PyPI - prowler-cloud - Versions diffs - 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl - Mend

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (326) hide show

prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.metadata.json CHANGED Viewed

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "lightsail_static_ip_unused",
-  "CheckTitle": "Static IP are allocated but not attached to any instance",
-  "CheckType": [],
+  "CheckTitle": "Lightsail static IP is associated with an instance",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Resource Consumption"
+  ],
   "ServiceName": "lightsail",
-  "SubServiceName": "static_ip",
-  "ResourceIdTemplate": "arn:partition:lightsail:region:account:static-ip/static-ip-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "Other",
-  "Description": "Static IPs that are allocated but not attached to any instance are wasting resources and may pose a security risk if left unused for extended periods.",
-  "Risk": "Unattached static IPs can be potential entry points for unauthorized access or DDoS attacks if not properly secured.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lightsail/latest/userguide/understanding-public-ip-and-private-ip-addresses-in-amazon-lightsail.html",
+  "Description": "**Amazon Lightsail static IPs** detected as **not associated** with any instance, indicating reserved but unused addresses.\n\nThe evaluation focuses on the association state of each static IP to highlight potential leftovers.",
+  "Risk": "**Unattached static IPs** incur ongoing charges and indicate asset drift. If DNS or apps still reference the address, requests are blackholed, impacting **availability**. Later attaching the same IP to an unintended host can expose services and data, affecting **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/understanding-public-ip-and-private-ip-addresses-in-amazon-lightsail.html",
+    "https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Lightsail.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws lightsail release-static-ip --static-ip-name static-ip-name",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws lightsail attach-static-ip --static-ip-name <example_resource_name> --instance-name <example_resource_name>",
+      "NativeIaC": "```yaml\nResources:\n  AttachStaticIp:\n    Type: AWS::Lightsail::StaticIpAttachment\n    Properties:\n      InstanceName: <example_resource_name>  # Critical: instance to attach to; marks IP as attached\n      StaticIpName: <example_resource_name>  # Critical: static IP to attach; fixes FAIL by associating it\n```",
+      "Other": "1. In the AWS Console, go to Lightsail > Networking > Static IPs\n2. Select the unused static IP and click \"Attach to instance\"\n3. Choose the target instance and confirm\n4. Verify the static IP now shows as attached",
+      "Terraform": "```hcl\nresource \"aws_lightsail_static_ip_attachment\" \"attach\" {\n  static_ip_name = \"<example_resource_name>\"  # Critical: specify the static IP to attach\n  instance_name  = \"<example_resource_name>\"  # Critical: target instance; association makes check PASS\n}\n```"
     },
     "Recommendation": {
-      "Text": "Release or attach any unused static IPs to ensure efficient resource utilization and minimize potential security risks.",
-      "Url": ""
+      "Text": "Release unused static IPs or attach them to the intended instance.\n\nApply **least privilege** for IP allocation, enforce tagging and ownership, and run periodic audits with alerts for unattached addresses. *If reservation is required*, document purpose and set a time limit to prevent drift and cost.",
+      "Url": "https://hub.prowler.com/check/lightsail_static_ip_unused"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.metadata.json CHANGED Viewed

