prowler-cloud 5.14.2__py3-none-any.whl → 5.15.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (327) hide show
  1. dashboard/assets/images/providers/alibabacloud_provider.png +0 -0
  2. dashboard/compliance/cis_2_0_alibabacloud.py +24 -0
  3. dashboard/lib/layouts.py +1 -0
  4. dashboard/pages/compliance.py +8 -2
  5. dashboard/pages/overview.py +52 -1
  6. prowler/CHANGELOG.md +59 -21
  7. prowler/__main__.py +34 -0
  8. prowler/compliance/alibabacloud/__init__.py +0 -0
  9. prowler/compliance/alibabacloud/cis_2.0_alibabacloud.json +1833 -0
  10. prowler/compliance/aws/iso27001_2013_aws.json +158 -158
  11. prowler/compliance/aws/soc2_aws.json +100 -0
  12. prowler/compliance/azure/rbi_cyber_security_framework_azure.json +248 -0
  13. prowler/compliance/azure/soc2_azure.json +87 -1
  14. prowler/compliance/gcp/soc2_gcp.json +82 -1
  15. prowler/config/config.py +2 -1
  16. prowler/lib/check/check.py +4 -0
  17. prowler/lib/check/models.py +23 -0
  18. prowler/lib/check/utils.py +1 -1
  19. prowler/lib/cli/parser.py +3 -2
  20. prowler/lib/outputs/compliance/cis/cis_alibabacloud.py +106 -0
  21. prowler/lib/outputs/compliance/cis/models.py +35 -0
  22. prowler/lib/outputs/finding.py +16 -0
  23. prowler/lib/outputs/html/html.py +67 -0
  24. prowler/lib/outputs/outputs.py +2 -0
  25. prowler/lib/outputs/summary_table.py +3 -0
  26. prowler/providers/alibabacloud/__init__.py +0 -0
  27. prowler/providers/alibabacloud/alibabacloud_provider.py +872 -0
  28. prowler/providers/alibabacloud/config.py +41 -0
  29. prowler/providers/alibabacloud/exceptions/__init__.py +0 -0
  30. prowler/providers/alibabacloud/exceptions/exceptions.py +116 -0
  31. prowler/providers/alibabacloud/lib/__init__.py +0 -0
  32. prowler/providers/alibabacloud/lib/arguments/__init__.py +0 -0
  33. prowler/providers/alibabacloud/lib/arguments/arguments.py +58 -0
  34. prowler/providers/alibabacloud/lib/mutelist/__init__.py +0 -0
  35. prowler/providers/alibabacloud/lib/mutelist/mutelist.py +175 -0
  36. prowler/providers/alibabacloud/lib/service/__init__.py +0 -0
  37. prowler/providers/alibabacloud/lib/service/service.py +113 -0
  38. prowler/providers/alibabacloud/models.py +266 -0
  39. prowler/providers/alibabacloud/services/__init__.py +0 -0
  40. prowler/providers/alibabacloud/services/actiontrail/__init__.py +0 -0
  41. prowler/providers/alibabacloud/services/actiontrail/actiontrail_client.py +6 -0
  42. prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/__init__.py +0 -0
  43. prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json +39 -0
  44. prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.py +81 -0
  45. prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/__init__.py +0 -0
  46. prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json +40 -0
  47. prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.py +119 -0
  48. prowler/providers/alibabacloud/services/actiontrail/actiontrail_service.py +110 -0
  49. prowler/providers/alibabacloud/services/cs/__init__.py +0 -0
  50. prowler/providers/alibabacloud/services/cs/cs_client.py +4 -0
  51. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/__init__.py +0 -0
  52. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json +38 -0
  53. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.py +26 -0
  54. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/__init__.py +0 -0
  55. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json +38 -0
  56. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.py +62 -0
  57. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json +38 -0
  58. prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.py +62 -0
  59. prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/__init__.py +0 -0
  60. prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json +39 -0
  61. prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.py +26 -0
  62. prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/__init__.py +0 -0
  63. prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json +39 -0
  64. prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.py +26 -0
  65. prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/__init__.py +0 -0
  66. prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json +40 -0
  67. prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.py +26 -0
  68. prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/__init__.py +0 -0
  69. prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json +39 -0
  70. prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.py +26 -0
  71. prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/__init__.py +0 -0
  72. prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json +39 -0
  73. prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.py +26 -0
  74. prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/__init__.py +0 -0
  75. prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json +40 -0
  76. prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.py +28 -0
  77. prowler/providers/alibabacloud/services/cs/cs_service.py +354 -0
  78. prowler/providers/alibabacloud/services/ecs/__init__.py +0 -0
  79. prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/__init__.py +0 -0
  80. prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json +38 -0
  81. prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.py +38 -0
  82. prowler/providers/alibabacloud/services/ecs/ecs_client.py +4 -0
  83. prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/__init__.py +0 -0
  84. prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json +41 -0
  85. prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.py +47 -0
  86. prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/__init__.py +0 -0
  87. prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json +38 -0
