prowler-cloud 5.15.1__py3-none-any.whl → 5.16.0__py3-none-any.whl

prowler/providers/aws/services/waf/waf_global_webacl_with_rules/waf_global_webacl_with_rules.metadata.json

@@ -1,28 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "waf_global_webacl_with_rules",
-  "CheckTitle": "Check if AWS WAF Classic Global WebACL has at least one rule or rule group.",
+  "CheckTitle": "AWS WAF Classic global Web ACL has at least one rule or rule group",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "waf",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:waf:account-id:webacl/web-acl-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsWafWebAcl",
-  "Description": "Ensure that every AWS WAF Classic Global WebACL contains at least one rule or rule group.",
-  "Risk": "An empty AWS WAF Classic Global web ACL allows all web traffic to bypass inspection, potentially exposing resources to unauthorized access and attacks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html",
+  "Description": "**AWS WAF Classic global web ACLs** are evaluated for the presence of at least one **rule** or **rule group** that inspects HTTP(S) requests",
+  "Risk": "With no rules, the web ACL relies solely on its default action. If `allow`, hostile traffic reaches origins uninspected; if `block`, legitimate traffic can be denied.\n- SQLi/XSS can expose data (confidentiality)\n- Malicious requests can alter state (integrity)\n- Bots and scraping can drain resources (availability)",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-8",
+    "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-editing.html",
+    "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws waf update-web-acl --web-acl-id <your-web-acl-id> --change-token <your-change-token> --updates '[{\"Action\":\"INSERT\",\"ActivatedRule\":{\"Priority\":1,\"RuleId\":\"<your-rule-id>\",\"Action\":{\"Type\":\"BLOCK\"}}}]' --default-action Type=ALLOW --region <your-region>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-8",
-      "Terraform": ""
+      "CLI": "aws waf update-web-acl --web-acl-id <WEB_ACL_ID> --change-token <CHANGE_TOKEN> --updates '[{\"Action\":\"INSERT\",\"ActivatedRule\":{\"Priority\":1,\"RuleId\":\"<RULE_ID>\",\"Action\":{\"Type\":\"BLOCK\"}}}]'",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::WAF::WebACL\n    Properties:\n      Name: <example_resource_name>\n      MetricName: <example_metric_name>\n      DefaultAction:\n        Type: ALLOW\n      Rules:\n        - Action:\n            Type: BLOCK\n          Priority: 1\n          RuleId: <example_rule_id>  # Critical: Adds a rule so the Web ACL is not empty\n          # This ensures the Web ACL has at least one rule, changing FAIL to PASS\n```",
+      "Other": "1. Open the AWS console and go to WAF\n2. In the left menu, click Switch to AWS WAF Classic\n3. At the top, set Filter to Global (CloudFront)\n4. Click Web ACLs and select your web ACL\n5. On the Rules tab, click Edit web ACL\n6. In Rules, select an existing rule or rule group and click Add rule to web ACL\n7. Click Save changes",
+      "Terraform": "```hcl\nresource \"aws_waf_web_acl\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  metric_name = \"<example_metric_name>\"\n\n  default_action {\n    type = \"ALLOW\"\n  }\n\n  rules { # Critical: Adds at least one rule so the Web ACL is not empty\n    priority = 1\n    rule_id  = \"<example_rule_id>\"\n    type     = \"REGULAR\"\n    action {\n      type = \"BLOCK\"\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that every AWS WAF Classic Global web ACL includes at least one rule or rule group to monitor and control web traffic effectively.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-editing.html"
+      "Text": "Populate each global web ACL with effective protections:\n- Use rule groups and targeted rules (managed, rate-based, IP sets)\n- Apply least privilege: default `block` where feasible; explicitly `allow` required traffic\n- Layer defenses and enable logging to tune policies\n- *Consider migrating to WAFv2*",
+      "Url": "https://hub.prowler.com/check/waf_global_webacl_with_rules"
     }
   },
   "Categories": [],