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "macie_automated_sensitive_data_discovery_enabled",
-  "CheckTitle": "Check if Macie automated sensitive data discovery is enabled.",
+  "CheckTitle": "Macie automated sensitive data discovery is enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "macie",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsAccount",
-  "Description": "Check if automated sensitive data discovery is enabled for an Amazon Macie account. The control fails if it isn't enabled.",
-  "Risk": "Without automated sensitive data discovery, there could be delays in identifying sensitive data, leading to data exposure risks in Amazon S3 buckets.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/macie-auto-sensitive-data-discovery-check.html",
+  "ResourceType": "Other",
+  "Description": "**Amazon Macie** administrator account has **automated sensitive data discovery** enabled for S3 data. The evaluation confirms the feature's status for the account in each Region.",
+  "Risk": "Without continuous discovery, sensitive S3 objects remain unclassified and unnoticed, weakening **confidentiality**. Over-permissive or public access can persist undetected, enabling **data exfiltration** and delaying containment and **forensic** response.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/config/latest/developerguide/macie-auto-sensitive-data-discovery-check.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html#macie-2",
+    "https://docs.aws.amazon.com/macie/latest/user/discovery-asdd-account-enable.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws macie2 update-automated-discovery-configuration --status ENABLED",
+      "CLI": "aws macie2 update-automated-discovery-configuration --status ENABLED --region <REGION>",
       "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html#macie-2",
+      "Other": "1. In the AWS Console, open Amazon Macie\n2. Select the correct Region from the Region selector\n3. Go to Settings > Automated sensitive data discovery\n4. Click Enable under Status (choose My account if prompted)\n5. Repeat in other Regions where Macie is enabled if needed",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "To enable and configure automated sensitive data discovery jobs for S3 buckets, refer to the Configuring automated sensitive data discovery tutorial.",
-      "Url": "https://docs.aws.amazon.com/macie/latest/user/discovery-asdd-account-enable.html"
+      "Text": "Enable and maintain `automated sensitive data discovery` for the Macie administrator across required Regions. Include relevant buckets, tune identifiers and allow lists to reduce noise, and route findings to monitoring. Complement with **least privilege** on S3 and **defense in depth** for data protection.",
+      "Url": "https://hub.prowler.com/check/macie_automated_sensitive_data_discovery_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "secrets"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.metadata.json CHANGED Viewed

@@ -1,31 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "macie_is_enabled",
-  "CheckTitle": "Check if Amazon Macie is enabled.",
+  "CheckTitle": "Amazon Macie is enabled",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "macie",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:access-analyzer:region:account-id:analyzer/resource-id",
-  "Severity": "low",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Check if Amazon Macie is enabled.",
-  "Risk": "Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover, monitor and protect your sensitive data in AWS.",
+  "Description": "**Amazon Macie** status is assessed per region with **S3** presence to determine if sensitive data discovery is operational. The outcome reflects whether Macie is active or in a `PAUSED`/not enabled state for the account and region.",
+  "Risk": "Without active Macie, sensitive data in **S3** can remain unclassified and exposed. Misconfigured access and public buckets may go undetected, enabling data exfiltration and secret leakage. This degrades confidentiality and widens breach blast radius by reducing visibility into where sensitive data resides.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/macie/getting-started/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws macie2 enable-macie",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws macie2 enable-macie --region <REGION>",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable Amazon Macie in this region\nResources:\n  MacieSession:\n    Type: AWS::Macie::Session\n    Properties:\n      Status: ENABLED  # Critical: Enables Macie for the account in this region\n```",
+      "Other": "1. Sign in to the AWS Management Console and switch to the target region\n2. Open Amazon Macie\n3. Click Get started or Enable Macie\n4. If Macie shows Suspended/Paused, click Resume Macie\n5. Repeat in each region with S3 buckets as needed",
+      "Terraform": "```hcl\n# Enables Amazon Macie in this region\nresource \"aws_macie2_account\" \"main\" {\n  # Critical: Creating this resource enables Macie for the account in the region\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Amazon Macie and create appropriate jobs to discover sensitive data.",
-      "Url": "https://aws.amazon.com/macie/getting-started/"
+      "Text": "Enable and maintain **Amazon Macie** in all regions hosting **S3** data. Use continuous sensitive data discovery, apply custom classifications for your data types, and route findings to monitoring. Enforce least privilege for Macie access and strengthen defense in depth with restrictive bucket policies and access controls.",
+      "Url": "https://hub.prowler.com/check/macie_is_enabled"
     }
   },
   "Categories": [
+    "secrets",
     "forensics-ready"
   ],
   "DependsOn": [],

prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.metadata.json CHANGED Viewed

