chore(aws): enhance metadata for servicecatalog service (#9410)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

prowler/CHANGELOG.md

@@ -15,6 +15,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS KMS service metadata to new format [(#9263)](https://github.com/prowler-cloud/prowler/pull/9263)
 - Update AWS MemoryDB service metadata to new format [(#9266)](https://github.com/prowler-cloud/prowler/pull/9266)
 - Update AWS Inspector v2 service metadata to new format [(#9260)](https://github.com/prowler-cloud/prowler/pull/9260)
+- Update AWS Service Catalog service metadata to new format [(#9410)](https://github.com/prowler-cloud/prowler/pull/9410)
 
 ---
 

prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.metadata.json

@@ -1,28 +1,32 @@
 {
   "Provider": "aws",
   "CheckID": "servicecatalog_portfolio_shared_within_organization_only",
-  "CheckTitle": "Service Catalog portfolios should be shared within an AWS organization only",
+  "CheckTitle": "Service Catalog portfolio is shared only within the AWS Organization",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "TTPs/Initial Access/Unauthorized Access"
   ],
   "ServiceName": "servicecatalog",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:servicecatalog:{region}:{account-id}:portfolio/{portfolio-id}",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsServiceCatalogPortfolio",
-  "Description": "This control checks whether AWS Service Catalog shares portfolios within an organization when the integration with AWS Organizations is enabled. The control fails if portfolios aren't shared within an organization.",
-  "Risk": "Sharing Service Catalog portfolios outside of an organization may result in access granted to unintended AWS accounts, potentially exposing sensitive resources.",
-  "RelatedUrl": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html",
+  "ResourceType": "Other",
+  "Description": "**AWS Service Catalog portfolios** are assessed to confirm sharing occurs via **AWS Organizations** integration, not direct `ACCOUNT` shares. It reviews shared portfolios and identifies those targeted to individual accounts instead of organizational scopes.",
+  "Risk": "Sharing with individual accounts enables recipients to import and launch products outside centralized guardrails, inheriting launch roles. This can cause unauthorized provisioning, data exposure, and configuration drift-impacting confidentiality, integrity, and availability through misused privileges and uncontrolled costs.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws servicecatalog create-portfolio-share --portfolio-id <portfolio-id> --organization-ids <org-id>",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Share Service Catalog portfolio only within the AWS Organization\nResources:\n  <example_resource_name>:\n    Type: AWS::ServiceCatalog::PortfolioShare\n    Properties:\n      PortfolioId: <example_resource_id>\n      OrganizationNode:               # CRITICAL: share within AWS Organizations\n        Type: ORGANIZATION            # Shares the portfolio with the entire org\n        Value: <example_resource_id>  # e.g., o-xxxxxxxxxx\n```",
+      "Other": "1. In the AWS Console, go to Service Catalog > Portfolios and open the target portfolio\n2. Open the Shares/Sharing tab\n3. Remove every share of Type \"Account\" (stop sharing with each account)\n4. Click Share, choose \"AWS Organizations\", set Type to \"Organization\", enter your Org ID (o-xxxxxxxxxx), and share\n5. Verify no remaining shares of Type \"Account\" exist",
+      "Terraform": "```hcl\n# Share Service Catalog portfolio only within the AWS Organization\nresource \"aws_servicecatalog_portfolio_share\" \"<example_resource_name>\" {\n  portfolio_id = \"<example_resource_id>\"\n\n  organization_node {           # CRITICAL: share within AWS Organizations\n    type  = \"ORGANIZATION\"     # Shares the portfolio with the entire org\n    value = \"<example_resource_id>\"  # e.g., o-xxxxxxxxxx\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Configure AWS Service Catalog to share portfolios only within your AWS Organization for more secure access management.",
-      "Url": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html"
+      "Text": "Prefer **organizational sharing** for portfolios and avoid `ACCOUNT` targets. Enforce **least privilege** on portfolio access and launch roles, and review shares regularly. Apply **separation of duties** and **defense in depth** so only governed accounts consume products and blast radius remains constrained.",
+      "Url": "https://hub.prowler.com/check/servicecatalog_portfolio_shared_within_organization_only"
     }
   },
   "Categories": [