversaries can run malware or cryptominers, exfiltrate secrets via pods, tamper with workloads, or pivot to other services, degrading confidentiality, corrupting integrity, and exhausting resources (availability).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html",
+    "https://docs.aws.amazon.com/config/latest/developerguide/guardduty-eks-protection-runtime-enabled.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-7"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws guardduty update-organization-configuration --detector-id <detector-id> --eks-runtime-monitoring-configuration Enable=true --auto-enable",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-7",
-      "Terraform": ""
+      "CLI": "aws guardduty update-detector --detector-id <detector-id> --features name=EKS_RUNTIME_MONITORING,status=ENABLED",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::GuardDuty::Detector\n    Properties:\n      Enable: true\n      Features:\n        - Name: EKS_RUNTIME_MONITORING   # Critical: selects EKS Runtime Monitoring feature\n          Status: ENABLED                # Critical: enables the feature to pass the check\n```",
+      "Other": "1. Open the AWS Console and go to Amazon GuardDuty\n2. In the left pane, select Settings > Runtime monitoring\n3. Under EKS Runtime Monitoring, switch the status to Enabled\n4. Click Save changes",
+      "Terraform": "```hcl\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n  enable = true\n\n  features {\n    name   = \"EKS_RUNTIME_MONITORING\"  # Critical: selects EKS Runtime Monitoring feature\n    status = \"ENABLED\"                 # Critical: enables the feature to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable GuardDuty EKS Runtime Monitoring with automated agent management to protect EKS clusters.",
-      "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-configuration.html"
+      "Text": "- Enable **EKS Runtime Monitoring** with automated agent management across all accounts and clusters\n- Enforce **least privilege** for agents and segment cluster access\n- Integrate findings with response workflows and periodically verify runtime coverage",
+      "Url": "https://hub.prowler.com/check/guardduty_eks_runtime_monitoring_enabled"
     }
   },
   "Categories": [],

prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.metadata.json CHANGED Viewed

@@ -1,26 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "guardduty_is_enabled",
-  "CheckTitle": "Check if GuardDuty is enabled",
-  "CheckType": [],
+  "CheckTitle": "GuardDuty detector is enabled and not suspended",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+  ],
   "ServiceName": "guardduty",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsGuardDutyDetector",
-  "Description": "Check if GuardDuty is enabled",
-  "Risk": "Amazon GuardDuty is a continuous security monitoring service that analyzes and processes several datasources.",
-  "RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
+  "Description": "**Amazon GuardDuty** detector existence and health are evaluated per Region. It identifies where GuardDuty isn't enabled for the account, where a detector has no status, or where a detector is configured but `suspended`.",
+  "Risk": "Without active **GuardDuty**, threats in CloudTrail, VPC Flow Logs, DNS, S3, EKS, EBS, and Lambda can go unnoticed. Attackers can exfiltrate data, move laterally, and mine crypto, degrading confidentiality, integrity, and availability-especially in unmonitored Regions.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html",
+    "https://aws.plainenglish.io/how-to-protect-your-organizations-aws-account-with-aws-guardduty-a1a635c417aa",
+    "https://medium.com/swlh/aws-cdk-automating-guardduty-event-notifications-in-all-regions-f0bbcec6077d",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
+    "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-terraform-to-automatically-enable-amazon-guardduty-for-an-organization.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws guardduty create-detector --region <REGION> --enable",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/guardduty-enabled.html",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-guardduty-is-enabled-to-specific-orgregion#fix---buildtime"
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: Ensure GuardDuty detector is enabled (not suspended) in the Region\nResources:\n  ExampleGuardDutyDetector:\n    Type: AWS::GuardDuty::Detector\n    Properties:\n      Enable: true  # Critical: enables the detector so GuardDuty is active (not suspended)\n```",
+      "Other": "1. Sign in to the AWS Console and open Amazon GuardDuty\n2. Switch to the target AWS Region\n3. If prompted with Get started, click Enable GuardDuty\n4. If GuardDuty is already configured but suspended, go to Settings and click Enable (or Resume) to activate the detector\n5. Repeat in each required Region",
+      "Terraform": "```hcl\n# Terraform: Ensure GuardDuty detector is enabled (not suspended) in the Region\nresource \"aws_guardduty_detector\" \"example_resource_name\" {\n  enable = true  # Critical: turns GuardDuty on and ensures it is not suspended\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable GuardDuty and analyze its findings.",
-      "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html"
+      "Text": "Enable and keep **GuardDuty** active in all supported Regions and accounts under a delegated admin. Turn on relevant protection plans and auto-enroll new accounts. Avoid `suspended` detectors, enforce **least privilege** for admins, and integrate findings into response for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/guardduty_is_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json CHANGED Viewed