@@ -1,32 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "mq_broker_active_deployment_mode",
-  "CheckTitle": "Apache ActiveMQ brokers should be configured in active/standby mode.",
+  "CheckTitle": "Apache ActiveMQ broker is configured in active/standby Multi-AZ deployment mode",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
+    "Effects/Denial of Service"
   ],
   "ServiceName": "mq",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsAmazonMQBroker",
-  "Description": "Ensure Amazon MQ Apache ActiveMQ brokers are configured in active/standby mode for high availability and fault tolerance.",
-  "Risk": "Apache ActiveMQ brokers not configured in active/standby mode lack high availability, increasing the risk of downtime and data loss during failures.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-basic-elements.html",
+  "Description": "**ActiveMQ broker deployment mode** is configured as **active/standby** (`ACTIVE_STANDBY_MULTI_AZ`), indicating a redundant pair operating across Availability Zones",
+  "Risk": "Without **active/standby**, a single-instance broker becomes a **single point of failure**, degrading **availability** and risking **message loss or duplication** during outages or maintenance. This can stall message flows, grow backlogs, and cause inconsistent processing across dependent services.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/deployment-mode.html",
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-basic-elements.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-5",
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-broker-architecture.html#active-standby-broker-deployment"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws mq create-broker --broker-name <broker-name> --engine-type ActiveMQ --deployment-mode ACTIVE_STANDBY_MULTI_AZ",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-5",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/deployment-mode.html"
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: Create an ActiveMQ broker in active/standby Multi-AZ\nResources:\n  <example_resource_name>:\n    Type: AWS::AmazonMQ::Broker\n    Properties:\n      BrokerName: <example_resource_name>\n      EngineType: ACTIVEMQ\n      EngineVersion: <example_resource_name>\n      HostInstanceType: mq.t3.micro\n      PubliclyAccessible: false\n      DeploymentMode: ACTIVE_STANDBY_MULTI_AZ  # Critical: sets active/standby Multi-AZ to pass the check\n      SubnetIds:\n        - <example_resource_id>\n        - <example_resource_id>  # Critical: two subnets in different AZs required for active/standby\n      SecurityGroups:\n        - <example_resource_id>\n      Users:\n        - Username: <example_resource_name>\n          Password: <example_resource_id>\n```",
+      "Other": "1. In the AWS Console, go to Amazon MQ > Brokers > Create broker\n2. Select Engine: ActiveMQ\n3. Set Deployment mode to Active/standby broker (Multi-AZ)\n4. Choose two subnets in different AZs and a security group\n5. Enter a broker name, instance type, and create a user (username/password)\n6. Create the broker, update clients to use the new endpoints, then delete the old single-instance broker",
+      "Terraform": "```hcl\n# Create an ActiveMQ broker in active/standby Multi-AZ\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n  broker_name         = \"<example_resource_name>\"\n  engine_type         = \"ActiveMQ\"\n  engine_version      = \"<example_resource_name>\"\n  host_instance_type  = \"mq.t3.micro\"\n  publicly_accessible = false\n  deployment_mode     = \"ACTIVE_STANDBY_MULTI_AZ\"  # Critical: enables active/standby Multi-AZ to pass the check\n\n  subnet_ids      = [\"<example_resource_id>\", \"<example_resource_id>\"]  # Critical: two subnets in different AZs\n  security_groups = [\"<example_resource_id>\"]\n\n  user {\n    username = \"<example_resource_name>\"\n    password = \"<example_resource_id>\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure Amazon MQ Apache ActiveMQ brokers use active/standby deployment mode for high availability and fault tolerance.",
-      "Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-broker-architecture.html#active-standby-broker-deployment"
+      "Text": "Adopt **active/standby deployment** for ActiveMQ brokers to provide multi-AZ resilience.\n\nDesign clients for **failover** with retries and idempotent processing, validate recovery through regular **failover testing**, monitor broker health, and apply **least privilege** to limit blast radius.",
+      "Url": "https://hub.prowler.com/check/mq_broker_active_deployment_mode"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.metadata.json CHANGED Viewed

