prowler 5.15.1__py3-none-any.whl → 5.16.1__py3-none-any.whl

prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "kafka_cluster_in_transit_encryption_enabled",
-  "CheckTitle": "Ensure Kafka Cluster Encryption in Transit is Enabled",
+  "CheckTitle": "Kafka cluster has encryption in transit enabled",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "kafka",
-  "SubServiceName": "cluster",
-  "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster",
-  "Severity": "medium",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsMskCluster",
-  "Description": "Kafka clusters should have encryption in transit enabled to protect data as it travels across the network. This ensures that data is encrypted when transmitted between clients and brokers, preventing unauthorized access or data breaches.",
-  "Risk": "If encryption in transit is not enabled, data transmitted over the network could be vulnerable to eavesdropping or man-in-the-middle attacks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html",
+  "Description": "**Amazon MSK clusters** are evaluated for **encryption in transit** on both paths: **clientbroker** set to `TLS` only and **inter-broker** encryption enabled. *Serverless clusters provide this by default*.\n\nThe finding highlights clusters where client-broker traffic isn't `TLS`-only or inter-broker encryption is turned off.",
+  "Risk": "Unencrypted or mixed (`TLS_PLAINTEXT`/`PLAINTEXT`) traffic enables interception of records, credentials, and metadata, supporting **MITM**, replay, and message tampering.\n\nPlaintext inter-broker links expose replication data within the VPC, enabling **lateral movement** and topic poisoning, degrading data **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html",
+    "https://docs.aws.amazon.com/msk/latest/developerguide/msk-working-with-encryption.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/encryption-in-transit-for-msk.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kafka create-cluster --cluster-name <CLUSTER_NAME> --broker-node-group-info <NODE_JSON> --encryption-info <INFO_JSON> --kafka-version <VERSION> --number-of-broker-nodes <NUMBER>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/encryption-in-transit-for-msk.html",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_32/#terraform"
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: MSK cluster with encryption in transit enforced\nResources:\n  <example_resource_name>:\n    Type: AWS::MSK::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      KafkaVersion: <VERSION>\n      NumberOfBrokerNodes: 3\n      BrokerNodeGroupInfo:\n        ClientSubnets:\n          - <example_resource_id>\n          - <example_resource_id>\n        InstanceType: kafka.m5.large\n      EncryptionInfo:\n        EncryptionInTransit:\n          ClientBroker: TLS  # Critical: forces client-to-broker TLS only\n          InCluster: true    # Critical: enables inter-broker encryption\n```",
+      "Other": "1. In the AWS Console, go to Amazon MSK > Clusters and select your cluster\n2. Click Edit (Security)\n3. Under Encryption in transit, set Client-broker to TLS only\n4. Save changes\n5. Verify Inter-broker (in-cluster) encryption is enabled; if it is disabled (immutable), create a new cluster with:\n   - Encryption in transit: Client-broker = TLS only, Inter-broker encryption = Enabled\n   - Migrate clients to the new cluster, then decommission the old one",
+      "Terraform": "```hcl\n# Terraform: MSK cluster with encryption in transit enforced\nresource \"aws_msk_cluster\" \"<example_resource_name>\" {\n  cluster_name           = \"<example_resource_name>\"\n  kafka_version          = \"<VERSION>\"\n  number_of_broker_nodes = 3\n\n  broker_node_group_info {\n    instance_type  = \"kafka.m5.large\"\n    client_subnets = [\n      \"subnet-<example_resource_id>\",\n      \"subnet-<example_resource_id>\",\n    ]\n  }\n\n  encryption_info {\n    encryption_in_transit {\n      client_broker = \"TLS\"  # Critical: forces client-to-broker TLS only\n      in_cluster    = true    # Critical: enables inter-broker encryption\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to enable encryption in transit for Kafka clusters to protect data confidentiality and integrity.",
-      "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-working-with-encryption.html"
+      "Text": "Enforce end-to-end transport protection:\n- Require `client_broker=TLS` for all clients\n- Enable `in_cluster=true` for broker-to-broker links\n\nApply **defense in depth**: restrict network paths, prefer private connectivity, and use strong client authentication with **least privilege** authorization to limit blast radius.",
+      "Url": "https://hub.prowler.com/check/kafka_cluster_in_transit_encryption_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.metadata.json

@@ -1,26 +1,35 @@
 {
   "Provider": "aws",
   "CheckID": "kafka_cluster_is_public",
-  "CheckTitle": "Kafka Cluster Exposed to the Public",
-  "CheckType": [],
+  "CheckTitle": "Kafka cluster is not publicly accessible",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "TTPs/Initial Access",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "kafka",