@@ -1,32 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "guardduty_lambda_protection_enabled",
-  "CheckTitle": "Check if GuardDuty Lambda Protection is enabled.",
+  "CheckTitle": "GuardDuty detector has Lambda Protection enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "guardduty",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsGuardDutyDetector",
-  "Description": "GuardDuty Lambda Protection helps you identify potential security threats when an AWS Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your AWS account.",
-  "Risk": "If Lambda Protection is not enabled, GuardDuty will not be able to monitor Lambda network activity logs and may miss potential security threats.",
-  "RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html",
+  "Description": "**Amazon GuardDuty detectors** with **Lambda Protection** enabled analyze **Lambda invocation network activity logs** across your account.\n\nEvaluation determines whether the detector has `Lambda Protection` turned on.",
+  "Risk": "Without **Lambda Protection**, Lambda network traffic is uninspected, enabling:\n- **C2 callbacks** and data exfiltration (confidentiality)\n- Malicious code altering data or configs (integrity)\n- Lateral movement or abuse causing disruption (availability)",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-6",
+    "https://docs.aws.amazon.com/guardduty/latest/ug/configure-lambda-protection-standalone-acc.html",
+    "https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws guardduty update-detector --detector-id <detector-id> --features Name=LAMBDA_NETWORK_LOGS,Status=ENABLED",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-6",
-      "Terraform": ""
+      "CLI": "aws guardduty update-detector --detector-id <detector-id> --features '[{\"Name\":\"LAMBDA_NETWORK_LOGS\",\"Status\":\"ENABLED\"}]'",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::GuardDuty::Detector\n    Properties:\n      Enable: true\n      Features:\n        - Name: LAMBDA_NETWORK_LOGS  # Critical: selects Lambda Protection feature\n          Status: ENABLED            # Critical: enables Lambda Protection\n```",
+      "Other": "1. Open the AWS Console and go to GuardDuty\n2. In the left pane, select Settings > Lambda Protection\n3. Click Enable\n4. Click Confirm to save",
+      "Terraform": "```hcl\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n  enable = true\n  features {\n    name   = \"LAMBDA_NETWORK_LOGS\"  # Critical: selects Lambda Protection feature\n    status = \"ENABLED\"               # Critical: enables Lambda Protection\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Lambda Protection in your GuardDuty detector to start monitoring Lambda Network Activity in your account.",
-      "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/configure-lambda-protection-standalone-acc.html"
+      "Text": "Enable **Lambda Protection** on all detectors in every active Region and account.\n\nApply **least privilege** to Lambda roles, restrict egress with network controls, and integrate findings with alerting and response for **defense in depth**. *In multi-account setups*, manage centrally for consistent coverage.",
+      "Url": "https://hub.prowler.com/check/guardduty_lambda_protection_enabled"
     }
   },
   "Categories": [],
-  "Notes": "",
   "DependsOn": [],
-  "RelatedTo": []
+  "RelatedTo": [],
+  "Notes": ""
 }

prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.metadata.json CHANGED Viewed

