PyPI - prowler - Versions diffs - 5.17.1__py3-none-any.whl → 5.18.0__py3-none-any.whl - Mend

prowler 5.17.1py3-none-any.whl → 5.18.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (219) hide show

prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.metadata.json CHANGED Viewed

@@ -1,27 +1,31 @@
 {
   "Provider": "azure",
   "CheckID": "storage_ensure_minimum_tls_version_12",
-  "CheckTitle": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'",
+  "CheckTitle": "Storage account minimum TLS version is 1.2",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'",
-  "Risk": "TLS versions 1.0 and 1.1 are known to be susceptible to certain Common Vulnerabilities and Exposures (CVE) weaknesses and attacks such as POODLE and BEAST",
+  "Description": "**Azure Storage accounts** enforce a `minimum TLS version` of `1.2` for client connections to data services",
+  "Risk": "Allowing TLS `1.0`/`1.1` enables protocol downgrades and exploitation of known flaws (e.g., BEAST), weakening **confidentiality** and **integrity**. Attackers can intercept or modify data in transit and harvest credentials via weakened cipher suites.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/minimum-tls-version.html",
+    "https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/azure/azure-storage-policies/bc_azr_storage_2",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-storage-policies/bc_azr_storage_2#terraform"
+      "CLI": "az storage account update --resource-group <RESOURCE_GROUP> --name <STORAGE_ACCOUNT_NAME> --min-tls-version TLS1_2",
+      "NativeIaC": "```bicep\n// Storage account with minimum TLS 1.2\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  kind: 'StorageV2'\n  sku: {\n    name: 'Standard_LRS'\n  }\n  properties: {\n    minimumTlsVersion: 'TLS1_2' // CRITICAL: Enforces minimum TLS 1.2 to pass the check\n  }\n}\n```",
+      "Other": "1. In the Azure Portal, go to Storage accounts and open your account\n2. Select Settings > Configuration\n3. Set Minimum TLS version to Version 1.2\n4. Click Save",
+      "Terraform": "```hcl\n# Storage account with minimum TLS 1.2\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  min_tls_version = \"TLS1_2\" # CRITICAL: Enforces minimum TLS 1.2 to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that all your Microsoft Azure Storage accounts are using the latest available version of the TLS protocol.",
-      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/minimum-tls-version.html"
+      "Text": "Set the storage account `minimum TLS version` to at least `1.2` (prefer `1.3` where supported) and disable legacy protocols. Apply **defense in depth** by restricting network access, using **least privilege** credentials, and monitoring handshake failures to identify outdated clients.",
+      "Url": "https://hub.prowler.com/check/storage_ensure_minimum_tls_version_12"
     }
   },
   "Categories": [

prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.metadata.json CHANGED Viewed

