prowler-cloud 5.15.0__py3-none-any.whl → 5.16.0__py3-none-any.whl

prowler/providers/aws/services/memorydb/memorydb_cluster_auto_minor_version_upgrades/memorydb_cluster_auto_minor_version_upgrades.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "memorydb_cluster_auto_minor_version_upgrades",
-  "CheckTitle": "Ensure Memory DB clusters have minor version upgrade enabled.",
-  "CheckType": [],
+  "CheckTitle": "MemoryDB cluster has automatic minor version upgrades enabled",
+  "CheckType": [
+    "Software and Configuration Checks/Patch Management",
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "memorydb",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:memorydb:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsMemoryDb",
-  "Description": "Ensure Memory DB clusters have minor version upgrade enabled.",
-  "Risk": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.",
-  "RelatedUrl": "https://docs.aws.amazon.com/memorydb/latest/devguide/engine-versions.html",
+  "ResourceType": "Other",
+  "Description": "**MemoryDB clusters** are evaluated for the `auto_minor_version_upgrade` setting that automatically applies new minor engine versions.",
+  "Risk": "Without automatic minor upgrades, clusters may run **known-vulnerable engine versions**.\n- Exploitable CVEs enable unauthorized reads/writes (confidentiality, integrity)\n- Unpatched bugs can cause **DoS** or data loss (availability)\n- Version drift raises operational risk and slows incident response",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/memorydb/latest/devguide/engine-versions.html",
+    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws memorydb update-cluster --cluster-name <cluster-name> --auto-minor-version-upgrade ",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws memorydb update-cluster --cluster-name <cluster-name> --auto-minor-version-upgrade",
+      "NativeIaC": "```yaml\n# Enable automatic minor version upgrades for a MemoryDB cluster\nResources:\n  <example_resource_name>:\n    Type: AWS::MemoryDB::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      ACLName: <example_acl_name>\n      NodeType: <example_node_type>\n      NumShards: 1\n      AutoMinorVersionUpgrade: true  # Critical: enables automatic minor version upgrades\n```",
+      "Other": "1. In the AWS Console, go to MemoryDB > Clusters\n2. Select the cluster <cluster-name> and click Edit\n3. Enable \"Auto minor version upgrade\"\n4. Click Save changes",
+      "Terraform": "```hcl\nresource \"aws_memorydb_cluster\" \"<example_resource_name>\" {\n  name       = \"<example_resource_name>\"\n  acl_name   = \"<example_acl_name>\"\n  node_type  = \"<example_node_type>\"\n  num_shards = 1\n\n  auto_minor_version_upgrade = true  # Critical: enables automatic minor version upgrades\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable auto minor version upgrade for all Memory DB clusters.",
-      "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades"
+      "Text": "Enable **automatic minor version upgrades** (`auto_minor_version_upgrade=true`) for all clusters. Schedule updates in a maintenance window, validate in staging, and keep rollback plans. Apply **defense in depth** with strict ACLs and monitoring to limit exposure between releases.",
+      "Url": "https://hub.prowler.com/check/memorydb_cluster_auto_minor_version_upgrades"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/redshift/redshift_cluster_enhanced_vpc_routing/redshift_cluster_enhanced_vpc_routing.metadata.json

@@ -26,7 +26,7 @@
     }
   },
   "Categories": [
-    "trustboundaries"
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/s3/s3_bucket_shadow_resource_vulnerability/s3_bucket_shadow_resource_vulnerability.metadata.json

@@ -26,7 +26,7 @@
     }
   },
   "Categories": [
-    "trustboundaries"
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.metadata.json