  88. prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.py +50 -0
  89. prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/__init__.py +0 -0
  90. prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json +38 -0
  91. prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.py +34 -0
  92. prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/__init__.py +0 -0
  93. prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json +39 -0
  94. prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.py +68 -0
  95. prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/__init__.py +0 -0
  96. prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json +39 -0
  97. prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.py +68 -0
  98. prowler/providers/alibabacloud/services/ecs/ecs_service.py +380 -0
  99. prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/__init__.py +0 -0
  100. prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json +38 -0
  101. prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.py +38 -0
  102. prowler/providers/alibabacloud/services/ecs/lib/security_groups.py +23 -0
  103. prowler/providers/alibabacloud/services/oss/__init__.py +0 -0
  104. prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/__init__.py +0 -0
  105. prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json +39 -0
  106. prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.py +37 -0
  107. prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/__init__.py +0 -0
  108. prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json +39 -0
  109. prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.py +89 -0
  110. prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/__init__.py +0 -0
  111. prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json +38 -0
  112. prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.py +87 -0
  113. prowler/providers/alibabacloud/services/oss/oss_client.py +4 -0
  114. prowler/providers/alibabacloud/services/oss/oss_service.py +317 -0
  115. prowler/providers/alibabacloud/services/ram/__init__.py +0 -0
  116. prowler/providers/alibabacloud/services/ram/ram_client.py +4 -0
  117. prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/__init__.py +0 -0
  118. prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json +39 -0
  119. prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.py +33 -0
  120. prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/__init__.py +0 -0
  121. prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json +39 -0
  122. prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.py +32 -0
  123. prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/__init__.py +0 -0
  124. prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json +39 -0
  125. prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.py +32 -0
  126. prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/__init__.py +0 -0
  127. prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json +39 -0
  128. prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.py +35 -0
  129. prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/__init__.py +0 -0
  130. prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json +39 -0
  131. prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.py +30 -0
  132. prowler/providers/alibabacloud/services/ram/ram_password_policy_number/__init__.py +0 -0
  133. prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json +39 -0
  134. prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/__init__.py +0 -0
  135. prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json +39 -0
  136. prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.py +35 -0
  137. prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/__init__.py +0 -0
  138. prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json +39 -0
  139. prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.py +34 -0
  140. prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/__init__.py +0 -0
  141. prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json +39 -0
  142. prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.py +32 -0
  143. prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/__init__.py +0 -0
  144. prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json +39 -0
  145. prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.py +35 -0
  146. prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/__init__.py +0 -0
  147. prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json +39 -0
  148. prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.py +73 -0
  149. prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/__init__.py +0 -0
  150. prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json +39 -0
  151. prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.py +58 -0
  152. prowler/providers/alibabacloud/services/ram/ram_service.py +478 -0
  153. prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/__init__.py +0 -0
  154. prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json +39 -0
  155. prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.py +56 -0
  156. prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/__init__.py +0 -0
  157. prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json +39 -0
  158. prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.py +36 -0
  159. prowler/providers/alibabacloud/services/rds/__init__.py +0 -0
  160. prowler/providers/alibabacloud/services/rds/rds_client.py +4 -0
  161. prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/__init__.py +0 -0
  162. prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json +39 -0
  163. prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.py +36 -0
  164. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/__init__.py +0 -0
  165. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json +39 -0