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "guardduty_no_high_severity_findings",
-  "CheckTitle": "There are High severity GuardDuty findings ",
-  "CheckType": [],
+  "CheckTitle": "GuardDuty detector has no high severity findings",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "TTPs",
+    "Unusual Behaviors"
+  ],
   "ServiceName": "guardduty",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsGuardDutyDetector",
-  "Description": "There are High severity GuardDuty findings ",
-  "Risk": "If critical findings are not addressed threats can spread in the environment.",
-  "RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html",
+  "Description": "**GuardDuty detectors** are evaluated for the presence of **High-severity findings**. This surfaces whether any detector currently has findings labeled `High` by GuardDuty.",
+  "Risk": "Unresolved **High findings** often signal active compromise, enabling:\n- Data exfiltration and unauthorized access (confidentiality)\n- Privilege escalation and tampering (integrity)\n- Disruption via malware/crypto-mining (availability)\n\nAttackers can pivot laterally and persist if not contained.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html",
+    "https://docs.aws.amazon.com/prescriptive-guidance/latest/vulnerability-management/assess-and-prioritize-security-findings.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/findings.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/findings.html",
+      "Other": "1. Sign in to the AWS console and open Amazon GuardDuty\n2. Use the Region selector to choose a Region where GuardDuty is enabled\n3. Go to Findings and filter: Severity = High (7-8.9), Archived status = Not archived\n4. Select all results, click Actions > Archive\n5. Repeat steps 2-4 for every Region with GuardDuty enabled\n6. Confirm there are 0 active High severity findings in each Region",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Review and remediate critical GuardDuty findings as quickly as possible.",
-      "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html"
+      "Text": "Treat **High findings** as incidents.\n\n- Prioritize triage and containment; isolate affected resources, rotate secrets\n- Automate alerting and response with playbooks; integrate into IR\n- Enforce **least privilege**, network segmentation, and hardened baselines\n- Continuously tune detections and remove unused access to prevent recurrence",
+      "Url": "https://hub.prowler.com/check/guardduty_no_high_severity_findings"
     }
   },
   "Categories": [],

prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.metadata.json CHANGED Viewed

@@ -1,28 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "guardduty_rds_protection_enabled",
-  "CheckTitle": "Check if GuardDuty RDS Protection is enabled.",
+  "CheckTitle": "GuardDuty detector has RDS Protection enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Credential Access"
   ],
   "ServiceName": "guardduty",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:guardduty:<region>:<account-id>:detector/<detector-id>",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsGuardDutyDetector",
-  "Description": "Check if GuardDuty RDS Protection is enabled to ensure monitoring and threat detection for RDS activity.",
-  "Risk": "Without GuardDuty RDS Protection enabled, suspicious login activities to your databases may go undetected, increasing the risk of unauthorized access, data breaches, or compromised database security.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/guard-duty-rds-protection.html",
+  "Description": "Active **Amazon GuardDuty detectors** are assessed for **RDS Protection** being enabled, allowing analysis of RDS and Aurora login activity to profile and flag anomalous access patterns.",
+  "Risk": "Without **RDS Protection**, anomalous database logins can go unnoticed. Attackers using **stolen** or **brute-forced** credentials may access data, alter schemas, or pivot via the DB, impacting **confidentiality** and **integrity**, and potentially **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-9",
+    "https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html",
+    "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/guard-duty-rds-protection.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws guardduty update-detector --detector-id <detector-id> --features Name=RDS_LOGIN_EVENTS,Status=ENABLED",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-9",
-      "Terraform": ""
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::GuardDuty::Detector\n    Properties:\n      Enable: true\n      Features:\n        - Name: RDS_LOGIN_EVENTS  # critical: selects GuardDuty RDS Protection feature\n          Status: ENABLED         # critical: turns RDS Protection on\n```",
+      "Other": "1. In the AWS Console, open Amazon GuardDuty\n2. Go to Settings (or Protection plans/Features)\n3. Find RDS Protection (RDS login events) and click Enable\n4. Save changes\n5. If using Organizations, perform this in the delegated GuardDuty administrator account",
+      "Terraform": "```hcl\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n  enable = true\n  features {\n    name   = \"RDS_LOGIN_EVENTS\"  # critical: GuardDuty RDS Protection feature\n    status = \"ENABLED\"            # critical: enable the feature\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable GuardDuty RDS Protection to continuously monitor and detect anomalous login behaviors on your Aurora databases, helping to identify and respond to potential access threats without impacting database performance.",
-      "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html"
+      "Text": "Enable **GuardDuty RDS Protection** across all accounts and Regions.\n- Enforce **least privilege** for DB users and rotate credentials\n- Restrict network exposure to databases\n- Integrate findings with alerting and incident response for rapid containment",
+      "Url": "https://hub.prowler.com/check/guardduty_rds_protection_enabled"
     }
   },
   "Categories": [],

prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.metadata.json CHANGED Viewed