@@ -1,32 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "servicecatalog_portfolio_shared_within_organization_only",
-  "CheckTitle": "Service Catalog portfolios should be shared within an AWS organization only",
+  "CheckTitle": "Service Catalog portfolio is shared only within the AWS Organization",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "TTPs/Initial Access/Unauthorized Access"
   ],
   "ServiceName": "servicecatalog",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:servicecatalog:{region}:{account-id}:portfolio/{portfolio-id}",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsServiceCatalogPortfolio",
-  "Description": "This control checks whether AWS Service Catalog shares portfolios within an organization when the integration with AWS Organizations is enabled. The control fails if portfolios aren't shared within an organization.",
-  "Risk": "Sharing Service Catalog portfolios outside of an organization may result in access granted to unintended AWS accounts, potentially exposing sensitive resources.",
-  "RelatedUrl": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html",
+  "ResourceType": "Other",
+  "Description": "**AWS Service Catalog portfolios** are assessed to confirm sharing occurs via **AWS Organizations** integration, not direct `ACCOUNT` shares. It reviews shared portfolios and identifies those targeted to individual accounts instead of organizational scopes.",
+  "Risk": "Sharing with individual accounts enables recipients to import and launch products outside centralized guardrails, inheriting launch roles. This can cause unauthorized provisioning, data exposure, and configuration drift-impacting confidentiality, integrity, and availability through misused privileges and uncontrolled costs.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws servicecatalog create-portfolio-share --portfolio-id <portfolio-id> --organization-ids <org-id>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Share Service Catalog portfolio only within the AWS Organization\nResources:\n  <example_resource_name>:\n    Type: AWS::ServiceCatalog::PortfolioShare\n    Properties:\n      PortfolioId: <example_resource_id>\n      OrganizationNode:               # CRITICAL: share within AWS Organizations\n        Type: ORGANIZATION            # Shares the portfolio with the entire org\n        Value: <example_resource_id>  # e.g., o-xxxxxxxxxx\n```",
+      "Other": "1. In the AWS Console, go to Service Catalog > Portfolios and open the target portfolio\n2. Open the Shares/Sharing tab\n3. Remove every share of Type \"Account\" (stop sharing with each account)\n4. Click Share, choose \"AWS Organizations\", set Type to \"Organization\", enter your Org ID (o-xxxxxxxxxx), and share\n5. Verify no remaining shares of Type \"Account\" exist",
+      "Terraform": "```hcl\n# Share Service Catalog portfolio only within the AWS Organization\nresource \"aws_servicecatalog_portfolio_share\" \"<example_resource_name>\" {\n  portfolio_id = \"<example_resource_id>\"\n\n  organization_node {           # CRITICAL: share within AWS Organizations\n    type  = \"ORGANIZATION\"     # Shares the portfolio with the entire org\n    value = \"<example_resource_id>\"  # e.g., o-xxxxxxxxxx\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure AWS Service Catalog to share portfolios only within your AWS Organization for more secure access management.",
-      "Url": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html"
+      "Text": "Prefer **organizational sharing** for portfolios and avoid `ACCOUNT` targets. Enforce **least privilege** on portfolio access and launch roles, and review shares regularly. Apply **separation of duties** and **defense in depth** so only governed accounts consume products and blast radius remains constrained.",
+      "Url": "https://hub.prowler.com/check/servicecatalog_portfolio_shared_within_organization_only"
     }
   },
   "Categories": [
-    "trustboundaries"
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/sns/sns_subscription_not_using_http_endpoints/sns_subscription_not_using_http_endpoints.metadata.json