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "mq_broker_auto_minor_version_upgrades",
-  "CheckTitle": "MQ Broker Auto Minor Version Upgrades should be enabled.",
+  "CheckTitle": "Amazon MQ broker has automated minor version upgrades enabled",
   "CheckType": [
+    "Software and Configuration Checks/Patch Management",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "mq",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsAmazonMQBroker",
-  "Description": "Ensure that automatic minor version upgrades are enabled on Amazon MQ brokers.",
-  "Risk": "Amazon MQ brokers without automatic minor version upgrades may miss critical updates, leaving them vulnerable to security risks, bugs, and performance issues.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades",
+  "Description": "**Amazon MQ brokers** have `autoMinorVersionUpgrade` enabled to automatically apply supported minor and patch engine updates during the scheduled maintenance window.",
+  "Risk": "Without automatic minor upgrades, brokers may run **known-vulnerable engine versions**, enabling exploits that impact:\n- **Confidentiality**: message disclosure\n- **Integrity**: tampering or replay\n- **Availability**: crashes/DoS and instability\n\nDelayed patches also increase operational risk and drift.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/auto-minor-version-upgrade.html",
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-3",
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws mq update-broker --broker-id <broker-id> --auto-minor-version-upgrade",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-mqbrokers-minor-version-updates-are-enabled/",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-3",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/auto-minor-version-upgrade.html"
+      "CLI": "aws mq update-broker --broker-id <example_resource_id> --auto-minor-version-upgrade",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable automatic minor version upgrades on an MQ broker\nResources:\n  <example_resource_name>:\n    Type: AWS::AmazonMQ::Broker\n    Properties:\n      BrokerName: <example_resource_name>\n      AutoMinorVersionUpgrade: true  # Critical: enables automatic minor version upgrades\n      DeploymentMode: SINGLE_INSTANCE\n      EngineType: ACTIVEMQ\n      EngineVersion: <ENGINE_VERSION>\n      HostInstanceType: mq.t3.micro\n      PubliclyAccessible: true\n      Users:\n        - Username: <USERNAME>\n          Password: <PASSWORD>\n```",
+      "Other": "1. Open the Amazon MQ console\n2. Go to Brokers and select the target broker\n3. Click Edit\n4. Under Maintenance, check Enable automatic minor version upgrades\n5. Click Save",
+      "Terraform": "```hcl\n# Terraform: Enable automatic minor version upgrades on an MQ broker\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n  broker_name                = \"<example_resource_name>\"\n  engine_type                = \"ActiveMQ\"\n  engine_version             = \"<ENGINE_VERSION>\"\n  host_instance_type         = \"mq.t3.micro\"\n  publicly_accessible        = true\n  auto_minor_version_upgrade = true  # Critical: enables automatic minor version upgrades\n\n  user {\n    username = \"<USERNAME>\"\n    password = \"<PASSWORD>\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that automatic minor version upgrades are enabled on Amazon MQ brokers to receive the latest security patches and improvements automatically.",
-      "Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades.html"
+      "Text": "Enable `autoMinorVersionUpgrade` on all brokers to reduce patch latency.\n\n- Align upgrades with a defined maintenance window\n- Validate changes in staging before production\n- Monitor broker health and logs after updates\n- Maintain HA and tested backups for rollback (*defense in depth*)",
+      "Url": "https://hub.prowler.com/check/mq_broker_auto_minor_version_upgrades"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.metadata.json CHANGED Viewed

