PyPI - prowler-cloud - Versions diffs - 5.17.1__py3-none-any.whl → 5.18.1__py3-none-any.whl - Mend

prowler-cloud 5.17.1py3-none-any.whl → 5.18.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (219) hide show

prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.metadata.json CHANGED Viewed

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_vulnerability_assessment_enabled",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account",
+  "CheckTitle": "SQL server has vulnerability assessment enabled with storage container configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.",
-  "Risk": "The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "Description": "**Azure SQL Server** has **Vulnerability Assessment** configured with a defined location to persist assessment reports and scan results",
+  "Risk": "Without **Vulnerability Assessment**, misconfigurations and excessive permissions can go unnoticed.\n\nAdversaries may exploit weak server or database settings to escalate privileges, exfiltrate data, or alter records, degrading confidentiality and integrity.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/vulnerability-assessment-sql-servers.html#",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName resource_group_name -ServerName Server_Name -StorageAccountName Storage_Name_from_same_subscription_and_same_Location -ScanResultsContainerName vulnerability-assessment -RecurringScansInterval Weekly -EmailSubscriptionAdmins $true -NotificationEmail @('mail1@mail.com' , 'mail2@mail.com')",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/vulnerability-assessment-sql-servers.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-vulnerability-assessment-va-is-enabled-on-a-sql-server-by-setting-a-storage-account"
+      "CLI": "Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName <RESOURCE_GROUP> -ServerName <SERVER_NAME> -StorageAccountName <STORAGE_ACCOUNT_NAME> -ScanResultsContainerName <CONTAINER_NAME>",
+      "NativeIaC": "```bicep\n// Configure VA (classic) at the SQL Server level\nresource sqlServerVA 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01' = {\n  name: '<example_resource_name>/default'\n  properties: {\n    storageContainerPath: 'https://<example_resource_name>.blob.core.windows.net/<example_resource_name>' // CRITICAL: sets the storage container path to enable VA\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers and open <SERVER_NAME>\n2. Under Security, select Microsoft Defender for SQL (or Defender for Cloud > Microsoft Defender for SQL)\n3. In Vulnerability assessment settings, click Configure\n4. Select the Storage account and the target Container\n5. Save\n\nVerification: Open the server's Vulnerability assessment blade and confirm a storage container is shown.",
+      "Terraform": "```hcl\n# Enable server security alert policy (required by VA)\nresource \"azurerm_mssql_server_security_alert_policy\" \"<example_resource_name>\" {\n  resource_group_name = \"<example_resource_name>\"\n  server_name         = \"<example_resource_name>\"\n  state               = \"Enabled\"\n}\n\n# Configure VA (classic) with storage container\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.<example_resource_name>.id\n  storage_container_path          = \"https://<example_resource_name>.blob.core.windows.net/<example_resource_name>\" # CRITICAL: sets storage container path so the check passes\n  storage_account_access_key      = \"<example_resource_name>\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. Select a server instance 3. Click on Security Center 4. Select Configure next to Enabled at subscription-level 5. In Section Vulnerability Assessment Settings, Click Select Storage account 6. Choose Storage Account (Existing or Create New). Click Ok 7. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable and standardize **Vulnerability Assessment** across SQL servers and databases, retaining scan results in a secure repository. Run scans routinely, review findings, set `baselines`, and remediate promptly. Apply **least privilege** to report access and integrate results into change management for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/sqlserver_vulnerability_assessment_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server."

prowler/providers/azure/services/storage/storage_account_key_access_disabled/storage_account_key_access_disabled.metadata.json CHANGED Viewed

