diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 04842d394f..1c53554948 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -15,6 +15,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS KMS service metadata to new format [(#9263)](https://github.com/prowler-cloud/prowler/pull/9263)
 - Update AWS MemoryDB service metadata to new format [(#9266)](https://github.com/prowler-cloud/prowler/pull/9266)
 - Update AWS Inspector v2 service metadata to new format [(#9260)](https://github.com/prowler-cloud/prowler/pull/9260)
+- Update AWS Service Catalog service metadata to new format [(#9410)](https://github.com/prowler-cloud/prowler/pull/9410)
 ---
diff --git a/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.metadata.json b/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.metadata.json
index 72211c2bdc..6a47eb9004 100644
--- a/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.metadata.json
+++ b/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.metadata.json
@@ -1,28 +1,32 @@
 {
 "Provider": "aws",
 "CheckID": "servicecatalog_portfolio_shared_within_organization_only",
- "CheckTitle": "Service Catalog portfolios should be shared within an AWS organization only",
+ "CheckTitle": "Service Catalog portfolio is shared only within the AWS Organization",
 "CheckType": [
- "Software and Configuration Checks/AWS Security Best Practices"
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "TTPs/Initial Access/Unauthorized Access"
 ],
 "ServiceName": "servicecatalog",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:servicecatalog:{region}:{account-id}:portfolio/{portfolio-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AwsServiceCatalogPortfolio",
- "Description": "This control checks whether AWS Service Catalog shares portfolios within an organization when the integration with AWS Organizations is enabled. The control fails if portfolios aren't shared within an organization.",
- "Risk": "Sharing Service Catalog portfolios outside of an organization may result in access granted to unintended AWS accounts, potentially exposing sensitive resources.",
- "RelatedUrl": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html",
+ "ResourceType": "Other",
+ "Description": "**AWS Service Catalog portfolios** are assessed to confirm sharing occurs via **AWS Organizations** integration, not direct `ACCOUNT` shares. It reviews shared portfolios and identifies those targeted to individual accounts instead of organizational scopes.",
+ "Risk": "Sharing with individual accounts enables recipients to import and launch products outside centralized guardrails, inheriting launch roles. 
This can cause unauthorized provisioning, data exposure, and configuration drift-impacting confidentiality, integrity, and availability through misused privileges and uncontrolled costs.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "aws servicecatalog create-portfolio-share --portfolio-id --organization-ids ",
- "NativeIaC": "",
- "Other": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html",
- "Terraform": ""
+ "NativeIaC": "```yaml\n# CloudFormation: Share Service Catalog portfolio only within the AWS Organization\nResources:\n :\n Type: AWS::ServiceCatalog::PortfolioShare\n Properties:\n PortfolioId: \n OrganizationNode: # CRITICAL: share within AWS Organizations\n Type: ORGANIZATION # Shares the portfolio with the entire org\n Value: # e.g., o-xxxxxxxxxx\n```",
+ "Other": "1. In the AWS Console, go to Service Catalog > Portfolios and open the target portfolio\n2. Open the Shares/Sharing tab\n3. Remove every share of Type \"Account\" (stop sharing with each account)\n4. Click Share, choose \"AWS Organizations\", set Type to \"Organization\", enter your Org ID (o-xxxxxxxxxx), and share\n5. 
Verify no remaining shares of Type \"Account\" exist",
+ "Terraform": "```hcl\n# Share Service Catalog portfolio only within the AWS Organization\nresource \"aws_servicecatalog_portfolio_share\" \"\" {\n portfolio_id = \"\"\n\n organization_node { # CRITICAL: share within AWS Organizations\n type = \"ORGANIZATION\" # Shares the portfolio with the entire org\n value = \"\" # e.g., o-xxxxxxxxxx\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Configure AWS Service Catalog to share portfolios only within your AWS Organization for more secure access management.",
- "Url": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html"
+ "Text": "Prefer **organizational sharing** for portfolios and avoid `ACCOUNT` targets. Enforce **least privilege** on portfolio access and launch roles, and review shares regularly. Apply **separation of duties** and **defense in depth** so only governed accounts consume products and blast radius remains constrained.",
+ "Url": "https://hub.prowler.com/check/servicecatalog_portfolio_shared_within_organization_only"
 }
 },
 "Categories": [
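Review bot: The NativeIaC and Terraform snippets in this hunk hard-code `Type: ORGANIZATION` / `type = "ORGANIZATION"` with the comment "Shares the portfolio with the entire org", which is the widest organizational scope even though the new Recommendation text asks for least privilege on portfolio access; `OrganizationNode` also accepts `ORGANIZATIONAL_UNIT`, so the `# CRITICAL` comments should name an OU-scoped share as the narrower choice when only part of the organization consumes the products — assuming the check counts an OU share as organizational, which this hunk does not show. In `Other`, step 3 removes every `Account` share before step 4 creates the organizational share, which leaves a window in which in-organization accounts that were shared individually lose portfolio access; creating the organizational share first and removing account shares last avoids that. The unchanged `CLI` context line uses `--organization-ids`, which I do not believe `create-portfolio-share` accepts — the option is `--organization-node Type=ORGANIZATION,Value=<org-id>` — and its flag values appear empty here (possibly angle-bracket placeholders lost in rendering), so it is worth verifying while this file is being reworked.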