@@ -1,26 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "sns_subscription_not_using_http_endpoints",
-  "CheckTitle": "Ensure there are no SNS subscriptions using HTTP endpoints",
-  "CheckType": [],
+  "CheckTitle": "SNS subscription uses an HTTPS endpoint",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "sns",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:sns:region:account-id:topic",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsSnsTopic",
-  "Description": "Ensure there are no SNS subscriptions using HTTP endpoints",
-  "Risk": "When you use HTTPS, messages are automatically encrypted during transit, even if the SNS topic itself isn't encrypted. Without HTTPS, a network-based attacker can eavesdrop on network traffic or manipulate it using an attack such as man-in-the-middle.",
-  "RelatedUrl": "https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit",
+  "Description": "Amazon SNS subscriptions are evaluated for endpoint protocol. Subscriptions using `http` are identified, while **HTTPS** endpoints indicate encrypted delivery in transit.",
+  "Risk": "Using **HTTP** leaves SNS deliveries unencrypted, compromising **confidentiality** via eavesdropping. MITM attackers can modify payloads or headers, damaging **integrity**, inject malicious content into downstream systems, or capture subscription data for spoofing and unauthorized actions.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html",
+    "https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Ensure SNS subscription uses HTTPS\nResources:\n  <example_resource_name>:\n    Type: AWS::SNS::Subscription\n    Properties:\n      TopicArn: <example_resource_id>\n      Protocol: https              # Critical: use HTTPS protocol to remediate HTTP usage\n      Endpoint: https://<example_endpoint>  # Critical: HTTPS endpoint URL\n```",
+      "Other": "1. Open the Amazon SNS console and go to Subscriptions\n2. Select the subscription with Protocol set to HTTP and click Delete\n3. Click Create subscription\n4. Choose the same Topic ARN, set Protocol to HTTPS, and enter your HTTPS endpoint URL\n5. Create the subscription and confirm it from your endpoint if required",
+      "Terraform": "```hcl\n# Terraform: Ensure SNS subscription uses HTTPS\nresource \"aws_sns_topic_subscription\" \"<example_resource_name>\" {\n  topic_arn = \"<example_resource_id>\"\n  protocol  = \"https\"                      # Critical: enforce HTTPS protocol\n  endpoint  = \"https://<example_endpoint>\" # Critical: HTTPS endpoint URL\n}\n```"
     },
     "Recommendation": {
-      "Text": "To enforce only encrypted connections over HTTPS, add the aws:SecureTransport condition in the IAM policy that's attached to unencrypted SNS topics. This forces message publishers to use HTTPS instead of HTTP",
-      "Url": "https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit"
+      "Text": "Require **HTTPS** for all SNS subscription endpoints. Prefer domain-based endpoints, verify SNS message signatures, and apply **least privilege**. Enforce TLS using IAM conditions like `aws:SecureTransport`, and use private connectivity (VPC endpoints) where possible for defense in depth.",
+      "Url": "https://hub.prowler.com/check/sns_subscription_not_using_http_endpoints"
     }
   },
   "Categories": [

prowler/providers/aws/services/sns/sns_topics_kms_encryption_at_rest_enabled/sns_topics_kms_encryption_at_rest_enabled.metadata.json

@@ -1,26 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "sns_topics_kms_encryption_at_rest_enabled",
-  "CheckTitle": "Ensure there are no SNS Topics unencrypted",
-  "CheckType": [],
+  "CheckTitle": "SNS topic is encrypted at rest with KMS",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Software and Configuration Checks/Industry and Regulatory Standards/ISO 27001 Controls"
+  ],
   "ServiceName": "sns",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:sns:region:account-id:topic",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsSnsTopic",
-  "Description": "Ensure there are no SNS Topics unencrypted",
-  "Risk": "If not enabled sensitive information at rest is not protected.",
-  "RelatedUrl": "https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html",
+  "Description": "**Amazon SNS topics** are assessed for **server-side encryption** with **AWS KMS**. Topics lacking a configured KMS key (e.g., missing `kms_master_key_id`) are identified as unencrypted at rest.",
+  "Risk": "Without KMS-backed SSE, SNS stores message bodies unencrypted at rest, undermining **confidentiality**.\n\nPrivileged insiders or compromised service components could access plaintext during persistence windows, causing data exposure. You also lose KMS controls such as key policies, rotation, and detailed audit trails.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/SNS/topic-encrypted-with-kms-customer-master-keys.html",
+    "https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws sns set-topic-attributes --topic-arn <TOPIC_ARN> --attribute-name 'KmsMasterKeyId' --attribute-value <KEY>",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_15#cloudformation",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/SNS/topic-encrypted-with-kms-customer-master-keys.html",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_15#terraform"
+      "CLI": "aws sns set-topic-attributes --topic-arn <TOPIC_ARN> --attribute-name KmsMasterKeyId --attribute-value alias/aws/sns",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable SSE for an SNS topic\nResources:\n  <example_resource_name>:\n    Type: AWS::SNS::Topic\n    Properties:\n      KmsMasterKeyId: alias/aws/sns  # Critical: Enables encryption at rest with AWS managed KMS key\n```",
+      "Other": "1. Open the AWS Console and go to Amazon SNS > Topics\n2. Select the topic and click Edit\n3. Under Encryption, enable encryption and choose the AWS managed key for SNS (alias/aws/sns)\n4. Click Save changes",
+      "Terraform": "```hcl\n# Enable SSE for an SNS topic\nresource \"aws_sns_topic\" \"<example_resource_name>\" {\n  name               = \"<example_resource_name>\"\n  kms_master_key_id  = \"alias/aws/sns\" # Critical: Enables encryption at rest\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use Amazon SNS with AWS KMS.",
-      "Url": "https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html"
+      "Text": "Enable **server-side encryption** on all SNS topics with **AWS KMS**; prefer **customer-managed keys** for control.\n\nApply **least privilege** on key use, enforce rotation, and monitor key/access logs. Minimize sensitive data in messages and use end-to-end encryption *where feasible* to add defense in depth.",
+      "Url": "https://hub.prowler.com/check/sns_topics_kms_encryption_at_rest_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.metadata.json