@@ -1,32 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "mq_broker_cluster_deployment_mode",
-  "CheckTitle": "MQ RabbitMQ Brokers should use cluster deployment mode.",
+  "CheckTitle": "MQ RabbitMQ broker has cluster (multi-AZ) deployment mode",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
+    "Effects/Denial of Service"
   ],
   "ServiceName": "mq",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
-  "Severity": "low",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
   "ResourceType": "AwsAmazonMQBroker",
-  "Description": "Ensure that RabbitMQ Brokers use cluster deployment mode.",
-  "Risk": "Using a single-instance RabbitMQ broker limits fault tolerance and high availability. Without cluster deployment, broker failures could lead to significant downtime and potential data loss.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-basic-elements.html",
+  "Description": "**Amazon MQ RabbitMQ brokers** are assessed for **cluster deployment mode** (`CLUSTER_MULTI_AZ`) with nodes spread across multiple AZs and shared state.\n\nBrokers configured otherwise are identified.",
+  "Risk": "Without **clustered RabbitMQ**, the broker is a **single point of failure**. An instance or AZ outage can halt queues, cause message loss or duplication, and break ordering, reducing **availability** and **integrity** of workloads that depend on the broker.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-basic-elements.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-6",
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture.html#rabbitmq-broker-architecture-cluster",
+    "https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.html",
+    "https://docs.aws.amazon.com/controltower/latest/controlreference/mq-rules.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws mq create-broker --broker-name <your-broker-name> --engine-type RabbitMQ --deployment-mode CLUSTER_MULTI_AZ",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-6",
-      "Terraform": ""
+      "CLI": "aws mq create-broker --broker-name <example_resource_name> --engine-type RABBITMQ --deployment-mode CLUSTER_MULTI_AZ --host-instance-type mq.m5.large --publicly-accessible --auto-minor-version-upgrade --users '[{\"Username\":\"<example_username>\",\"Password\":\"<example_password>\"}]'",
+      "NativeIaC": "```yaml\n# CloudFormation: create a RabbitMQ broker in cluster (Multi-AZ) mode\nResources:\n  ExampleBroker:\n    Type: AWS::AmazonMQ::Broker\n    Properties:\n      BrokerName: \"<example_resource_name>\"\n      EngineType: RABBITMQ            # Critical: ensures the broker is RabbitMQ\n      DeploymentMode: CLUSTER_MULTI_AZ # Critical: sets cluster (Multi-AZ) to pass the check\n      HostInstanceType: mq.m5.large\n      PubliclyAccessible: true\n      Users:\n        - Username: \"<example_username>\"\n          Password: \"<example_password>\"\n```",
+      "Other": "1. Open the AWS Console and go to Amazon MQ\n2. Click Brokers > Create broker\n3. Select RabbitMQ as the engine\n4. Set Deployment mode to Cluster (Multi-AZ)\n5. Enter a broker name, choose an instance type, set Public access as needed, and create one admin user\n6. Click Create broker\n7. Migrate applications to the new broker endpoint, then delete the old single-instance broker\n\nNote: Deployment mode cannot be changed on an existing broker; you must create a new cluster broker.",
+      "Terraform": "```hcl\n# Terraform: create a RabbitMQ broker in cluster (Multi-AZ) mode\nresource \"aws_mq_broker\" \"example\" {\n  broker_name         = \"<example_resource_name>\"\n  engine_type         = \"RabbitMQ\"         # Critical: RabbitMQ engine\n  deployment_mode     = \"CLUSTER_MULTI_AZ\" # Critical: cluster (Multi-AZ) to pass the check\n  host_instance_type  = \"mq.m5.large\"\n  publicly_accessible = true\n\n  user {\n    username = \"<example_username>\"\n    password = \"<example_password>\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure RabbitMQ brokers are deployed in cluster mode to enhance resilience and prevent data loss during failures.",
-      "Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture.html#rabbitmq-broker-architecture-cluster"
+      "Text": "Use **cluster deployment** (`CLUSTER_MULTI_AZ`) for RabbitMQ to remove single-instance risk.\n\nApply **resiliency by design**: clients auto-reconnect, retries with backoff, and idempotent processing; test failover, size for node loss, and enforce **least privilege** with monitoring for defense in depth.",
+      "Url": "https://hub.prowler.com/check/mq_broker_cluster_deployment_mode"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.metadata.json CHANGED Viewed