@@ -1,28 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "guardduty_s3_protection_enabled",
-  "CheckTitle": "Check if GuardDuty S3 Protection is enabled.",
+  "CheckTitle": "GuardDuty detector has S3 Protection enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exfiltration"
   ],
   "ServiceName": "guardduty",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:guardduty:<region>:<account-id>:detector/<detector-id>",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsGuardDutyDetector",
-  "Description": "This control checks whether GuardDuty S3 Protection is enabled in the account.",
-  "Risk": "Without GuardDuty S3 Protection enabled, your S3 buckets are not monitored for potential security risks at the object level, which may lead to undetected malicious activities and data breaches.",
-  "RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html",
+  "Description": "Amazon GuardDuty detectors are evaluated for **S3 Protection**, which analyzes CloudTrail S3 data events to monitor **object-level API activity** (`GetObject`, `PutObject`, `DeleteObject`) across S3 buckets in the account and Region.",
+  "Risk": "Without S3 Protection, **object-level S3 activity** isn't analyzed, enabling:\n- **Exfiltration** via mass reads/copies\n- **Destructive deletes**\n- **Policy/ACL tampering**\n\nUndetected actions degrade data confidentiality, integrity, and availability.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.amazonaws.cn/en_us/guardduty/latest/ug/guardduty_finding-types-s3.html",
+    "https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/GuardDuty/enable-s3-protection.html",
+    "https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-10"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws guardduty update-detector --detector-id <detector-id> --data-sources S3Logs={Enable=true}}'",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html#guardduty-10",
-      "Terraform": ""
+      "CLI": "aws guardduty update-detector --detector-id <detector-id> --data-sources S3Logs={Enable=true}",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable S3 Protection on a GuardDuty detector\nResources:\n  <example_resource_name>:\n    Type: AWS::GuardDuty::Detector\n    Properties:\n      Enable: true\n      DataSources:\n        S3Logs:\n          Enable: true  # Critical: Enables GuardDuty S3 Protection\n```",
+      "Other": "1. Open the AWS Management Console and go to GuardDuty\n2. In the left menu, select Settings\n3. Find the S3 Protection section and click Enable (or toggle On)\n4. Click Save",
+      "Terraform": "```hcl\n# Enable S3 Protection on a GuardDuty detector\nresource \"aws_guardduty_detector\" \"<example_resource_name>\" {\n  enable = true\n\n  datasources {\n    s3_logs {\n      enable = true  # Critical: Enables GuardDuty S3 Protection\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable GuardDuty S3 Protection to monitor object-level API operations in your S3 buckets.",
-      "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html"
+      "Text": "Enable **S3 Protection** across all accounts and Regions to add **defense in depth** for S3. Apply **least privilege** to IAM and bucket policies, keep **Block Public Access** enforced, integrate findings with alerting, and regularly review anomalies to prevent data loss and tampering.",
+      "Url": "https://hub.prowler.com/check/guardduty_s3_protection_enabled"
     }
   },
   "Categories": [],

prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.metadata.json CHANGED Viewed