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "sns_topics_not_publicly_accessible",
-  "CheckTitle": "Check if SNS topics have policy set as Public",
-  "CheckType": [],
+  "CheckTitle": "SNS topic is not publicly accessible",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure",
+    "TTPs/Initial Access"
+  ],
   "ServiceName": "sns",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:sns:region:account-id:topic",
+  "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "AwsSnsTopic",
-  "Description": "Check if SNS topics have policy set as Public",
-  "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html",
+  "Description": "**SNS topic policies** are analyzed for **public principals** (e.g., `*`). Topics that grant access without restrictive conditions such as `aws:SourceArn`, `aws:SourceAccount`, `aws:PrincipalOrgID`, or `sns:Endpoint` scoping are treated as publicly accessible.",
+  "Risk": "**Public SNS topics** allow anyone or unknown accounts to:\n- **Subscribe** and siphon messages (confidentiality)\n- **Publish** spoofed payloads that alter workflows (integrity)\n- **Flood** messages causing outages and costs (availability)\nThey also enable cross-account abuse and bypass expected trust boundaries.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/SNS/topics-everyone-publish.html",
+    "https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/SNS/topics-everyone-publish.html",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-sns-topic-policy-is-not-public-by-only-allowing-specific-services-or-principals-to-access-it#terraform"
+      "CLI": "aws sns set-topic-attributes --topic-arn <TOPIC_ARN> --attribute-name Policy --attribute-value '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<ACCOUNT_ID>:root\"},\"Action\":\"sns:Publish\",\"Resource\":\"<TOPIC_ARN>\"}]}'",
+      "NativeIaC": "```yaml\n# CloudFormation: restrict SNS topic policy to the account (not public)\nResources:\n  <example_resource_name>:\n    Type: AWS::SNS::TopicPolicy\n    Properties:\n      Topics:\n        - arn:aws:sns:<region>:<account_id>:<example_resource_name>\n      PolicyDocument:\n        Version: '2012-10-17'\n        Statement:\n          - Effect: Allow\n            Action: sns:Publish\n            Resource: arn:aws:sns:<region>:<account_id>:<example_resource_name>\n            Principal:\n              AWS: arn:aws:iam::<account_id>:root  # Critical: restrict to account root to remove public access\n```",
+      "Other": "1. Open the Amazon SNS console and select Topics\n2. Choose the topic and go to the Access policy tab\n3. Edit the policy and remove any Principal set to \"*\" (Everyone/Public)\n4. Add a statement allowing only your account root: Principal = arn:aws:iam::<ACCOUNT_ID>:root with Action sns:Publish and Resource set to the topic ARN\n5. Save changes",
+      "Terraform": "```hcl\n# Restrict SNS topic policy to the account (not public)\nresource \"aws_sns_topic_policy\" \"<example_resource_name>\" {\n  arn    = \"<TOPIC_ARN>\"\n  policy = jsonencode({\n    Version   = \"2012-10-17\"\n    Statement = [{\n      Effect    = \"Allow\"\n      Action    = \"sns:Publish\"\n      Resource  = \"<TOPIC_ARN>\"\n      Principal = { AWS = \"arn:aws:iam::<ACCOUNT_ID>:root\" } # Critical: restrict principal to the account to remove public access\n    }]\n  })\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure there is a business requirement for service to be public.",
-      "Url": "https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html"
+      "Text": "Restrict the **topic policy** to specific principals and minimal actions:\n- Avoid `Principal:*`\n- Allow only needed actions (e.g., `sns:Publish`)\n- Add conditions like `aws:SourceArn`, `aws:SourceAccount`, `aws:PrincipalOrgID`, or `sns:Endpoint`\nApply **least privilege**, separate duties, and review policies regularly.",
+      "Url": "https://hub.prowler.com/check/sns_topics_not_publicly_accessible"
     }
   },
   "Categories": [

prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.metadata.json

@@ -1,26 +1,32 @@
 {
   "Provider": "aws",
   "CheckID": "trustedadvisor_errors_and_warnings",
-  "CheckTitle": "Check Trusted Advisor for errors and warnings.",
-  "CheckType": [],
+  "CheckTitle": "Trusted Advisor check has no errors or warnings",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "trustedadvisor",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:service:region:account-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "Other",
-  "Description": "Check Trusted Advisor for errors and warnings.",
-  "Risk": "Improve the security of your application by closing gaps, enabling various AWS security features and examining your permissions.",
-  "RelatedUrl": "https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/",
+  "Description": "**AWS Trusted Advisor** check statuses are assessed to identify items in `warning` or `error`. The finding reflects the state reported by Trusted Advisor across categories such as **Security**, **Fault Tolerance**, **Service Limits**, and **Cost**, indicating where configurations or quotas require attention.",
+  "Risk": "Unaddressed **warnings/errors** can leave misconfigurations that impact CIA:\n- **Confidentiality**: public access or weak auth exposes data\n- **Integrity**: overly permissive settings allow unwanted changes\n- **Availability**: limit exhaustion or poor resilience triggers outages\nThey can also increase unnecessary cost.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/TrustedAdvisor/checks.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/TrustedAdvisor/checks.html",
+      "Other": "1. Sign in to the AWS Console and open Trusted Advisor\n2. Go to Checks and filter Status to Warning and Error\n3. Open each failing check and click View details/Recommended actions\n4. Apply the listed fix to the affected resources\n5. Click Refresh on the check and repeat until all checks show OK",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Review and act upon its recommendations.",
-      "Url": "https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/"
+      "Text": "Adopt a continuous process to remediate Trusted Advisor findings:\n- Prioritize **`error`** then `warning`\n- Assign ownership and SLAs\n- Integrate alerts with workflows\n- Enforce **least privilege**, segmentation, encryption, MFA, and tested backups\n- Reassess regularly to confirm fixes and prevent regression",
+      "Url": "https://hub.prowler.com/check/trustedadvisor_errors_and_warnings"
     }
   },
   "Categories": [],

prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.metadata.json

@@ -1,29 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "trustedadvisor_premium_support_plan_subscribed",
-  "CheckTitle": "Check if a Premium support plan is subscribed",
-  "CheckType": [],
+  "CheckTitle": "AWS account is subscribed to an AWS Premium Support plan",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
   "ServiceName": "trustedadvisor",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:iam::AWS_ACCOUNT_NUMBER:root",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "Other",
-  "Description": "Check if a Premium support plan is subscribed.",
-  "Risk": "Ensure that the appropriate support level is enabled for the necessary AWS accounts. For example, if an AWS account is being used to host production systems and environments, it is highly recommended that the minimum AWS Support Plan should be Business.",
-  "RelatedUrl": "https://aws.amazon.com/premiumsupport/plans/",
+  "Description": "**AWS account** is subscribed to an **AWS Premium Support plan** (e.g., Business or Enterprise)",
+  "Risk": "Without **Premium Support**, critical incidents face slower response, reducing **availability** and delaying containment of security events. Limited Trusted Advisor coverage lets **misconfigurations** persist, risking **data exposure** and **privilege misuse**. Lack of expert guidance increases change risk during production impacts.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Support/support-plan.html",
+    "https://aws.amazon.com/premiumsupport/plans/"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Support/support-plan.html",
+      "Other": "1. Sign in to the AWS Management Console as the account root user\n2. Open https://console.aws.amazon.com/support/home#/plans\n3. Click \"Change plan\"\n4. Select \"Business Support\" (or higher) and click \"Continue\"\n5. Review and confirm the upgrade",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "It is recommended that you subscribe to the AWS Business Support tier or higher for all of your AWS production accounts. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster.",
-      "Url": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Support/support-plan.html"
+      "Text": "Adopt **Business** or higher for production and mission-critical accounts.\n- Integrate Support into IR with defined contacts/severity\n- Enforce **least privilege** for case access\n- Use Trusted Advisor for proactive hardening\n- If opting out, ensure an equivalent 24/7 support and escalation path",
+      "Url": "https://hub.prowler.com/check/trustedadvisor_premium_support_plan_subscribed"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.metadata.json

@@ -26,7 +26,7 @@
     }
   },
   "Categories": [
-    "trustboundaries"
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.metadata.json

@@ -26,7 +26,7 @@
     }
   },
   "Categories": [
-    "trustboundaries"
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.metadata.json