@@ -1,31 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "storage_account_key_access_disabled",
-  "CheckTitle": "Ensure allow storage account key access is disabled",
+  "CheckTitle": "Storage account has shared key access disabled",
   "CheckType": [],
   "ServiceName": "storage",
-  "SubServiceName": "account",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensures that access to Azure Storage Accounts using account keys is disabled, enforcing the use of Microsoft Entra ID (formerly Azure AD) for authentication.",
-  "Risk": "Using Shared Key authorization poses a security risk due to the high privileges associated with storage account keys and the difficulty in auditing such access. Disabling Shared Key access helps enforce identity-based authentication via Microsoft Entra ID, enhancing security and traceability.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent",
+  "Description": "**Azure Storage accounts** are evaluated for whether **Shared Key (account key) authorization** is disabled, requiring identity-based access via **Microsoft Entra ID** and RBAC.",
+  "Risk": "Allowing **Shared Key** undermines **confidentiality, integrity, and availability**:\n- A leaked key grants broad read/write/delete across the account\n- Access bypasses **RBAC** and Conditional Access, reducing accountability\n- Activity is hard to attribute, easing data exfiltration and tampering",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-shared-key-authorization.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group> --allow-shared-key-access false",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-shared-key-authorization.html",
-      "Terraform": ""
+      "NativeIaC": "```bicep\n// Storage account with Shared Key access disabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  kind: 'StorageV2'\n  sku: { name: 'Standard_LRS' }\n  properties: {\n    allowSharedKeyAccess: false // Critical: disallows Shared Key authorization to pass the check\n  }\n}\n```",
+      "Other": "1. In the Azure portal, open the target Storage account\n2. Go to Settings > Configuration\n3. Set \"Allow storage account key access\" to \"Disabled\"\n4. Click Save",
+      "Terraform": "```hcl\nresource \"azurerm_storage_account\" \"main\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_resource_name>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  shared_access_key_enabled = false # Critical: disables Shared Key authorization to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Disable Shared Key authorization on storage accounts to enforce the use of Microsoft Entra ID for secure, auditable access.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent"
+      "Text": "Disallow **Shared Key** and require **Microsoft Entra ID** with least-privilege RBAC for all data access.\n- Prefer user delegation SAS over account/service SAS\n- Apply Conditional Access and separation of duties\n- Monitor and phase out key-based clients; rotate and revoke unused keys",
+      "Url": "https://hub.prowler.com/check/storage_account_key_access_disabled"
     }
   },
   "Categories": [
-    "e3"
+    "identity-access",
+    "secrets"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.metadata.json CHANGED Viewed

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "storage_blob_public_access_level_is_disabled",
-  "CheckTitle": "Ensure that the 'Public access level' is set to 'Private (no anonymous access)' for all blob containers in your storage account",
+  "CheckTitle": "Storage account has 'Allow blob public access' disabled",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "Severity": "high",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that the 'Public access level' configuration setting is set to 'Private (no anonymous access)' for all blob containers in your storage account in order to block anonymous access to these Microsoft Azure resources.",
-  "Risk": "A user that accesses blob containers anonymously can use constructors that do not require credentials such as shared access signatures.",
+  "Description": "**Azure Storage accounts** with **blob public access** disabled prevent containers or blobs from being set to a public access level. Setting `allow blob public access` to `false` enforces no anonymous reads across the account.",
+  "Risk": "Allowing public access permits unauthenticated users to read blob data or enumerate container contents when any container is made public, compromising confidentiality.\n\nExposed objects can be scraped at scale, enabling data exfiltration and intelligence gathering without audit attribution.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/disable-blob-anonymous-access-for-storage-accounts.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/disable-blob-anonymous-access-for-storage-accounts.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access#terraform"
+      "CLI": "az storage account update -g <RESOURCE_GROUP> -n <STORAGE_ACCOUNT_NAME> --allow-blob-public-access false",
+      "NativeIaC": "```bicep\n// Storage account with blob public access disabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  kind: 'StorageV2'\n  sku: { name: 'Standard_LRS' }\n  properties: {\n    allowBlobPublicAccess: false // Critical: disables anonymous/public blob access at the account\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Storage accounts and select the target account\n2. Under Settings, open Configuration\n3. Set \"Allow Blob public access\" to Disabled\n4. Click Save",
+      "Terraform": "```hcl\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n  allow_blob_public_access = false # Critical: disables anonymous/public blob access\n}\n```"
     },
     "Recommendation": {
-      "Text": "Set 'Public access level' configuration setting to 'Private (no anonymous access)'",
-      "Url": ""
+      "Text": "Disable **blob public access** at the account and enforce authenticated access based on **least privilege**. Prefer **private endpoints** or restricted networks, use short-lived `SAS` or federated identities, and apply **RBAC** with container-level permissions. Monitor access and review exposure regularly.",
+      "Url": "https://hub.prowler.com/check/storage_blob_public_access_level_is_disabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/storage/storage_blob_versioning_is_enabled/storage_blob_versioning_is_enabled.metadata.json CHANGED Viewed

@@ -1,30 +1,38 @@
 {
   "Provider": "azure",
   "CheckID": "storage_blob_versioning_is_enabled",
-  "CheckTitle": "Ensure Blob Versioning is Enabled on Azure Blob Storage Accounts",
+  "CheckTitle": "Storage account has blob versioning enabled",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that blob versioning is enabled on Azure Blob Storage accounts to automatically retain previous versions of objects.",
-  "Risk": "Without blob versioning, accidental or malicious changes to blobs cannot be easily recovered, leading to potential data loss.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable",
+  "Description": "**Azure Storage accounts** have **blob versioning** enabled (`IsVersioningEnabled`) to automatically retain previous versions of blobs created by updates or deletes",
+  "Risk": "Without **blob versioning**:\n- **Integrity**: overwrites can't be reverted\n- **Availability**: deletes or ransomware remove usable copies\n- **Forensics**: no immutable history for investigation and scoped recovery\n\nMistakes or compromised identities can cause irreversible object loss and wider impact.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-overview",
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-versioning-for-blobs.html",
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/versions-manage-dotnet"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az storage account blob-service-properties update --resource-group <resource_group> --account-name <storage-account> --enable-versioning true",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-versioning-for-blobs.html",
-      "Terraform": "resource \"azurerm_storage_account\" \"example\" {\n  name                     = \"examplestorageacct\"\n  resource_group_name      = azurerm_resource_group.example.name\n  location                 = azurerm_resource_group.example.location\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  blob_properties {\n    versioning_enabled = true\n  }\n}\n"
+      "NativeIaC": "```bicep\n// Enable blob versioning on an existing storage account\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {\n  name: '<example_resource_name>/default'\n  properties: {\n    isVersioningEnabled: true // Critical: enables blob versioning to pass the check\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Under Data management, select Data protection\n3. In Tracking, set Enable versioning for blobs to Enabled\n4. Click Save",
+      "Terraform": "```hcl\n# Enable blob versioning on a Storage Account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  resource_group_name = \"<example_resource_name>\"\n  location            = \"<example_resource_name>\"\n  sku_name            = \"Standard_LRS\"\n\n  blob_properties {\n    versioning_enabled = true # Critical: enables blob versioning to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable blob versioning for all Azure Storage accounts that store critical or sensitive data.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-enable"
+      "Text": "Enable **blob versioning** for accounts holding critical data. Pair with **blob soft delete** and lifecycle rules to retain and age off versions. Enforce **least privilege** on write and version-delete actions, and monitor access. *For high-churn data*, isolate into separate accounts with tailored retention to balance security and cost.",
+      "Url": "https://hub.prowler.com/check/storage_blob_versioning_is_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/storage/storage_cross_tenant_replication_disabled/storage_cross_tenant_replication_disabled.metadata.json CHANGED Viewed

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "storage_cross_tenant_replication_disabled",
-  "CheckTitle": "Ensure cross-tenant replication is disabled",
+  "CheckTitle": "Storage account has cross-tenant replication disabled",
   "CheckType": [],
   "ServiceName": "storage",
-  "SubServiceName": "account",
+  "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that cross-tenant replication is not enabled on Azure Storage Accounts to prevent unintended replication of data across tenant boundaries.",
-  "Risk": "If cross-tenant replication is enabled, sensitive data could be inadvertently replicated across tenants, increasing the risk of data leakage, unauthorized access, or non-compliance with data governance and privacy policies.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal",
+  "Description": "**Azure Storage accounts** are assessed for whether **cross-tenant object replication** is disallowed via `AllowCrossTenantReplication=false`, limiting replication policies to the same tenant.",
+  "Risk": "Permitting cross-tenant replication can copy sensitive blobs into external tenants, undermining **confidentiality**. A compromised or mismanaged destination enables **data exfiltration**; mirrored updates/deletes can impact **integrity** and retention, complicating auditability and incident response.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-cross-tenant-replication.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group> --default-to-oauth-authentication true --allow-cross-tenant-replication false",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/disable-cross-tenant-replication.html",
-      "Terraform": ""
+      "CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group> --allow-cross-tenant-replication false",
+      "NativeIaC": "```bicep\n// Disables cross-tenant replication on the storage account\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  sku: {\n    name: 'Standard_LRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    allowCrossTenantReplication: false // Critical: disallow cross-tenant object replication\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Under Data management, select Object replication\n3. Click Advanced settings\n4. Uncheck Allow cross-tenant replication\n5. Click OK/Save\n6. If the option is unavailable, delete any existing cross-tenant object replication policies first, then retry",
+      "Terraform": "```hcl\nresource \"azurerm_storage_account\" \"main\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_resource_name>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  cross_tenant_replication_enabled = false # Critical: disallow cross-tenant object replication\n}\n```"
     },
     "Recommendation": {
-      "Text": "Disable Cross Tenant Replication on storage accounts to ensure that data remains within tenant boundaries unless explicitly shared, reducing the risk of data leakage and unauthorized access.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal"
+      "Text": "Enforce `AllowCrossTenantReplication=false` and keep replication within the same tenant. Apply **least privilege** and **separation of duties** for replication management, backed by **policy-based governance** to prevent drift. *If cross-tenant transfer is required*, use formal data-sharing controls, monitoring, and time-bound approvals.",
+      "Url": "https://hub.prowler.com/check/storage_cross_tenant_replication_disabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "trust-boundaries"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.metadata.json CHANGED Viewed

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "storage_default_network_access_rule_is_denied",
-  "CheckTitle": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny",
+  "CheckTitle": "Storage account default network access rule is set to Deny",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "Severity": "high",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access toselected networks, the default action must be changed.",
-  "Risk": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtualnetworks, allowing a secure network boundary for specific applications to be built.Access can also be granted to public internet IP address ranges to enable connectionsfrom specific internet or on-premises clients. When network rules are configured, onlyapplications from allowed networks can access a storage account. When calling from anallowed network, applications continue to require proper authorization (a valid accesskey or SAS token) to access the storage account.",
+  "Description": "**Azure Storage accounts** configure the **default network access rule** to `Deny`, so the **public endpoint** only accepts traffic from explicitly allowed virtual networks, IP ranges, or private endpoints",
+  "Risk": "With the default action set to `Allow`, the public endpoint is reachable from any network. This removes a network boundary, so **stolen access keys** or leaked **SAS tokens** can be abused from anywhere, enabling **data exfiltration**, tampering, and destructive writes-impacting confidentiality, integrity, and availability.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-set-default-access",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/restrict-default-network-access.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --default-action Deny",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/restrict-default-network-access.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny#terraform"
+      "CLI": "az storage account update --name <STORAGE_ACCOUNT_NAME> --resource-group <RESOURCE_GROUP_NAME> --default-action Deny",
+      "NativeIaC": "```bicep\n// Set default network access to Deny for a Storage Account\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  sku: { name: 'Standard_LRS' }\n  kind: 'StorageV2'\n  properties: {\n    networkAcls: {\n      defaultAction: 'Deny' // Critical: sets default network access to Deny so the check passes\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, open your Storage account\n2. Go to Security + networking > Networking\n3. Under Public network access, select Enable > Enabled from selected virtual networks and IP addresses\n4. Click Save\n\nThis sets the default network access rule to Deny",
+      "Terraform": "```hcl\n# Set default network access to Deny on an existing Storage Account\nresource \"azurerm_storage_account_network_rules\" \"<example_resource_name>\" {\n  storage_account_id = \"<example_resource_id>\"\n  default_action     = \"Deny\" # Critical: sets default network access to Deny so the check passes\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click the Firewalls and virtual networks heading. 4. Ensure that you have elected to allow access from Selected networks 5. Add rules to allow traffic from specific network. 6. Click Save to apply your changes.",
-      "Url": ""
+      "Text": "Set the default network access to `Deny` and permit only required sources: selected VNets, specific IP ranges, or preferably **private endpoints**. Apply **least privilege**, minimize service bypass, and use short-lived, scoped SAS to limit blast radius if credentials leak.",
+      "Url": "https://hub.prowler.com/check/storage_default_network_access_rule_is_denied"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed",
+    "trust-boundaries"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours."

prowler/providers/azure/services/storage/storage_default_to_entra_authorization_enabled/storage_default_to_entra_authorization_enabled.metadata.json CHANGED Viewed

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "storage_default_to_entra_authorization_enabled",
-  "CheckTitle": "Ensure Microsoft Entra authorization is enabled by default for Azure Storage Accounts",
+  "CheckTitle": "Storage account uses Microsoft Entra authorization by default",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "AzureStorageAccount",
+  "Severity": "medium",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that the Azure Storage Account setting 'Default to Microsoft Entra authorization in the Azure portal' is enabled to enforce the use of Microsoft Entra ID for accessing blobs, files, queues, and tables.",
-  "Risk": "If this setting is not enabled, the Azure portal may authorize access using less secure methods such as Shared Key, increasing the risk of unauthorized data access.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory",
+  "Description": "**Azure Storage accounts** with `Default to Microsoft Entra authorization in the Azure portal` use **token-based Microsoft Entra ID (Azure RBAC)** by default to access blobs, files, queues, and tables, rather than account keys",
+  "Risk": "Defaulting to **access keys/Shared Key** enables broad, non-scoped access and weak **auditing**. A stolen key grants full data access, risking **confidentiality** (exfiltration), **integrity** (unauthorized writes/deletes), and **availability** (destructive actions). It can also bypass **least privilege** and enable lateral movement via key reuse.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-microsoft-entra-authorization-by-default.html",
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory",
+    "https://learn.microsoft.com/en-us/azure/storage/files/authorize-data-operations-portal"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group-name> --default-to-AzAd-auth true",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-microsoft-entra-authorization-by-default.html",
-      "Terraform": ""
+      "CLI": "az storage account update -g <resource-group-name> -n <storage-account-name> --set defaultToOAuthAuthentication=true",
+      "NativeIaC": "```bicep\n// Enable Microsoft Entra (Azure AD) authorization by default in the portal\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: '<example_location>'\n  kind: 'StorageV2'\n  sku: {\n    name: 'Standard_LRS'\n  }\n  properties: {\n    defaultToOAuthAuthentication: true // Critical: defaults portal data access to Microsoft Entra authorization\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and select your account\n2. Under Settings, select Configuration\n3. Set \"Default to Microsoft Entra authorization in the Azure portal\" to Enabled\n4. Click Save",
+      "Terraform": "```hcl\n# Enable Microsoft Entra authorization by default for the storage account in the portal\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  default_to_oauth_authentication = true # Critical: defaults portal data access to Microsoft Entra authorization\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Microsoft Entra authorization by default in the Azure portal to enhance security and avoid reliance on Shared Key authentication.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory"
+      "Text": "Enable this setting so the portal uses **Microsoft Entra ID** by default. Apply **least privilege** with Azure RBAC, prefer **managed identities** and user-delegation SAS, and *where feasible* disable Shared Key use. Rotate any existing keys, and monitor access with logs to enforce **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/storage_default_to_entra_authorization_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.metadata.json CHANGED Viewed

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "storage_ensure_azure_services_are_trusted_to_access_is_enabled",
-  "CheckTitle": "Ensure that 'Allow trusted Microsoft services to access this storage account' is enabled for storage accounts",
+  "CheckTitle": "Storage account has 'Allow trusted Microsoft services to access this storage account' enabled",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that 'Allow trusted Microsoft services to access this storage account' is enabled within your Azure Storage account configuration settings to grant access to trusted cloud services.",
-  "Risk": "Not allowing to access storage account by Azure services the following services: Azure Backup, Azure Event Grid, Azure Site Recovery, Azure DevTest Labs, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are not granted access to your storage account",
+  "Description": "**Azure Storage account** network rules include the `AzureServices` bypass so **trusted Microsoft services** can reach the account even when firewalls restrict public access",
+  "Risk": "Without this exception, platform services relying on the account (backup, monitoring, replication) can be blocked, causing failed backups, missing logs, and stalled workflows-affecting **availability** and **integrity**. Teams may over-broaden network access to compensate, increasing **confidentiality** risk.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-trusted-microsoft-services.html",
+    "https://support.icompaas.com/support/solutions/articles/62000219788-ensure-allow-azure-services-on-the-trusted-services-list-to-access-this-storage-account-is-enabled-",
+    "https://learn.microsoft.com/en-us/azure/search/search-indexer-howto-access-trusted-service-exception"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az storage account update --name <StorageAccountName> --resource-group <resourceGroupName> --bypass AzureServices",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-trusted-microsoft-services.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/enable-trusted-microsoft-services-for-storage-account-access#terraform"
+      "NativeIaC": "```bicep\n// Enable trusted Microsoft services on a Storage Account\nresource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: '<location>'\n  kind: 'StorageV2'\n  sku: { name: 'Standard_LRS' }\n  properties: {\n    networkAcls: {\n      bypass: 'AzureServices' // CRITICAL: Allows trusted Microsoft services to bypass network rules\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and select your account\n2. Navigate to Security + networking > Networking\n3. Under Exceptions, check Allow trusted Microsoft services to access this storage account\n4. Click Save",
+      "Terraform": "```hcl\n# Enable trusted Microsoft services on a Storage Account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  network_rules {\n    bypass = [\"AzureServices\"] # CRITICAL: Allows trusted Microsoft services to bypass network rules\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "To allow these Azure services to work as intended and be able to access your storage account resources, you have to add an exception so that the trusted Microsoft Azure services can bypass your network rules",
-      "Url": ""
+      "Text": "Enable the **trusted services** exception (`AzureServices`) for storage accounts used by platform services.\n- Enforce **least privilege** with RBAC and managed identities\n- Keep networks restricted; prefer **private endpoints**\n- Monitor access and review exceptions regularly",
+      "Url": "https://hub.prowler.com/check/storage_ensure_azure_services_are_trusted_to_access_is_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "trust-boundaries"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.metadata.json CHANGED Viewed

@@ -1,27 +1,32 @@
 {
   "Provider": "azure",
   "CheckID": "storage_ensure_encryption_with_customer_managed_keys",
-  "CheckTitle": "Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys",
+  "CheckTitle": "Azure Storage account uses customer-managed keys (CMKs) for encryption",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys",
-  "Risk": "If you want to control and manage storage account contents encryption key yourself you must specify a customer-managed key",
+  "Description": "**Azure Storage accounts** use **customer-managed keys** (`CMK`) from **Key Vault/Managed HSM** for service-side encryption of data at rest, rather than platform-managed keys (`encryption_type`=`Microsoft.Keyvault`).",
+  "Risk": "Without **CMK**, keys are provider-controlled, reducing **confidentiality** and governance.\n- Cannot promptly revoke access during incidents\n- No custom rotation or separation of duties\n- Limited key-use auditing\nThis weakens data sovereignty and hinders effective crypto-shredding.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/cmk-encryption.html",
+    "https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption",
+    "https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/cmk-encryption.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-storage-accounts-use-customer-managed-key-for-encryption#terraform"
+      "CLI": "az storage account update --name <STORAGE_ACCOUNT_NAME> --resource-group <RESOURCE_GROUP> --encryption-key-name <KEY_NAME> --encryption-key-source Microsoft.Keyvault --encryption-key-vault <KEY_VAULT_URI>",
+      "NativeIaC": "```bicep\n// Configure a Storage Account to use Customer-Managed Keys (CMK)\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: '<location>'\n  sku: { name: 'Standard_LRS' }\n  kind: 'StorageV2'\n  identity: {\n    type: 'SystemAssigned' // CRITICAL: required so the storage account can access the key vault\n  }\n  properties: {\n    encryption: {\n      keySource: 'Microsoft.Keyvault' // CRITICAL: switches encryption to CMK (Prowler checks for this)\n      keyVaultProperties: {\n        keyName: '<key_name>' // required key name\n        keyVaultUri: 'https://<example_resource_name>.vault.azure.net/' // required Key Vault URI\n      }\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, open your Storage account\n2. Go to Settings > Encryption (or Security + networking > Encryption)\n3. Select Customer-managed keys\n4. Click Select a key vault and key, choose your Key Vault and key\n5. If prompted, enable System-assigned managed identity and grant the key permissions get, wrapKey, unwrapKey\n6. Click Save",
+      "Terraform": "```hcl\n# Configure a Storage Account to use Customer-Managed Keys (CMK)\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  identity {\n    type = \"SystemAssigned\" # CRITICAL: allow storage account to access Key Vault\n  }\n\n  customer_managed_key {\n    key_vault_key_id = \"<example_resource_id>\" # CRITICAL: Key Vault key ID enabling CMK (passes the check)\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.",
-      "Url": ""
+      "Text": "Adopt **CMK** with keys in Key Vault or Managed HSM. Enforce **least privilege** for the storage identity, regular **key rotation**, and **separation of duties** between key custodians and operators. Audit key usage, enable tamper-resistant key protection (soft-delete/purge protection), and plan for **key revocation/crypto-shredding**.",
+      "Url": "https://hub.prowler.com/check/storage_ensure_encryption_with_customer_managed_keys"
     }
   },
   "Categories": [

prowler/providers/azure/services/storage/storage_ensure_file_shares_soft_delete_is_enabled/storage_ensure_file_shares_soft_delete_is_enabled.metadata.json CHANGED Viewed

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "storage_ensure_file_shares_soft_delete_is_enabled",
-  "CheckTitle": "Ensure soft delete for Azure File Shares is enabled",
+  "CheckTitle": "Storage account has soft delete enabled for file shares",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that soft delete is enabled for Azure File Shares to protect against accidental or malicious deletion of important data. This feature allows deleted file shares to be retained for a specified period, during which they can be recovered before permanent deletion occurs.",
-  "Risk": "Without soft delete enabled, accidental or malicious deletions of file shares result in permanent data loss, making recovery impossible unless a separate backup mechanism is in place.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal",
+  "Description": "**Azure Storage file shares** have **soft delete** with a retention period (`days`). The evaluation determines if the storage account's file service has this setting enabled and records the retention duration applied to all shares.",
+  "Risk": "Without **soft delete**, deletions are irreversible, reducing **availability** and **integrity**. Mistakes or insiders can wipe shares, causing outages, data loss, and lengthy restores. Destructive deletes can magnify ransomware impact and block timely recovery.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete-for-file-shares.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az storage account file-service-properties update --account-name <storage-account-name> --enable-delete-retention true --delete-retention-days <number-of-days>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete-for-file-shares.html",
-      "Terraform": ""
+      "CLI": "az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account-name> --enable-delete-retention true --delete-retention-days 7",
+      "NativeIaC": "```bicep\n// Enable soft delete for file shares on a storage account\nresource sa 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource fileSvc 'Microsoft.Storage/storageAccounts/fileServices@2022-09-01' = {\n  name: 'default'\n  parent: sa\n  properties: {\n    shareDeleteRetentionPolicy: {\n      enabled: true // CRITICAL: turns on soft delete for all file shares in this storage account\n      days: 7       // required retention period\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and open <storage-account-name>\n2. Under Data storage, select File shares\n3. Set Soft delete to Enabled\n4. Set Retention period (days) to 7\n5. Click Save",
+      "Terraform": "```hcl\n# Enable soft delete for Azure File shares on a storage account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_resource_name>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  share_properties {\n    retention_policy {\n      enabled = true  # CRITICAL: enables soft delete for file shares\n      days    = 7     # required retention period\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable soft delete for file shares on your Azure Storage Account to allow recovery of deleted shares within a configured retention period.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal"
+      "Text": "Enable **soft delete** for all Azure file shares and choose a retention window aligned to `RPO/RTO` and data criticality (e.g., `7-90` days). Apply **least privilege** to delete actions, layer **snapshots/backup** for defense in depth, consider **resource locks**, and monitor delete events for misuse.",
+      "Url": "https://hub.prowler.com/check/storage_ensure_file_shares_soft_delete_is_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler-cloud 5.17.1__py3-none-any.whl → 5.18.1__py3-none-any.whl

prowler-cloud 5.17.1py3-none-any.whl → 5.18.1py3-none-any.whl