@@ -1,28 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "lightsail_database_public",
-  "CheckTitle": "Check if the database has the public mode.",
+  "CheckTitle": "Lightsail database public access disabled",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure",
+    "TTPs/Initial Access"
   ],
   "ServiceName": "lightsail",
-  "SubServiceName": "database",
-  "ResourceIdTemplate": "arn:partition:lightsail:region:account:RelationalDatabase/database-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "Other",
-  "Description": "The database is in public mode, which means it is exposed to the internet.",
-  "Risk": "This can lead to unauthorized access to the database.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html",
+  "Description": "**Lightsail managed database** is evaluated for **public accessibility**. When `public mode` is enabled, the database accepts connections from the Internet using its endpoint and port; otherwise, access is limited to authorized Lightsail resources.",
+  "Risk": "**Publicly reachable databases** expose confidential data and credentials to the Internet, enabling:\n- **Brute-force** and credential stuffing\n- **Data exfiltration** via unauthorized queries\n- **Service disruption** from scanning or DoS\n\nCompromise enables **lateral movement** and tampering, impacting confidentiality, integrity, and availability.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html",
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-database-public-mode.html",
+    "https://spinupwp.com/doc/external-database-amazon-lightsail/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws lightsail update-relational-database --relational-database-name <example_resource_name> --no-publicly-accessible",
+      "NativeIaC": "```yaml\n# CloudFormation: disable public access on an existing Lightsail database\nResources:\n  <example_resource_name>:\n    Type: AWS::Lightsail::Database\n    Properties:\n      RelationalDatabaseName: <example_resource_name>\n      PubliclyAccessible: false  # Critical: turns off public mode so the database is not publicly accessible\n```",
+      "Other": "1. In the AWS Console, go to Lightsail > Databases\n2. Select <example_resource_name>\n3. Open the Networking tab\n4. In Public mode, toggle Off\n5. Wait until status returns to Available",
+      "Terraform": "```hcl\n# Disable public access for a Lightsail database\nresource \"aws_lightsail_database\" \"<example_resource_name>\" {\n  name                 = \"<example_resource_name>\"\n  availability_zone    = \"<availability_zone>\"\n  blueprint_id         = \"<blueprint_id>\"\n  bundle_id            = \"<bundle_id>\"\n  master_database_name = \"<master_database_name>\"\n  master_username      = \"<master_username>\"\n  master_password      = \"<master_password>\"\n\n  publicly_accessible = false  # Critical: ensures the database is not publicly accessible\n}\n```"
     },
     "Recommendation": {
-      "Text": "Change the database to private mode.",
-      "Url": ""
+      "Text": "Disable **public mode** and keep the database reachable only from trusted, private networks.\n\n- Enforce **least privilege** and network segmentation\n- Use bastion hosts, tunnels, or private endpoints for admin access\n- If exposure is unavoidable, restrict by IP, rotate credentials, and monitor connections for **defense in depth**",
+      "Url": "https://hub.prowler.com/check/lightsail_database_public"
     }
   },
   "Categories": [

prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.metadata.json CHANGED Viewed

@@ -1,31 +1,42 @@
 {
   "Provider": "aws",
   "CheckID": "lightsail_instance_automated_snapshots",
-  "CheckTitle": "Check if instances have automated snapshots enabled",
+  "CheckTitle": "Lightsail instance has automated snapshots enabled",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/ISO 27001 Controls",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Effects/Data Destruction"
   ],
   "ServiceName": "lightsail",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:lightsail:region:account:Instance/instance-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Amazon Lightsail automatically creates daily snapshots of your instances. These snapshots are used for automatic backups and are stored at no additional cost. It is recommended to enable automatic snapshots for your Lightsail instances.",
-  "Risk": "If automatic snapshots are not enabled, you may lose data in case of accidental deletion or corruption.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-automatic-snapshots.html",
+  "Description": "**Amazon Lightsail instances** with **automatic daily snapshots** enabled are identified. The evaluation checks if an instance is configured to take recurring snapshots at a scheduled time.",
+  "Risk": "Absent automation, data lacks **point-in-time recovery**, increasing **availability** risk from accidental deletion, corruption, or ransomware. Failed updates or compromise hinder quick rollback, degrading **integrity** and extending RPO/RTO, causing prolonged outages.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-changing-automatic-snapshot-time.html",
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-automatic-snapshots.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws lightsail enable-add-on --region <REGION> --resource-name <example_resource_name> --add-on-request addOnType=AutoSnapshot",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable automatic snapshots for a Lightsail instance\nResources:\n  <example_resource_name>:\n    Type: AWS::Lightsail::Instance\n    Properties:\n      InstanceName: <example_resource_name>\n      AvailabilityZone: <example_az>\n      BlueprintId: <example_blueprint_id>\n      BundleId: <example_bundle_id>\n      AddOns:\n        - AddOnType: AutoSnapshot  # Critical: enables automatic snapshots for the instance\n```",
+      "Other": "1. Open the AWS Management Console and go to Lightsail\n2. Click Instances and select <example_resource_name>\n3. Open the Snapshots tab\n4. In Automatic snapshots, toggle On and confirm\n5. (Optional) Set a snapshot time if needed; otherwise the default time is used",
+      "Terraform": "```hcl\n# Enable automatic snapshots for a Lightsail instance\nresource \"aws_lightsail_instance\" \"<example_resource_name>\" {\n  name              = \"<example_resource_name>\"\n  availability_zone = \"<example_az>\"\n  blueprint_id      = \"<example_blueprint_id>\"\n  bundle_id         = \"<example_bundle_id>\"\n\n  add_on {\n    type   = \"AutoSnapshot\"  # Critical: enables automatic snapshots\n    status = \"Enabled\"       # Critical: turns the add-on on\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "The automatic snapshot is a best practice to protect your data. It is recommended to enable automatic snapshots for your Lightsail instances.",
-      "Url": "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-changing-automatic-snapshot-time.html"
+      "Text": "Enable **automatic snapshots** on Lightsail instances and align the schedule with low-traffic windows. Apply **least privilege** to snapshot create/delete, and regularly test restores. Use **defense in depth**: retain multiple versions and replicate backups *for critical workloads* across regions or accounts.",
+      "Url": "https://hub.prowler.com/check/lightsail_instance_automated_snapshots"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.metadata.json CHANGED Viewed