  166. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.py +29 -0
  167. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/__init__.py +0 -0
  168. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json +39 -0
  169. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.py +29 -0
  170. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/__init__.py +0 -0
  171. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json +38 -0
  172. prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.py +29 -0
  173. prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/__init__.py +0 -0
  174. prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json +39 -0
  175. prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.py +32 -0
  176. prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/__init__.py +0 -0
  177. prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json +39 -0
  178. prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.py +41 -0
  179. prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/__init__.py +0 -0
  180. prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json +39 -0
  181. prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.py +30 -0
  182. prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/__init__.py +0 -0
  183. prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json +39 -0
  184. prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.py +32 -0
  185. prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/__init__.py +0 -0
  186. prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json +39 -0
  187. prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.py +38 -0
  188. prowler/providers/alibabacloud/services/rds/rds_service.py +274 -0
  189. prowler/providers/alibabacloud/services/securitycenter/__init__.py +0 -0
  190. prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/__init__.py +0 -0
  191. prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json +43 -0
  192. prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.py +48 -0
  193. prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/__init__.py +0 -0
  194. prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json +42 -0
  195. prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.py +48 -0
  196. prowler/providers/alibabacloud/services/securitycenter/securitycenter_client.py +6 -0
  197. prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/__init__.py +0 -0
  198. prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json +42 -0
  199. prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.py +65 -0
  200. prowler/providers/alibabacloud/services/securitycenter/securitycenter_service.py +394 -0
  201. prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/__init__.py +0 -0
  202. prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json +39 -0
  203. prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.py +68 -0
  204. prowler/providers/alibabacloud/services/sls/__init__.py +0 -0
  205. prowler/providers/alibabacloud/services/sls/sls_client.py +4 -0
  206. prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/__init__.py +0 -0
  207. prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json +39 -0
  208. prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.py +50 -0
  209. prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/__init__.py +0 -0
  210. prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json +39 -0
  211. prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.py +48 -0
  212. prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/__init__.py +0 -0
  213. prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json +38 -0
  214. prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.py +32 -0
  215. prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/__init__.py +0 -0
  216. prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json +39 -0
  217. prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.py +44 -0
  218. prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/__init__.py +0 -0
  219. prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json +39 -0
  220. prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.py +49 -0
  221. prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/__init__.py +0 -0
  222. prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json +39 -0
  223. prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.py +57 -0
  224. prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/__init__.py +0 -0
  225. prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json +39 -0
  226. prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.py +48 -0
  227. prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/__init__.py +0 -0
  228. prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json +39 -0
  229. prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.py +54 -0
  230. prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/__init__.py +0 -0
  231. prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json +39 -0
  232. prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.py +72 -0
  233. prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/__init__.py +0 -0
  234. prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json +39 -0
  235. prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.py +50 -0
  236. prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/__init__.py +0 -0
  237. prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json +39 -0
  238. prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.py +56 -0
  239. prowler/providers/alibabacloud/services/sls/sls_service.py +137 -0
  240. prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/__init__.py +0 -0
  241. prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json +39 -0
  242. prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.py +56 -0