@@ -1,28 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "mq_broker_logging_enabled",
-  "CheckTitle": "MQ brokers should stream audit logs to CloudWatch.",
+  "CheckTitle": "MQ broker has general logging enabled and, for ActiveMQ, audit logging enabled",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "mq",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "low",
   "ResourceType": "AwsAmazonMQBroker",
-  "Description": "Ensure MQ brokers are configured to stream audit logs to CloudWatch to enhance monitoring and detect security-related issues.",
-  "Risk": "Without streaming audit logs to CloudWatch, monitoring and alerting on suspicious activity or security incidents is limited. This reduces visibility into the broker's operations and potential security breaches.",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html",
+  "Description": "**Amazon MQ brokers** have logging to **CloudWatch Logs** enabled per engine type: **ActiveMQ** requires both `general` and `audit` logs; **RabbitMQ** requires `general` logs.",
+  "Risk": "Missing broker logs creates blind spots in authentication events, administrative changes, and broker failures. Adversaries can act without detection, enabling unauthorized access and message tampering (confidentiality/integrity) and hindering incident response and root-cause analysis (availability).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-2",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/log-exports.html",
+    "https://docs.aws.amazon.com/cli/latest/reference/mq/create-broker.html",
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws mq update-broker --broker-id <broker-id> --logs 'audit=true'",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_10/#terraform",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-2",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/log-exports.html"
+      "CLI": "aws mq update-broker --broker-id <example_resource_id> --logs Audit=true,General=true",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable Amazon MQ logging\nResources:\n  <example_resource_name>:\n    Type: AWS::AmazonMQ::Broker\n    Properties:\n      BrokerName: <example_resource_name>\n      EngineType: ACTIVEMQ\n      HostInstanceType: mq.t3.micro\n      DeploymentMode: SINGLE_INSTANCE\n      PubliclyAccessible: true\n      Users:\n        - Username: <example_user>\n          Password: <example_password>\n      Logs:\n        General: true  # Critical: enables general logs to CloudWatch\n        Audit: true    # Critical: enables audit logs (required for ActiveMQ)\n```",
+      "Other": "1. In the AWS Console, go to Amazon MQ > Brokers\n2. Select <example_resource_name> and choose Edit\n3. In Log settings:\n   - For ActiveMQ: enable General logs and Audit logs\n   - For RabbitMQ: enable General logs only\n4. Save changes and reboot if prompted",
+      "Terraform": "```hcl\n# Terraform: Enable Amazon MQ logging\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n  broker_name         = \"<example_resource_name>\"\n  engine_type         = \"ActiveMQ\"\n  host_instance_type  = \"mq.t3.micro\"\n  deployment_mode     = \"SINGLE_INSTANCE\"\n  publicly_accessible = true\n\n  user {\n    username = \"<example_user>\"\n    password = \"<example_password>\"\n  }\n\n  logs {\n    general = true  # Critical: enables general logs\n    audit   = true  # Critical: enables audit logs (ActiveMQ)\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure MQ brokers are configured to stream audit logs to CloudWatch to enhance monitoring and detect security-related issues.",
-      "Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html"
+      "Text": "Enable centralized **CloudWatch Logs** for brokers. For **ActiveMQ**, turn on both `general` and `audit` logs; for **RabbitMQ**, enable `general` logs.\n\nApply **least privilege** to log access, set retention, and create alerts for anomalous events to strengthen **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/mq_broker_logging_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.metadata.json CHANGED Viewed

@@ -1,28 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "mq_broker_not_publicly_accessible",
-  "CheckTitle": "MQ brokers should not be publicly accessible.",
+  "CheckTitle": "Amazon MQ broker is not publicly accessible",
   "CheckType": [
-    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
+    "TTPs/Initial Access",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "mq",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsAmazonMQBroker",
-  "Description": "Brokers created without public accessibility can't be accessed from outside of your VPC. This greatly reduces your broker's susceptibility to Distributed Denial of Service (DDoS) attacks from the public internet.",
-  "Risk": "Public Amazon MQ brokers can be accessed directly, outside of a Virtual Private Cloud (VPC), therefore every machine on the Internet can reach your brokers through their public endpoints and this can increase the opportunity for malicious activity such as cross-site scripting (XSS) and clickjacking attacks. ",
-  "RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html#prefer-brokers-without-public-accessibility",
+  "Description": "**Amazon MQ brokers** are evaluated for **public accessibility**, determining whether a broker exposes a public endpoint or is restricted to VPC-only connectivity via its `publicly accessible` setting.",
+  "Risk": "**Publicly reachable brokers** expand exposure: internet hosts can probe protocols and consoles, attempt credential spraying, publish/consume messages, and flood connections. This threatens **confidentiality** (data leakage), **integrity** (message tampering), and **availability** (DoS/resource exhaustion).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html#prefer-brokers-without-public-accessibility",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/publicly-accessible.html#"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/publicly-accessible.html#",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Amazon MQ broker without public accessibility\nResources:\n  <example_resource_name>:\n    Type: AWS::AmazonMQ::Broker\n    Properties:\n      BrokerName: <example_resource_name>\n      EngineType: ACTIVEMQ\n      EngineVersion: <example_engine_version>\n      HostInstanceType: <example_instance_type>\n      PubliclyAccessible: false  # Critical: disables public internet access\n      Users:\n        - Username: <example_username>\n          Password: <example_password>\n      SubnetIds:\n        - <example_subnet_id>\n      SecurityGroups:\n        - <example_security_group_id>\n      AutoMinorVersionUpgrade: true\n```",
+      "Other": "1. Open the AWS Console and go to Amazon MQ\n2. Create a new broker and set Public accessibility to Disabled/No\n3. Point your clients to the new broker's private endpoints\n4. Delete the old publicly accessible broker",
+      "Terraform": "```hcl\n# Amazon MQ broker without public accessibility\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n  broker_name         = \"<example_resource_name>\"\n  engine_type         = \"ActiveMQ\"\n  engine_version      = \"<example_engine_version>\"\n  host_instance_type  = \"<example_instance_type>\"\n  publicly_accessible = false # Critical: disables public internet access\n  security_groups     = [\"<example_security_group_id>\"]\n  subnet_ids          = [\"<example_subnet_id>\"]\n\n  user {\n    username = \"<example_username>\"\n    password = \"<example_password>\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that the Amazon MQ brokers provisioned in your AWS account are not publicly accessible from the Internet in order to avoid exposing sensitive data and minimize security risks.",
-      "Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html#prefer-brokers-without-public-accessibility"
+      "Text": "Prefer private deployment: set `publicly_accessible=false`, place brokers in private subnets, and restrict security groups to trusted producers/consumers. Use private connectivity (VPC endpoints, peering, VPN/Direct Connect). Enforce strong authn and authorization maps, and allow only required protocol ports. Apply **least privilege**.",
+      "Url": "https://hub.prowler.com/check/mq_broker_not_publicly_accessible"
     }
   },
   "Categories": [

prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.metadata.json CHANGED Viewed

@@ -1,29 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "networkfirewall_deletion_protection",
-  "CheckTitle": "Ensure that Deletion Protection safety feature is enabled for your Amazon VPC network firewalls.",
-  "CheckType": [],
+  "CheckTitle": "Network Firewall has deletion protection enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "networkfirewall",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsNetworkFirewallFirewall",
-  "Description": "Ensure that Deletion Protection safety feature is enabled for your Amazon VPC network firewalls in order to protect the firewalls from being accidentally deleted. By default, Deletion Protection is disabled for VPC network firewalls.",
-  "Risk": "Without a network firewall, it can be difficult to monitor and control traffic within the VPC. This can make it harder to detect and prevent attacks or unauthorized access to resources.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9",
+  "Description": "**AWS Network Firewall firewalls** have **deletion protection** enabled (`DeleteProtection=true`).",
+  "Risk": "Without deletion protection, a firewall can be removed accidentally or by a compromised identity, letting traffic bypass inspection and logging.\n\nThis threatens **confidentiality** and **integrity** via unfiltered access, and harms **availability** through routing disruption and loss of perimeter controls.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws network-firewall update-firewall-delete-protection --region <value> --firewall-name <value> --delete-protection",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws network-firewall update-firewall-delete-protection --firewall-name <FIREWALL_NAME> --delete-protection",
+      "NativeIaC": "```yaml\n# CloudFormation: enable deletion protection on a Network Firewall\nResources:\n  <example_resource_name>:\n    Type: AWS::NetworkFirewall::Firewall\n    Properties:\n      FirewallName: <example_resource_name>  # Required: unique name for the firewall\n      FirewallPolicyArn: <example_resource_id>\n      VpcId: <example_resource_id>\n      SubnetMappings:\n        - SubnetId: <example_resource_id>\n      DeleteProtection: true  # Critical: enables deletion protection to pass the check\n```",
+      "Other": "1. Open the AWS console and go to VPC > Network Firewall > Firewalls\n2. Select the target firewall\n3. On Firewall details, choose Edit (or Change protections)\n4. Enable Deletion protection\n5. Save changes",
+      "Terraform": "```hcl\n# Terraform: enable deletion protection on a Network Firewall\nresource \"aws_networkfirewall_firewall\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  firewall_policy_arn = \"<example_resource_id>\"\n  vpc_id              = \"<example_resource_id>\"\n\n  subnet_mapping {\n    subnet_id = \"<example_resource_id>\"\n  }\n\n  delete_protection = true  # Critical: prevents deletion to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that Deletion Protection safety feature is enabled for your Amazon VPC network firewalls.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9"
+      "Text": "Enable **deletion protection** on every firewall (`DeleteProtection=true`). Enforce **least privilege** to prevent delete actions, require **change approval** for firewall modifications, and implement guardrails with policy-as-code. Apply **defense in depth** so alternate controls contain traffic if a firewall is altered.",
+      "Url": "https://hub.prowler.com/check/networkfirewall_deletion_protection"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.metadata.json CHANGED Viewed