@@ -1,31 +1,39 @@
 {
   "Provider": "azure",
   "CheckID": "storage_ensure_private_endpoints_in_storage_accounts",
-  "CheckTitle": "Ensure Private Endpoints are used to access Storage Accounts",
+  "CheckTitle": "Storage account has private endpoint connections",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.",
-  "Risk": "Storage accounts that are not configured to use Private Endpoints are accessible over the public internet. This can lead to data exfiltration and other security issues.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints",
+  "Description": "**Azure Storage accounts** are evaluated for the presence of **Private Endpoint** connections. When configured, traffic flows over a VNet private IP via Private Link; when absent, access occurs through the storage account's public endpoint.",
+  "Risk": "Relying on the **public endpoint** widens exposure:\n- Confidentiality: higher risk of key/SAS compromise and unauthorized reads\n- Integrity: abused creds enable writes/deletes\n- Availability: subject to DDoS and internet scanning\nIt can also bypass egress controls, easing covert data exfiltration.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints",
+    "https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal",
+    "https://learn.microsoft.com/en-us/answers/questions/659055/private-endpoint-to-azure-blob-storage-from-on-pre",
+    "https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-endpoints",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/private-endpoints.html#"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/private-endpoints.html#",
-      "Terraform": ""
+      "NativeIaC": "```bicep\n// Create a Private Endpoint for a Storage Account to add a private endpoint connection (PASS)\nparam storageAccountId string  // ID of Microsoft.Storage/storageAccounts\nparam subnetId string          // ID of the subnet to host the Private Endpoint\n\nresource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  properties: {\n    subnet: { id: subnetId }\n    privateLinkServiceConnections: [\n      {\n        name: 'conn'\n        properties: {\n          privateLinkServiceId: storageAccountId  // Critical: links the Private Endpoint to the storage account\n          groupIds: ['blob']                      // Critical: targets Blob subresource, creating the private endpoint connection\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Storage accounts > select your account\n2. Under Security + networking, choose Networking > Private endpoint connections\n3. Click + Private endpoint > Create\n4. Resource type: Microsoft.Storage/storageAccounts; Resource: your account; Target subresource: blob\n5. Select the Virtual network and Subnet, then Review + create > Create",
+      "Terraform": "```hcl\n# Create a Private Endpoint for a Storage Account to add a private endpoint connection (PASS)\nvariable \"resource_group_name\" { type = string }\nvariable \"location\" { type = string }\nvariable \"subnet_id\" { type = string }\nvariable \"storage_account_id\" { type = string }\n\nresource \"azurerm_private_endpoint\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  resource_group_name = var.resource_group_name\n  location            = var.location\n  subnet_id           = var.subnet_id\n\n  private_service_connection {\n    name                           = \"conn\"\n    private_connection_resource_id = var.storage_account_id  # Critical: links to the storage account\n    subresource_names              = [\"blob\"]                # Critical: targets Blob subresource to create the connection\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use Private Endpoints to access Storage Accounts",
-      "Url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints"
+      "Text": "Prefer **Private Endpoints** for storage access and minimize public exposure:\n- Limit or disable `Public network access`\n- Use private DNS so names resolve to private IPs\n- Enforce **least privilege** and **defense in depth** with segmentation and logging\n- Monitor access and rotate keys/SAS *as part of routine hygiene*.",
+      "Url": "https://hub.prowler.com/check/storage_ensure_private_endpoints_in_storage_accounts"
     }
   },
   "Categories": [
-    "encryption"
+    "internet-exposed",
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.metadata.json CHANGED Viewed

@@ -1,31 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "storage_ensure_soft_delete_is_enabled",
-  "CheckTitle": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage",
+  "CheckTitle": "Storage account has soft delete for containers enabled",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.",
-  "Risk": "Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the Retention policies ranging from 7 days to 365 days.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
+  "Description": "**Azure Storage accounts** have **container soft delete** enabled via a retention policy that keeps deleted containers for a set period.",
+  "Risk": "Without this, container deletions are permanent, reducing **availability** and **integrity**. A compromised user or faulty automation could erase entire datasets, forcing slow restores from backups and extending RTO/RPO, with potential downstream app outages.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete.html#",
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-overview",
+    "https://learn.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/enable-soft-delete.html#",
-      "Terraform": ""
+      "CLI": "az storage account blob-service-properties update --resource-group <example_resource_name> --account-name <example_resource_name> --enable-container-delete-retention true --container-delete-retention-days 7",
+      "NativeIaC": "```bicep\n// Enable container soft delete on the storage account\nresource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-04-01' = {\n  name: '<example_resource_name>/default'\n  properties: {\n    containerDeleteRetentionPolicy: {\n      enabled: true // Critical: enables soft delete for containers\n      days: 7       // Required when enabled\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and open <storage account>\n2. Under Data management, select Data protection\n3. In the Containers section, turn on Soft delete for containers and set Retention (days) to a value (e.g., 7)\n4. Click Save",
+      "Terraform": "```hcl\n# Enable container soft delete on the storage account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_resource_name>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  blob_properties {\n    container_delete_retention_policy {\n      enabled = true  # Critical: enables soft delete for containers\n      days    = 7     # Required when enabled\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Check soft delete for both blobs and containers. Set the retention period to a sufficient length for your organization",
-      "Url": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete"
+      "Text": "Enable **container soft delete** and choose a retention window (`7-365` days) that meets your RPO. Pair with **blob soft delete** and **versioning** for layered recovery. Enforce **least privilege** on delete actions and apply resource **locks** to prevent destructive changes.",
+      "Url": "https://hub.prowler.com/check/storage_ensure_soft_delete_is_enabled"
     }
   },
   "Categories": [
-    "encryption"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/azure/services/storage/storage_geo_redundant_enabled/storage_geo_redundant_enabled.metadata.json CHANGED Viewed

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "storage_geo_redundant_enabled",
-  "CheckTitle": "Ensure geo-redundant storage (GRS) is enabled on critical Azure Storage Accounts",
+  "CheckTitle": "Azure Storage account uses geo-redundant replication (GRS, GZRS, RA-GRS, or RA-GZRS)",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "AzureStorageAccount",
+  "Severity": "medium",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Geo-redundant storage (GRS) must be enabled on critical Azure Storage Accounts to ensure data durability and availability in the event of a regional outage. GRS replicates data within the primary region and asynchronously to a secondary region, offering enhanced resilience and supporting disaster recovery strategies.",
-  "Risk": "Without GRS, critical data may be lost or become unavailable during a regional outage, compromising data durability and disaster recovery efforts.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy",
+  "Description": "**Azure Storage accounts** configured for **geo-redundant replication** via `Standard_GRS`, `Standard_GZRS`, `Standard_RAGRS`, or `Standard_RAGZRS`.\n\nThe setting indicates data is copied to a paired secondary region, with `RA-*` allowing read access during primary-region unavailability.",
+  "Risk": "Absent **geo-replication**, data resides in one region, undermining **availability** and **durability** during regional failures. Disasters can cause prolonged downtime or unrecoverable loss. With geo-replication but without `RA-*`, the secondary is unreadable, increasing RTO and interrupting business continuity.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-geo-redundant-storage.html",
+    "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy",
+    "https://learn.microsoft.com/en-us/azure/storage/common/redundancy-migration"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az storage account update --name <storage-account-name> --resource-group <resource-group-name> --sku Standard_GRS",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/enable-geo-redundant-storage.html",
-      "Terraform": ""
+      "NativeIaC": "```bicep\n// Storage account with geo-redundant replication enabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: '<example_location>'\n  kind: 'StorageV2'\n  sku: {\n    name: 'Standard_GRS' // Critical: enables geo-redundant replication (GRS) to pass the check\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Under Data management, select Redundancy\n3. Change Redundancy to GRS, GZRS, RA-GRS, or RA-GZRS\n4. Click Save",
+      "Terraform": "```hcl\nresource \"azurerm_storage_account\" \"example\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_group_name>\"\n  location                 = \"<example_location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"GRS\" # Critical: enables geo-redundant replication to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable geo-redundant storage (GRS) for critical Azure Storage Accounts to ensure data durability and availability across regional failures.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy"
+      "Text": "Adopt **GRS/GZRS** for critical workloads (prefer `Standard_GZRS` where supported) to achieve cross-region resilience. *If read continuity is required*, use `Standard_RAGRS` or `Standard_RAGZRS`. Define RPO/RTO, regularly test failover, and design for **defense in depth** across regions and zones.",
+      "Url": "https://hub.prowler.com/check/storage_geo_redundant_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.metadata.json CHANGED Viewed

@@ -1,27 +1,31 @@
 {
   "Provider": "azure",
   "CheckID": "storage_infrastructure_encryption_is_enabled",
-  "CheckTitle": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' ",
+  "CheckTitle": "Storage account has infrastructure encryption enabled",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "low",
-  "ResourceType": "AzureRole",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "IAM",
-  "Description": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' ",
-  "Risk": "Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised",
+  "Description": "**Azure Storage accounts** have **infrastructure encryption** enabled, providing **double encryption at rest** alongside service-level encryption (`requireInfrastructureEncryption=true`).",
+  "Risk": "Without this second layer, compromise of the service-level key or algorithm can expose stored data, degrading **confidentiality** and weakening **defense in depth**. Insider misuse or key theft is more likely to yield readable blobs, files, or tables.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/infrastructure-encryption.html",
+    "https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```bicep\n// Storage account with infrastructure encryption enabled\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: '<location>'\n  sku: {\n    name: 'Standard_LRS'\n  }\n  kind: 'StorageV2'\n  properties: {\n    encryption: {\n      keySource: 'Microsoft.Storage'\n      requireInfrastructureEncryption: true // Critical: enables infrastructure-level encryption (double encryption)\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Storage accounts and click Create\n2. Choose a supported type (StorageV2 or a premium blob/page/file account)\n3. Open the Encryption tab and set Enable infrastructure encryption to Enabled\n4. Click Review + create, then Create\n5. Migrate data from the old account to this new account and decommission the old one (infrastructure encryption cannot be enabled on existing accounts)",
+      "Terraform": "```hcl\n# Storage account with infrastructure encryption enabled\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  infrastructure_encryption_enabled = true # Critical: enables infrastructure-level encryption (double encryption)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.",
-      "Url": ""
+      "Text": "Enable **infrastructure encryption** for accounts or scopes handling sensitive data to strengthen **defense in depth**. Plan it at creation, as the setting is immutable. Maintain strong key hygiene for service-level encryption (use CMK where appropriate, rotate, restrict access) and enforce guardrails with policy.",
+      "Url": "https://hub.prowler.com/check/storage_infrastructure_encryption_is_enabled"
     }
   },
   "Categories": [

prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.metadata.json CHANGED Viewed

@@ -1,31 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "storage_key_rotation_90_days",
-  "CheckTitle": "Ensure that Storage Account Access Keys are Periodically Regenerated",
+  "CheckTitle": "Storage account has access key expiration period set to 90 days or less",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that Storage Account Access Keys are Periodically Regenerated",
-  "Risk": "If the access keys are not regenerated periodically, the likelihood of accidental exposures increases, which can lead to unauthorized access to your storage account resources.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
+  "Description": "**Azure Storage accounts** must define a `key expiration period` for access-key rotation, with a maximum of `90` days. The evaluation looks for accounts lacking this setting or exceeding that limit.",
+  "Risk": "Long-lived storage access keys undermine **confidentiality** and **integrity**: a leaked or reused key grants full data access and can sign SAS tokens. Extended validity enables persistent unauthorized access, data exfiltration, and tampering, and complicates revocation and incident response.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
+    "https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal#regenerate-storage-access-keys",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/regenerate-storage-account-access-keys-periodically.html#"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/StorageAccounts/regenerate-storage-account-access-keys-periodically.html#",
-      "Terraform": ""
+      "CLI": "az storage account update --name <STORAGE_ACCOUNT_NAME> --resource-group <RESOURCE_GROUP_NAME> --key-exp-days 90",
+      "NativeIaC": "```bicep\n// Set key expiration period to 90 days or less\nresource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  sku: { name: 'Standard_LRS' }\n  kind: 'StorageV2'\n  properties: {\n    keyPolicy: {\n      keyExpirationPeriodInDays: 90 // CRITICAL: enforces rotation reminder at 90 days to pass the check\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to your storage account\n2. Navigate to Security + networking > Access keys\n3. Click Set rotation reminder\n4. Enable key rotation reminders and set the period to 90 days or less\n5. Click Save\n6. If Set rotation reminder is disabled, first regenerate both keys (Regenerate for key1, then key2), then repeat steps 3-5",
+      "Terraform": "```hcl\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_resource_name>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  key_policy {\n    key_expiration_period_in_days = 90 # CRITICAL: sets key expiration period to 90 days to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that Azure Storage account access keys are regenerated every 90 days in order to decrease the likelihood of accidental exposures and protect your storage account resources against unauthorized access.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal#regenerate-storage-access-keys"
+      "Text": "Enforce a `key expiration period` of `<= 90` days and automate rotation. Prefer **Microsoft Entra ID** with managed identities over Shared Key; when SAS is needed, use user-delegation SAS. Apply **least privilege**, minimize key distribution, monitor usage, rotate on suspected exposure, and disable Shared Key when feasible.",
+      "Url": "https://hub.prowler.com/check/storage_key_rotation_90_days"
     }
   },
   "Categories": [
-    "encryption"
+    "secrets"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.metadata.json CHANGED Viewed

@@ -1,27 +1,31 @@
 {
   "Provider": "azure",
   "CheckID": "storage_secure_transfer_required_is_enabled",
-  "CheckTitle": "Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol.",
+  "CheckTitle": "Storage account has secure transfer required enabled",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "Severity": "high",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol.",
-  "Risk": "Requests to the storage account sent outside of a secure connection can be eavesdropped",
+  "Description": "**Azure Storage accounts** are evaluated for **secure transfer enforcement**, requiring all client requests to use `HTTPS` only (`enableHttpsTrafficOnly`) and blocking `HTTP`.",
+  "Risk": "Allowing `HTTP` to storage endpoints enables **man-in-the-middle** and **TLS-stripping** attacks.\nIntercepted traffic can expose credentials, SAS tokens, or data (**confidentiality**) and allow request tampering (**integrity**), leading to unauthorized access and **data exfiltration**.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/secure-transfer-required.html",
+    "https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az storage account update --name <STORAGE_ACCOUNT_NAME> --https-only true",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/secure-transfer-required.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-storage-account-enables-secure-transfer"
+      "CLI": "az storage account update -g <RESOURCE_GROUP> -n <STORAGE_ACCOUNT_NAME> --https-only true",
+      "NativeIaC": "```bicep\n// Enable secure transfer (HTTPS only) on a Storage Account\nresource <example_resource_name> 'Microsoft.Storage/storageAccounts@2023-01-01' = {\n  name: '<example_resource_name>'\n  location: '<location>'\n  sku: { name: 'Standard_LRS' }\n  kind: 'StorageV2'\n  properties: {\n    supportsHttpsTrafficOnly: true // Critical: require HTTPS-only (secure transfer)\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Storage accounts and select the account\n2. Under Settings, open Configuration\n3. Set Secure transfer required to Enabled\n4. Click Save",
+      "Terraform": "```hcl\n# Enable secure transfer (HTTPS only) on a Storage Account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  enable_https_traffic_only = true # Critical: require HTTPS-only (secure transfer)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable data encryption in transit.",
-      "Url": ""
+      "Text": "Enforce **HTTPS-only** on all storage accounts (`enableHttpsTrafficOnly`) and use modern TLS.\nApply **least privilege** to SAS and keys, rotate if exposure is suspected, and use **defense in depth**: prefer private endpoints, restrict public access, block `HTTP` at network controls, and ensure all clients use `https://` endpoints.",
+      "Url": "https://hub.prowler.com/check/storage_secure_transfer_required_is_enabled"
     }
   },
   "Categories": [

prowler/providers/azure/services/storage/storage_smb_channel_encryption_with_secure_algorithm/storage_smb_channel_encryption_with_secure_algorithm.metadata.json CHANGED Viewed

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "storage_smb_channel_encryption_with_secure_algorithm",
-  "CheckTitle": "Ensure SMB channel encryption uses a secure algorithm for SMB file shares",
+  "CheckTitle": "Storage account uses AES-256-GCM for SMB channel encryption on file shares",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
-  "ResourceIdTemplate": "/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}/fileServices/default",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Implement SMB channel encryption with a secure algorithm for SMB file shares to ensure data confidentiality and integrity in transit.",
-  "Risk": "Not using the recommended SMB channel encryption may expose data transmitted over SMB channels to unauthorized interception and tampering.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares",
+  "Description": "**Azure Storage file shares (SMB)** are evaluated for **SMB channel encryption** and whether the allowed ciphers include the recommended `AES-256-GCM`.\n\nThis identifies if encryption is configured and a secure algorithm is present in the SMB settings for file shares within the storage account.",
+  "Risk": "Missing or weak SMB channel encryption undermines **confidentiality** and **integrity**. On-path attackers could read sensitive files, capture hashes, or modify data in transit. Allowing legacy ciphers increases downgrade risks and can facilitate **lateral movement**, eroding trust boundaries across networks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/check-for-smb-channel-encryption-type.html",
+    "https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal#smb-security-settings",
+    "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --channel-encryption AES-256-GCM",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```bicep\n// Bicep: enforce AES-256-GCM for SMB channel encryption on the storage account's File Service\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource fileService 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n  name: 'default'\n  parent: sa\n  properties: {\n    protocolSettings: {\n      smb: {\n        channelEncryption: [ 'AES-256-GCM' ] // CRITICAL: Allows AES-256-GCM for SMB channel encryption to pass the check\n      }\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, open your storage account\n2. Go to Data storage > File shares\n3. Under File share settings, click Security\n4. Select Custom\n5. Under SMB channel encryption, select AES-256-GCM\n6. Click Save",
+      "Terraform": "```hcl\n# Set SMB channel encryption to AES-256-GCM on the storage account\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<example_location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  share_properties {\n    smb {\n      channel_encryption_type = \"AES256_GCM\" # CRITICAL: Enables AES-256-GCM for SMB channel encryption\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use the portal, CLI or PowerShell to set the SMB channel encryption to a secure algorithm.",
-      "Url": "https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal#smb-security-settings"
+      "Text": "Enforce **defense in depth** by restricting SMB channel encryption to `AES-256-GCM` on SMB `3.1.1`, removing weaker options.\n\n- Prefer private access (private endpoints/VPN)\n- Require secure transfer and modern TLS\n- Apply **least privilege** on shares\n- Validate client support and monitor connections during rollout",
+      "Url": "https://hub.prowler.com/check/storage_smb_channel_encryption_with_secure_algorithm"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "This check passes if SMB channel encryption is set to a secure algorithm."

prowler/providers/azure/services/storage/storage_smb_protocol_version_is_latest/storage_smb_protocol_version_is_latest.metadata.json CHANGED Viewed

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "storage_smb_protocol_version_is_latest",
-  "CheckTitle": "Ensure SMB protocol version for file shares is set to the latest version.",
+  "CheckTitle": "Storage account allows only the latest SMB protocol version for file shares",
   "CheckType": [],
   "ServiceName": "storage",
   "SubServiceName": "",
-  "ResourceIdTemplate": "/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}/fileServices/default",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AzureStorageAccount",
+  "ResourceType": "microsoft.storage/storageaccounts",
   "ResourceGroup": "storage",
-  "Description": "Ensure that SMB file shares are configured to use only the latest SMB protocol version.",
-  "Risk": "Allowing older SMB protocol versions may expose file shares to known vulnerabilities and security risks.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol#smb-security-settings",
+  "Description": "**Azure Storage file shares (SMB)** are configured to allow **only the latest SMB protocol version**, blocking legacy SMB versions at the storage account level",
+  "Risk": "Allowing legacy SMB versions enables **protocol downgrade** and weak cipher negotiation, reducing **confidentiality** and **integrity**. Adversaries can intercept or alter traffic, bypass strong signing/encryption, and exploit known flaws for lateral movement or credential replay",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol#smb-security-settings",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/latest-smb-protocol-version.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --versions <latest-version>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az storage account file-service-properties update --resource-group <RESOURCE_GROUP> --account-name <STORAGE_ACCOUNT_NAME> --versions SMB3.1.1",
+      "NativeIaC": "```bicep\n// Set SMB protocol to only the latest version for Azure Files\nresource fileService 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {\n  name: '<example_resource_name>/default'\n  properties: {\n    protocolSettings: {\n      smb: {\n        versions: 'SMB3.1.1' // Critical: allow only SMB 3.1.1 (latest) to pass the check\n      }\n    }\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Storage accounts and open your storage account\n2. Navigate to Data storage > File shares\n3. Under File share settings, select Security\n4. Choose Profile: Custom, then under SMB protocol versions select only SMB 3.1.1\n5. Click Save",
+      "Terraform": "```hcl\n# Configure storage account to allow only the latest SMB version for file shares\nresource \"azurerm_storage_account\" \"<example_resource_name>\" {\n  name                     = \"<example_resource_name>\"\n  resource_group_name      = \"<example_resource_name>\"\n  location                 = \"<location>\"\n  account_tier             = \"Standard\"\n  account_replication_type = \"LRS\"\n\n  share_properties {\n    smb {\n      versions = [\"SMB3.1.1\"] # Critical: restrict to only SMB 3.1.1 (latest)\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure your Azure Storage Account file shares to allow only the latest SMB protocol version.",
-      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/StorageAccounts/latest-smb-protocol-version.html"
+      "Text": "Restrict SMB to the newest version (e.g., `SMB 3.1.1`) and disable older versions. Enforce **encryption in transit** and prefer **Kerberos** over NTLM. Validate client compatibility, apply **least privilege** on shares, and monitor access to maintain **defense in depth**",
+      "Url": "https://hub.prowler.com/check/storage_smb_protocol_version_is_latest"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler 5.17.1__py3-none-any.whl → 5.18.0__py3-none-any.whl

prowler 5.17.1py3-none-any.whl → 5.18.0py3-none-any.whl