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "waf_global_rule_with_conditions",
-  "CheckTitle": "AWS WAF Classic Global Rules Should Have at Least One Condition.",
+  "CheckTitle": "AWS WAF Classic Global rule has at least one condition",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "waf",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:waf:account-id:rule/rule-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsWafRule",
-  "Description": "Ensure that every AWS WAF Classic Global Rule contains at least one condition.",
-  "Risk": "An AWS WAF Classic Global rule without any conditions cannot inspect or filter traffic, potentially allowing malicious requests to pass unchecked.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rule-not-empty.html",
+  "Description": "**AWS WAF Classic global rules** contain at least one **condition** that matches HTTP(S) requests the rule evaluates for action (e.g., `allow`, `block`, `count`).",
+  "Risk": "**No-condition rules** never match traffic, providing no filtering. Malicious requests (SQLi/XSS, bots) can reach origins, impacting **confidentiality** (data exfiltration), **integrity** (tampering), and **availability** (service disruption). They may also create a false sense of coverage.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-editing.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-6",
+    "https://docs.aws.amazon.com/config/latest/developerguide/waf-global-rule-not-empty.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws waf update-rule --rule-id <your-rule-id> --change-token <your-change-token> --updates '[{\"Action\":\"INSERT\",\"Predicate\":{\"Negated\":false,\"Type\":\"IPMatch\",\"DataId\":\"<your-ipset-id>\"}}]' --region <your-region>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-6",
-      "Terraform": ""
+      "CLI": "aws waf update-rule --rule-id <example_resource_id> --change-token <example_change_token> --updates '[{\"Action\":\"INSERT\",\"Predicate\":{\"Negated\":false,\"Type\":\"IPMatch\",\"DataId\":\"<example_resource_id>\"}}]' --region us-east-1",
+      "NativeIaC": "```yaml\n# CloudFormation: ensure the WAF Classic Global rule has at least one condition\nResources:\n  <example_resource_name>:\n    Type: AWS::WAF::Rule\n    Properties:\n      Name: <example_resource_name>\n      MetricName: <example_metric_name>\n      # Critical: add at least one predicate (condition) so the rule is not empty\n      Predicates:\n        - Negated: false  # evaluate as-is\n          Type: IPMatch\n          DataId: <example_resource_id>  # existing IPSet ID\n```",
+      "Other": "1. Open the AWS Console > AWS WAF, then click Switch to AWS WAF Classic\n2. In Global (CloudFront) scope, go to Rules and select the target rule\n3. Click Edit (or Add rule) > Add condition\n4. Choose a condition type (e.g., IP match), select an existing condition, set it to does (not negated)\n5. Click Update/Save to apply\n",
+      "Terraform": "```hcl\n# Ensure the WAF Classic Global rule has at least one condition\nresource \"aws_waf_rule\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  metric_name = \"<example_metric_name>\"\n\n  # Critical: add at least one predicate (condition) so the rule is not empty\n  predicate {\n    data_id = \"<example_resource_id>\"  # existing IPSet ID\n    negated = false\n    type    = \"IPMatch\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that every AWS WAF Classic Global rule has at least one condition to properly inspect and manage web traffic.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-editing.html"
+      "Text": "Attach at least one precise **condition** to every rule, aligned to known threats and application context. Apply **least privilege** for traffic, use managed rule groups for **defense in depth**, and routinely review rules to remove placeholders. *If on Classic*, plan migration to WAFv2.",
+      "Url": "https://hub.prowler.com/check/waf_global_rule_with_conditions"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/waf/waf_global_rulegroup_not_empty/waf_global_rulegroup_not_empty.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "waf_global_rulegroup_not_empty",
-  "CheckTitle": "Check if AWS WAF Classic Global rule group has at least one rule.",
+  "CheckTitle": "AWS WAF Classic global rule group has at least one rule",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "waf",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:waf::account-id:rulegroup/rule-group-name/rule-group-id",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsWafRuleGroup",
-  "Description": "Ensure that every AWS WAF Classic Global rule group contains at least one rule.",
-  "Risk": "A WAF Classic Global rule group without any rules allows all incoming traffic to bypass inspection, increasing the risk of unauthorized access and potential attacks on resources.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html",
+  "Description": "**AWS WAF Classic global rule groups** are assessed for the presence of **one or more rules**. Empty groups are identified even when referenced by a web ACL, meaning the group adds no match logic.",
+  "Risk": "An empty rule group performs no inspection, so web requests pass without WAF scrutiny. This creates blind spots enabling:\n- **Confidentiality**: data exfiltration via SQLi/XSS\n- **Integrity**: parameter tampering\n- **Availability**: bot abuse and layer-7 DoS\n\nIt also creates a false sense of protection when attached.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-7",
+    "https://docs.aws.amazon.com/waf/latest/developerguide/classic-rule-group-editing.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws waf update-rule-group --rule-group-id <rule-group-id> --updates Action=INSERT,ActivatedRule={Priority=1,RuleId=<rule-id>,Action={Type=BLOCK}} --change-token <change-token> --region <region>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-7",
-      "Terraform": ""
+      "CLI": "aws waf update-rule-group --rule-group-id <rule-group-id> --updates Action=INSERT,ActivatedRule={Priority=1,RuleId=<rule-id>,Action={Type=BLOCK}} --change-token <change-token> --region us-east-1",
+      "NativeIaC": "```yaml\n# CloudFormation: ensure the WAF Classic global rule group has at least one rule\nResources:\n  <example_resource_name>:\n    Type: AWS::WAF::RuleGroup\n    Properties:\n      Name: <example_resource_name>\n      MetricName: examplemetric\n      ActivatedRules:\n        - Priority: 1                 # Critical: adds a rule to the group (makes it non-empty)\n          RuleId: <example_resource_id>  # Critical: ID of the existing rule to add\n          Action:\n            Type: BLOCK              # Critical: required action when activating the rule\n```",
+      "Other": "1. Open the AWS Console and go to AWS WAF, then switch to AWS WAF Classic\n2. At the top, set scope to Global (CloudFront)\n3. Go to Rule groups and select the target rule group\n4. Click Edit rule group\n5. Select an existing rule, choose its action (e.g., BLOCK), and click Add rule to rule group\n6. Click Update to save",
+      "Terraform": "```hcl\n# Terraform: ensure the WAF Classic global rule group has at least one rule\nresource \"aws_waf_rule_group\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  metric_name = \"examplemetric\"\n\n  activated_rule {\n    priority = 1                      # Critical: adds a rule to the group (makes it non-empty)\n    rule_id  = \"<example_resource_id>\" # Critical: ID of the existing rule to add\n    action {\n      type = \"BLOCK\"                 # Critical: required action when activating the rule\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that every AWS WAF Classic Global rule group contains at least one rule to enforce traffic inspection and defined actions such as allow, block, or count.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-rule-group-editing.html"
+      "Text": "Populate each rule group with **effective rules** aligned to application threats; choose `block` or `count` actions as appropriate. Prefer **managed rule groups** as a baseline and layer custom rules for **least privilege**. Avoid placeholder groups, test in staging, and monitor metrics to tune.",
+      "Url": "https://hub.prowler.com/check/waf_global_rulegroup_not_empty"
     }
   },
   "Categories": [],

