prowler-cloud 5.14.1__py3-none-any.whl → 5.15.0__py3-none-any.whl
- dashboard/assets/images/providers/alibabacloud_provider.png +0 -0
- dashboard/compliance/cis_2_0_alibabacloud.py +24 -0
- dashboard/lib/layouts.py +1 -0
- dashboard/pages/compliance.py +8 -2
- dashboard/pages/overview.py +52 -1
- prowler/CHANGELOG.md +59 -20
- prowler/__main__.py +40 -0
- prowler/compliance/alibabacloud/__init__.py +0 -0
- prowler/compliance/alibabacloud/cis_2.0_alibabacloud.json +1833 -0
- prowler/compliance/aws/iso27001_2013_aws.json +158 -158
- prowler/compliance/aws/soc2_aws.json +100 -0
- prowler/compliance/azure/rbi_cyber_security_framework_azure.json +248 -0
- prowler/compliance/azure/soc2_azure.json +87 -1
- prowler/compliance/gcp/soc2_gcp.json +82 -1
- prowler/config/config.py +2 -1
- prowler/lib/check/check.py +47 -1
- prowler/lib/check/models.py +23 -0
- prowler/lib/check/utils.py +1 -1
- prowler/lib/cli/parser.py +3 -2
- prowler/lib/outputs/compliance/cis/cis_alibabacloud.py +106 -0
- prowler/lib/outputs/compliance/cis/models.py +35 -0
- prowler/lib/outputs/finding.py +16 -0
- prowler/lib/outputs/html/html.py +67 -0
- prowler/lib/outputs/outputs.py +2 -0
- prowler/lib/outputs/summary_table.py +3 -0
- prowler/providers/alibabacloud/__init__.py +0 -0
- prowler/providers/alibabacloud/alibabacloud_provider.py +872 -0
- prowler/providers/alibabacloud/config.py +41 -0
- prowler/providers/alibabacloud/exceptions/__init__.py +0 -0
- prowler/providers/alibabacloud/exceptions/exceptions.py +116 -0
- prowler/providers/alibabacloud/lib/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/arguments/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/arguments/arguments.py +58 -0
- prowler/providers/alibabacloud/lib/mutelist/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/mutelist/mutelist.py +175 -0
- prowler/providers/alibabacloud/lib/service/__init__.py +0 -0
- prowler/providers/alibabacloud/lib/service/service.py +113 -0
- prowler/providers/alibabacloud/models.py +266 -0
- prowler/providers/alibabacloud/services/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_client.py +6 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.py +81 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json +40 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.py +119 -0
- prowler/providers/alibabacloud/services/actiontrail/actiontrail_service.py +110 -0
- prowler/providers/alibabacloud/services/cs/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_client.py +4 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.py +62 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json +38 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.py +62 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json +40 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.py +26 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json +40 -0
- prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.py +28 -0
- prowler/providers/alibabacloud/services/cs/cs_service.py +354 -0
- prowler/providers/alibabacloud/services/ecs/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.py +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_client.py +4 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json +41 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.py +47 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.py +50 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.py +34 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.py +68 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.py +68 -0
- prowler/providers/alibabacloud/services/ecs/ecs_service.py +380 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json +38 -0
- prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.py +38 -0
- prowler/providers/alibabacloud/services/ecs/lib/security_groups.py +23 -0
- prowler/providers/alibabacloud/services/oss/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.py +37 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json +39 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.py +89 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.py +87 -0
- prowler/providers/alibabacloud/services/oss/oss_client.py +4 -0
- prowler/providers/alibabacloud/services/oss/oss_service.py +317 -0
- prowler/providers/alibabacloud/services/ram/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_client.py +4 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.py +33 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.py +30 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_number/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.py +34 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.py +32 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.py +35 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.py +73 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.py +58 -0
- prowler/providers/alibabacloud/services/ram/ram_service.py +478 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.py +56 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/__init__.py +0 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json +39 -0
- prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.py +36 -0
- prowler/providers/alibabacloud/services/rds/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_client.py +4 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.py +36 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json +38 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.py +29 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.py +32 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.py +41 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.py +30 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.py +32 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/__init__.py +0 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json +39 -0
- prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.py +38 -0
- prowler/providers/alibabacloud/services/rds/rds_service.py +274 -0
- prowler/providers/alibabacloud/services/securitycenter/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json +43 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.py +48 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json +42 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.py +48 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_client.py +6 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json +42 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.py +65 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_service.py +394 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.py +68 -0
- prowler/providers/alibabacloud/services/sls/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_client.py +4 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.py +50 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.py +48 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json +38 -0
- prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.py +32 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.py +44 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.py +49 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.py +57 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.py +48 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.py +54 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.py +72 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.py +50 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.py +56 -0
- prowler/providers/alibabacloud/services/sls/sls_service.py +137 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.py +56 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.py +57 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.py +52 -0
- prowler/providers/alibabacloud/services/vpc/__init__.py +0 -0
- prowler/providers/alibabacloud/services/vpc/vpc_client.py +4 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/__init__.py +0 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json +39 -0
- prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +30 -0
- prowler/providers/alibabacloud/services/vpc/vpc_service.py +102 -0
- prowler/providers/aws/aws_regions_by_service.json +20 -0
- prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json +1 -3
- prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.metadata.json +1 -1
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +1 -2
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +0 -1
- prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.metadata.json +16 -10
- prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.metadata.json +23 -14
- prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.metadata.json +19 -13
- prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.metadata.json +18 -12
- prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.metadata.json +24 -13
- prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json +20 -14
- prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.metadata.json +18 -9
- prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.metadata.json +18 -11
- prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.metadata.json +21 -12
- prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.metadata.json +21 -13
- prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.metadata.json +24 -13
- prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.metadata.json +21 -13
- prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.metadata.json +23 -14
- prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.metadata.json +20 -12
- prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.metadata.json +17 -12
- prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.metadata.json +22 -13
- prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.metadata.json +21 -12
- prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.metadata.json +23 -14
- prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.metadata.json +20 -12
- prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.metadata.json +21 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.metadata.json +23 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.metadata.json +20 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.metadata.json +22 -14
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.metadata.json +26 -14
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.metadata.json +22 -13
- prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.metadata.json +25 -14
- prowler/providers/common/provider.py +12 -0
- prowler/providers/gcp/services/accesscontextmanager/__init__.py +0 -0
- prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_client.py +6 -0
- prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_service.py +101 -0
- prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +10 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +13 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.py +67 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.py +35 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.py +29 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/__init__.py +0 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.metadata.json +37 -0
- prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.py +32 -0
- prowler/providers/gcp/services/compute/compute_service.py +16 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/__init__.py +0 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.metadata.json +33 -0
- prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.py +41 -0
- prowler/providers/github/services/repository/repository_service.py +52 -0
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/METADATA +40 -22
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/RECORD +326 -73
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.14.1.dist-info → prowler_cloud-5.15.0.dist-info}/entry_points.txt +0 -0
|
@@ -1,28 +1,35 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "networkfirewall_logging_enabled",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Network Firewall has logging enabled",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
|
|
7
9
|
],
|
|
8
10
|
"ServiceName": "networkfirewall",
|
|
9
11
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
-
"Severity": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
|
+
"Severity": "high",
|
|
12
14
|
"ResourceType": "AwsNetworkFirewallFirewall",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "**AWS Network Firewall** has stateful engine logging configured with at least one log type (`FLOW`, `ALERT`, or `TLS`) and an active log destination",
|
|
16
|
+
"Risk": "Absent Network Firewall logs reduce **visibility** and **forensics**. Malicious flows, C2 traffic, and data exfiltration can go **undetected**, impacting:\n- Confidentiality (leakage)\n- Integrity (unauthorized traffic allowed)\n- Availability (DDoS patterns unnoticed)",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html",
|
|
20
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html",
|
|
21
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-2"
|
|
22
|
+
],
|
|
16
23
|
"Remediation": {
|
|
17
24
|
"Code": {
|
|
18
|
-
"CLI": "aws network-firewall update-logging-configuration --firewall-arn <
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
25
|
+
"CLI": "aws network-firewall update-logging-configuration --firewall-arn <FIREWALL_ARN> --logging-configuration 'LogDestinationConfigs=[{LogType=FLOW,LogDestinationType=CLOUDWATCH_LOGS,LogDestination={LogGroup=<LOG_GROUP_NAME>}}]'",
|
|
26
|
+
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::LoggingConfiguration\n Properties:\n FirewallArn: <example_resource_id> # CRITICAL: Targets the firewall to enable logging\n LoggingConfiguration:\n LogDestinationConfigs:\n - LogType: FLOW # CRITICAL: Enables at least one log type\n LogDestinationType: CloudWatchLogs # CRITICAL: Selects a valid destination type\n LogDestination:\n logGroup: <example_log_group_name> # CRITICAL: Existing CloudWatch Logs group to receive logs\n```",
|
|
27
|
+
"Other": "1. Open the AWS console and go to VPC > Network Firewall > Firewalls\n2. Select your firewall and open the Firewall details tab\n3. In the Logging section, click Edit\n4. Enable at least one Log type (e.g., Flow)\n5. Choose Destination type: CloudWatch Logs and select an existing log group\n6. Click Save",
|
|
28
|
+
"Terraform": "```hcl\nresource \"aws_networkfirewall_logging_configuration\" \"<example_resource_name>\" {\n firewall_arn = \"<example_resource_id>\" # CRITICAL: Targets the firewall to enable logging\n\n logging_configuration {\n log_destination_config {\n log_type = \"FLOW\" # CRITICAL: Enables at least one log type\n log_destination_type = \"CloudWatchLogs\" # CRITICAL: Selects a valid destination type\n log_destination = {\n logGroup = \"<example_log_group_name>\" # CRITICAL: Existing CloudWatch Logs group to receive logs\n }\n }\n }\n}\n```"
|
|
22
29
|
},
|
|
23
30
|
"Recommendation": {
|
|
24
|
-
"Text": "Enable logging
|
|
25
|
-
"Url": "https://
|
|
31
|
+
"Text": "Enable comprehensive firewall logging and send `FLOW`, `ALERT`, and *when applicable* `TLS` events to a centralized, tamper-resistant destination. Apply **least privilege** to writers/readers, enforce **encryption** and **retention**, and integrate alerts with monitoring for **defense in depth**.",
|
|
32
|
+
"Url": "https://hub.prowler.com/check/networkfirewall_logging_enabled"
|
|
26
33
|
}
|
|
27
34
|
},
|
|
28
35
|
"Categories": [
|
|
@@ -1,32 +1,40 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "networkfirewall_multi_az",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Network Firewall firewall is deployed across multiple Availability Zones",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
|
|
8
|
+
"Effects/Denial of Service"
|
|
7
9
|
],
|
|
8
10
|
"ServiceName": "networkfirewall",
|
|
9
11
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
-
"Severity": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
|
+
"Severity": "high",
|
|
12
14
|
"ResourceType": "AwsNetworkFirewallFirewall",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "**AWS Network Firewall firewalls** are assessed for **multi-AZ deployment**, expecting subnet mappings in more than one Availability Zone.\n\nA configuration with only one subnet mapping indicates a single-AZ firewall.",
|
|
16
|
+
"Risk": "Single-AZ firewalls are a single point of failure. An AZ outage can drop or blackhole traffic, degrading **availability**, or prompt route changes that bypass inspection, exposing **confidentiality** and **integrity** to unfiltered access, data exfiltration, and lateral movement.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/id_id/network-firewall/latest/developerguide/arch-two-zone-igw.html",
|
|
20
|
+
"https://aws.amazon.com/es/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/",
|
|
21
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/arch-two-zone-igw.html",
|
|
22
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-1"
|
|
23
|
+
],
|
|
16
24
|
"Remediation": {
|
|
17
25
|
"Code": {
|
|
18
|
-
"CLI": "aws network-firewall
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
26
|
+
"CLI": "aws network-firewall associate-subnets --firewall-arn <FIREWALL_ARN> --subnet-mappings SubnetId=<SUBNET_ID_IN_DIFFERENT_AZ>",
|
|
27
|
+
"NativeIaC": "```yaml\n# CloudFormation: Ensure the firewall spans multiple AZs by adding a second subnet mapping\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::Firewall\n Properties:\n FirewallName: <example_resource_name>\n FirewallPolicyArn: <example_firewall_policy_arn>\n VpcId: <example_vpc_id>\n SubnetMappings:\n - SubnetId: <subnet-id-1>\n - SubnetId: <subnet-id-2> # CRITICAL: second subnet in a different AZ to achieve multi-AZ\n```",
|
|
28
|
+
"Other": "1. Open the AWS Console and go to VPC > Network Firewall > Firewalls\n2. Select your firewall and open the Firewall details tab\n3. In Associated policy and VPC, click Edit\n4. Click Add new subnet, choose an additional Availability Zone and its subnet in the same VPC\n5. Ensure at least two AZs are selected, then click Save",
|
|
29
|
+
"Terraform": "```hcl\n# Terraform: Add a second subnet_mapping to deploy the firewall across multiple AZs\nresource \"aws_networkfirewall_firewall\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n firewall_policy_arn = \"<example_firewall_policy_arn>\"\n vpc_id = \"<example_vpc_id>\"\n\n subnet_mapping {\n subnet_id = \"<subnet-id-1>\"\n }\n\n subnet_mapping {\n subnet_id = \"<subnet-id-2>\" # CRITICAL: second subnet in a different AZ for multi-AZ\n }\n}\n```"
|
|
22
30
|
},
|
|
23
31
|
"Recommendation": {
|
|
24
|
-
"Text": "Deploy
|
|
25
|
-
"Url": "https://
|
|
32
|
+
"Text": "Deploy firewalls across `>=2` AZs with a dedicated subnet in each used AZ. Maintain per-AZ, symmetric routing to the local endpoint to preserve stateful inspection. Apply **defense in depth** and automate drift controls and AZ failover tests to sustain resilience.",
|
|
33
|
+
"Url": "https://hub.prowler.com/check/networkfirewall_multi_az"
|
|
26
34
|
}
|
|
27
35
|
},
|
|
28
36
|
"Categories": [
|
|
29
|
-
"
|
|
37
|
+
"resilience"
|
|
30
38
|
],
|
|
31
39
|
"DependsOn": [],
|
|
32
40
|
"RelatedTo": [],
|
|
@@ -1,31 +1,43 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "networkfirewall_policy_default_action_fragmented_packets",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Network Firewall policy drops or forwards fragmented packets by default",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
|
|
9
|
+
"TTPs/Defense Evasion"
|
|
7
10
|
],
|
|
8
11
|
"ServiceName": "networkfirewall",
|
|
9
12
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
-
"Severity": "
|
|
13
|
+
"ResourceIdTemplate": "",
|
|
14
|
+
"Severity": "high",
|
|
12
15
|
"ResourceType": "AwsNetworkFirewallFirewall",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
16
|
+
"Description": "**Network Firewall policies** are assessed for the `StatelessFragmentDefaultActions` setting to confirm **fragmented UDP packets** use `aws:drop` or `aws:forward_to_sfe`.",
|
|
17
|
+
"Risk": "Using `aws:pass` for **fragmented UDP** lets uninspected traffic traverse the firewall. Attackers can evade filters via fragmentation, enabling **data exfiltration** (confidentiality), payload smuggling and lateral movement (integrity), and fragment floods that strain services (availability).",
|
|
18
|
+
"RelatedUrl": "",
|
|
19
|
+
"AdditionalURLs": [
|
|
20
|
+
"https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_FirewallPolicy.html",
|
|
21
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-5",
|
|
22
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html",
|
|
23
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateless-default-actions.html",
|
|
24
|
+
"https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-fragment-packets.html"
|
|
25
|
+
],
|
|
16
26
|
"Remediation": {
|
|
17
27
|
"Code": {
|
|
18
|
-
"CLI": "
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
28
|
+
"CLI": "",
|
|
29
|
+
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::FirewallPolicy\n Properties:\n FirewallPolicyName: <example_resource_name>\n FirewallPolicy:\n StatelessDefaultActions:\n - aws:drop\n StatelessFragmentDefaultActions:\n - aws:drop # Critical: ensures fragmented UDP packets are dropped by default to pass the check\n```",
|
|
30
|
+
"Other": "1. Open the Amazon VPC console and go to Network Firewall > Firewall policies\n2. Select the policy to edit and choose Edit\n3. Under Stateless default actions, find Fragmented packets\n4. Set the action to Drop (or Forward to stateful rule groups)\n5. Save changes",
|
|
31
|
+
"Terraform": "```hcl\nresource \"aws_networkfirewall_firewall_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n firewall_policy {\n stateless_default_actions = [\"aws:drop\"]\n stateless_fragment_default_actions = [\"aws:drop\"] # Critical: drop fragmented UDP packets by default to pass the check\n }\n}\n```"
|
|
22
32
|
},
|
|
23
33
|
"Recommendation": {
|
|
24
|
-
"Text": "
|
|
25
|
-
"Url": "https://
|
|
34
|
+
"Text": "Set `StatelessFragmentDefaultActions` to `aws:drop` or `aws:forward_to_sfe` so fragments are blocked or sent for **stateful inspection**. Apply **least privilege** on traffic flows, use **defense in depth** with rule groups, and monitor logs for anomalous fragmentation.",
|
|
35
|
+
"Url": "https://hub.prowler.com/check/networkfirewall_policy_default_action_fragmented_packets"
|
|
26
36
|
}
|
|
27
37
|
},
|
|
28
|
-
"Categories": [
|
|
38
|
+
"Categories": [
|
|
39
|
+
"trust-boundaries"
|
|
40
|
+
],
|
|
29
41
|
"DependsOn": [],
|
|
30
42
|
"RelatedTo": [],
|
|
31
43
|
"Notes": ""
|
|
@@ -1,31 +1,40 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "networkfirewall_policy_default_action_full_packets",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Network Firewall firewall policy default stateless action for full packets is drop or forward",
|
|
5
5
|
"CheckType": [
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
6
8
|
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
|
|
7
9
|
],
|
|
8
10
|
"ServiceName": "networkfirewall",
|
|
9
11
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
-
"Severity": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
|
+
"Severity": "high",
|
|
12
14
|
"ResourceType": "AwsNetworkFirewallFirewall",
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
15
|
+
"Description": "**AWS Network Firewall policies** define a **stateless default action** for full packets. This evaluates whether unmatched packets are handled by `aws:drop` or `aws:forward_to_sfe`, meaning they are either discarded or sent to the stateful engine rather than allowed to pass.",
|
|
16
|
+
"Risk": "Using `Pass` as the default allows unmatched full packets to bypass stateless filtering and stateful inspection, enabling reconnaissance, malware delivery, and covert data exfiltration. This undermines **confidentiality** and **integrity**, and can threaten **availability** through unfiltered attacks.",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-4",
|
|
20
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateless-default-actions.html",
|
|
21
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html"
|
|
22
|
+
],
|
|
16
23
|
"Remediation": {
|
|
17
24
|
"Code": {
|
|
18
|
-
"CLI": "
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
25
|
+
"CLI": "",
|
|
26
|
+
"NativeIaC": "```yaml\n# CloudFormation: set default stateless action for full packets to Drop\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::FirewallPolicy\n Properties:\n FirewallPolicyName: <example_resource_name>\n FirewallPolicy:\n StatelessDefaultActions:\n - aws:drop # CRITICAL: full packets default to Drop (fixes the check)\n StatelessFragmentDefaultActions:\n - aws:drop # Required for a valid policy\n```",
|
|
27
|
+
"Other": "1. In the AWS console, open Amazon VPC\n2. Under Network Firewall, select Firewall policies\n3. Open the target firewall policy and choose Edit\n4. In Stateless default actions (full packets), select Drop (or Forward to stateful rule groups)\n5. Choose Save",
|
|
28
|
+
"Terraform": "```hcl\n# Terraform: set default stateless action for full packets to Drop\nresource \"aws_networkfirewall_firewall_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n firewall_policy {\n stateless_default_actions = [\"aws:drop\"] # CRITICAL: full packets default to Drop (fixes the check)\n stateless_fragment_default_actions = [\"aws:drop\"] # Required for a valid policy\n }\n}\n```"
|
|
22
29
|
},
|
|
23
30
|
"Recommendation": {
|
|
24
|
-
"Text": "
|
|
25
|
-
"Url": "https://
|
|
31
|
+
"Text": "Enforce a **deny-by-default** posture: set the stateless default for full packets to `aws:drop` or `aws:forward_to_sfe`. Use explicit allow rules, layer **stateful inspection**, and maintain logging and reviews to support **defense in depth** and **least privilege**.",
|
|
32
|
+
"Url": "https://hub.prowler.com/check/networkfirewall_policy_default_action_full_packets"
|
|
26
33
|
}
|
|
27
34
|
},
|
|
28
|
-
"Categories": [
|
|
35
|
+
"Categories": [
|
|
36
|
+
"trust-boundaries"
|
|
37
|
+
],
|
|
29
38
|
"DependsOn": [],
|
|
30
39
|
"RelatedTo": [],
|
|
31
40
|
"Notes": ""
|
|
@@ -1,31 +1,42 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Provider": "aws",
|
|
3
3
|
"CheckID": "networkfirewall_policy_rule_group_associated",
|
|
4
|
-
"CheckTitle": "
|
|
4
|
+
"CheckTitle": "Network Firewall policy has at least one rule group associated",
|
|
5
5
|
"CheckType": [
|
|
6
|
-
"Software and Configuration Checks/
|
|
6
|
+
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
|
7
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
|
8
|
+
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
|
|
7
9
|
],
|
|
8
10
|
"ServiceName": "networkfirewall",
|
|
9
11
|
"SubServiceName": "",
|
|
10
|
-
"ResourceIdTemplate": "
|
|
11
|
-
"Severity": "
|
|
12
|
-
"ResourceType": "
|
|
13
|
-
"Description": "
|
|
14
|
-
"Risk": "
|
|
15
|
-
"RelatedUrl": "
|
|
12
|
+
"ResourceIdTemplate": "",
|
|
13
|
+
"Severity": "high",
|
|
14
|
+
"ResourceType": "AwsNetworkFirewallFirewall",
|
|
15
|
+
"Description": "Network Firewall policies have one or more **stateful** or **stateless rule groups** associated to define packet inspection and handling.\n\nPolicies with no rule groups are identified.",
|
|
16
|
+
"Risk": "Without rule groups, traffic isn't meaningfully inspected, allowing unauthorized flows across VPC boundaries.\n\nImpacts:\n- Confidentiality: data exfiltration\n- Integrity: unauthorized changes via exposed services\n- Availability: C2, scanning, or DoS traffic passes; enables lateral movement",
|
|
17
|
+
"RelatedUrl": "",
|
|
18
|
+
"AdditionalURLs": [
|
|
19
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups.html",
|
|
20
|
+
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html",
|
|
21
|
+
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-3",
|
|
22
|
+
"https://medium.com/slalom-blog/secure-internet-access-egress-filtering-with-aws-network-firewall-ddf52ae121f9",
|
|
23
|
+
"https://docs.aws.amazon.com/de_de/network-firewall/latest/developerguide/nwfw-using-managed-rule-groups-add-to-policy.html"
|
|
24
|
+
],
|
|
16
25
|
"Remediation": {
|
|
17
26
|
"Code": {
|
|
18
27
|
"CLI": "",
|
|
19
|
-
"NativeIaC": "",
|
|
20
|
-
"Other": "
|
|
21
|
-
"Terraform": ""
|
|
28
|
+
"NativeIaC": "```yaml\n# CloudFormation: Attach at least one rule group to a Network Firewall policy\nResources:\n FirewallPolicy:\n Type: AWS::NetworkFirewall::FirewallPolicy\n Properties:\n FirewallPolicyName: <example_resource_name>\n FirewallPolicy:\n StatelessDefaultActions:\n - aws:forward_to_sfe\n StatelessFragmentDefaultActions:\n - aws:forward_to_sfe\n # Critical: Associate at least one rule group with the policy to pass the check\n StatefulRuleGroupReferences:\n - ResourceArn: <example_resource_arn> # Critical line: references an existing rule group ARN\n```",
|
|
29
|
+
"Other": "1. Open the AWS Console and go to VPC > Network Firewall > Firewall policies\n2. Select the target firewall policy\n3. In Stateful rule groups (or Stateless rule groups), choose Add rule groups (or Add managed stateful/stateless rule groups)\n4. Select at least one existing rule group and choose Add to policy\n5. Click Save",
|
|
30
|
+
"Terraform": "```hcl\n# Attach at least one rule group to a Network Firewall policy\nresource \"aws_networkfirewall_firewall_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n firewall_policy {\n stateless_default_actions = [\"aws:forward_to_sfe\"]\n stateless_fragment_default_actions = [\"aws:forward_to_sfe\"]\n\n # Critical: Associate at least one rule group with the policy to pass the check\n stateful_rule_group_reference {\n resource_arn = \"<example_resource_arn>\" # Critical line: references an existing rule group ARN\n }\n }\n}\n```"
|
|
22
31
|
},
|
|
23
32
|
"Recommendation": {
|
|
24
|
-
"Text": "
|
|
25
|
-
"Url": "https://
|
|
33
|
+
"Text": "Associate appropriate **stateful** and **stateless rule groups** with every policy.\n- Enforce a **deny-by-default** posture (least privilege)\n- Use vetted managed rule groups as a baseline, then tailor to workloads\n- Review and test regularly; version rules, monitor logs, and require change control",
|
|
34
|
+
"Url": "https://hub.prowler.com/check/networkfirewall_policy_rule_group_associated"
|
|
26
35
|
}
|
|
27
36
|
},
|
|
28
|
-
"Categories": [
|
|
37
|
+
"Categories": [
|
|
38
|
+
"trust-boundaries"
|
|
39
|
+
],
|
|
29
40
|
"DependsOn": [],
|
|
30
41
|
"RelatedTo": [],
|
|
31
42
|
"Notes": ""
|
|
@@ -286,6 +286,18 @@ class Provider(ABC):
|
|
|
286
286
|
fixer_config=fixer_config,
|
|
287
287
|
use_instance_principal=arguments.use_instance_principal,
|
|
288
288
|
)
|
|
289
|
+
elif "alibabacloud" in provider_class_name.lower():
|
|
290
|
+
provider_class(
|
|
291
|
+
role_arn=arguments.role_arn,
|
|
292
|
+
role_session_name=arguments.role_session_name,
|
|
293
|
+
ecs_ram_role=arguments.ecs_ram_role,
|
|
294
|
+
oidc_role_arn=arguments.oidc_role_arn,
|
|
295
|
+
credentials_uri=arguments.credentials_uri,
|
|
296
|
+
regions=arguments.regions,
|
|
297
|
+
config_path=arguments.config_file,
|
|
298
|
+
mutelist_path=arguments.mutelist_file,
|
|
299
|
+
fixer_config=fixer_config,
|
|
300
|
+
)
|
|
289
301
|
|
|
290
302
|
except TypeError as error:
|
|
291
303
|
logger.critical(
|
|
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
from pydantic.v1 import BaseModel
|
|
2
|
+
|
|
3
|
+
import prowler.providers.gcp.config as config
|
|
4
|
+
from prowler.lib.logger import logger
|
|
5
|
+
from prowler.providers.gcp.gcp_provider import GcpProvider
|
|
6
|
+
from prowler.providers.gcp.lib.service.service import GCPService
|
|
7
|
+
from prowler.providers.gcp.services.cloudresourcemanager.cloudresourcemanager_client import (
|
|
8
|
+
cloudresourcemanager_client,
|
|
9
|
+
)
|
|
10
|
+
|
|
11
|
+
|
|
12
|
+
class AccessContextManager(GCPService):
|
|
13
|
+
def __init__(self, provider: GcpProvider):
|
|
14
|
+
super().__init__("accesscontextmanager", provider, api_version="v1")
|
|
15
|
+
self.service_perimeters = []
|
|
16
|
+
self._get_service_perimeters()
|
|
17
|
+
|
|
18
|
+
def _get_service_perimeters(self):
|
|
19
|
+
for org in cloudresourcemanager_client.organizations:
|
|
20
|
+
try:
|
|
21
|
+
access_policies = []
|
|
22
|
+
try:
|
|
23
|
+
request = self.client.accessPolicies().list(
|
|
24
|
+
parent=f"organizations/{org.id}"
|
|
25
|
+
)
|
|
26
|
+
while request is not None:
|
|
27
|
+
response = request.execute(
|
|
28
|
+
num_retries=config.DEFAULT_RETRY_ATTEMPTS
|
|
29
|
+
)
|
|
30
|
+
access_policies.extend(response.get("accessPolicies", []))
|
|
31
|
+
|
|
32
|
+
request = self.client.accessPolicies().list_next(
|
|
33
|
+
previous_request=request, previous_response=response
|
|
34
|
+
)
|
|
35
|
+
except Exception as error:
|
|
36
|
+
logger.error(
|
|
37
|
+
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
38
|
+
)
|
|
39
|
+
continue
|
|
40
|
+
|
|
41
|
+
for policy in access_policies:
|
|
42
|
+
try:
|
|
43
|
+
request = (
|
|
44
|
+
self.client.accessPolicies()
|
|
45
|
+
.servicePerimeters()
|
|
46
|
+
.list(parent=policy["name"])
|
|
47
|
+
)
|
|
48
|
+
while request is not None:
|
|
49
|
+
response = request.execute(
|
|
50
|
+
num_retries=config.DEFAULT_RETRY_ATTEMPTS
|
|
51
|
+
)
|
|
52
|
+
|
|
53
|
+
for perimeter in response.get("servicePerimeters", []):
|
|
54
|
+
status = perimeter.get("status", {})
|
|
55
|
+
spec = perimeter.get("spec", {})
|
|
56
|
+
|
|
57
|
+
perimeter_config = status if status else spec
|
|
58
|
+
|
|
59
|
+
resources = perimeter_config.get("resources", [])
|
|
60
|
+
restricted_services = perimeter_config.get(
|
|
61
|
+
"restrictedServices", []
|
|
62
|
+
)
|
|
63
|
+
|
|
64
|
+
self.service_perimeters.append(
|
|
65
|
+
ServicePerimeter(
|
|
66
|
+
name=perimeter["name"],
|
|
67
|
+
title=perimeter.get("title", ""),
|
|
68
|
+
perimeter_type=perimeter.get(
|
|
69
|
+
"perimeterType", ""
|
|
70
|
+
),
|
|
71
|
+
resources=resources,
|
|
72
|
+
restricted_services=restricted_services,
|
|
73
|
+
policy_name=policy["name"],
|
|
74
|
+
)
|
|
75
|
+
)
|
|
76
|
+
|
|
77
|
+
request = (
|
|
78
|
+
self.client.accessPolicies()
|
|
79
|
+
.servicePerimeters()
|
|
80
|
+
.list_next(
|
|
81
|
+
previous_request=request, previous_response=response
|
|
82
|
+
)
|
|
83
|
+
)
|
|
84
|
+
except Exception as error:
|
|
85
|
+
logger.error(
|
|
86
|
+
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
87
|
+
)
|
|
88
|
+
|
|
89
|
+
except Exception as error:
|
|
90
|
+
logger.error(
|
|
91
|
+
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
|
92
|
+
)
|
|
93
|
+
|
|
94
|
+
|
|
95
|
+
class ServicePerimeter(BaseModel):
|
|
96
|
+
name: str
|
|
97
|
+
title: str
|
|
98
|
+
perimeter_type: str
|
|
99
|
+
resources: list[str]
|
|
100
|
+
restricted_services: list[str]
|
|
101
|
+
policy_name: str
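Review bot: `perimeter_config = status if status else spec` (new line 57) falls back to `spec` whenever `status` is empty, and — if I read the Access Context Manager API correctly — `spec` is the dry-run configuration, so a perimeter that only exists in dry-run mode enforces nothing yet is recorded here with the same `ServicePerimeter` shape as an enforced one; a downstream check could then report a project as protected when it is not. Consider carrying the distinction on the model, e.g. `enforced: bool` set from `bool(status)` (or reading `useExplicitDryRunSpec`), and leaving the decision to the check. Separately, the outermost `try` on new line 20 is redundant: both inner blocks already catch `Exception`, so it only guards the `for` statement and the list assignment and can be removed to reduce nesting. A short comment above line 57 such as `# status = enforced config, spec = dry-run config; a spec-only perimeter is not enforced` would help whoever maintains this next.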
|
|
@@ -19,6 +19,14 @@ class CloudResourceManager(GCPService):
|
|
|
19
19
|
def _get_iam_policy(self):
|
|
20
20
|
for project_id in self.project_ids:
|
|
21
21
|
try:
|
|
22
|
+
# Get project details to obtain project number
|
|
23
|
+
project_details = (
|
|
24
|
+
self.client.projects()
|
|
25
|
+
.get(projectId=project_id)
|
|
26
|
+
.execute(num_retries=DEFAULT_RETRY_ATTEMPTS)
|
|
27
|
+
)
|
|
28
|
+
project_number = project_details.get("projectNumber", "")
|
|
29
|
+
|
|
22
30
|
policy = (
|
|
23
31
|
self.client.projects()
|
|
24
32
|
.getIamPolicy(resource=project_id)
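Review bot: The new `projects().get()` call (new lines 23-27) sits inside the same `try` as the existing `getIamPolicy()` fetch, so a project where the scanning principal lacks `resourcemanager.projects.get`, or any transient error on that one call, now skips the IAM-policy and audit-logging evaluation for that project entirely, where previously only the policy call could fail. Since `Project.number` defaults to `""` in the later hunk, the lookup can be isolated in its own `try`/`except` so the project is still processed with an empty number. The enclosing `try`/`except` of `_get_iam_policy` ends outside the hunk, so I cannot see how the error is reported; the fence below mirrors the logging format used elsewhere in this package.
```python
            # … unchanged: outer try of the per-project loop …
            project_number = ""
            try:
                project_details = (
                    self.client.projects()
                    .get(projectId=project_id)
                    .execute(num_retries=DEFAULT_RETRY_ATTEMPTS)
                )
                project_number = project_details.get("projectNumber", "")
            except Exception as error:
                # Missing resourcemanager.projects.get must not block the IAM policy evaluation
                logger.error(
                    f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                )
            # … unchanged: getIamPolicy fetch …
```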
|
|
@@ -41,6 +49,7 @@ class CloudResourceManager(GCPService):
|
|
|
41
49
|
self.cloud_resource_manager_projects.append(
|
|
42
50
|
Project(
|
|
43
51
|
id=project_id,
|
|
52
|
+
number=project_number,
|
|
44
53
|
audit_logging=audit_logging,
|
|
45
54
|
audit_configs=audit_configs,
|
|
46
55
|
)
|
|
@@ -96,6 +105,7 @@ class Binding(BaseModel):
|
|
|
96
105
|
|
|
97
106
|
class Project(BaseModel):
|
|
98
107
|
id: str
|
|
108
|
+
number: str = ""
|
|
99
109
|
audit_logging: bool
|
|
100
110
|
audit_configs: list[AuditConfig] = []
|
|
101
111
|
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
from typing import Optional
|
|
2
2
|
|
|
3
|
+
from googleapiclient.errors import HttpError
3
4
from pydantic.v1 import BaseModel
4
5
5
6
from prowler.lib.logger import logger
@@ -12,6 +13,7 @@ class CloudStorage(GCPService):
12
13
def __init__(self, provider: GcpProvider):
13
14
super().__init__("storage", provider)
14
15
self.buckets = []
16
+
self.vpc_service_controls_protected_projects = set()
15
17
self._get_buckets()
16
18
17
19
def _get_buckets(self):
@@ -93,6 +95,17 @@ class CloudStorage(GCPService):
93
95
request = self.client.buckets().list_next(
94
96
previous_request=request, previous_response=response
95
97
)
98
+
except HttpError as http_error:
99
+
# Check if the error is due to VPC Service Controls blocking the API
100
+
if "vpcServiceControlsUniqueIdentifier" in str(http_error):
101
+
self.vpc_service_controls_protected_projects.add(project_id)
102
+
logger.warning(
103
+
f"Project {project_id} is protected by VPC Service Controls for Cloud Storage API."
104
+
)
105
+
else:
106
+
logger.error(
107
+
f"{http_error.__class__.__name__}[{http_error.__traceback__.tb_lineno}]: {http_error}"
108
+
)
96
109
except Exception as error:
97
110
logger.error(
98
111
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
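Review bot: The VPC Service Controls detection in the new `except HttpError` branch is a substring match over `str(http_error)`, so it depends on how the client library renders the exception and fires on any error text that happens to contain the identifier; inspecting the response directly is more robust, e.g. `if http_error.resp.status == 403 and b"vpcServiceControlsUniqueIdentifier" in http_error.content:` (`content` is the raw body, bytes in googleapiclient — confirm against the version pinned). When the branch fires the project is marked protected but no buckets are recorded for it, so every bucket-level check in this service silently yields no findings for that project; the warning should say so, e.g. `f"Project {project_id} is protected by VPC Service Controls for Cloud Storage API; bucket-level checks will be skipped for it."`. The enclosing `_get_buckets` loop and the `project_id` binding start outside the hunk.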
prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/__init__.py
ADDED
File without changes
@@ -0,0 +1,36 @@
1
+
{
2
+
"Provider": "gcp",
3
+
"CheckID": "cloudstorage_uses_vpc_service_controls",
4
+
"CheckTitle": "Cloud Storage services are protected by VPC Service Controls",
5
+
"CheckType": [],
6
+
"ServiceName": "cloudstorage",
7
+
"SubServiceName": "",
8
+
"ResourceIdTemplate": "",
9
+
"Severity": "medium",
10
+
"ResourceType": "cloudresourcemanager.googleapis.com/Project",
11
+
"Description": "**GCP Projects** are evaluated to ensure they have **VPC Service Controls** enabled for Cloud Storage. VPC Service Controls establish security boundaries by restricting access to Cloud Storage resources to specific networks and trusted clients, preventing unauthorized data access and exfiltration.",
12
+
"Risk": "Projects without VPC Service Controls protection for Cloud Storage may be vulnerable to unauthorized data access and exfiltration, even with proper IAM policies in place. VPC Service Controls provide an additional layer of network-level security that restricts API access based on the context of the request.",
13
+
"RelatedUrl": "",
14
+
"AdditionalURLs": [
15
+
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/use-vpc-service-controls.html",
16
+
"https://cloud.google.com/vpc-service-controls/docs/create-service-perimeters"
17
+
],
18
+
"Remediation": {
19
+
"Code": {
20
+
"CLI": "",
21
+
"NativeIaC": "",
22
+
"Other": "1) Open Google Cloud Console → Security → VPC Service Controls\n2) Create a new service perimeter or select an existing one\n3) Add the relevant GCP projects to the perimeter's protected resources\n4) Add 'storage.googleapis.com' to the list of restricted services\n5) Configure appropriate ingress and egress rules\n6) Save the perimeter configuration",
23
+
"Terraform": ""
24
+
},
25
+
"Recommendation": {
26
+
"Text": "Enable VPC Service Controls for all Cloud Storage buckets by adding their projects to a service perimeter with storage.googleapis.com as a restricted service. This prevents data exfiltration and ensures API calls are only allowed from authorized networks.",
27
+
"Url": "https://hub.prowler.com/check/cloudstorage_uses_vpc_service_controls"
28
+
}
29
+
},
30
+
"Categories": [
31
+
"internet-exposed"
32
+
],
33
+
"DependsOn": [],
34
+
"RelatedTo": [],
35
+
"Notes": ""
36
+
}
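Review bot: `Remediation.Code.CLI` is left empty although the console steps in `Other` map directly onto gcloud, e.g. `gcloud access-context-manager perimeters update <PERIMETER> --policy=<POLICY_ID> --add-resources=projects/<PROJECT_NUMBER> --add-restricted-services=storage.googleapis.com` (placeholders to be filled by the operator). The `Notes` field could also warn that restricting storage.googleapis.com blocks the scanner itself unless it runs inside the perimeter or is allowed by an ingress rule, which is exactly the 403 path the service hunk above treats as "protected" while skipping bucket collection; operators enabling the control should plan for that loss of bucket-level coverage.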
@@ -0,0 +1,67 @@
1
+
from prowler.lib.check.models import Check, Check_Report_GCP
2
+
from prowler.providers.gcp.services.accesscontextmanager.accesscontextmanager_client import (
3
+
accesscontextmanager_client,
4
+
)
5
+
from prowler.providers.gcp.services.cloudresourcemanager.cloudresourcemanager_client import (
6
+
cloudresourcemanager_client,
7
+
)
8
+
from prowler.providers.gcp.services.cloudstorage.cloudstorage_client import (
9
+
cloudstorage_client,
10
+
)
11
+
12
+
13
+
class cloudstorage_uses_vpc_service_controls(Check):
14
+
"""
15
+
Ensure Cloud Storage is protected by VPC Service Controls at project level.
16
+
17
+
Reports PASS if:
18
+
- A project is in a VPC Service Controls perimeter with storage.googleapis.com
19
+
as a restricted service, OR
20
+
- The Cloud Storage API access is blocked by VPC Service Controls
21
+
(verified by vpcServiceControlsUniqueIdentifier in the error response)
22
+
23
+
Otherwise reports FAIL.
24
+
"""
25
+
26
+
def execute(self) -> list[Check_Report_GCP]:
27
+
findings = []
28
+
29
+
protected_projects = {}
30
+
for perimeter in accesscontextmanager_client.service_perimeters:
31
+
if any(
32
+
service == "storage.googleapis.com"
33
+
for service in perimeter.restricted_services
34
+
):
35
+
for resource in perimeter.resources:
36
+
protected_projects[resource] = perimeter.title
37
+
38
+
for project in cloudresourcemanager_client.cloud_resource_manager_projects:
39
+
report = Check_Report_GCP(
40
+
metadata=self.metadata(),
41
+
resource=cloudresourcemanager_client.projects[project.id],
42
+
project_id=project.id,
43
+
location=cloudresourcemanager_client.region,
44
+
resource_name=(
45
+
cloudresourcemanager_client.projects[project.id].name
46
+
if cloudresourcemanager_client.projects[project.id].name
47
+
else "GCP Project"
48
+
),
49
+
)
50
+
report.status = "FAIL"
51
+
report.status_extended = f"Project {project.id} does not have VPC Service Controls enabled for Cloud Storage."
52
+
# GCP stores resources by project number, not project ID
53
+
project_resource_id = f"projects/{project.number}"
54
+
55
+
if project_resource_id in protected_projects:
56
+
report.status = "PASS"
57
+
report.status_extended = f"Project {project.id} has VPC Service Controls enabled for Cloud Storage in perimeter {protected_projects[project_resource_id]}."
58
+
elif (
59
+
project.id
60
+
in cloudstorage_client.vpc_service_controls_protected_projects
61
+
):
62
+
report.status = "PASS"
63
+
report.status_extended = f"Project {project.id} has VPC Service Controls enabled for Cloud Storage in undetermined perimeter (verified by API access restriction)."
64
+
65
+
findings.append(report)
66
+
67
+
return findings
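Review bot: A project whose number could not be resolved (`project.number == ""`, the model default) is reported as a definite FAIL at `project_resource_id = f"projects/{project.number}"`, because `projects/` never matches a perimeter resource, so a lookup failure in the service turns into a misleading finding. Distinguish that case before the perimeter lookup, e.g. `if not project.number: report.status_extended = f"Project {project.id} VPC Service Controls status could not be determined (project number unavailable)."` while keeping the conservative FAIL. The PASS at `if project_resource_id in protected_projects` also only holds if `perimeter.restricted_services` reflects the perimeter's enforced configuration rather than a dry-run spec; the service that populates it is outside this hunk, so worth confirming. When several perimeters list the same project the last one wins in `protected_projects`, which only affects the perimeter title in `status_extended`.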
File without changes