  243. prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/__init__.py +0 -0
  244. prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json +39 -0
  245. prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.py +57 -0
  246. prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/__init__.py +0 -0
  247. prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json +39 -0
  248. prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.py +52 -0
  249. prowler/providers/alibabacloud/services/vpc/__init__.py +0 -0
  250. prowler/providers/alibabacloud/services/vpc/vpc_client.py +4 -0
  251. prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/__init__.py +0 -0
  252. prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json +39 -0
  253. prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +30 -0
  254. prowler/providers/alibabacloud/services/vpc/vpc_service.py +102 -0
  255. prowler/providers/aws/aws_regions_by_service.json +20 -0
  256. prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json +1 -3
  257. prowler/providers/aws/services/apigateway/apigateway_service.py +4 -1
  258. prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.metadata.json +1 -1
  259. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +1 -2
  260. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +1 -2
  261. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +1 -2
  262. prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +1 -2
  263. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +1 -2
  264. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +1 -2
  265. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +1 -2
  266. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +1 -2
  267. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +1 -2
  268. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +1 -2
  269. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +1 -2
  270. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +1 -2
  271. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +1 -2
  272. prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +0 -1
  273. prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.metadata.json +16 -10
  274. prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.metadata.json +23 -14
  275. prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.metadata.json +19 -13
  276. prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.metadata.json +18 -12
  277. prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.metadata.json +24 -13
  278. prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json +20 -14
  279. prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.metadata.json +18 -9
  280. prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.metadata.json +18 -11
  281. prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.metadata.json +21 -12
  282. prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.metadata.json +21 -13
  283. prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.metadata.json +24 -13
  284. prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.metadata.json +21 -13
  285. prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.metadata.json +23 -14
  286. prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.metadata.json +20 -12
  287. prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.metadata.json +17 -12
  288. prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.metadata.json +22 -13
  289. prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.metadata.json +21 -12
  290. prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.metadata.json +23 -14
  291. prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.metadata.json +22 -13
  292. prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.metadata.json +20 -12
  293. prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.metadata.json +21 -13
  294. prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.metadata.json +23 -13
  295. prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.metadata.json +20 -13
  296. prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.metadata.json +22 -14
  297. prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.metadata.json +26 -14
  298. prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.metadata.json +22 -13
  299. prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.metadata.json +25 -14
  300. prowler/providers/common/provider.py +12 -0
  301. prowler/providers/gcp/services/accesscontextmanager/__init__.py +0 -0
  302. prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_client.py +6 -0
  303. prowler/providers/gcp/services/accesscontextmanager/accesscontextmanager_service.py +101 -0
  304. prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +10 -0
  305. prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +13 -0
  306. prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/__init__.py +0 -0
  307. prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.metadata.json +36 -0
  308. prowler/providers/gcp/services/cloudstorage/cloudstorage_uses_vpc_service_controls/cloudstorage_uses_vpc_service_controls.py +67 -0
  309. prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/__init__.py +0 -0
  310. prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.metadata.json +36 -0
  311. prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.py +35 -0
  312. prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/__init__.py +0 -0
  313. prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.metadata.json +36 -0
  314. prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.py +29 -0
  315. prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/__init__.py +0 -0
  316. prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.metadata.json +37 -0
  317. prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.py +32 -0