prowler/providers/aws/services/waf/waf_global_webacl_logging_enabled/waf_global_webacl_logging_enabled.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "waf_global_webacl_logging_enabled",
-  "CheckTitle": "Check if AWS WAF Classic Global WebACL has logging enabled.",
+  "CheckTitle": "AWS WAF Classic Global Web ACL has logging enabled",
   "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "waf",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:waf:account-id:webacl/web-acl-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsWafWebAcl",
-  "Description": "Ensure that every AWS WAF Classic Global WebACL has logging enabled.",
-  "Risk": "Without logging enabled, there is no visibility into traffic patterns or potential security threats, which limits the ability to troubleshoot and monitor web traffic effectively.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-incident-response.html",
+  "Description": "**AWS WAF Classic global Web ACLs** have **logging** enabled to capture evaluated web requests and rule actions for each ACL",
+  "Risk": "Without **WAF logging**, you lose **visibility** into attacks (SQLi/XSS probes, bots, brute-force) and into allow/block decisions, limiting detection and forensics. This degrades **confidentiality**, **integrity**, and **availability**, and slows incident response and tuning.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/waf/latest/developerguide/classic-logging.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-1",
+    "https://docs.aws.amazon.com/cli/latest/reference/waf/put-logging-configuration.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws waf put-logging-configuration --logging-configuration ResourceArn=<web-acl-arn>,LogDestinationConfigs=<log-destination-arn>",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_31/",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-1",
+      "CLI": "aws waf put-logging-configuration --logging-configuration ResourceArn=<web_acl_arn>,LogDestinationConfigs=<kinesis_firehose_delivery_stream_arn>",
+      "NativeIaC": "",
+      "Other": "1. In the AWS console, create an Amazon Kinesis Data Firehose delivery stream named starting with \"aws-waf-logs-\" (for CloudFront/global, create it in us-east-1)\n2. Open the AWS WAF console and switch to AWS WAF Classic\n3. Select Filter: Global (CloudFront) and go to Web ACLs\n4. Open the target Web ACL and go to the Logging tab\n5. Click Enable logging and select the Firehose delivery stream created in step 1\n6. Click Enable/Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Ensure logging is enabled for AWS WAF Classic Global Web ACLs to capture traffic details and maintain compliance.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-logging.html"
+      "Text": "Enable **logging** on all global Web ACLs and send records to a centralized logging platform. Apply **least privilege** to log destinations and redact sensitive fields. Monitor and alert on anomalies, and integrate logs with incident response for **defense in depth** and faster containment.",
+      "Url": "https://hub.prowler.com/check/waf_global_webacl_logging_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""