-  "SubServiceName": "cluster",
-  "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster",
-  "Severity": "high",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "critical",
   "ResourceType": "AwsMskCluster",
-  "Description": "The Kafka cluster is publicly accessible, which can expose sensitive data and increase the attack surface.",
-  "Risk": "Exposing the Kafka cluster to the public can lead to unauthorized access, data breaches, and potential security threats.",
-  "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/client-access.html",
+  "Description": "**Amazon MSK clusters** with broker endpoints **exposed to the public Internet**.\n\nServerless clusters are private by default; provisioned clusters are evaluated for their `public access` configuration.",
+  "Risk": "Public brokers erode **CIA**:\n- **Confidentiality**: unauthorized consumers can read topics\n- **Integrity**: rogue producers inject or alter events\n- **Availability**: floods or scans strain brokers\n\nThis enables metadata enumeration, data exfiltration, stream poisoning, and costly egress.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/public-access-msk-cluster.html",
+    "https://docs.aws.amazon.com/msk/latest/developerguide/client-access.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kafka update-connectivity --cluster-arn cluster_arn --current-version kafka_version --connectivity-info '{\"PublicAccess\": {\"Type\": \"DISABLED\"}}'",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/public-access-msk-cluster.html",
-      "Terraform": ""
+      "CLI": "aws kafka update-connectivity --cluster-arn <CLUSTER_ARN> --current-version <CURRENT_CLUSTER_VERSION> --connectivity-info '{\"PublicAccess\":{\"Type\":\"DISABLED\"}}'",
+      "NativeIaC": "```yaml\n# CloudFormation: ensure MSK cluster is not publicly accessible\nResources:\n  <example_resource_name>:\n    Type: AWS::MSK::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      KafkaVersion: \"2.8.1\"\n      NumberOfBrokerNodes: 2\n      BrokerNodeGroupInfo:\n        ClientSubnets:\n          - <example_subnet_id_1>\n          - <example_subnet_id_2>\n        InstanceType: kafka.t3.small\n        ConnectivityInfo:\n          PublicAccess:\n            Type: DISABLED  # Critical: disables public access to brokers\n```",
+      "Other": "1. Open the Amazon MSK console\n2. Select your cluster and go to the Properties tab\n3. In Network settings, click Edit public access\n4. Set Public access to Disabled (Off)\n5. Click Save changes",
+      "Terraform": "```hcl\n# Terraform: ensure MSK cluster is not publicly accessible\nresource \"aws_msk_cluster\" \"<example_resource_name>\" {\n  cluster_name           = \"<example_resource_name>\"\n  kafka_version          = \"2.8.1\"\n  number_of_broker_nodes = 2\n\n  broker_node_group_info {\n    client_subnets = [\n      \"<example_subnet_id_1>\",\n      \"<example_subnet_id_2>\",\n    ]\n    instance_type = \"kafka.t3.small\"\n\n    connectivity_info {\n      public_access {\n        type = \"DISABLED\"  # Critical: disables public access to brokers\n      }\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to restrict access to the Kafka cluster to only authorized entities. Enable encryption for data in transit and at rest to protect sensitive information.",
-      "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html"
+      "Text": "Keep brokers private within the VPC by disabling public access and limiting exposure to trusted networks.\n\nEnforce strong auth (SASL/IAM, SASL/SCRAM, or mTLS), require TLS, and apply Kafka ACLs. Provide access via VPN, bastion, or private networking (peering/Transit Gateway). Apply **least privilege** and monitor broker connections.",
+      "Url": "https://hub.prowler.com/check/kafka_cluster_is_public"
     }
   },
   "Categories": [

prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "kafka_cluster_mutual_tls_authentication_enabled",
-  "CheckTitle": "Ensure Mutual TLS Authentication is Enabled for Kafka Cluster",
-  "CheckType": [],
+  "CheckTitle": "Kafka cluster has TLS authentication enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Initial Access"
+  ],
   "ServiceName": "kafka",
-  "SubServiceName": "cluster",
-  "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster",
-  "Severity": "medium",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsMskCluster",
-  "Description": "Mutual TLS Authentication ensures that both the client and the server are authenticated, providing an additional layer of security for communication within the Kafka cluster.",
-  "Risk": "Without Mutual TLS Authentication, the cluster is vulnerable to man-in-the-middle attacks, and unauthorized clients may be able to access the cluster.",
-  "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html",
+  "Description": "Amazon MSK clusters enforce **client authentication** on client-to-broker connections. Serverless clusters use TLS-based authentication by default; provisioned clusters must have **mutual TLS (mTLS)** explicitly enabled.",