  318. prowler/providers/gcp/services/compute/compute_service.py +16 -0
  319. prowler/providers/github/services/repository/repository_immutable_releases_enabled/__init__.py +0 -0
  320. prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.metadata.json +33 -0
  321. prowler/providers/github/services/repository/repository_immutable_releases_enabled/repository_immutable_releases_enabled.py +41 -0
  322. prowler/providers/github/services/repository/repository_service.py +52 -0
  323. {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.1.dist-info}/METADATA +40 -22
  324. {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.1.dist-info}/RECORD +327 -74
  325. {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.1.dist-info}/LICENSE +0 -0
  326. {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.1.dist-info}/WHEEL +0 -0
  327. {prowler_cloud-5.14.2.dist-info → prowler_cloud-5.15.1.dist-info}/entry_points.txt +0 -0
prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json ADDED
@@ -0,0 +1,39 @@
1
+ {
2
+ "Provider": "alibabacloud",
3
+ "CheckID": "ram_policy_no_administrative_privileges",
4
+ "CheckTitle": "RAM policies that allow full \"*:*\" administrative privileges are not created",
5
+ "CheckType": [
6
+ "Abnormal account",
7
+ "Cloud threat detection"
8
+ ],
9
+ "ServiceName": "ram",
10
+ "SubServiceName": "",
11
+ "ResourceIdTemplate": "acs:ram::account-id:policy/{policy-name}",
12
+ "Severity": "critical",
13
+ "ResourceType": "AlibabaCloudRAMPolicy",
14
+ "Description": "**RAM policies** represent permissions that can be granted to users, groups, or roles. It is recommended to grant **least privilege**—that is, granting only the permissions required to perform tasks.\n\nDetermine what users need to do and then create policies with permissions that only fit those tasks, instead of allowing full administrative privileges.",
15
+ "Risk": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary. Providing **full administrative privileges** exposes your resources to potentially unwanted actions.\n\nRAM policies with `\"Effect\": \"Allow\"`, `\"Action\": \"*\"`, and `\"Resource\": \"*\"` should be prohibited.",
16
+ "RelatedUrl": "",
17
+ "AdditionalURLs": [
18
+ "https://www.alibabacloud.com/help/doc-detail/93733.htm",
19
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/policies-with-full-administrative-privileges.html"
20
+ ],
21
+ "Remediation": {
22
+ "Code": {
23
+ "CLI": "aliyun ram DetachPolicyFromUser --PolicyName <policy_name> --PolicyType Custom --UserName <ram_user>",
24
+ "NativeIaC": "",
25
+ "Other": "",
26
+ "Terraform": ""
27
+ },
28
+ "Recommendation": {
29
+ "Text": "1. Log on to the **RAM Console**\n2. Choose **Permissions** > **Policies**\n3. From the Policy Type drop-down list, select **Custom Policy**\n4. In the Policy Name column, click the name of the target policy\n5. In the Policy Document section, edit the policy to remove the statement with full administrative privileges, or remove the policy from any RAM users, user groups, or roles that have this policy attached",
30
+ "Url": "https://hub.prowler.com/check/ram_policy_no_administrative_privileges"
31
+ }
32
+ },
33
+ "Categories": [
34
+ "identity-access"
35
+ ],
36
+ "DependsOn": [],
37
+ "RelatedTo": [],
38
+ "Notes": ""
39
+ }
prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.py ADDED
@@ -0,0 +1,73 @@
1
+ from prowler.lib.check.models import Check, CheckReportAlibabaCloud
2
+ from prowler.providers.alibabacloud.services.ram.ram_client import ram_client
3
+
4
+
5
+ def check_admin_access(policy_document: dict) -> bool:
6
+ """
7
+ Check if the policy document allows full administrative privileges.
8
+
9
+ Args:
10
+ policy_document: The policy document as a dictionary.
11
+
12
+ Returns:
13
+ bool: True if the policy allows admin access (Effect: Allow, Action: *, Resource: *), False otherwise.
14
+ """
15
+ if not policy_document:
16
+ return False
17
+
18
+ statements = policy_document.get("Statement", [])
19
+ if not isinstance(statements, list):
20
+ statements = [statements]
21
+
22
+ for statement in statements:
23
+ effect = statement.get("Effect")
24
+ action = statement.get("Action")
25
+ resource = statement.get("Resource")
26
+
27
+ # Check if statement has Effect: Allow, Action: *, Resource: *
28
+ if effect == "Allow":
29
+ # Action can be a string or a list
30
+ actions = action if isinstance(action, list) else [action] if action else []
31
+ # Resource can be a string or a list
32
+ resources = (
33
+ resource
34
+ if isinstance(resource, list)
35
+ else [resource] if resource else []
36
+ )
37
+
38
+ # Check if Action contains "*" and Resource contains "*"
39
+ if "*" in actions and "*" in resources:
40
+ return True
41
+
42
+ return False
43
+
44
+
45
+ class ram_policy_no_administrative_privileges(Check):
46
+ """Check if RAM policies that allow full '*:*' administrative privileges are not created."""
47
+
48
+ def execute(self) -> list[CheckReportAlibabaCloud]:
49
+ findings = []
50
+
51
+ for policy in ram_client.policies.values():
52
+ # Check only for custom policies that are attached
53
+ if policy.policy_type == "Custom" and policy.attachment_count > 0:
54
+ report = CheckReportAlibabaCloud(
55
+ metadata=self.metadata(), resource=policy
56
+ )
57
+ report.region = ram_client.region
58
+ report.resource_id = policy.name
59
+ report.resource_arn = (
60
+ f"acs:ram::{ram_client.audited_account}:policy/{policy.name}"
61
+ )
62
+
63
+ report.status = "PASS"
64
+ report.status_extended = f"Custom policy {policy.name} is attached but does not allow '*:*' administrative privileges."
65
+
66
+ if policy.document:
67
+ if check_admin_access(policy.document):
68
+ report.status = "FAIL"
69
+ report.status_extended = f"Custom policy {policy.name} is attached and allows '*:*' administrative privileges."