prowler/providers/aws/services/waf/waf_regional_rule_with_conditions/waf_regional_rule_with_conditions.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "waf_regional_rule_with_conditions",
-  "CheckTitle": "AWS WAF Classic Regional Rules Should Have at Least One Condition.",
+  "CheckTitle": "AWS WAF Classic Regional rule has at least one condition",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "waf",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:waf-regional:region:account-id:rule/rule-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsWafRegionalRule",
-  "Description": "Ensure that every AWS WAF Classic Regional Rule contains at least one condition.",
-  "Risk": "An AWS WAF Classic Regional rule without any conditions cannot inspect or filter traffic, potentially allowing malicious requests to pass unchecked.",
-  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rule-not-empty.html",
+  "Description": "**AWS WAF Classic Regional rules** have one or more **conditions (predicates)** attached (IP, byte/regex, geo, size, SQLi/XSS) to define which requests the rule evaluates",
+  "Risk": "An empty rule never matches, letting traffic bypass that control. This weakens defense-in-depth and can impact **confidentiality** (data exfiltration), **integrity** (SQLi/XSS), and **availability** (missing rate/size limits), depending on Web ACL order and default action.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-editing.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-2",
+    "https://docs.aws.amazon.com/config/latest/developerguide/waf-regional-rule-not-empty.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws waf-regional update-rule --rule-id <your-rule-id> --change-token <your-change-token> --updates '[{\"Action\":\"INSERT\",\"Predicate\":{\"Negated\":false,\"Type\":\"IPMatch\",\"DataId\":\"<your-ipset-id>\"}}]' --region <your-region>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-2",
-      "Terraform": ""
+      "CLI": "aws waf-regional update-rule --rule-id <example_rule_id> --change-token $(aws waf-regional get-change-token --query ChangeToken --output text) --updates '[{\"Action\":\"INSERT\",\"Predicate\":{\"Negated\":false,\"Type\":\"IPMatch\",\"DataId\":\"<example_ipset_id>\"}}]'",
+      "NativeIaC": "```yaml\n# Add at least one condition to a WAF Classic Regional Rule\nResources:\n  <example_resource_name>:\n    Type: AWS::WAFRegional::Rule\n    Properties:\n      Name: <example_resource_name>\n      MetricName: <example_metric_name>\n      Predicates:\n        - Negated: false         # CRITICAL: ensures the predicate is applied as-is\n          Type: IPMatch          # CRITICAL: predicate type\n          DataId: <example_ipset_id>  # CRITICAL: attaches an existing IP set as a condition\n```",
+      "Other": "1. Open the AWS Console and go to AWS WAF, then select Switch to AWS WAF Classic\n2. In the left pane, choose Regional and click Rules\n3. Select the target rule and choose Add rule\n4. Click Add condition, set When a request to does, choose IP match (or another type), and select an existing condition (e.g., an IP set)\n5. Click Update to save the rule with the condition",
+      "Terraform": "```hcl\n# WAF Classic Regional rule with at least one condition\nresource \"aws_wafregional_rule\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  metric_name = \"<example_metric_name>\"\n\n  predicate {                        \n    data_id = \"<example_ipset_id>\"  # CRITICAL: attaches existing IP set as the condition\n    type    = \"IPMatch\"             # CRITICAL: predicate type\n    negated = false                  # CRITICAL: apply condition directly\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that every AWS WAF Classic Regional rule has at least one condition to properly inspect and manage web traffic.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-editing.html"
+      "Text": "Define precise **conditions** for each rule (e.g., IP, pattern, geo, size) and avoid placeholder rules. Apply **least privilege** filtering, review rule order, and use layered controls for **defense in depth**. Regularly validate and monitor rule effectiveness.",
+      "Url": "https://hub.prowler.com/check/waf_regional_rule_with_conditions"
     }
   },
   "Categories": [],

prowler/providers/aws/services/waf/waf_regional_rulegroup_not_empty/waf_regional_rulegroup_not_empty.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "waf_regional_rulegroup_not_empty",
-  "CheckTitle": "Check if AWS WAF Classic Regional rule group has at least one rule.",
+  "CheckTitle": "AWS WAF Classic Regional rule group has at least one rule",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "waf",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:waf::account-id:rulegroup/rule-group-name/rule-group-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsWafRegionalRuleGroup",
-  "Description": "Ensure that every AWS WAF Classic Regional rule group contains at least one rule.",
-  "Risk": "A WAF Classic Regional rule group without any rules allows all incoming traffic to bypass inspection, increasing the risk of unauthorized access and potential attacks on resources.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html",
+  "Description": "**AWS WAF Classic Regional rule groups** are evaluated to confirm they contain at least one **rule**. Groups with no rule entries are considered empty.",
+  "Risk": "An empty rule group contributes no filtering in a web ACL, letting requests bypass inspection within that group. This erodes **defense in depth** and can enable injection, brute-force, or bot traffic to reach applications, threatening **confidentiality**, **integrity**, and **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/cli/latest/reference/waf-regional/update-rule-group.html",
+    "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-3"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws waf-regional update-rule-group --rule-group-id <rule-group-id> --updates Action=INSERT,ActivatedRule={Priority=1,RuleId=<rule-id>,Action={Type=BLOCK}} --change-token <change-token> --region <region>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-3",
-      "Terraform": ""
+      "CLI": "aws waf-regional update-rule-group --rule-group-id <rule-group-id> --updates Action=INSERT,ActivatedRule={Priority=1,RuleId=<rule-id>,Action={Type=BLOCK}} --change-token <change-token>",
+      "NativeIaC": "```yaml\n# CloudFormation: Ensure WAF Classic Regional Rule Group has at least one rule\nResources:\n  <example_resource_name>:\n    Type: AWS::WAFRegional::RuleGroup\n    Properties:\n      Name: <example_resource_name>\n      MetricName: <example_resource_name>\n      ActivatedRules:\n        - Priority: 1  # Critical: adds a rule so the rule group is not empty\n          RuleId: <example_resource_id>  # Critical: references an existing rule to include in the group\n          Action:\n            Type: BLOCK\n```",
+      "Other": "1. In the AWS Console, go to AWS WAF & Shield and switch to AWS WAF Classic\n2. Select the correct Region, then choose Rule groups\n3. Open the target rule group and click Edit rule group\n4. Click Add rule to rule group, select an existing rule, choose an action (e.g., BLOCK), and click Update\n5. Save changes to ensure the rule group contains at least one rule",
+      "Terraform": "```hcl\n# Ensure WAF Classic Regional Rule Group has at least one rule\nresource \"aws_wafregional_rule_group\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  metric_name = \"<example_resource_name>\"\n\n  # Critical: adds a rule so the rule group is not empty\n  activated_rule {\n    priority = 1\n    rule_id  = \"<example_resource_id>\"  # existing rule ID\n    action {\n      type = \"BLOCK\"\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that every AWS WAF Classic Regional rule group contains at least one rule to enforce traffic inspection and defined actions such as allow, block, or count.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-rule-group-editing.html"
+      "Text": "Apply **least privilege**: populate each rule group with vetted rules aligned to your threat model, using `ALLOW`, `BLOCK`, or `COUNT` actions as appropriate. Remove or disable unused groups to avoid false assurance. Validate behavior in staging and monitor metrics to maintain **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/waf_regional_rulegroup_not_empty"
     }
   },
   "Categories": [],

prowler/providers/aws/services/waf/waf_regional_webacl_with_rules/waf_regional_webacl_with_rules.metadata.json

@@ -1,28 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "waf_regional_webacl_with_rules",
-  "CheckTitle": "Check if AWS WAF Classic Regional WebACL has at least one rule or rule group.",
+  "CheckTitle": "AWS WAF Classic Regional Web ACL has at least one rule or rule group",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "waf",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:waf-regional:region:account-id:webacl/web-acl-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsWafRegionalWebAcl",
-  "Description": "Ensure that every AWS WAF Classic Regional WebACL contains at least one rule or rule group.",
-  "Risk": "An empty AWS WAF Classic Regional web ACL allows all web traffic to bypass inspection, potentially exposing resources to unauthorized access and attacks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html",
+  "Description": "**AWS WAF Classic Regional web ACL** contains at least one **rule** or **rule group** to inspect and act on HTTP(S) requests. An ACL with no entries is considered empty.",
+  "Risk": "With no rules, the web ACL performs no inspection, letting malicious traffic through.\n- **Confidentiality**: data exposure via SQLi/XSS\n- **Integrity**: unauthorized actions or tampering\n- **Availability**: abuse/bot traffic causing degradation or denial",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-4",
+    "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-editing.html",
+    "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws waf-regional update-web-acl --web-acl-id <your-web-acl-id> --change-token <your-change-token> --updates '[{\"Action\":\"INSERT\",\"ActivatedRule\":{\"Priority\":1,\"RuleId\":\"<your-rule-id>\",\"Action\":{\"Type\":\"BLOCK\"}}}]' --default-action Type=ALLOW --region <your-region>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-4",
-      "Terraform": ""
+      "CLI": "aws waf-regional update-web-acl --web-acl-id <your-web-acl-id> --change-token $(aws waf-regional get-change-token --query 'ChangeToken' --output text) --updates '[{\"Action\":\"INSERT\",\"ActivatedRule\":{\"Priority\":1,\"RuleId\":\"<your-rule-id>\",\"Action\":{\"Type\":\"BLOCK\"}}}]'",
+      "NativeIaC": "```yaml\n# CloudFormation: Ensure the Web ACL has at least one rule\nResources:\n  <example_resource_name>:\n    Type: AWS::WAFRegional::WebACL\n    Properties:\n      Name: \"<example_resource_name>\"\n      MetricName: \"<example_resource_name>\"\n      DefaultAction:\n        Type: ALLOW\n      # Critical: adding any rule to the Web ACL makes it non-empty and passes the check\n      Rules:\n        - Action:\n            Type: BLOCK\n          Priority: 1\n          RuleId: \"<example_resource_id>\"  # Rule to insert into the Web ACL\n```",
+      "Other": "1. Open the AWS Console and go to AWS WAF\n2. In the left pane, click Web ACLs and switch to AWS WAF Classic if prompted\n3. Select the Regional Web ACL and open the Rules tab\n4. Click Edit web ACL\n5. In Rules, select an existing rule or rule group and choose Add rule to web ACL\n6. Click Save changes",
+      "Terraform": "```hcl\n# Terraform: Ensure the Web ACL has at least one rule\nresource \"aws_wafregional_web_acl\" \"<example_resource_name>\" {\n  name        = \"<example_resource_name>\"\n  metric_name = \"<example_resource_name>\"\n\n  default_action {\n    type = \"ALLOW\"\n  }\n\n  # Critical: add at least one rule so the Web ACL is not empty\n  rules {\n    priority = 1\n    rule_id  = \"<example_resource_id>\"\n    action {\n      type = \"BLOCK\"\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that every AWS WAF Classic Regional web ACL includes at least one rule or rule group to monitor and control web traffic effectively.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-editing.html"
+      "Text": "Populate each web ACL with at least one **rule** or **rule group** that inspects requests and enforces **least privilege**. Apply defense in depth by combining managed and custom rules, include rate controls where appropriate, and review regularly. *Default to blocking undesired traffic; only permit required patterns*.",
+      "Url": "https://hub.prowler.com/check/waf_regional_webacl_with_rules"
     }
   },
   "Categories": [],

prowler/providers/aws/services/wafv2/wafv2_webacl_logging_enabled/wafv2_webacl_logging_enabled.metadata.json

@@ -1,28 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "wafv2_webacl_logging_enabled",
-  "CheckTitle": "Check if AWS WAFv2 WebACL logging is enabled",
+  "CheckTitle": "AWS WAFv2 Web ACL has logging enabled",
   "CheckType": [
-    "Logging and Monitoring"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "wafv2",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:wafv2:region:account-id:webacl/webacl-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsWafv2WebAcl",
-  "Description": "Check if AWS WAFv2 logging is enabled",
-  "Risk": "Enabling AWS WAFv2 logging helps monitor and analyze traffic patterns for enhanced security.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/logging.html",
+  "Description": "**AWS WAFv2 Web ACLs** with **logging** capture details of inspected requests and rule evaluations. The assessment determines for each Web ACL whether logging is configured to record traffic analyzed by that ACL.",
+  "Risk": "Without **WAF logging**, visibility into allowed/blocked requests is lost, degrading detection and response. **SQLi**, **credential stuffing**, and **bot/DDoS probes** can go unnoticed, risking data exposure (C), undetected rule misuse (I), and service instability from unseen abuse (A).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/WAF/enable-web-acls-logging.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-11",
+    "https://docs.aws.amazon.com/cli/latest/reference/wafv2/put-logging-configuration.html",
+    "https://docs.aws.amazon.com/waf/latest/developerguide/logging.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws wafv2 update-web-acl-logging-configuration --scope REGIONAL --web-acl-arn arn:partition:wafv2:region:account-id:webacl/webacl-id --logging-configuration '{\"LogDestinationConfigs\": [\"arn:partition:logs:region:account-id:log-group:log-group-name\"]}'",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_33#terraform",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-11",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/WAF/enable-web-acls-logging.html"
+      "CLI": "aws wafv2 put-logging-configuration --logging-configuration ResourceArn=<WEB_ACL_ARN>,LogDestinationConfigs=<DESTINATION_ARN>",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable logging for a WAFv2 Web ACL\nResources:\n  <example_resource_name>:\n    Type: AWS::WAFv2::LoggingConfiguration\n    Properties:\n      ResourceArn: arn:aws:wafv2:<region>:<account-id>:regional/webacl/<example_resource_name>/<example_resource_id>  # CRITICAL: target Web ACL to log\n      LogDestinationConfigs:  # CRITICAL: where logs are sent\n        - arn:aws:logs:<region>:<account-id>:log-group:aws-waf-logs-<example_resource_name>\n```",
+      "Other": "1. In the AWS Console, go to AWS WAF & Shield > Web ACLs\n2. Select the target Web ACL\n3. Open the Logging and metrics (or Logging) section and click Enable logging\n4. Choose a log destination (CloudWatch Logs log group, S3 bucket, or Kinesis Data Firehose)\n5. Click Save to enable logging",
+      "Terraform": "```hcl\n# Enable logging for a WAFv2 Web ACL\nresource \"aws_wafv2_web_acl_logging_configuration\" \"<example_resource_name>\" {\n  resource_arn           = \"<example_resource_arn>\"                 # CRITICAL: target Web ACL ARN\n  log_destination_configs = [\"<example_destination_arn>\"]           # CRITICAL: log destination ARN\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable AWS WAFv2 logging for your Web ACLs to monitor and analyze traffic patterns effectively.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/logging.html"
+      "Text": "Enable **logging** on all WAFv2 Web ACLs to a centralized destination. Apply **least privilege** for log delivery, **redact sensitive fields**, and filter to retain high-value events. Integrate with monitoring/SIEM for **alerting and correlation**, and review routinely as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/wafv2_webacl_logging_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/wafv2/wafv2_webacl_rule_logging_enabled/wafv2_webacl_rule_logging_enabled.metadata.json

@@ -1,28 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "wafv2_webacl_rule_logging_enabled",
-  "CheckTitle": "Check if AWS WAFv2 WebACL rule or rule group has Amazon CloudWatch metrics enabled.",
+  "CheckTitle": "AWS WAFv2 Web ACL has Amazon CloudWatch metrics enabled for all rules and rule groups",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "wafv2",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:wafv2:region:account-id:webacl/webacl-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsWafv2RuleGroup",
-  "Description": "This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled.",
-  "Risk": "Without CloudWatch Metrics enabled on AWS WAF rules or rule groups, it's challenging to monitor traffic flow effectively. This reduces visibility into potential security threats, such as malicious activities or unusual traffic patterns.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/APIReference/API_UpdateRuleGroup.html",
+  "ResourceType": "AwsWafv2WebAcl",
+  "Description": "**AWS WAFv2 Web ACLs** are assessed to confirm that every associated **rule** and **rule group** has **CloudWatch metrics** enabled for visibility into rule evaluations and traffic",
+  "Risk": "Absent **CloudWatch metrics**, WAF telemetry is lost, masking spikes, rule bypasses, and misconfigurations. This delays detection of SQLi/XSS probes and bot floods, risking data confidentiality, request integrity, and application availability.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.icompaas.com/support/solutions/articles/62000233644-ensure-aws-wafv2-webacl-rule-or-rule-group-has-amazon-cloudwatch-metrics-enabled",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-12"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws wafv2 update-rule-group --id <rule-group-id> --scope <scope> --name <rule-group-name> --cloudwatch-metrics-enabled true",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-12",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable CloudWatch metrics on WAFv2 Web ACL rules\nResources:\n  <example_resource_name>:\n    Type: AWS::WAFv2::WebACL\n    Properties:\n      Name: <example_resource_name>\n      Scope: REGIONAL\n      DefaultAction:\n        Allow: {}\n      VisibilityConfig:\n        SampledRequestsEnabled: true\n        CloudWatchMetricsEnabled: true\n        MetricName: <metric_name>\n      Rules:\n        - Name: <example_rule_name>\n          Priority: 1\n          Statement:\n            ManagedRuleGroupStatement:\n              VendorName: AWS\n              Name: AWSManagedRulesCommonRuleSet\n          OverrideAction:\n            None: {}\n          VisibilityConfig:\n            SampledRequestsEnabled: true\n            CloudWatchMetricsEnabled: true  # Critical: enables CloudWatch metrics for this rule\n            MetricName: <rule_metric_name>  # Required with CloudWatch metrics\n```",
+      "Other": "1. In AWS Console, go to AWS WAF & Shield > Web ACLs, select the Web ACL\n2. Open the Rules tab, edit each rule, and enable CloudWatch metrics (Visibility configuration > CloudWatch metrics enabled), then Save\n3. For rule groups: go to AWS WAF & Shield > Rule groups, select the rule group, edit Visibility configuration, enable CloudWatch metrics, then Save",
+      "Terraform": "```hcl\n# Terraform: Enable CloudWatch metrics on WAFv2 Web ACL rules\nresource \"aws_wafv2_web_acl\" \"<example_resource_name>\" {\n  name  = \"<example_resource_name>\"\n  scope = \"REGIONAL\"\n\n  default_action { allow {} }\n\n  visibility_config {\n    cloudwatch_metrics_enabled = true\n    metric_name                = \"<metric_name>\"\n    sampled_requests_enabled   = true\n  }\n\n  rule {\n    name     = \"<example_rule_name>\"\n    priority = 1\n\n    statement {\n      managed_rule_group_statement {\n        vendor_name = \"AWS\"\n        name        = \"AWSManagedRulesCommonRuleSet\"\n      }\n    }\n\n    override_action { none {} }\n\n    visibility_config {\n      cloudwatch_metrics_enabled = true  # Critical: enables CloudWatch metrics for this rule\n      metric_name                = \"<rule_metric_name>\"  # Required with CloudWatch metrics\n      sampled_requests_enabled   = true\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that CloudWatch Metrics are enabled for AWS WAF rules and rule groups. This provides detailed insights into traffic, enabling timely identification of security risks.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/APIReference/API_UpdateWebACL.html"
+      "Text": "Enable **CloudWatch metrics** for all WAF rules and rule groups (*including managed rule groups*). Use consistent metric names, centralize dashboards and alerts, and review trends to validate rule efficacy. Integrate with a SIEM for **defense in depth** and tune rules based on telemetry.",
+      "Url": "https://hub.prowler.com/check/wafv2_webacl_rule_logging_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/wafv2/wafv2_webacl_with_rules/wafv2_webacl_with_rules.metadata.json

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "wafv2_webacl_with_rules",
-  "CheckTitle": "Check if AWS WAFv2 WebACL has at least one rule or rule group.",
+  "CheckTitle": "AWS WAFv2 Web ACL has at least one rule or rule group attached",
   "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
     "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
   ],
   "ServiceName": "wafv2",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:wafv2:region:account-id:webacl/webacl-id",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsWafv2WebAcl",
-  "Description": "Check if AWS WAFv2 WebACL has at least one rule or rule group associated with it.",
-  "Risk": "An empty AWS WAF web ACL allows all web traffic to pass without inspection or control, exposing resources to potential security threats and attacks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html",
+  "Description": "**AWS WAFv2 web ACLs** are evaluated for the presence of at least one configured **rule** or **rule group** that defines how HTTP(S) requests are inspected and acted upon.",
+  "Risk": "Without rules, traffic is governed only by the web ACL `DefaultAction`, often allowing requests without inspection. This increases risks to **confidentiality** (data exfiltration via injection), **integrity** (XSS/parameter tampering), and **availability** (layer-7 DDoS, bot abuse).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-editing.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-10",
+    "https://support.icompaas.com/support/solutions/articles/62000233642-ensure-aws-wafv2-webacl-has-at-least-one-rule-or-rule-group"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws wafv2 update-web-acl --id <web-acl-id> --scope <scope> --default-action <default-action> --rules <rules>",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/networking-policies/bc_aws_networking_64/",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-10",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: Add at least one rule to the WAFv2 WebACL\nResources:\n  <example_resource_name>:\n    Type: AWS::WAFv2::WebACL\n    Properties:\n      Scope: REGIONAL\n      DefaultAction:\n        Allow: {}\n      VisibilityConfig:\n        SampledRequestsEnabled: true\n        CloudWatchMetricsEnabled: true\n        MetricName: <example_resource_name>\n      Rules:  # CRITICAL: Adding any rule/rule group here fixes the finding by making the Web ACL non-empty\n        - Name: <example_rule_name>\n          Priority: 0\n          Statement:\n            ManagedRuleGroupStatement:\n              VendorName: AWS\n              Name: AWSManagedRulesCommonRuleSet  # Uses an AWS managed rule group\n          OverrideAction:\n            Count: {}  # Non-blocking to minimize impact\n          VisibilityConfig:\n            SampledRequestsEnabled: true\n            CloudWatchMetricsEnabled: true\n            MetricName: <example_rule_name>\n```",
+      "Other": "1. In the AWS Console, go to AWS WAF\n2. Open Web ACLs and select the failing Web ACL\n3. Go to the Rules tab and click Add rules\n4. Choose Add managed rule group, select AWS > AWSManagedRulesCommonRuleSet\n5. Set action to Count (to avoid blocking), then Add rule and Save\n6. Verify the Web ACL now shows at least one rule",
+      "Terraform": "```hcl\n# Terraform: Ensure the WAFv2 Web ACL has at least one rule\nresource \"aws_wafv2_web_acl\" \"<example_resource_name>\" {\n  name  = \"<example_resource_name>\"\n  scope = \"REGIONAL\"\n\n  default_action {\n    allow {}\n  }\n\n  visibility_config {\n    cloudwatch_metrics_enabled = true\n    metric_name                = \"<example_resource_name>\"\n    sampled_requests_enabled   = true\n  }\n\n  rule { # CRITICAL: Presence of this rule makes the Web ACL non-empty and passes the check\n    name     = \"<example_rule_name>\"\n    priority = 0\n    statement {\n      managed_rule_group_statement {\n        name        = \"AWSManagedRulesCommonRuleSet\"\n        vendor_name = \"AWS\"  # Minimal managed rule group\n      }\n    }\n    override_action { count {} } # Non-blocking\n    visibility_config {\n      cloudwatch_metrics_enabled = true\n      metric_name                = \"<example_rule_name>\"\n      sampled_requests_enabled   = true\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that each AWS WAF web ACL contains at least one rule or rule group to effectively manage and inspect incoming HTTP(S) web requests.",
-      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-editing.html"
+      "Text": "Populate each web ACL with targeted rules or managed rule groups to enforce least-privilege web access: cover common exploits (SQLi/XSS), IP reputation, and rate limits, scoped to your apps. Use a conservative `DefaultAction`, monitor metrics/logs, and continually tune-supporting **defense in depth** and **zero trust**.",
+      "Url": "https://hub.prowler.com/check/wafv2_webacl_with_rules"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py

@@ -77,7 +77,7 @@ class CloudStorage(GCPService):
                             Bucket(
                                 name=bucket["name"],
                                 id=bucket["id"],
-                                region=bucket["location"],
+                                region=bucket["location"].lower(),
                                 uniform_bucket_level_access=bucket["iamConfiguration"][
                                     "uniformBucketLevelAccess"
                                 ]["enabled"],

prowler/providers/iac/lib/arguments/arguments.py

@@ -35,9 +35,9 @@ def init_parser(self):
         "--scanner",
         dest="scanners",
         nargs="+",
-        default=["vuln", "misconfig", "secret"],
+        default=["misconfig", "secret"],
         choices=SCANNERS_CHOICES,
-        help="Comma-separated list of scanners to scan. Default: vuln, misconfig, secret",
+        help="Comma-separated list of scanners to scan. Default: misconfig, secret",
     )
     iac_scan_subparser.add_argument(
         "--exclude-path",

prowler/providers/mongodbatlas/services/clusters/clusters_service.py

@@ -17,6 +17,28 @@ class Clusters(MongoDBAtlasService):
         super().__init__(__class__.__name__, provider)
         self.clusters = self._list_clusters()
 
+    def _extract_location(self, cluster_data: dict) -> str:
+        """
+        Extract location from cluster data and convert to lowercase
+
+        Args:
+            cluster_data: Cluster data from API
+
+        Returns:
+            str: Location in lowercase, empty string if not found
+        """
+        try:
+            replication_specs = cluster_data.get("replicationSpecs", [])
+            if replication_specs and len(replication_specs) > 0:
+                region_configs = replication_specs[0].get("regionConfigs", [])
+                if region_configs and len(region_configs) > 0:
+                    region_name = region_configs[0].get("regionName", "")
+                    if region_name:
+                        return region_name.lower()
+        except (KeyError, IndexError, AttributeError):
+            pass
+        return ""
+
     def _list_clusters(self):
         """
         List all MongoDB Atlas clusters across all projects
@@ -89,9 +111,7 @@ class Clusters(MongoDBAtlasService):
                                 "connectionStrings", {}
                             ),
                             tags=cluster_data.get("tags", []),
-                            location=cluster_data.get("replicationSpecs", {})[0]
-                            .get("regionConfigs", {})[0]
-                            .get("regionName", ""),
+                            location=self._extract_location(cluster_data),
                         )
 
                         # Use a unique key combining project_id and cluster_name

{prowler_cloud-5.15.1.dist-info → prowler_cloud-5.16.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: prowler-cloud
-Version: 5.15.1
+Version: 5.16.0
 Summary: Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.
 License: Apache-2.0
 Author: Toni de la Fuente
@@ -114,6 +114,7 @@ Description-Content-Type: text/markdown
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
   <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
   <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
+  <a href="https://insights.linuxfoundation.org/project/prowler-cloud-prowler"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=prowler-cloud-prowler"/></a>
 </p>
 <p align="center">
     <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
@@ -367,11 +368,12 @@ python prowler-cli.py -v
 # ✏️ High level architecture
 
 ## Prowler App
-**Prowler App** is composed of three key components:
+**Prowler App** is composed of four key components:
 
 - **Prowler UI**: A web-based interface, built with Next.js, providing a user-friendly experience for executing Prowler scans and visualizing results.
 - **Prowler API**: A backend service, developed with Django REST Framework, responsible for running Prowler scans and storing the generated results.
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.
+- **Prowler MCP Server**: A Model Context Protocol server that provides AI tools for Lighthouse, the AI-powered security assistant. This is a critical dependency for Lighthouse functionality.
 
 ![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)