+  "Risk": "Without **mTLS**, adversaries can impersonate clients or intercept sessions, compromising **confidentiality** and **integrity**. Unauthorized producers/consumers can read or alter topics, poison data streams, and flood brokers, degrading **availability** and impacting downstream systems.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-mutual-tls-authentication-for-kafka-clients.html",
+    "https://docs.aws.amazon.com/msk/latest/developerguide/msk-update-security.html",
+    "https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-mutual-tls-authentication-for-kafka-clients.html",
-      "Terraform": ""
+      "CLI": "aws kafka update-security --cluster-arn <CLUSTER_ARN> --current-version <CURRENT_VERSION> --client-authentication 'Tls={CertificateAuthorityArnList=[\"<ACM_PCA_ARN>\"]}' --encryption-info 'EncryptionInTransit={ClientBroker=TLS}'",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable mTLS for an MSK cluster\nResources:\n  <example_resource_name>:\n    Type: AWS::MSK::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      KafkaVersion: <example_kafka_version>\n      NumberOfBrokerNodes: 2\n      BrokerNodeGroupInfo:\n        InstanceType: kafka.m5.large\n        ClientSubnets:\n          - <subnet_id_1>\n          - <subnet_id_2>\n      ClientAuthentication:\n        Tls:\n          CertificateAuthorityArnList:\n            - <acm_pca_arn>  # CRITICAL: Enables mutual TLS using this Private CA\n      EncryptionInfo:\n        EncryptionInTransit:\n          ClientBroker: TLS  # CRITICAL: Required when enabling mTLS\n```",
+      "Other": "1. In the AWS Console, go to Amazon MSK > Clusters and select the provisioned cluster (state must be ACTIVE)\n2. Choose Actions > Update security (or Security > Edit)\n3. Under Client authentication, enable TLS and add your AWS Private CA ARN(s)\n4. Under Encryption in transit, set Client-broker to TLS\n5. Save/Update and wait for the update to complete",
+      "Terraform": "```hcl\n# Terraform: Enable mTLS for an MSK cluster\nresource \"aws_msk_cluster\" \"<example_resource_name>\" {\n  cluster_name           = \"<example_resource_name>\"\n  kafka_version          = \"<example_kafka_version>\"\n  number_of_broker_nodes = 2\n\n  broker_node_group_info {\n    instance_type  = \"kafka.m5.large\"\n    client_subnets = [\"<subnet_id_1>\", \"<subnet_id_2>\"]\n  }\n\n  client_authentication {\n    tls {\n      certificate_authority_arns = [\"<acm_pca_arn>\"]  # CRITICAL: Enables mutual TLS with this Private CA\n    }\n  }\n\n  encryption_info {\n    encryption_in_transit {\n      client_broker = \"TLS\"  # CRITICAL: Required when enabling mTLS\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to enable Mutual TLS Authentication for your Kafka cluster to ensure secure communication between clients and brokers.",
-      "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-update-security.html"
+      "Text": "Enable **mutual TLS** for client-broker traffic and disable `PLAINTEXT` listeners. Issue short-lived client certificates from a managed CA with rotation. Apply **least privilege** using Kafka ACLs, restrict network access to trusted sources, and monitor authentication events as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/kafka_cluster_mutual_tls_authentication_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.metadata.json

@@ -1,29 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "kafka_cluster_unrestricted_access_disabled",
-  "CheckTitle": "Ensure Kafka Cluster has unrestricted access disabled",
-  "CheckType": [],
+  "CheckTitle": "Kafka cluster requires authentication",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Initial Access/Unauthorized Access",
+    "Effects/Data Exposure"
+  ],
   "ServiceName": "kafka",
-  "SubServiceName": "cluster",
-  "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster",
-  "Severity": "high",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "critical",
   "ResourceType": "AwsMskCluster",
-  "Description": "Kafka Clusters should not have unrestricted access enabled. Unrestricted access allows anyone to access the Kafka Cluster without any authentication. It is recommended to disable unrestricted access to prevent unauthorized access to the Kafka Cluster.",
-  "Risk": "Unrestricted access to Kafka Clusters can lead to unauthorized access to the cluster and its data. It is recommended to restrict access to Kafka Clusters to only authorized entities.",
-  "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-configure-security.html",
+  "Description": "Amazon MSK clusters are evaluated for **unauthenticated client access**. Serverless clusters inherently require authentication; provisioned clusters are checked for configurations that allow **unrestricted connections** rather than authenticated clients.",
+  "Risk": "Allowing **unauthenticated access** lets anyone connect and:\n- Read sensitive topics (confidentiality)\n- Publish or alter data (integrity)\n- Overload brokers and consumers (availability)\n\nThis enables message exfiltration, stream poisoning, and abuse of trusted data pipelines.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/msk/latest/developerguide/msk-configure-security.html",
+    "https://docs.aws.amazon.com/msk/latest/developerguide/security.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/unrestricted-access-to-brokers.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kafka update-security --region region_name --cluster-arn cluster_arn --current-version kafka_version_of_cluster --client-authentication 'Unauthenticated={Enabled=false}'",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/unrestricted-access-to-brokers.html",
-      "Terraform": ""
+      "CLI": "aws kafka update-security --cluster-arn <example_resource_arn> --current-version <example_current_version> --client-authentication 'Unauthenticated={Enabled=false}'",
+      "NativeIaC": "```yaml\n# CloudFormation: Disable unauthenticated client access for MSK\nResources:\n  <example_resource_name>:\n    Type: AWS::MSK::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      KafkaVersion: <example_kafka_version>\n      NumberOfBrokerNodes: 2\n      BrokerNodeGroupInfo:\n        InstanceType: <example_instance_type>\n        ClientSubnets:\n          - <subnet_id_1>\n          - <subnet_id_2>\n        StorageInfo:\n          EbsStorageInfo:\n            VolumeSize: 1000\n      ClientAuthentication:\n        Unauthenticated:\n          Enabled: false  # CRITICAL: Disables unauthenticated client access\n```",
+      "Other": "1. Open the AWS Console and go to Amazon MSK\n2. Select your cluster and open the Security tab\n3. Click Edit under Client authentication\n4. Turn off/clear Unauthenticated access\n5. Save changes to apply the update",
+      "Terraform": "```hcl\n# Terraform: Disable unauthenticated client access for MSK\nresource \"aws_msk_cluster\" \"<example_resource_name>\" {\n  cluster_name           = \"<example_resource_name>\"\n  kafka_version          = \"<example_kafka_version>\"\n  number_of_broker_nodes = 2\n\n  broker_node_group_info {\n    instance_type   = \"<example_instance_type>\"\n    client_subnets  = [\"<subnet_id_1>\", \"<subnet_id_2>\"]\n    ebs_volume_size = 1000\n  }\n\n  client_authentication {\n    unauthenticated = false  # CRITICAL: Disables unauthenticated client access\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to restrict access to Kafka Clusters to only authorized entities. Ensure that the Kafka Cluster's security settings are properly configured to prevent unauthorized access.",
-      "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/security.html"
+      "Text": "Disable **unauthenticated access** and require **strong client authentication** (mTLS or IAM/SASL).\n- Enforce **least privilege** with scoped ACLs\n- Restrict network paths via private connectivity and tight security groups\n- Encrypt in transit, monitor access, and rotate credentials regularly",
+      "Url": "https://hub.prowler.com/check/kafka_cluster_unrestricted_access_disabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.metadata.json

@@ -1,31 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "kafka_cluster_uses_latest_version",
-  "CheckTitle": "MSK cluster should use the latest version.",
+  "CheckTitle": "MSK cluster uses the latest Kafka version or is serverless with AWS-managed version",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/Patch Management",
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "kafka",
-  "SubServiceName": "cluster",
-  "ResourceIdTemplate": "arn:partition:kafka:region:account-id:cluster",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsMskCluster",
-  "Description": "Ensure that your Amazon Managed Streaming for Apache Kafka (MSK) cluster is using the latest version to benefit from the latest security features, bug fixes, and performance improvements.",
-  "Risk": "Running an outdated version of Amazon MSK may expose your cluster to security vulnerabilities, bugs, and performance issues.",
-  "RelatedUrl": "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html",
+  "Description": "**Amazon MSK clusters** are evaluated for use of the latest supported **Apache Kafka version**. Provisioned clusters are compared to the most recent release, while **serverless clusters** are treated as automatically managed for versioning.",
+  "Risk": "Outdated Kafka enables exploitation of known flaws and weak cryptography, risking data exposure or tampering (**confidentiality/integrity**). Missing fixes increase broker crashes and partition instability (**availability**). After end of support, silent auto-upgrades can trigger unexpected behavior and compatibility issues.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/msk/latest/developerguide/version-support.html#version-upgrades",
+    "https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-databases.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-apache-kafka-latest-security-features.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kafka update-cluster-configuration --cluster-arn <arn_cluster> --current-version <current_version> --target-version <latest_version>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MSK/enable-apache-kafka-latest-security-features.html",
-      "Terraform": ""
+      "CLI": "aws kafka update-cluster-kafka-version --cluster-arn <example_resource_id> --current-version <current_version> --target-kafka-version <latest_version>",
+      "NativeIaC": "```yaml\n# CloudFormation: Upgrade MSK cluster to latest Kafka version\nResources:\n  <example_resource_name>:\n    Type: AWS::MSK::Cluster\n    Properties:\n      ClusterName: <example_resource_name>\n      KafkaVersion: <latest_version>  # CRITICAL: set to the latest Kafka version to pass the check\n      NumberOfBrokerNodes: 2\n      BrokerNodeGroupInfo:\n        InstanceType: kafka.m5.large\n        ClientSubnets:\n          - <example_resource_id>\n          - <example_resource_id>\n```",
+      "Other": "1. Open the AWS Management Console and go to Amazon MSK\n2. Select your cluster and choose Actions > Update cluster\n3. In Kafka version, select the latest available version\n4. Review and start the upgrade (Update/Start upgrade)\n5. Wait until the operation completes and the cluster status returns to Active",
+      "Terraform": "```hcl\n# Terraform: Upgrade MSK cluster to latest Kafka version\nresource \"aws_msk_cluster\" \"<example_resource_name>\" {\n  cluster_name           = \"<example_resource_name>\"\n  kafka_version          = \"<latest_version>\"  # CRITICAL: set to the latest Kafka version to pass the check\n  number_of_broker_nodes = 2\n\n  broker_node_group_info {\n    instance_type  = \"kafka.m5.large\"\n    client_subnets = [\"<example_resource_id>\", \"<example_resource_id>\"]\n\n    storage_info {\n      ebs_storage_info { volume_size = 1000 }\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "To upgrade your Amazon MSK cluster to the latest version, use the AWS Management Console, AWS CLI, or SDKs to update the cluster configuration. For more information, refer to the official Amazon MSK documentation.",
-      "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/version-support.html#version-upgrades"
+      "Text": "Adopt a controlled upgrade strategy:\n- Track MSK version support and upgrade before end of support\n- Test in staging and schedule maintenance windows\n- Use blue/green or rolling upgrades to reduce downtime\n- Validate client compatibility and security settings\n- Consider serverless MSK if automatic versioning fits your risk model",
+      "Url": "https://hub.prowler.com/check/kafka_cluster_uses_latest_version"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.metadata.json

@@ -1,28 +1,33 @@
 {
   "Provider": "aws",
   "CheckID": "kafka_connector_in_transit_encryption_enabled",
-  "CheckTitle": "MSK Connect connectors should be encrypted in transit",
+  "CheckTitle": "MSK Connect connector has encryption in transit enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "kafka",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:kafkaconnect:{region}:{account-id}:connector/{connector-name}/{connector-id}",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "Other",
-  "Description": "This control checks whether an Amazon MSK Connect connector is encrypted in transit. This control fails if the connector isn't encrypted in transit.",
-  "Risk": "Data in transit can be intercepted or eavesdropped on by unauthorized users. Ensuring encryption in transit helps to protect sensitive data as it moves between nodes in a network or from your MSK cluster to connected applications.",
-  "RelatedUrl": "https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect.html",
+  "Description": "**MSK Connect connectors** are evaluated for **in-transit encryption** using `TLS` on client connections to Kafka brokers and connected systems.",
+  "Risk": "Without **TLS**, data streams can be **intercepted** or **modified** in transit. Attackers on the path can perform **man-in-the-middle**, replay, or message **tampering**, exposing records and secrets. This degrades **confidentiality** and **integrity** and can enable unauthorized access to downstream systems.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect.html",
+    "https://docs.aws.amazon.com/msk/latest/developerguide/mkc-create-connector-intro.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kafkaconnect create-connector --encryption-in-transit-config 'EncryptionInTransitType=TLS'",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html#msk-3",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: MSK Connect connector with in-transit encryption enabled\nResources:\n  <example_resource_name>:\n    Type: AWS::KafkaConnect::Connector\n    Properties:\n      ConnectorName: <example_resource_name>\n      KafkaCluster:\n        ApacheKafkaCluster:\n          BootstrapServers: <BOOTSTRAP_SERVERS>\n          Vpc:\n            SecurityGroups: [<example_resource_id>]\n            Subnets: [<example_resource_id>]\n      KafkaClusterClientAuthentication:\n        AuthenticationType: NONE\n      KafkaClusterEncryptionInTransit:\n        EncryptionType: TLS  # Critical: enables TLS encryption in transit\n      KafkaConnectVersion: <KAFKA_CONNECT_VERSION>\n      Plugins:\n        - CustomPlugin:\n            CustomPluginArn: <example_resource_id>\n            Revision: 1\n      Capacity:\n        ProvisionedCapacity:\n          McuCount: 1\n          WorkerCount: 1\n      ServiceExecutionRoleArn: <example_resource_id>\n      ConnectorConfiguration:\n        connector.class: <CONNECTOR_CLASS>\n        tasks.max: \"1\"\n```",
+      "Other": "1. In the AWS console, go to Amazon MSK > MSK Connect > Connectors\n2. Select the non-TLS connector and choose Delete (encryption setting can't be changed)\n3. Choose Create connector and select your custom plugin and cluster\n4. In the Security section, set Encryption in transit to TLS (required)\n5. Complete other required fields and Create the connector",
+      "Terraform": "```hcl\n# Terraform: MSK Connect connector with in-transit encryption enabled\nresource \"aws_mskconnect_connector\" \"<example_resource_name>\" {\n  name                  = \"<example_resource_name>\"\n  kafkaconnect_version  = \"<KAFKA_CONNECT_VERSION>\"\n\n  kafka_cluster {\n    apache_kafka_cluster {\n      bootstrap_servers = \"<BOOTSTRAP_SERVERS>\"\n      vpc {\n        security_groups = [\"<example_resource_id>\"]\n        subnets         = [\"<example_resource_id>\"]\n      }\n    }\n  }\n\n  kafka_cluster_client_authentication {\n    authentication_type = \"NONE\"\n  }\n\n  kafka_cluster_encryption_in_transit {\n    encryption_type = \"TLS\"  # Critical: enables TLS encryption in transit\n  }\n\n  capacity {\n    provisioned_capacity {\n      mcu_count    = 1\n      worker_count = 1\n    }\n  }\n\n  service_execution_role_arn = \"<example_resource_id>\"\n\n  connector_configuration = {\n    \"connector.class\" = \"<CONNECTOR_CLASS>\"\n    \"tasks.max\"       = \"1\"\n  }\n\n  plugin {\n    custom_plugin {\n      arn      = \"<example_resource_id>\"\n      revision = 1\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable encryption in transit for MSK Connect connectors to secure data as it moves across networks.",
-      "Url": "https://docs.aws.amazon.com/msk/latest/developerguide/mkc-create-connector-intro.html"
+      "Text": "Require **TLS** for all connector communications and disallow plaintext. Prefer private connectivity, validate certificates, and use modern cipher suites. Pair with **mutual authentication** and **least privilege** roles for defense-in-depth. Regularly review connector configs to avoid non-TLS endpoints.",
+      "Url": "https://hub.prowler.com/check/kafka_connector_in_transit_encryption_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/kms/kms_cmk_are_used/kms_cmk_are_used.metadata.json

@@ -1,28 +1,32 @@
 {
   "Provider": "aws",
   "CheckID": "kms_cmk_are_used",
-  "CheckTitle": "Check if there are CMK KMS keys not used.",
+  "CheckTitle": "KMS customer managed key is enabled or scheduled for deletion",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "kms",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kms:region:account-id:certificate/resource-id",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "low",
   "ResourceType": "AwsKmsKey",
-  "Description": "Check if there are CMK KMS keys not used.",
-  "Risk": "Unused keys may increase service cost.",
+  "Description": "**Customer-managed KMS keys** are assessed by key state. Keys in `Enabled` are considered in use. Keys not `Enabled` and not `PendingDeletion` are identified as unused, while those in `PendingDeletion` are recognized as scheduled for removal.",
+  "Risk": "Keeping **unused CMKs** increases **attack surface** and **cost**.\n\nIf such keys are re-enabled or misconfigured, they can grant unintended decryption, impacting **confidentiality**. Deleting a key mistakenly thought unused can cause **irrecoverable data loss**, harming **availability**.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kms schedule-key-deletion --key-id <key_id> --pending-window-in-days 7",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws kms enable-key --key-id <key_id>",
+      "NativeIaC": "```yaml\n# CloudFormation: ensure the KMS CMK is enabled\nResources:\n  <example_resource_name>:\n    Type: AWS::KMS::Key\n    Properties:\n      Enabled: true  # Critical: enables the key so its state is \"Enabled\" (PASS)\n      KeyPolicy:\n        Version: '2012-10-17'\n        Statement:\n          - Sid: Enable IAM User Permissions\n            Effect: Allow\n            Principal:\n              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root\n            Action: 'kms:*'\n            Resource: '*'\n```",
+      "Other": "1. Sign in to the AWS Console and open Key Management Service (KMS)\n2. Go to Customer managed keys and select the affected key\n3. Choose Key actions > Enable\n4. Confirm to enable the key",
+      "Terraform": "```hcl\n# Terraform: ensure the KMS CMK is enabled\nresource \"aws_kms_key\" \"<example_resource_name>\" {\n  is_enabled = true  # Critical: sets key state to Enabled (PASS)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Before deleting a customer master key (CMK), you might want to know how many cipher-texts were encrypted under that key.",
-      "Url": "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html"
+      "Text": "Adopt a **key lifecycle**: confirm actual usage with logs, owners, and tags; keep keys `Enabled` only when required; otherwise **schedule deletion** with a waiting period.\n\nEnforce **least privilege** to enable/disable or delete keys, require approvals, and monitor KMS activity with **separation of duties**.",
+      "Url": "https://hub.prowler.com/check/kms_cmk_are_used"
     }
   },
   "Categories": [

prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "kms_cmk_not_deleted_unintentionally",
-  "CheckTitle": "AWS KMS keys should not be deleted unintentionally",
+  "CheckTitle": "AWS KMS customer managed key is not scheduled for deletion",
   "CheckType": [
-    "Data Deletion Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
   ],
   "ServiceName": "kms",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kms:region:account-id:certificate/resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsKmsKey",
-  "Description": "Ensure there is no customer keys scheduled for deletion.",
-  "Risk": "KMS keys cannot be recovered once deleted, also, all the data under a KMS key is also permanently unrecoverable if the KMS key is deleted.",
-  "RelatedUrl": "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-scheduling-key-deletion.html",
+  "Description": "**Customer-managed KMS keys** are evaluated for the `PendingDeletion` state, indicating a scheduled deletion during the mandatory waiting period.",
+  "Risk": "A key scheduled for deletion can lead to **permanent loss of decryption capability**, degrading **availability** and **integrity** of data and workloads. Accidental or malicious scheduling enables **cryptographic erasure**, causing outages, failed restores, and broken integrations during and after the wait window.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-scheduling-key-deletion.html",
+    "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-scheduling-key-deletion.html#deleting-keys-scheduling-key-deletion-console"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kms cancel-key-deletion --key-id <key-id>",
+      "CLI": "aws kms cancel-key-deletion --key-id <KEY_ID>",
       "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-3",
+      "Other": "1. Sign in to the AWS Management Console and open AWS KMS\n2. Go to Customer managed keys and select the key with status \"Pending deletion\"\n3. Click Key actions > Cancel key deletion\n4. Confirm to cancel; the key status will change from Pending deletion",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Cancel the deletion before the end of the period unless you really want to delete that CMK, as it will no longer be usable.",
-      "Url": "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-scheduling-key-deletion.html#deleting-keys-scheduling-key-deletion-console"
+      "Text": "Prevent unintended deletion:\n- Enforce **least privilege** and **separation of duties** for key admins\n- Require change approvals and alerts on deletion events\n- Prefer **disabling** unused keys over deleting\n- Set sufficient waiting periods and review keys in `PendingDeletion` to verify authorization",
+      "Url": "https://hub.prowler.com/check/kms_cmk_not_deleted_unintentionally"
     }
   },
   "Categories": [

prowler/providers/aws/services/kms/kms_cmk_not_multi_region/kms_cmk_not_multi_region.metadata.json

@@ -1,31 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "kms_cmk_not_multi_region",
-  "CheckTitle": "AWS KMS customer managed keys should not be multi-Region",
+  "CheckTitle": "AWS KMS customer managed key is single-Region",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "kms",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kms:region:account-id:key/resource-id",
-  "Severity": "high",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
   "ResourceType": "AwsKmsKey",
-  "Description": "Ensure that AWS KMS customer managed keys (CMKs) are not multi-region to maintain strict data control and compliance with security best practices.",
-  "Risk": "Multi-region KMS keys can increase the risk of unauthorized access and data exposure, as managing access controls and auditing across multiple regions becomes more complex. This expanded attack surface may lead to compliance violations and data breaches.",
-  "RelatedUrl": "https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#multi-region-concepts",
+  "Description": "**AWS KMS customer-managed keys** in an `Enabled` state are assessed for the `multi-Region` setting. The finding highlights keys with the `multi-Region` property enabled.",
+  "Risk": "Shared key material across Regions lets access in one Region decrypt data from another, eroding **confidentiality** and **data residency**. A misconfigured policy or weaker controls in a replica expand the blast radius. For signing/HMAC keys, compromise enables cross-Region signature forgery, impacting **integrity** and **auditability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#multi-region-concepts",
+    "https://docs.aws.amazon.com/kms/latest/developerguide/mrk-when-to-use.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kms create-key --no-multi-region",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "resource \"aws_kms_key\" \"example\" { description = \"Single-region key\" multi_region = false }"
+      "CLI": "",
+      "NativeIaC": "```yaml\n# CloudFormation: create a single-Region KMS key\nResources:\n  ExampleKmsKey:\n    Type: AWS::KMS::Key\n    Properties:\n      MultiRegion: false  # Critical: ensures the key is single-Region to pass the check\n      KeyPolicy:          # Minimal policy required for key creation\n        Version: '2012-10-17'\n        Statement:\n          - Effect: Allow\n            Principal:\n              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root\n            Action: 'kms:*'\n            Resource: '*'\n```",
+      "Other": "1. In the AWS Console, go to Key Management Service (KMS) > Customer managed keys\n2. Identify keys showing Multi-Region: Yes (these FAIL the check)\n3. Click Create key and ensure Multi-Region is not selected (single-Region)\n4. Update your services/aliases to use the new single-Region key\n5. Re-encrypt or rotate data to the new key where required\n6. After migration, disable the old multi-Region key and schedule its deletion",
+      "Terraform": "```hcl\n# Terraform: create a single-Region KMS key\nresource \"aws_kms_key\" \"example\" {\n  multi_region = false  # Critical: creates a single-Region key to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Identify and replace multi-region keys with single-region KMS keys to enhance security and access control.",
-      "Url": "https://docs.aws.amazon.com/kms/latest/developerguide/mrk-when-to-use.html"
+      "Text": "Prefer **single-Region keys** by default; use **multi-Region** only with a documented need. Apply **least privilege** and **separation of duties**; limit who can create or replicate such keys. Isolate per Region/tenant/workload, standardize policy and logging across Regions, and retire multi-Region keys where unnecessary.",
+      "Url": "https://hub.prowler.com/check/kms_cmk_not_multi_region"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Multi-region keys should be used only when absolutely necessary, such as for cross-region disaster recovery, and should be carefully managed with strict access controls."

prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "kms_cmk_rotation_enabled",
-  "CheckTitle": "Ensure rotation for customer created KMS CMKs is enabled.",
+  "CheckTitle": "KMS customer-managed symmetric CMK has automatic rotation enabled",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
   ],
   "ServiceName": "kms",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:kms:region:account-id:certificate/resource-id",
-  "Severity": "medium",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
   "ResourceType": "AwsKmsKey",
-  "Description": "Ensure rotation for customer created KMS CMKs is enabled.",
-  "Risk": "Cryptographic best practices discourage extensive reuse of encryption keys. Consequently, Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.",
-  "RelatedUrl": "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/",
+  "Description": "**Customer-managed KMS symmetric keys** in the `Enabled` state are evaluated to confirm `automatic rotation` of key material is configured",
+  "Risk": "Without **automatic rotation**, long-lived key material increases confidentiality and integrity risk. If a KMS key is exposed, attackers can unwrap data keys and decrypt stored data until the key changes. It also reduces crypto agility and may conflict with mandated rotation policies.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html",
+    "https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws kms enable-key-rotation --key-id <key_id>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-kms-have-rotation-policy#terraform"
+      "CLI": "aws kms enable-key-rotation --key-id <KEY_ID>",
+      "NativeIaC": "```yaml\n# CloudFormation: KMS key with automatic rotation enabled\nResources:\n  <example_resource_name>:\n    Type: AWS::KMS::Key\n    Properties:\n      EnableKeyRotation: true  # Critical: enables automatic rotation so the key passes the check\n      KeyPolicy:\n        Version: \"2012-10-17\"\n        Statement:\n          - Effect: Allow\n            Principal:\n              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root\n            Action: \"kms:*\"\n            Resource: \"*\"\n```",
+      "Other": "1. In the AWS Console, go to Key Management Service (KMS)\n2. Open Customer managed keys and select the enabled symmetric key\n3. Go to the Key rotation section\n4. Check Enable automatic key rotation\n5. Save changes",
+      "Terraform": "```hcl\n# KMS key with automatic rotation enabled\nresource \"aws_kms_key\" \"<example_resource_name>\" {\n  enable_key_rotation = true  # Critical: enables automatic rotation so the key passes the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "For every KMS Customer Master Keys (CMKs), ensure that Rotate this key every year is enabled.",
-      "Url": "https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html"
+      "Text": "Enable **automatic rotation** on customer-managed symmetric KMS keys and choose a rotation period that meets policy. Enforce **least privilege** and **separation of duties** for key administration versus usage. Monitor key lifecycle events and use on-demand rotation when compromise is suspected.",
+      "Url": "https://hub.prowler.com/check/kms_cmk_rotation_enabled"
     }
   },
   "Categories": [