prowler-cloud 5.17.1__py3-none-any.whl → 5.18.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (219)
  1. dashboard/compliance/hipaa_azure.py +25 -0
  2. dashboard/pages/overview.py +20 -11
  3. prowler/AGENTS.md +1 -1
  4. prowler/CHANGELOG.md +43 -0
  5. prowler/__main__.py +5 -0
  6. prowler/compliance/azure/hipaa_azure.json +820 -0
  7. prowler/compliance/m365/cis_4.0_m365.json +6 -2
  8. prowler/compliance/m365/cis_6.0_m365.json +6 -2
  9. prowler/compliance/m365/iso27001_2022_m365.json +13 -11
  10. prowler/compliance/openstack/__init__.py +0 -0
  11. prowler/config/config.py +2 -1
  12. prowler/config/config.yaml +4 -1
  13. prowler/config/openstack_mutelist_example.yaml +60 -0
  14. prowler/lib/check/check.py +4 -0
  15. prowler/lib/check/models.py +27 -2
  16. prowler/lib/cli/parser.py +3 -2
  17. prowler/lib/outputs/finding.py +14 -0
  18. prowler/lib/outputs/html/html.py +72 -0
  19. prowler/lib/outputs/jira/jira.py +3 -3
  20. prowler/lib/outputs/outputs.py +2 -0
  21. prowler/lib/outputs/summary_table.py +7 -0
  22. prowler/lib/timeline/__init__.py +0 -0
  23. prowler/lib/timeline/models.py +27 -0
  24. prowler/lib/timeline/timeline.py +36 -0
  25. prowler/providers/aws/lib/cloudtrail_timeline/__init__.py +0 -0
  26. prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py +218 -0
  27. prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/__init__.py +0 -0
  28. prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.metadata.json +40 -0
  29. prowler/providers/aws/services/codebuild/codebuild_project_webhook_filters_use_anchored_patterns/codebuild_project_webhook_filters_use_anchored_patterns.py +58 -0
  30. prowler/providers/aws/services/codebuild/codebuild_service.py +45 -0
  31. prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +1 -1
  32. prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py +4 -0
  33. prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +1 -1
  34. prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py +4 -0
  35. prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +1 -1
  36. prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py +2 -0
  37. prowler/providers/aws/services/iam/lib/policy.py +19 -3
  38. prowler/providers/aws/services/rds/rds_instance_extended_support/__init__.py +0 -0
  39. prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.metadata.json +41 -0
  40. prowler/providers/aws/services/rds/rds_instance_extended_support/rds_instance_extended_support.py +37 -0
  41. prowler/providers/aws/services/rds/rds_service.py +4 -0
  42. prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.metadata.json +1 -1
  43. prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py +5 -1
  44. prowler/providers/azure/lib/service/service.py +23 -0
  45. prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.metadata.json +18 -12
  46. prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.metadata.json +18 -11
  47. prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.metadata.json +19 -12
  48. prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.metadata.json +19 -12
  49. prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.metadata.json +19 -12
  50. prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.metadata.json +19 -12
  51. prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.metadata.json +18 -11
  52. prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.metadata.json +21 -13
  53. prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.metadata.json +19 -11
  54. prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.metadata.json +21 -14
  55. prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.metadata.json +18 -13
  56. prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.metadata.json +20 -13
  57. prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.metadata.json +18 -11
  58. prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.metadata.json +20 -13
  59. prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.metadata.json +20 -13
  60. prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.metadata.json +21 -14
  61. prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.metadata.json +18 -12
  62. prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.metadata.json +20 -12
  63. prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.metadata.json +18 -11
  64. prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.metadata.json +18 -12
  65. prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.metadata.json +17 -11
  66. prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.metadata.json +18 -12
  67. prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.metadata.json +21 -13
  68. prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.metadata.json +20 -12
  69. prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.metadata.json +19 -13
  70. prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.metadata.json +20 -13
  71. prowler/providers/azure/services/databricks/databricks_workspace_cmk_encryption_enabled/databricks_workspace_cmk_encryption_enabled.metadata.json +20 -14
  72. prowler/providers/azure/services/databricks/databricks_workspace_vnet_injection_enabled/databricks_workspace_vnet_injection_enabled.metadata.json +20 -14
  73. prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.metadata.json +20 -13
  74. prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.metadata.json +17 -11
  75. prowler/providers/azure/services/defender/defender_attack_path_notifications_properly_configured/defender_attack_path_notifications_properly_configured.metadata.json +19 -13
  76. prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.metadata.json +20 -13
  77. prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.metadata.json +19 -12
  78. prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.metadata.json +20 -12
  79. prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.metadata.json +22 -13
  80. prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.metadata.json +17 -11
  81. prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.metadata.json +17 -11
  82. prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.metadata.json +17 -11
  83. prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.metadata.json +17 -11
  84. prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.metadata.json +17 -11
  85. prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.metadata.json +17 -11
  86. prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.metadata.json +17 -11
  87. prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.metadata.json +17 -11
  88. prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.metadata.json +17 -11
  89. prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.metadata.json +19 -11
  90. prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.metadata.json +17 -11
  91. prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.metadata.json +17 -11
  92. prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.metadata.json +17 -11
  93. prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.metadata.json +20 -12
  94. prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.metadata.json +19 -12
  95. prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.metadata.json +19 -12
  96. prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.metadata.json +17 -9
  97. prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.metadata.json +21 -13
  98. prowler/providers/azure/services/entra/entra_service.py +3 -11
  99. prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py +6 -0
  100. prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.metadata.json +19 -13
  101. prowler/providers/azure/services/iam/iam_role_user_access_admin_restricted/iam_role_user_access_admin_restricted.metadata.json +16 -10
  102. prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.metadata.json +18 -12
  103. prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py +10 -11
  104. prowler/providers/azure/services/keyvault/keyvault_service.py +164 -81
  105. prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.metadata.json +18 -12
  106. prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.metadata.json +19 -12
  107. prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.metadata.json +18 -12
  108. prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.metadata.json +19 -12
  109. prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.metadata.json +21 -12
  110. prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.metadata.json +19 -12
  111. prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.metadata.json +21 -12
  112. prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.metadata.json +18 -12
  113. prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.metadata.json +15 -10
  114. prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.metadata.json +20 -12
  115. prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.metadata.json +19 -12
  116. prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.metadata.json +19 -12
  117. prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.metadata.json +21 -13
  118. prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.metadata.json +16 -11
  119. prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.metadata.json +20 -13
  120. prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.metadata.json +18 -12
  121. prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.metadata.json +19 -13
  122. prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +4 -4
  123. prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.metadata.json +19 -13
  124. prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.metadata.json +18 -11
  125. prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.metadata.json +18 -12
  126. prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.metadata.json +18 -12
  127. prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.metadata.json +20 -13
  128. prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json +20 -12
  129. prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.metadata.json +18 -12
  130. prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.metadata.json +23 -13
  131. prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.metadata.json +19 -12
  132. prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.metadata.json +20 -13
  133. prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.metadata.json +20 -13
  134. prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.metadata.json +18 -12
  135. prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.metadata.json +19 -12
  136. prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.metadata.json +19 -12
  137. prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.metadata.json +18 -12
  138. prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.metadata.json +19 -12
  139. prowler/providers/azure/services/storage/storage_account_key_access_disabled/storage_account_key_access_disabled.metadata.json +17 -12
  140. prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.metadata.json +18 -12
  141. prowler/providers/azure/services/storage/storage_blob_versioning_is_enabled/storage_blob_versioning_is_enabled.metadata.json +19 -11
  142. prowler/providers/azure/services/storage/storage_cross_tenant_replication_disabled/storage_cross_tenant_replication_disabled.metadata.json +19 -13
  143. prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.metadata.json +19 -12
  144. prowler/providers/azure/services/storage/storage_default_to_entra_authorization_enabled/storage_default_to_entra_authorization_enabled.metadata.json +20 -13
  145. prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.metadata.json +17 -10
  146. prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.metadata.json +15 -10
  147. prowler/providers/azure/services/storage/storage_ensure_file_shares_soft_delete_is_enabled/storage_ensure_file_shares_soft_delete_is_enabled.metadata.json +18 -12
  148. prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.metadata.json +14 -10
  149. prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.metadata.json +19 -11
  150. prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.metadata.json +17 -12
  151. prowler/providers/azure/services/storage/storage_geo_redundant_enabled/storage_geo_redundant_enabled.metadata.json +19 -12
  152. prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.metadata.json +13 -9
  153. prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.metadata.json +17 -12
  154. prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.metadata.json +15 -11
  155. prowler/providers/azure/services/storage/storage_smb_channel_encryption_with_secure_algorithm/storage_smb_channel_encryption_with_secure_algorithm.metadata.json +19 -12
  156. prowler/providers/azure/services/storage/storage_smb_protocol_version_is_latest/storage_smb_protocol_version_is_latest.metadata.json +19 -13
  157. prowler/providers/cloudflare/cloudflare_provider.py +95 -12
  158. prowler/providers/cloudflare/lib/arguments/arguments.py +7 -0
  159. prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/__init__.py +0 -0
  160. prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.metadata.json +36 -0
  161. prowler/providers/cloudflare/services/dns/dns_record_cname_target_valid/dns_record_cname_target_valid.py +109 -0
  162. prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/__init__.py +0 -0
  163. prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.metadata.json +36 -0
  164. prowler/providers/cloudflare/services/dns/dns_record_no_internal_ip/dns_record_no_internal_ip.py +73 -0
  165. prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/__init__.py +0 -0
  166. prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.metadata.json +36 -0
  167. prowler/providers/cloudflare/services/dns/dns_record_no_wildcard/dns_record_no_wildcard.py +60 -0
  168. prowler/providers/cloudflare/services/dns/dns_record_proxied/__init__.py +0 -0
  169. prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.metadata.json +36 -0
  170. prowler/providers/cloudflare/services/dns/dns_record_proxied/dns_record_proxied.py +49 -0
  171. prowler/providers/cloudflare/services/dns/dns_service.py +52 -6
  172. prowler/providers/cloudflare/services/firewall/__init__.py +0 -0
  173. prowler/providers/cloudflare/services/firewall/firewall_client.py +4 -0
  174. prowler/providers/cloudflare/services/firewall/firewall_service.py +123 -0
  175. prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/__init__.py +0 -0
  176. prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.metadata.json +36 -0
  177. prowler/providers/cloudflare/services/zone/zone_firewall_blocking_rules_configured/zone_firewall_blocking_rules_configured.py +53 -0
  178. prowler/providers/cloudflare/services/zone/zone_service.py +133 -1
  179. prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/__init__.py +0 -0
  180. prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.metadata.json +36 -0
  181. prowler/providers/cloudflare/services/zone/zone_waf_owasp_ruleset_enabled/zone_waf_owasp_ruleset_enabled.py +58 -0
  182. prowler/providers/common/provider.py +23 -0
  183. prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/__init__.py +0 -0
  184. prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.metadata.json +37 -0
  185. prowler/providers/gcp/services/compute/compute_instance_suspended_without_persistent_disks/compute_instance_suspended_without_persistent_disks.py +35 -0
  186. prowler/providers/gcp/services/compute/compute_service.py +2 -0
  187. prowler/providers/m365/lib/powershell/m365_powershell.py +47 -1
  188. prowler/providers/m365/services/defender/defender_service.py +52 -0
  189. prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/__init__.py +0 -0
  190. prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.metadata.json +38 -0
  191. prowler/providers/m365/services/defender/defender_zap_for_teams_enabled/defender_zap_for_teams_enabled.py +53 -0
  192. prowler/providers/m365/services/exchange/exchange_service.py +78 -0
  193. prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/__init__.py +0 -0
  194. prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.metadata.json +37 -0
  195. prowler/providers/m365/services/exchange/exchange_shared_mailbox_sign_in_disabled/exchange_shared_mailbox_sign_in_disabled.py +59 -0
  196. prowler/providers/openstack/__init__.py +0 -0
  197. prowler/providers/openstack/exceptions/__init__.py +0 -0
  198. prowler/providers/openstack/exceptions/exceptions.py +166 -0
  199. prowler/providers/openstack/lib/__init__.py +0 -0
  200. prowler/providers/openstack/lib/arguments/__init__.py +0 -0
  201. prowler/providers/openstack/lib/arguments/arguments.py +113 -0
  202. prowler/providers/openstack/lib/mutelist/__init__.py +0 -0
  203. prowler/providers/openstack/lib/mutelist/mutelist.py +31 -0
  204. prowler/providers/openstack/lib/service/__init__.py +0 -0
  205. prowler/providers/openstack/lib/service/service.py +21 -0
  206. prowler/providers/openstack/models.py +100 -0
  207. prowler/providers/openstack/openstack_provider.py +515 -0
  208. prowler/providers/openstack/services/__init__.py +0 -0
  209. prowler/providers/openstack/services/compute/__init__.py +0 -0
  210. prowler/providers/openstack/services/compute/compute_client.py +4 -0
  211. prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/__init__.py +0 -0
  212. prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.metadata.json +40 -0
  213. prowler/providers/openstack/services/compute/compute_instance_security_groups_attached/compute_instance_security_groups_attached.py +35 -0
  214. prowler/providers/openstack/services/compute/compute_service.py +63 -0
  215. {prowler_cloud-5.17.1.dist-info → prowler_cloud-5.18.0.dist-info}/METADATA +11 -9
  216. {prowler_cloud-5.17.1.dist-info → prowler_cloud-5.18.0.dist-info}/RECORD +219 -155
  217. {prowler_cloud-5.17.1.dist-info → prowler_cloud-5.18.0.dist-info}/LICENSE +0 -0
  218. {prowler_cloud-5.17.1.dist-info → prowler_cloud-5.18.0.dist-info}/WHEEL +0 -0
  219. {prowler_cloud-5.17.1.dist-info → prowler_cloud-5.18.0.dist-info}/entry_points.txt +0 -0
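--- a/prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.metadata.json
+++ b/prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.metadata.json
@@ -1,30 +1,36 @@
  {
  "Provider": "azure",
  "CheckID": "appinsights_ensure_is_configured",
- "CheckTitle": "Ensure Application Insights are Configured.",
+ "CheckTitle": "Subscription has at least one Application Insights resource configured",
  "CheckType": [],
  "ServiceName": "appinsights",
  "SubServiceName": "",
  "ResourceIdTemplate": "",
  "Severity": "low",
- "ResourceType": "Microsoft.Insights/components",
+ "ResourceType": "microsoft.insights/components",
  "ResourceGroup": "monitoring",
- "Description": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.",
- "Risk": "Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much larger logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
+ "Description": "**Azure subscription** contains at least one **Application Insights** resource collecting application telemetry (metrics, traces, logs) for monitored workloads.\n\nThe check determines whether telemetry collection exists at the subscription level, indicating that application monitoring is configured.",
+ "Risk": "If **Application Insights** is missing, applications run with reduced **observability**, limiting detection of anomalies and attacks.\n\nThis undermines **integrity** and accountability (fewer traces), degrades **availability** by slowing troubleshooting, and increases exposure to undetected data exfiltration or injection at the app layer.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
+ "https://www.tenable.com/audits/items/CIS_Microsoft_Azure_Foundations_v2.0.0_L2.audit:8a7a608d180042689ad9d3f16aa359f1"
+ ],
  "Remediation": {
  "Code": {
- "CLI": "az monitor app-insights component create --app <app name> --resource-group <resource group name> --location <location> --kind 'web' --retention-time <INT days to retain logs> --workspace <log analytics workspace ID> -- subscription <subscription ID>",
- "NativeIaC": "",
- "Other": "https://www.tenable.com/audits/items/CIS_Microsoft_Azure_Foundations_v2.0.0_L2.audit:8a7a608d180042689ad9d3f16aa359f1",
- "Terraform": ""
+ "CLI": "az monitor app-insights component create --app <APP_NAME> --resource-group <RESOURCE_GROUP> --location <LOCATION> --application-type web --subscription <SUBSCRIPTION_ID>",
+ "NativeIaC": "```bicep\n// Create a minimal Application Insights resource\nresource appInsights 'Microsoft.Insights/components@2020-02-02' = {\n name: '<example_resource_name>'\n location: '<location>'\n properties: {\n Application_Type: 'web' // Critical: creates the App Insights component required to pass the check\n }\n}\n```",
+ "Other": "1. In the Azure portal, go to Azure Monitor > Application Insights\n2. Click Create\n3. Select a Subscription and Resource group\n4. Enter a Name and choose a Region\n5. Click Review + create, then Create\n6. Verify the resource appears under Application Insights in the selected subscription",
+ "Terraform": "```hcl\n# Critical: This resource creates an Application Insights component to satisfy the check\nresource \"azurerm_application_insights\" \"main\" {\n name = \"<example_resource_name>\"\n location = \"<location>\"\n resource_group_name = \"<example_resource_name>\"\n application_type = \"web\" # Critical: ensures creation of the component\n}\n```"
  },
  "Recommendation": {
- "Text": "1. Navigate to Application Insights 2. Under the Basics tab within the PROJECT DETAILS section, select the Subscription 3. Select the Resource group 4. Within the INSTANCE DETAILS, enter a Name 5. Select a Region 6. Next to Resource Mode, select Workspace-based 7. Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace 8. Select the appropriate Log Analytics Workspace 9. Click Next:Tags > 10. Enter the appropriate Tags as Name, Value pairs. 11. Click Next:Review+Create 12. Click Create.",
- "Url": ""
+ "Text": "Deploy **Application Insights** for all critical workloads and centralize data in a **Log Analytics workspace**. Configure actionable alerts and dashboards, enforce **least privilege** on telemetry, and set retention/export policies. Use private connectivity and appropriate sampling, and integrate with SIEM for **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/appinsights_ensure_is_configured"
  }
  },
- "Categories": [],
+ "Categories": [
+ "logging"
+ ],
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": "Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service."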
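Review bot: The new remediation snippets on the `CLI`, `NativeIaC` and `Terraform` lines no longer bind the component to a Log Analytics workspace, although the CLI they replace did (`--workspace <log analytics workspace ID>`) and both the new `Recommendation.Text` ("centralize data in a Log Analytics workspace") and the unchanged `Notes` line still describe a workspace-based setup. As far as I know, a component created without that link is the classic, non-workspace-based kind, so the snippets would satisfy the check while contradicting the guidance in the same file; adding `--workspace <WORKSPACE_ID>` to the CLI, `workspace_id = "<WORKSPACE_ID>"` to the Terraform resource and `WorkspaceResourceId: '<workspace_id>'` under the Bicep `properties` would keep them aligned. Separately, the Terraform snippet reuses `<example_resource_name>` for `resource_group_name`, which reads as if the component name and the resource group were the same value; a distinct `<resource_group_name>` placeholder would be clearer.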
@@ -1,30 +1,36 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "containerregistry_admin_user_disabled",
4
- "CheckTitle": "Ensure admin user is disabled for Azure Container Registry",
4
+ "CheckTitle": "Container Registry admin user is disabled",
5
5
  "CheckType": [],
6
6
  "ServiceName": "containerregistry",
7
7
  "SubServiceName": "",
8
8
  "ResourceIdTemplate": "",
9
9
  "Severity": "high",
10
- "ResourceType": "ContainerRegistry",
10
+ "ResourceType": "microsoft.containerregistry/registries",
11
11
  "ResourceGroup": "container",
12
- "Description": "Ensure that the admin user is disabled and Role-Based Access Control (RBAC) is used instead since it could grant unrestricted access to the registry",
13
- "Risk": "If the admin user is enabled, it may lead to unauthorized access to the container registry and its resources, which could compromise the confidentiality, integrity, and availability of the images stored within.",
14
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account",
12
+ "Description": "**Azure Container Registry** admin account configuration, confirming the built-in **admin user** is disabled so access relies on Microsoft Entra-based **RBAC** identities and scoped roles.",
13
+ "Risk": "Using a shared, always-valid **admin credential** grants full push/pull and lacks attribution. Compromise enables unauthorized image pulls (confidentiality), malicious pushes or tag changes (integrity), and deletions or lockout (availability), enabling supply-chain attacks and lateral movement.",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account"
17
+ ],
15
18
  "Remediation": {
16
19
  "Code": {
17
20
  "CLI": "az acr update --name <RegistryName> --resource-group <ResourceGroupName> --admin-enabled false",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
21
+ "NativeIaC": "```bicep\n// Azure Container Registry with admin user disabled\nresource acr 'Microsoft.ContainerRegistry/registries@2025-11-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n sku: {\n name: '<SKU_NAME>'\n }\n properties: {\n adminUserEnabled: false // Critical: disables the admin user to pass the check\n }\n}\n```",
22
+ "Other": "1. In Azure Portal, go to Container registries and select your registry\n2. Under Settings, open Access keys\n3. Set Admin user to Disabled\n4. Click Save",
23
+ "Terraform": "```hcl\nresource \"azurerm_container_registry\" \"example\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<location>\"\n sku = \"<SKU_NAME>\"\n\n admin_enabled = false # Critical: disables ACR admin user to pass the check\n}\n```"
21
24
  },
22
25
  "Recommendation": {
23
- "Text": "Disable the admin user on Azure Container Registry through the Azure Portal: 1. Navigate to your Container Registry. 2. In the settings, select 'Access keys'. 3. Ensure the 'Admin user' checkbox is not ticked. For all actions relying on registry access, switch to using Role-Based Access Control.",
24
- "Url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account"
26
+ "Text": "Disable the **admin account** and require Microsoft Entra-backed **RBAC**. Assign least-privilege roles to users, service principals, or managed identities. Prefer short-lived credentials, rotate any residual secrets, and apply defense-in-depth with network restrictions and continuous auditing of registry access.",
27
+ "Url": "https://hub.prowler.com/check/containerregistry_admin_user_disabled"
25
28
  }
26
29
  },
27
- "Categories": [],
30
+ "Categories": [
31
+ "identity-access",
32
+ "secrets"
33
+ ],
28
34
  "DependsOn": [],
29
35
  "RelatedTo": [],
30
36
  "Notes": "The transition away from using the admin user to RBAC will facilitate a more secure and manageable access model, minimizing the potential risk of unauthorized access to your container images."
@@ -1,30 +1,36 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "containerregistry_not_publicly_accessible",
4
- "CheckTitle": "Restrict public network access to the Container Registry",
4
+ "CheckTitle": "Container Registry public network access is disabled",
5
5
  "CheckType": [],
6
6
  "ServiceName": "containerregistry",
7
7
  "SubServiceName": "",
8
8
  "ResourceIdTemplate": "",
9
9
  "Severity": "high",
10
- "ResourceType": "ContainerRegistry",
10
+ "ResourceType": "microsoft.containerregistry/registries",
11
11
  "ResourceGroup": "container",
12
- "Description": "Ensure that public network access to the Azure Container Registry is restricted.",
13
- "Risk": "Public accessibility exposes the Container Registry to potential attacks, unauthorized usage, and data breaches. Restricting access minimizes the surface area for attacks and ensures that only authorized networks can access the registry.",
14
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-access-selected-networks",
12
+ "Description": "**Azure Container Registry** configuration indicates whether the registry permits **unrestricted public access** based on the `Public network access` setting.",
13
+ "Risk": "**Internet-exposed ACR** expands attack paths impacting **CIA**:\n- Confidentiality: unauthorized image pulls leak code/secrets\n- Integrity: compromised creds allow tampered image pushes (supply-chain)\n- Availability: pull storms or scans exhaust quotas, causing outages and cost spikes",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ContainerRegistry/disable-public-access.html",
17
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-access-selected-networks"
18
+ ],
15
19
  "Remediation": {
16
20
  "Code": {
17
- "CLI": "az acr update --name <registry-name> --default-action Deny",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
21
+ "CLI": "az acr update --name <registry-name> --public-network-enabled false",
22
+ "NativeIaC": "```bicep\n// Azure Container Registry with public network access disabled\nresource <example_resource_name> 'Microsoft.ContainerRegistry/registries@2025-11-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n sku: {\n name: 'Basic'\n }\n properties: {\n publicNetworkAccess: 'Disabled' // Critical: disables the public endpoint to prevent unrestricted access\n }\n}\n```",
23
+ "Other": "1. In the Azure portal, go to your Container Registry\n2. Select Settings > Networking\n3. On Public access, set Allow public network access to Disabled\n4. Click Save",
24
+ "Terraform": "```hcl\nresource \"azurerm_container_registry\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<location>\"\n sku = \"Basic\"\n\n public_network_access_enabled = false # Critical: disables public endpoint to block unrestricted access\n}\n```"
21
25
  },
22
26
  "Recommendation": {
23
- "Text": "Ensure that the necessary virtual network configurations or IP rules are in place to allow access from required services once public access is restricted. Review the network access settings regularly to maintain a secure environment. To restrict public network access to your Azure Container Registry: 1. Navigate to your Container Registry in the Azure Portal. 2. Under 'Settings'->'Networking', configure the 'Public network access' settings to 'Disabled'. 3. Set up virtual network service endpoints or private endpoints as needed for secure access. 4. Review and adjust IP access rules as necessary.",
24
- "Url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-access-selected-networks"
27
+ "Text": "Set `Public network access` to `Disabled` and use **Private Link** for registry access.\n\nIf public reachability is required, allow only **selected IPs**, enforce **least privilege** and token rotation, and apply **defense in depth** (egress control, network segmentation, logging of push/pull events).",
28
+ "Url": "https://hub.prowler.com/check/containerregistry_not_publicly_accessible"
25
29
  }
26
30
  },
27
- "Categories": [],
31
+ "Categories": [
32
+ "internet-exposed"
33
+ ],
28
34
  "DependsOn": [],
29
35
  "RelatedTo": [],
30
36
  "Notes": "This feature is only available for Premium SKU registries."
@@ -1,30 +1,38 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "containerregistry_uses_private_link",
4
- "CheckTitle": "Ensure to use a private link for accessing the Azure Container Registry",
4
+ "CheckTitle": "Container Registry uses a private endpoint (Private Link)",
5
5
  "CheckType": [],
6
6
  "ServiceName": "containerregistry",
7
7
  "SubServiceName": "",
8
8
  "ResourceIdTemplate": "",
9
- "Severity": "medium",
10
- "ResourceType": "ContainerRegistry",
9
+ "Severity": "high",
10
+ "ResourceType": "microsoft.containerregistry/registries",
11
11
  "ResourceGroup": "container",
12
- "Description": "Ensure that a private link is used for accessing the Azure Container Registry to enhance security and restrict access to the registry over the public internet.",
13
- "Risk": "Without using a private link, the Azure Container Registry may be exposed to the public internet, increasing the risk of unauthorized access and potential data breaches.",
14
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/private-link/private-link-overview",
12
+ "Description": "**Azure Container Registry** access via **Private Endpoints** (Azure Private Link). Registries with `private endpoint connections` use private IPs; others rely on the public endpoint.",
13
+ "Risk": "Publicly reachable registries expand attack surface for **credential stuffing**, token abuse, and scanning. A compromise enables unauthorized pull/push, causing image **data leakage** and **supply-chain tampering**. Public routing weakens network isolation, impacting the **confidentiality** and **integrity** of images and metadata.",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://learn.microsoft.com/en-us/azure/private-link/private-link-overview",
17
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-vnet",
18
+ "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link"
19
+ ],
15
20
  "Remediation": {
16
21
  "Code": {
17
- "CLI": "az network private-endpoint create --connection-name <ConnectionName> --resource-group <ResourceGroupName> --name <Name> --private-connection-resource-id <RegistryId> --vnet-name <VnetName> --subnet <SubnetName> --group-ids registry",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
22
+ "CLI": "az network private-endpoint create --resource-group <example_resource_name> --name <example_resource_name> --vnet-name <example_resource_name> --subnet <example_resource_name> --private-connection-resource-id <example_resource_id> --group-ids registry --connection-name <example_resource_name>",
23
+ "NativeIaC": "```bicep\n// Create a Private Endpoint to ACR\nresource privateEndpoint 'Microsoft.Network/privateEndpoints@2025-05-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n properties: {\n subnet: {\n id: '<example_subnet_id>'\n }\n privateLinkServiceConnections: [\n {\n name: '<example_resource_name>'\n properties: {\n privateLinkServiceId: '<example_resource_id>' // Critical: ACR resource ID to connect\n groupIds: ['registry'] // Critical: Target the 'registry' subresource to enable Private Link\n }\n }\n ]\n }\n}\n```",
24
+ "Other": "1. In Azure Portal, go to Container registries > select your registry\n2. Navigate to Settings > Networking > Private endpoints tab\n3. Click + Private endpoint, enter a name, select your VNet and Subnet\n4. Set Resource type to Microsoft.ContainerRegistry/registries and Target subresource to registry\n5. Click Review + create, then Create",
25
+ "Terraform": "```hcl\nresource \"azurerm_private_endpoint\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<location>\"\n resource_group_name = \"<example_resource_name>\"\n subnet_id = \"<example_subnet_id>\"\n\n private_service_connection {\n name = \"<example_resource_name>\"\n private_connection_resource_id = \"<example_resource_id>\" # Critical: ACR resource ID\n subresource_names = [\"registry\"] # Critical: Target 'registry' subresource to enable Private Link\n }\n}\n```"
21
26
  },
22
27
  "Recommendation": {
23
- "Text": "Create a private link for Azure Container Registry through the Azure Portal: 1. Navigate to your Container Registry. 2. In the settings, select 'Networking'. 3. Select 'Private access'. 4. Configure a private endpoint for the registry.",
24
- "Url": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link"
28
+ "Text": "Use **Private Link** with **private endpoints** and set `Public network access: Disabled`.\n- Restrict access to trusted VNets/subnets\n- Prefer private endpoints over service endpoints\n- Enforce **least privilege** on registry actions\n- Configure private DNS for the registry FQDN\n- Monitor access logs for **defense in depth**",
29
+ "Url": "https://hub.prowler.com/check/containerregistry_uses_private_link"
25
30
  }
26
31
  },
27
- "Categories": [],
32
+ "Categories": [
33
+ "internet-exposed",
34
+ "trust-boundaries"
35
+ ],
28
36
  "DependsOn": [],
29
37
  "RelatedTo": [],
30
38
  "Notes": "This feature is only available for Premium SKU registries."
@@ -1,30 +1,38 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "cosmosdb_account_firewall_use_selected_networks",
4
- "CheckTitle": "Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks",
4
+ "CheckTitle": "Cosmos DB account firewall allows access only from selected networks",
5
5
  "CheckType": [],
6
6
  "ServiceName": "cosmosdb",
7
7
  "SubServiceName": "",
8
8
  "ResourceIdTemplate": "",
9
9
  "Severity": "medium",
10
- "ResourceType": "CosmosDB",
10
+ "ResourceType": "microsoft.documentdb/databaseaccounts",
11
11
  "ResourceGroup": "database",
12
- "Description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.",
13
- "Risk": "Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.",
14
- "RelatedUrl": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints",
12
+ "Description": "**Azure Cosmos DB accounts** limit connectivity to **selected networks** using virtual network rules and/or IP allowlists rather than permitting access from all networks.\n\nThe evaluation determines whether the account's network firewall enforces this restriction.",
13
+ "Risk": "Access from all networks enlarges the attack surface. If keys or tokens are exposed or privileges are misconfigured, attackers anywhere can read or modify data, harming **confidentiality** and **integrity**.\n\nWeak segmentation also enables SSRF/pivot paths from Azure services and can impact **availability** through abuse.",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint",
17
+ "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall",
18
+ "https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal"
19
+ ],
15
20
  "Remediation": {
16
21
  "Code": {
17
- "CLI": "az cosmosdb database list / az cosmosdb show <database id> **isVirtualNetworkFilterEnabled should be set to true**",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
22
+ "CLI": "az cosmosdb network-rule add -g <RESOURCE_GROUP> -n <ACCOUNT_NAME> --subnet <example_resource_id>",
23
+ "NativeIaC": "```bicep\n// Enable selected networks only by turning on VNet filter and adding one allowed subnet\nresource cosmos 'Microsoft.DocumentDB/databaseAccounts@2025-10-15' = {\n name: '<example_resource_name>'\n location: '<LOCATION>'\n properties: {\n databaseAccountOfferType: 'Standard'\n locations: [{ locationName: '<LOCATION>'; failoverPriority: 0 }]\n isVirtualNetworkFilterEnabled: true // CRITICAL: Enables VNet firewall (selected networks only)\n virtualNetworkRules: [\n {\n id: '<example_resource_id>' // CRITICAL: Subnet resource ID allowed to access the account\n }\n ]\n }\n}\n```",
24
+ "Other": "1. In Azure Portal, open your Cosmos DB account\n2. Go to Settings > Networking\n3. Select Selected networks\n4. Click Add existing virtual network, choose the VNet and Subnet, then click Enable and Add\n5. Click Save",
25
+ "Terraform": "```hcl\n# Enable Cosmos DB VNet firewall and allow a specific subnet\nresource \"azurerm_cosmosdb_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = azurerm_resource_group.<example_resource_name>.location\n resource_group_name = azurerm_resource_group.<example_resource_name>.name\n offer_type = \"Standard\"\n kind = \"GlobalDocumentDB\"\n\n consistency_policy { consistency_level = \"Session\" }\n geo_location { location = azurerm_resource_group.<example_resource_name>.location failover_priority = 0 }\n\n is_virtual_network_filter_enabled = true # CRITICAL: Enforces selected networks only\n virtual_network_rule {\n id = \"<example_resource_id>\" # CRITICAL: Subnet resource ID allowed to access the account\n }\n}\n```"
21
26
  },
22
27
  "Recommendation": {
23
- "Text": "1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select a Cosmos DB account to audit. 4. Select Networking. 5. Under Public network access, select Selected networks. 6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network. 7. For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create. 8. Click Save.",
24
- "Url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal"
28
+ "Text": "Set network access to `Selected networks` with **least privilege**:\n- Prefer **private endpoints** or VNet service endpoints with subnet ACLs\n- Keep IP allowlists minimal; avoid `0.0.0.0`\n- *When feasible*, set `publicNetworkAccess=Disabled` with Private Link\n- Apply **defense in depth** and monitor access and firewall changes",
29
+ "Url": "https://hub.prowler.com/check/cosmosdb_account_firewall_use_selected_networks"
25
30
  }
26
31
  },
27
- "Categories": [],
32
+ "Categories": [
33
+ "internet-exposed",
34
+ "trust-boundaries"
35
+ ],
28
36
  "DependsOn": [],
29
37
  "RelatedTo": [],
30
38
  "Notes": "Failure to whitelist the correct networks will result in a connection loss."
@@ -1,30 +1,36 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "cosmosdb_account_use_aad_and_rbac",
4
- "CheckTitle": "Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible.",
4
+ "CheckTitle": "Cosmos DB account has local authentication disabled and uses Azure AD authentication with Azure RBAC",
5
5
  "CheckType": [],
6
6
  "ServiceName": "cosmosdb",
7
7
  "SubServiceName": "",
8
8
  "ResourceIdTemplate": "",
9
- "Severity": "medium",
10
- "ResourceType": "CosmosDB",
9
+ "Severity": "high",
10
+ "ResourceType": "microsoft.documentdb/databaseaccounts",
11
11
  "ResourceGroup": "database",
12
- "Description": "Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.",
13
- "Risk": "AAD client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. AAD does not require this.",
14
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control",
12
+ "Description": "**Azure Cosmos DB accounts** configured to use **Microsoft Entra ID** with **Azure RBAC** by disabling key-based credentials (`disableLocalAuth=true`). Clients authenticate with identities rather than account keys.",
13
+ "Risk": "With local/key-based auth enabled, **long-lived account keys** can be leaked or shared, enabling unauthorized reads/writes and tampering. Access bypasses **MFA** and granular **RBAC**, hindering rotation/revocation and increasing persistence and lateral movement risks.",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-connect-role-based-access-control?pivots=azure-cli"
17
+ ],
15
18
  "Remediation": {
16
19
  "Code": {
17
- "CLI": "",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
20
+ "CLI": "az resource update --resource-group <RESOURCE_GROUP> --name <COSMOS_ACCOUNT_NAME> --resource-type Microsoft.DocumentDB/databaseAccounts --set properties.disableLocalAuth=true",
21
+ "NativeIaC": "```bicep\n// Bicep: Disable local (key-based) auth on a Cosmos DB account\nresource account 'Microsoft.DocumentDB/databaseAccounts@2025-10-15' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n kind: 'GlobalDocumentDB'\n properties: {\n databaseAccountOfferType: 'Standard'\n locations: [{ locationName: resourceGroup().location }]\n disableLocalAuth: true // Critical: Disables key-based auth to enforce Entra ID + Azure RBAC\n }\n}\n```",
22
+ "Other": "1. Sign in to the Azure portal and open your Cosmos DB account\n2. In the left menu, select Keys\n3. Turn on Disable key-based authentication (Disable local authentication)\n4. Click Save",
23
+ "Terraform": "```hcl\n# Terraform: Disable local (key-based) auth on a Cosmos DB account\nresource \"azurerm_cosmosdb_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n offer_type = \"Standard\"\n kind = \"GlobalDocumentDB\"\n\n geo_location {\n location = \"<example_resource_name>\"\n failover_priority = 0\n }\n\n local_authentication_disabled = true # Critical: Disables key-based auth to enforce Entra ID + RBAC\n}\n```"
21
24
  },
22
25
  "Recommendation": {
23
- "Text": "Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens. Create an Azure Active Directory (AAD) identity for each of these resources: For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities. For non-Azure resources, create an AAD identity. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step. You can use the az resource update powershell command: $cosmosdbname = 'cosmos-db-account-name' $resourcegroup = 'resource-group-name' $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest- include-preview",
24
- "Url": "https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control"
26
+ "Text": "Disable local authentication by setting `disableLocalAuth=true` and require **Entra ID + Azure RBAC** for control and data access. Use **managed identities**, apply **least privilege** roles, retire shared keys, and enforce **zero trust** with conditional access and short-lived credentials.",
27
+ "Url": "https://hub.prowler.com/check/cosmosdb_account_use_aad_and_rbac"
25
28
  }
26
29
  },
27
- "Categories": [],
30
+ "Categories": [
31
+ "identity-access",
32
+ "secrets"
33
+ ],
28
34
  "DependsOn": [],
29
35
  "RelatedTo": [],
30
36
  "Notes": ""
@@ -1,30 +1,37 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "cosmosdb_account_use_private_endpoints",
4
- "CheckTitle": "Ensure That Private Endpoints Are Used Where Possible",
4
+ "CheckTitle": "Cosmos DB account uses private endpoint connections",
5
5
  "CheckType": [],
6
6
  "ServiceName": "cosmosdb",
7
7
  "SubServiceName": "",
8
8
  "ResourceIdTemplate": "",
9
- "Severity": "medium",
10
- "ResourceType": "CosmosDB",
9
+ "Severity": "high",
10
+ "ResourceType": "microsoft.documentdb/databaseaccounts",
11
11
  "ResourceGroup": "database",
12
- "Description": "Private endpoints limit network traffic to approved sources.",
13
- "Risk": "For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.",
14
- "RelatedUrl": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints",
12
+ "Description": "**Azure Cosmos DB accounts** are assessed for **private endpoint connections** that keep data-plane traffic on private IPs within authorized virtual networks.",
13
+ "Risk": "Without **private endpoints**, access may use public endpoints or broad IP rules, enabling:\n- interception and credential replay\n- unauthorized queries and data exfiltration\n- lateral movement via exposed paths\n\nThis degrades **confidentiality** and can impact **availability** under abusive traffic.",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints?tabs=arm-bicep",
17
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/CosmosDB/use-private-endpoints.html"
18
+ ],
15
19
  "Remediation": {
16
20
  "Code": {
17
- "CLI": "",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
21
+ "CLI": "az network private-endpoint create --name <example_resource_name> --resource-group <example_resource_name> --vnet-name <example_resource_name> --subnet <example_resource_name> --private-connection-resource-id /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<example_resource_name>/providers/Microsoft.DocumentDB/databaseAccounts/<example_resource_name> --group-ids Sql --connection-name <example_resource_name>",
22
+ "NativeIaC": "```bicep\n// Create a Private Endpoint to a Cosmos DB account (adds a private endpoint connection)\nresource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n properties: {\n subnet: { id: '<example_subnet_id>' }\n privateLinkServiceConnections: [\n {\n name: 'conn'\n properties: {\n privateLinkServiceId: '<example_cosmosdb_account_id>' // CRITICAL: attaches PE to the Cosmos DB account\n groupIds: ['Sql'] // CRITICAL: targets Cosmos DB NoSQL subresource so the connection is created\n }\n }\n ]\n }\n}\n```",
23
+ "Other": "1. In Azure Portal, open your Cosmos DB account\n2. Go to Networking > Private access\n3. Click + Private endpoint\n4. Resource type: Microsoft.AzureCosmosDB/databaseAccounts; Resource: select your account; Target subresource: Sql\n5. Select your Virtual network and Subnet\n6. Click Review + create, then Create\n7. Verify the private endpoint connection appears under Networking > Private access",
24
+ "Terraform": "```hcl\n# Create a Private Endpoint to a Cosmos DB account (adds a private endpoint connection)\nresource \"azurerm_private_endpoint\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<location>\"\n resource_group_name = \"<example_resource_name>\"\n subnet_id = \"<example_subnet_id>\"\n\n private_service_connection {\n name = \"<example_resource_name>\"\n private_connection_resource_id = \"<example_cosmosdb_account_id>\" # CRITICAL: Cosmos DB account ID\n subresource_names = [\"Sql\"] # CRITICAL: targets Cosmos DB subresource to create the connection\n }\n}\n```"
21
25
  },
22
26
  "Recommendation": {
23
- "Text": "1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select the Azure Cosmos DB account. 4. Select Networking. 5. Select Private access. 6. Click + Private Endpoint. 7. Provide a Name. 8. Click Next. 9. From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts. 10. From the Resource drop down, select the Cosmos DB account. 11. Click Next. 12. Provide appropriate Virtual Network details. 13. Click Next. 14. Provide appropriate DNS details. 15. Click Next. 16. Optionally provide Tags. 17. Click Next : Review + create. 18. Click Create.",
24
- "Url": "https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal"
27
+ "Text": "Adopt **Azure Private Link** for Cosmos DB:\n- Create private endpoints for required subresources\n- Link a private DNS zone so clients resolve to private IPs\n- Set `PublicNetworkAccess=Disabled`; keep tight firewall rules\n- Allow only needed VNets/subnets; apply NSGs\n- Enforce least privilege and monitor access patterns",
28
+ "Url": "https://hub.prowler.com/check/cosmosdb_account_use_private_endpoints"
25
29
  }
26
30
  },
27
- "Categories": [],
31
+ "Categories": [
32
+ "internet-exposed",
33
+ "trust-boundaries"
34
+ ],
28
35
  "DependsOn": [],
29
36
  "RelatedTo": [],
30
37
  "Notes": "Only whitelisted services will have access to communicate with the Cosmos DB."
@@ -1,30 +1,36 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "databricks_workspace_cmk_encryption_enabled",
4
- "CheckTitle": "Ensure Azure Databricks workspaces use customer-managed keys (CMK) for encryption at rest",
4
+ "CheckTitle": "Databricks workspace uses a customer-managed key (CMK) for encryption at rest",
5
5
  "CheckType": [],
6
6
  "ServiceName": "databricks",
7
- "SubServiceName": "workspace",
8
- "ResourceIdTemplate": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Databricks/workspaces/{workspaceName}",
7
+ "SubServiceName": "",
8
+ "ResourceIdTemplate": "",
9
9
  "Severity": "high",
10
- "ResourceType": "AzureDatabricksWorkspace",
10
+ "ResourceType": "microsoft.databricks/workspaces",
11
11
  "ResourceGroup": "ai_ml",
12
- "Description": "Checks whether Azure Databricks workspaces are configured to use customer-managed keys (CMK) for encryption at rest, providing greater control over data encryption and compliance.",
13
- "Risk": "Without CMK, organizations have less control over encryption keys, which may impact regulatory compliance and increase risk of unauthorized data access.",
14
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/databricks/security/keys/customer-managed-keys",
12
+ "Description": "**Azure Databricks workspaces** are evaluated for use of **customer-managed keys** (`CMK`) on at-rest encryption, based on the workspace's managed disk encryption configuration.",
13
+ "Risk": "Without **CMK**, keys are provider-controlled, degrading **confidentiality** and incident response.\n- Slower revoke/rotate during breaches\n- Weaker **separation of duties** and audit trails\n- Larger blast radius if storage or control plane is compromised",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Databricks/enable-encryption-with-cmk.html",
17
+ "https://learn.microsoft.com/en-us/azure/databricks/security/keys/customer-managed-keys"
18
+ ],
15
19
  "Remediation": {
16
20
  "Code": {
17
- "CLI": "az databricks workspace update --name <databricks-workspace-name> --resource-group <resource-group-name> --prepare-encryption && databricks workspace update --name <databricks-workspace-name> --resource-group <resource-group-name> --key-source 'Microsoft.KeyVault' --key-name <key-name> --key-vault <key-vault-uri> --key-version <key-version>",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
21
+ "CLI": "az databricks workspace update --name <workspace_name> --resource-group <resource_group_name> --key-source Microsoft.Keyvault --key-name <key_name> --key-vault https://<key_vault_name>.vault.azure.net/ --key-version <key_version>",
22
+ "NativeIaC": "```bicep\nresource ws 'Microsoft.Databricks/workspaces@2023-02-01' = {\n name: '<example_resource_name>'\n location: '<region>'\n sku: {\n name: 'premium'\n }\n properties: {\n encryption: {\n keySource: 'Microsoft.Keyvault' // CRITICAL: enables CMK from Key Vault\n managedDiskKeyVaultProperties: { // CRITICAL: sets CMK for managed disks (encryption at rest)\n keyVaultUri: 'https://<key_vault_name>.vault.azure.net/'\n keyName: '<key_name>'\n keyVersion: '<key_version>'\n }\n }\n }\n}\n```",
23
+ "Other": "1. In Azure Portal, go to your Databricks workspace\n2. Select Settings > Encryption (or Customer-managed keys)\n3. If prompted, click Prepare encryption and wait for completion\n4. Set Key source to Microsoft Key Vault\n5. Select the Key Vault key and specific key version for managed disks\n6. Save to apply customer-managed key encryption",
24
+ "Terraform": "```hcl\nresource \"azurerm_databricks_workspace\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<region>\"\n sku = \"premium\"\n\n customer_managed_key_enabled = true # CRITICAL: enable CMK\n managed_disk_cmk_key_vault_key_id = \"<example_resource_id>\" # CRITICAL: key ID (Key Vault key) for managed disks\n}\n```"
21
25
  },
22
26
  "Recommendation": {
23
- "Text": "Enable customer-managed keys (CMK) for Databricks workspaces using Azure Key Vault to enhance control over data encryption, auditing, and compliance.",
24
- "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Databricks/enable-encryption-with-cmk.html"
27
+ "Text": "Enable `CMK` for workspace encryption via **Key Vault** or **Managed HSM** and enforce:\n- Least privilege for key usage\n- Regular rotation and retire old versions\n- Audit logging and alerts on key ops\n- Separation of duties for key vs data roles\n- Deny-by-default policies limiting scope",
28
+ "Url": "https://hub.prowler.com/check/databricks_workspace_cmk_encryption_enabled"
25
29
  }
26
30
  },
27
- "Categories": [],
31
+ "Categories": [
32
+ "encryption"
33
+ ],
28
34
  "DependsOn": [],
29
35
  "RelatedTo": [],
30
36
  "Notes": "Customer-managed key (CMK) encryption is only available for Databricks workspaces on the Premium tier."
@@ -1,30 +1,36 @@
1
1
  {
2
2
  "Provider": "azure",
3
3
  "CheckID": "databricks_workspace_vnet_injection_enabled",
4
- "CheckTitle": "Ensure Azure Databricks workspaces are deployed in a customer-managed VNet (VNet Injection)",
4
+ "CheckTitle": "Databricks workspace is deployed in a customer-managed VNet (VNet Injection enabled)",
5
5
  "CheckType": [],
6
6
  "ServiceName": "databricks",
7
7
  "SubServiceName": "",
8
- "ResourceIdTemplate": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Databricks/workspaces/{workspaceName}",
9
- "Severity": "medium",
10
- "ResourceType": "AzureDatabricksWorkspace",
8
+ "ResourceIdTemplate": "",
9
+ "Severity": "high",
10
+ "ResourceType": "microsoft.databricks/workspaces",
11
11
  "ResourceGroup": "ai_ml",
12
- "Description": "Checks whether Azure Databricks workspaces are deployed in a customer-managed Virtual Network (VNet Injection) instead of a Databricks-managed VNet.",
13
- "Risk": "Using a Databricks-managed VNet limits control over network security policies, firewall configurations, and routing, increasing the risk of unauthorized access or data exfiltration.",
14
- "RelatedUrl": "https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject",
12
+ "Description": "**Azure Databricks workspaces** using **VNet injection** are placed in a customer-managed VNet rather than a Databricks-managed network. This evaluates whether a workspace is linked to a customer VNet.",
13
+ "Risk": "Using a Databricks-managed VNet limits control over routing, egress, and access boundaries, degrading **confidentiality** and **integrity**.\n- Unrestricted outbound paths enable **data exfiltration**\n- Harder to enforce **private endpoints** and NSG policies\n- Increased chance of **lateral movement** into compute nodes",
14
+ "RelatedUrl": "",
15
+ "AdditionalURLs": [
16
+ "https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject",
17
+ "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Databricks/check-for-vnet-injection.html"
18
+ ],
15
19
  "Remediation": {
16
20
  "Code": {
17
- "CLI": "az databricks workspace create --name <databricks-workspace-name> --resource-group <resource-group-name> --location <region> --managed-resource-group <managed-rg-name> --enable-no-public-ip true --network-security-group-rule \"NoAzureServices\" --public-network-access Disabled --custom-virtual-network-id /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>",
18
- "NativeIaC": "",
19
- "Other": "",
20
- "Terraform": ""
21
+ "CLI": "az databricks workspace create --name <workspace_name> --resource-group <resource_group_name> --location <region> --sku premium --vnet /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/virtualNetworks/<vnet_name> --public-subnet <public_subnet_name> --private-subnet <private_subnet_name>",
22
+ "NativeIaC": "```bicep\n// Azure Databricks workspace with VNet injection enabled\nresource databricks 'Microsoft.Databricks/workspaces@2023-02-01-preview' = {\n name: '<example_resource_name>'\n location: '<region>'\n sku: { name: 'premium' }\n properties: {\n managedResourceGroupId: '/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>'\n parameters: {\n customVirtualNetworkId: { // CRITICAL: Enables VNet injection by attaching your VNet\n value: '/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Network/virtualNetworks/<example_resource_name>'\n }\n customPublicSubnetName: { value: '<example_resource_name>-public' } // Required: host (public) subnet name\n customPrivateSubnetName: { value: '<example_resource_name>-private' } // Required: container (private) subnet name\n }\n }\n}\n```",
23
+ "Other": "1. In the Azure Portal, go to Create a resource > Azure Databricks\n2. On Basics, enter workspace name, region, and resource group\n3. Open the Networking tab and select Your VNet (VNet injection)\n4. Choose your Virtual network and select the Host (public) and Container (private) subnets\n5. Click Review + create, then Create\n6. Migrate workloads to this workspace and delete the non-VNet workspace if no longer needed",
24
+ "Terraform": "```hcl\n# Azure Databricks workspace with VNet injection\nresource \"azurerm_databricks_workspace\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<region>\"\n sku = \"premium\"\n\n custom_parameters {\n virtual_network_id = \"/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Network/virtualNetworks/<example_resource_name>\" # CRITICAL: Enables VNet injection by using your VNet\n public_subnet_name = \"<example_resource_name>-public\" # Required: host (public) subnet\n private_subnet_name = \"<example_resource_name>-private\" # Required: container (private) subnet\n }\n}\n```"
21
25
  },
22
26
  "Recommendation": {
23
- "Text": "Deploy Databricks workspaces into a customer-managed VNet to ensure better control over network security and compliance.",
24
- "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Databricks/check-for-vnet-injection.html"
27
+ "Text": "Deploy workspaces in a customer-managed VNet and apply **defense in depth**:\n- Enforce egress control with firewalls/NAT and UDRs\n- Prefer **private endpoints** to public access\n- Apply **least privilege** NSG rules and segregate subnets\n- Use DNS controls and monitoring to detect anomalies",
28
+ "Url": "https://hub.prowler.com/check/databricks_workspace_vnet_injection_enabled"
25
29
  }
26
30
  },
27
- "Categories": [],
31
+ "Categories": [
32
+ "trust-boundaries"
33
+ ],
28
34
  "DependsOn": [],
29
35
  "RelatedTo": [],
30
36
  "Notes": ""
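Review bot: The new Bicep remediation snippet pins a preview API version, `Microsoft.Databricks/workspaces@2023-02-01-preview`, while the CMK check's snippet earlier in this diff uses the GA `Microsoft.Databricks/workspaces@2023-02-01`; the `customVirtualNetworkId` and subnet-name parameters it sets are not preview-only, so the GA version would be the safer example to hand to users and would keep the two checks consistent. The rewritten CLI command also drops the `--enable-no-public-ip true` and `--public-network-access Disabled` flags the removed command carried; those are separate controls from VNet injection, but since the new Recommendation text asks for private endpoints and egress control, a short note that secure cluster connectivity is configured separately would avoid readers assuming the command alone delivers the recommended posture. Finally, `ResourceIdTemplate` went from a full ARM path to `""`, which looks like a deliberate convention change rather than an omission, but it is worth confirming against the other Azure metadata files in this release.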