@@ -1,26 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "lightsail_instance_public",
-  "CheckTitle": "Ensure that Lightsail instances are not publicly accessible",
-  "CheckType": [],
+  "CheckTitle": "Lightsail instance has no publicly accessible ports",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Initial Access"
+  ],
   "ServiceName": "lightsail",
-  "SubServiceName": "instance",
-  "ResourceIdTemplate": "arn:partition:lightsail:region:account:Instance/instance-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "Other",
-  "Description": "Ensure that Lightsail instances are not publicly accessible",
-  "Risk": "If an instance is publicly accessible, it can be accessed by anyone on the internet. This can lead to unauthorized access to the instance and its data.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lightsail/latest/userguide/understanding-public-ip-and-private-ip-addresses-in-amazon-lightsail.html#ipv4-addresses",
+  "Description": "**Lightsail instances** that have a **public IP** and at least one firewall rule allowing **public ports** are treated as publicly exposed. The evaluation inspects instance addressing and port rules to detect any port or range marked `public`.",
+  "Risk": "Public IP plus open ports enables Internet scanning, brute force, and exploits.\n- Confidentiality: data exfiltration\n- Integrity: RCE/admin takeover via exposed services\n- Availability: DoS or abuse (botnets, cryptomining), service disruption",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-editing-firewall-rules.html",
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/understanding-public-ip-and-private-ip-addresses-in-amazon-lightsail.html#ipv4-addresses"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws lightsail put-instance-public-ports --instance-name <example_resource_name> --port-infos '[]'",
+      "NativeIaC": "```yaml\n# CloudFormation: remove all public ports from a Lightsail instance\nResources:\n  ClosePublicPorts:\n    Type: AWS::Lightsail::InstancePublicPorts\n    Properties:\n      InstanceName: <example_resource_name>\n      PortInfos: []  # Critical: empty list clears all public ports so the instance is not publicly exposed\n```",
+      "Other": "1. Sign in to the AWS Lightsail console\n2. Go to Instances and select <example_resource_name>\n3. Open the Networking tab\n4. In IPv4 Firewall, delete all existing rules, then Save\n5. If IPv6 is enabled, in IPv6 Firewall, delete all existing rules, then Save",
+      "Terraform": "```hcl\n# Terraform: ensure no public ports are open on the Lightsail instance\nresource \"aws_lightsail_instance_public_ports\" \"<example_resource_name>\" {\n  instance_name = \"<example_resource_name>\"\n\n  # Critical: no port_info blocks -> no public ports are configured (closes all)\n  dynamic \"port_info\" {\n    for_each = []\n    content {\n      from_port = 0\n      to_port   = 0\n      protocol  = \"tcp\"\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "We recommend that you disable public access to the instance and use a VPN or a bastion host to access the instance securely.",
-      "Url": ""
+      "Text": "Apply **least privilege** network access: close unused ports, restrict sources (avoid `0.0.0.0/0`), and review IPv4/IPv6 rules. Use a **VPN** or **bastion host** for administration. Place services behind private networking or load balancers, and harden/monitor any required public endpoints.",
+      "Url": "https://hub.prowler.com/check/lightsail_instance_public"
     }
   },
   "Categories": [

prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl