chore(mongodbatlas): enhance metadata for projects service (#9093)

Co-authored-by: Sergio Garcia <hello@mistercloudsec.com>

prowler/CHANGELOG.md

@@ -31,6 +31,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS EKS service metadata to new format [(#8890)](https://github.com/prowler-cloud/prowler/pull/8890)
 - Update AWS Elastic Beanstalk service metadata to new format [(#8934)](https://github.com/prowler-cloud/prowler/pull/8934)
 - Update AWS ElastiCache service metadata to new format [(#8933)](https://github.com/prowler-cloud/prowler/pull/8933)
+- Update MongoDB Atlas projects service metadata to new format [(#9093)](https://github.com/prowler-cloud/prowler/pull/9093)
 - Update GitHub Organization service metadata to new format [(#9094)](https://github.com/prowler-cloud/prowler/pull/9094)
 - Update AWS CodeBuild service metadata to new format [(#8851)](https://github.com/prowler-cloud/prowler/pull/8851)
 - Update GCP Artifact Registry service metadata to new format [(#9088)](https://github.com/prowler-cloud/prowler/pull/9088)

prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "mongodbatlas",
   "CheckID": "projects_auditing_enabled",
-  "CheckTitle": "Ensure database auditing is enabled",
+  "CheckTitle": "MongoDB Atlas project has database auditing enabled",
   "CheckType": [],
   "ServiceName": "projects",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "MongoDBAtlasProject",
-  "Description": "Ensure database auditing is enabled to track database operations and security events",
-  "Risk": "Without auditing enabled, security events and database operations are not logged, making it difficult to detect unauthorized access or troubleshoot issues",
+  "Description": "**MongoDB Atlas projects** with **database auditing** capture database operations and administrative events. The evaluation looks for an active audit configuration and, *when present*, notes any configured `audit_filter` that scopes which events are recorded.",
+  "Risk": "Without auditing, critical actions lack traceability, reducing **detectability** and impeding **forensics**. Attackers can mask unauthorized reads/writes and privilege changes, threatening data **confidentiality** and **integrity**, and weakening non-repudiation and incident response.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.mongodb.com/docs/manual/tutorial/configure-auditing/",
+    "https://www.mongodb.com/docs/atlas/architecture/current/auditing/",
+    "https://www.mongodb.com/docs/atlas/architecture/current/auditing-logging/?msockid=0878cc3dfa4e66a707beda0efb5a67b5",
+    "https://www.mongodb.com/docs/atlas/operator/current/ak8so-configure-audit-logs/",
+    "https://www.mongodb.com/docs/manual/core/auditing/",
+    "https://www.mongodb.com/docs/atlas/database-auditing/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "atlas auditing update --projectId <example_resource_id> --enabled",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. Sign in to MongoDB Atlas and open the target project\n2. In the left sidebar, click Security > Database & Network Access, then click Advanced\n3. Toggle Database Auditing to On\n4. Click Save",
+      "Terraform": "```hcl\nresource \"mongodbatlas_auditing\" \"example\" {\n  project_id = \"<example_resource_id>\"\n  enabled    = true  # Critical: turns on project-level database auditing to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable database auditing for the MongoDB Atlas project by configuring audit filters and destinations.",
-      "Url": "https://www.mongodb.com/docs/atlas/database-auditing/"
+      "Text": "Enable **auditing** and apply least-privilege filters to capture high-risk events:\n- authentication and session activity\n- DDL/config changes\n- user/role modifications and privilege grants\n\nCentralize logs in a SIEM, enforce retention/immutability with separation of duties, restrict access, and tune `auditAuthorizationSuccess` to balance coverage vs performance.",
+      "Url": "https://hub.prowler.com/check/projects_auditing_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json

@@ -1,29 +1,34 @@
 {
   "Provider": "mongodbatlas",
   "CheckID": "projects_network_access_list_exposed_to_internet",
-  "CheckTitle": "Ensure MongoDB Atlas project network access list is not exposed to the internet",
+  "CheckTitle": "MongoDB Atlas project network access list has entries and excludes 0.0.0.0/0, ::/0, 0.0.0.0, and ::",
   "CheckType": [],
   "ServiceName": "projects",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
   "ResourceType": "MongoDBAtlasProject",
-  "Description": "Ensure that MongoDB Atlas projects have properly configured network access lists that don't allow unrestricted access from anywhere on the internet. Network access lists should be configured to allow access only from specific IP addresses, CIDR blocks, or AWS security groups to minimize the attack surface.",
-  "Risk": "If a MongoDB Atlas project has network access entries that allow unrestricted access (0.0.0.0/0 or ::/0), it exposes the database to potential attacks from anywhere on the internet. This significantly increases the risk of unauthorized access, data breaches, and malicious activities.",
-  "RelatedUrl": "https://docs.atlas.mongodb.com/security/ip-access-list/",
+  "Description": "**MongoDB Atlas project network access list** configuration is evaluated for entries that allow access from anywhere (`0.0.0.0/0`, `::/0`, `0.0.0.0`, `::`) or for missing access lists, instead of restricting connections to specific IPs or CIDRs.",
+  "Risk": "Internet-wide access enables scanning, brute force, and credential stuffing against database endpoints. A successful compromise can cause data exfiltration (**confidentiality**), unauthorized writes or drops (**integrity**), and service disruption or lockout (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.atlas.mongodb.com/security/ip-access-list/"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In MongoDB Atlas, open your project and go to Security > Database & Network Access > IP Access List\n2. Delete any entries equal to 0.0.0.0/0, ::/0, 0.0.0.0, or ::\n3. If the list becomes empty, click Add IP Address and add a specific IP/CIDR or an AWS Security Group (for a peered VPC)\n4. Click Save",
+      "Terraform": "```hcl\nresource \"mongodbatlas_project_ip_access_list\" \"<example_resource_name>\" {\n  project_id = \"<example_resource_id>\"\n  cidr_block = \"<ALLOWED_CIDR>\" # Critical: add a restricted CIDR (not 0.0.0.0/0 or ::/0) to ensure the list isn't empty and not open to the world\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure network access lists to allow access only from specific IP addresses, CIDR blocks, or AWS security groups. Remove any entries that allow unrestricted access (0.0.0.0/0 or ::/0) and replace them with more restrictive rules based on your application's requirements.",
-      "Url": "https://docs.atlas.mongodb.com/security/ip-access-list/"
+      "Text": "Apply **least privilege**: permit only required IPs/CIDRs or approved security groups; avoid `0.0.0.0/0` and `::/0`. Prefer **private connectivity** (VPC peering or private endpoints) over public access. Use temporary entries for short-lived admin needs and review lists regularly.",
+      "Url": "https://hub.prowler.com/check/projects_network_access_list_exposed_to_internet"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""