70
+
71
+ findings.append(report)
72
+
73
+ return findings
prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json ADDED
@@ -0,0 +1,39 @@
1
+ {
2
+ "Provider": "alibabacloud",
3
+ "CheckID": "ram_rotate_access_key_90_days",
4
+ "CheckTitle": "Access keys are rotated every 90 days or less",
5
+ "CheckType": [
6
+ "Unusual logon",
7
+ "Cloud threat detection"
8
+ ],
9
+ "ServiceName": "ram",
10
+ "SubServiceName": "",
11
+ "ResourceIdTemplate": "acs:ram::account-id:user/{user-name}/accesskey/{access-key-id}",
12
+ "Severity": "medium",
13
+ "ResourceType": "AlibabaCloudRAMAccessKey",
14
+ "Description": "An **access key** consists of an access key ID and a secret, which are used to sign programmatic requests that you make to Alibaba Cloud.\n\nRAM users need their own access keys to make programmatic calls from SDKs, CLIs, or direct API calls. It is recommended that all access keys be **regularly rotated**.",
15
+ "Risk": "Access keys might be compromised by leaving them in code, configuration files, on-premise and cloud storages, and then stolen by attackers.\n\n**Rotating access keys** reduces the window of opportunity for a compromised access key to be used.",
16
+ "RelatedUrl": "",
17
+ "AdditionalURLs": [
18
+ "https://www.alibabacloud.com/help/doc-detail/116401.htm",
19
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/access-keys-rotation.html"
20
+ ],
21
+ "Remediation": {
22
+ "Code": {
23
+ "CLI": "aliyun ram CreateAccessKey --UserName <ram_user> && aliyun ram UpdateAccessKey --UserAccessKeyId <old_access_key_ID> --Status Inactive --UserName <ram_user> && aliyun ram DeleteAccessKey --UserAccessKeyId <old_access_key_ID> --UserName <ram_user>",
24
+ "NativeIaC": "",
25
+ "Other": "",
26
+ "Terraform": ""
27
+ },
28
+ "Recommendation": {
29
+ "Text": "1. Create a new **AccessKey pair** for rotation\n2. Update all applications and systems to use the new AccessKey pair\n3. **Disable** the original AccessKey pair\n4. Confirm that your applications and systems are working\n5. **Delete** the original AccessKey pair",
30
+ "Url": "https://hub.prowler.com/check/ram_rotate_access_key_90_days"
31
+ }
32
+ },
33
+ "Categories": [
34
+ "secrets"
35
+ ],
36
+ "DependsOn": [],
37
+ "RelatedTo": [],
38
+ "Notes": ""
39
+ }
prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.py ADDED
@@ -0,0 +1,58 @@
1
+ from datetime import datetime, timedelta, timezone
2
+
3
+ from prowler.lib.check.models import Check, CheckReportAlibabaCloud
4
+ from prowler.providers.alibabacloud.services.ram.ram_client import ram_client
5
+
6
+
7
+ class ram_rotate_access_key_90_days(Check):
8
+ """Check if access keys are rotated every 90 days or less."""
9
+
10
+ def execute(self) -> list[CheckReportAlibabaCloud]:
11
+ findings = []
12
+ # Use UTC timezone-aware datetime for consistent comparison
13
+ now = datetime.now(timezone.utc)
14
+ ninety_days_ago = now - timedelta(days=90)
15
+
16
+ for user in ram_client.users:
17
+ if user.access_keys:
18
+ for access_key in user.access_keys:
19
+ # Only check active access keys
20
+ if access_key.status == "Active":
21
+ report = CheckReportAlibabaCloud(
22
+ metadata=self.metadata(), resource=user
23
+ )
24
+ report.region = ram_client.region
25
+ report.resource_id = access_key.access_key_id
26
+ report.resource_arn = f"acs:ram::{ram_client.audited_account}:user/{user.name}/accesskey/{access_key.access_key_id}"
27
+
28
+ if access_key.create_date:
29
+ # Ensure create_date is timezone-aware for comparison
30
+ create_date = access_key.create_date
31
+ if create_date.tzinfo is None:
32
+ # If naive, assume UTC
33
+ create_date = create_date.replace(tzinfo=timezone.utc)
34
+
35
+ if create_date < ninety_days_ago:
36
+ report.status = "FAIL"
37
+ days_old = (now - create_date).days
38
+ report.status_extended = (
39
+ f"Access key {access_key.access_key_id} for user {user.name} "
40
+ f"has not been rotated in {days_old} days (more than 90 days)."
41
+ )
42
+ else:
43
+ report.status = "PASS"
44
+ days_old = (now - create_date).days
45
+ report.status_extended = (
46
+ f"Access key {access_key.access_key_id} for user {user.name} "
47
+ f"was created {days_old} days ago (within 90 days)."
48
+ )
49
+ else:
50
+ report.status = "PASS"
51
+ report.status_extended = (
52
+ f"Access key {access_key.access_key_id} for user {user.name} "
53
+ f"creation date is not available."
54
+ )
55
+
56
+ findings.append(report)
57
+
58
+ return findings