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "networkfirewall_in_all_vpc",
-  "CheckTitle": "Ensure all VPCs have Network Firewall enabled",
-  "CheckType": [],
+  "CheckTitle": "VPC has Network Firewall enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "networkfirewall",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsEc2Vpc",
-  "Description": "Ensure all VPCs have Network Firewall enabled",
-  "Risk": "Without a network firewall, it can be difficult to monitor and control traffic within the VPC. This can make it harder to detect and prevent attacks or unauthorized access to resources.",
-  "RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/setting-up.html",
+  "Description": "**VPCs** with an **AWS Network Firewall** associated to the same VPC to inspect and filter network traffic.\n\nIdentifies VPCs that do not have a Network Firewall resource linked to them.",
+  "Risk": "Without a **Network Firewall**, VPC traffic can bypass deep inspection and centralized policy enforcement, enabling **data exfiltration**, **command-and-control**, and **lateral movement**. Confidentiality is reduced by unmonitored flows; integrity and availability are threatened by malware and disruptive traffic.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/network-firewall/latest/developerguide/vpc-config.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/NetworkFirewall/network-firewall-in-use.html",
+    "https://docs.aws.amazon.com/network-firewall/latest/developerguide/setting-up.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws network-firewall create-firewall --firewall-name <value> --vpc-id <value>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/NetworkFirewall/network-firewall-in-use.html",
-      "Terraform": ""
+      "CLI": "aws network-firewall create-firewall --firewall-name <example_resource_name> --firewall-policy-arn <example_resource_id> --vpc-id <example_resource_id> --subnet-mappings \"SubnetId=<example_resource_id>\"",
+      "NativeIaC": "```yaml\n# CloudFormation: Create a Network Firewall in the VPC\nResources:\n  <example_resource_name>:\n    Type: AWS::NetworkFirewall::Firewall\n    Properties:\n      FirewallName: <example_resource_name>\n      FirewallPolicyArn: <example_resource_id>  # Critical: required policy for the firewall\n      VpcId: <example_resource_id>              # Critical: associates the firewall to the target VPC (fixes the check)\n      SubnetMappings:                           # Critical: creates firewall endpoints in the VPC\n        - SubnetId: <example_resource_id>\n```",
+      "Other": "1. In the AWS Console, go to Network Firewall > Firewalls > Create firewall\n2. Enter a name and select the target VPC\n3. Select an existing Firewall policy (or create one when prompted)\n4. Add at least one subnet from the VPC under Subnet mappings\n5. Choose Create firewall\n6. Verify the firewall shows under the selected VPC",
+      "Terraform": "```hcl\n# Create a Network Firewall in the VPC\nresource \"aws_networkfirewall_firewall\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  firewall_policy_arn = \"<example_resource_id>\"  # Critical: required policy\n  vpc_id              = \"<example_resource_id>\"  # Critical: associates firewall to the VPC (fixes the check)\n\n  subnet_mapping {                                # Critical: creates firewall endpoint in the VPC\n    subnet_id = \"<example_resource_id>\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure all VPCs have Network Firewall enabled",
-      "Url": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/vpc-config.html"
+      "Text": "Deploy **AWS Network Firewall** in each VPC or centralize inspection through a dedicated hub VPC.\n\nAdopt a `default-deny` posture with least-privilege rules, restrict egress to required destinations, segment workloads (**defense in depth**, **zero trust**), and enable logging to monitor and tune network policies.",
+      "Url": "https://hub.prowler.com/check/networkfirewall_in_all_vpc"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "trust-boundaries"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl

prowler-cloud 5.14.1py3-none-any.whl → 5.15.0py3-none-any.whl