chore(aws): enhance metadata for fsx service (#9006)

Co-authored-by: Sergio Garcia <hello@mistercloudsec.com>
Rubén De la Torre Vico
2025-10-29 19:11:53 +01:00
committed by GitHub
parent 6ff559c0d4
commit 25c823076f
4 changed files with 59 additions and 37 deletions

View File

@@ -71,6 +71,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS CloudFront service metadata to new format [(#8829)](https://github.com/prowler-cloud/prowler/pull/8829)
- Deprecate user authentication for M365 provider [(#8865)](https://github.com/prowler-cloud/prowler/pull/8865)
- Update AWS EFS service metadata to new format [(#8889)](https://github.com/prowler-cloud/prowler/pull/8889)
- Update AWS FSx service metadata to new format [(#9006)](https://github.com/prowler-cloud/prowler/pull/9006)
- Update AWS Glacier service metadata to new format [(#9007)](https://github.com/prowler-cloud/prowler/pull/9007)

View File

@@ -1,31 +1,38 @@
{
"Provider": "aws",
"CheckID": "fsx_file_system_copy_tags_to_backups_enabled",
"CheckTitle": "Check if FSx file systems are configured to copy tags to backups.",
"CheckTitle": "FSx file system has copy tags to backups enabled",
"CheckType": [
"Software and Configuration Checks/Vulnerabilities"
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "fsx",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsFSxFileSystem",
"Description": "Check if an Amazon FSx file system is configured to copy tags to backups. The control fails if this configuration isn't enabled.",
"Risk": "Without tag copying, managing and tracking your resources could be more difficult, impacting your governance and inventory management processes.",
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html",
"Description": "**Amazon FSx file systems** are evaluated for whether they copy **resource tags** to their **backups** via the `copy_tags_to_backups` setting.",
"Risk": "Missing tag inheritance leaves backups unclassified and outside tag-based controls, weakening confidentiality and availability. Tag-aware IAM and retention policies may not apply, enabling unauthorized access, accidental deletion, or orphaned backups that complicate recovery and inflate costs.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-2",
"https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html",
"https://docs.aws.amazon.com/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html"
],
"Remediation": {
"Code": {
"CLI": "aws fsx update-file-system --file-system-id <file-system-id> --open-zfs-configuration CopyTagsToBackups=true",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-2",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: Enable copying tags to backups for FSx OpenZFS\nResources:\n <example_resource_name>:\n Type: AWS::FSx::FileSystem\n Properties:\n FileSystemType: OPENZFS\n OpenZFSConfiguration:\n CopyTagsToBackups: true # Critical: ensures tags are copied to backups (passes the check)\n```",
"Other": "1. Open the AWS Console and go to Amazon FSx\n2. Select your FSx file system and choose Actions > Update file system\n3. Enable Copy tags to backups\n4. Click Update to save",
"Terraform": "```hcl\n# Terraform: Enable copying tags to backups for FSx OpenZFS\nresource \"aws_fsx_openzfs_file_system\" \"<example_resource_name>\" {\n subnet_ids = [\"<subnet_id>\"]\n deployment_type = \"SINGLE_AZ_1\"\n throughput_capacity = 64\n storage_capacity = 128\n\n copy_tags_to_backups = true # Critical: ensures tags are copied to backups (passes the check)\n}\n```"
},
"Recommendation": {
"Text": "Configure your FSx file system to copy tags to backups to improve resource management and tracking.",
"Url": "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
"Text": "Enable tag copying for FSx backups and standardize mandatory tags (owner, data classification, environment).\nMap **least privilege** and lifecycle policies to these tags, enforce with automation and guardrails, and regularly audit to prevent untagged or misclassified backups.",
"Url": "https://hub.prowler.com/check/fsx_file_system_copy_tags_to_backups_enabled"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
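Review bot: `ResourceIdTemplate` goes from `arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}` to `""`, which drops a valid ARN template that downstream consumers can use to build the resource ARN; keep the original value unless the new metadata format forbids it. The remediation (CLI `--open-zfs-configuration CopyTagsToBackups=true` plus the CloudFormation and Terraform blocks) only covers FSx for OpenZFS, while the title, the description and the `fsx-lustre-copy-tags-to-backups` reference kept in `AdditionalURLs` describe FSx file systems generally; either scope the check text to OpenZFS or document the equivalent setting for the other file system types the check evaluates.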

View File

@@ -1,28 +1,33 @@
{
"Provider": "aws",
"CheckID": "fsx_file_system_copy_tags_to_volumes_enabled",
"CheckTitle": "Check if FSx file systems are configured to copy tags to volumes.",
"CheckTitle": "FSx file system has copy tags to volumes enabled",
"CheckType": [
"Software and Configuration Checks/Vulnerabilities"
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "fsx",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsFSxFileSystem",
"Description": "Check if an Amazon FSx file system is configured to copy tags to volumes. The control fails if this configuration isn't enabled.",
"Risk": "Without tag copying, managing and tracking your resources could be more difficult, impacting your governance and inventory management processes.",
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-openzfs-copy-tags-enabled.html",
"ResourceType": "Other",
"Description": "**Amazon FSx file systems** are configured to **copy tags to volumes** via `copy_tags_to_volumes`.\n\nIdentifies file systems where volume resources will not inherit the file system's tags.",
"Risk": "Without tag propagation, volumes lack consistent labels used for **ABAC**, classification, and automation. This can erode confidentiality through mis-scoped access controls and impact availability if backups or safeguards aren't applied to untagged volumes.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-1",
"https://docs.aws.amazon.com/config/latest/developerguide/fsx-openzfs-copy-tags-enabled.html",
"https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
],
"Remediation": {
"Code": {
"CLI": "aws fsx update-file-system --file-system-id <file-system-id> --open-zfs-configuration CopyTagsToVolumes=true",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-1",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: Enable copying tags to volumes for FSx for OpenZFS\nResources:\n <example_resource_name>:\n Type: AWS::FSx::FileSystem\n Properties:\n FileSystemType: OPENZFS\n SubnetIds:\n - <example_resource_id>\n OpenZFSConfiguration:\n DeploymentType: SINGLE_AZ_1\n ThroughputCapacity: 64\n CopyTagsToVolumes: true # Critical: ensures volumes inherit file system tags\n```",
"Other": "1. Open the AWS Console and go to Amazon FSx\n2. Select your FSx for OpenZFS file system\n3. Click Actions > Update file system\n4. Set Copy tags to volumes to On\n5. Click Update to save",
"Terraform": "```hcl\n# FSx for OpenZFS with copy tags to volumes enabled\nresource \"aws_fsx_openzfs_file_system\" \"<example_resource_name>\" {\n deployment_type = \"SINGLE_AZ_1\"\n subnet_ids = [\"<example_resource_id>\"]\n throughput_capacity = 64\n copy_tags_to_volumes = true # Critical: ensures volumes inherit file system tags\n}\n```"
},
"Recommendation": {
"Text": "Configure your FSx file system to copy tags to volumes to improve resource management and tracking.",
"Url": "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
"Text": "Enable `copy_tags_to_volumes` and adopt a **mandatory tagging policy** (owner, environment, data class). Apply **least privilege/ABAC** using tags and integrate tags into backup, retention, and monitoring workflows to enforce **defense in depth**.",
"Url": "https://hub.prowler.com/check/fsx_file_system_copy_tags_to_volumes_enabled"
}
},
"Categories": [],
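Review bot: `ResourceType` changes from `AwsFSxFileSystem` to `Other` and `ResourceIdTemplate` from the ARN template to `""`, and both look like regressions: the resource being evaluated is still an FSx file system, and the sibling `fsx_file_system_copy_tags_to_backups_enabled` file in this same commit keeps `AwsFSxFileSystem`, so the two tag-propagation checks now disagree. Restore both values. `Categories` is also left as `[]` in the trailing context here while the backups check gains `"resilience"`; if that category is intended for these checks, apply it to both.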

View File

@@ -1,30 +1,39 @@
{
"Provider": "aws",
"CheckID": "fsx_windows_file_system_multi_az_enabled",
"CheckTitle": "Check if FSx Windows file systems are configured with Multi-AZ.",
"CheckType": [],
"CheckTitle": "FSx Windows file system is configured for Multi-AZ deployment",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Denial of Service"
],
"ServiceName": "fsx",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsFSxFileSystem",
"Description": "Check if FSx Windows file systems are configured with Multi-AZ. The control fails if this configuration isn't enabled.",
"Risk": "Relative to Single-AZ deployment, Multi-AZ deployments provide enhanced durability by further replicating data across AZs, and enhanced availability during planned system maintenance and unplanned service disruption by failing over automatically to the standby AZ. This allows you to continue accessing your data, and helps to protect your data against instance failure and AZ disruption.",
"RelatedUrl": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html",
"ResourceType": "Other",
"Description": "**FSx for Windows File Server** file systems are evaluated for **Multi-AZ deployment**, determined when `SubnetIds` include more than one subnet in different Availability Zones.",
"Risk": "Using **Single-AZ** creates a **single point of failure**. AZ outages, server failures, or maintenance can cause extended file share downtime, impacting availability. Crash scenarios may leave data inconsistent, threatening **integrity**, and recovery may rely on backups, increasing **RTO/RPO**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/fsx/latest/WindowsGuide/dfs-r.html",
"https://docs.aws.amazon.com/fsx/latest/APIReference/API_WindowsFileSystemConfiguration.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html",
"https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: Create FSx for Windows File Server with Multi-AZ\nResources:\n <example_resource_name>:\n Type: AWS::FSx::FileSystem\n Properties:\n FileSystemType: WINDOWS\n StorageCapacity: 32\n SubnetIds:\n - <example_subnet_id_1> # CRITICAL: two subnets -> Multi-AZ across AZs\n - <example_subnet_id_2> # CRITICAL: two subnets -> Multi-AZ across AZs\n WindowsConfiguration:\n ThroughputCapacity: 8\n DeploymentType: MULTI_AZ_1 # CRITICAL: enables Multi-AZ deployment\n PreferredSubnetId: <example_subnet_id_1>\n```",
"Other": "1. In AWS Console, go to FSx > Create file system > Amazon FSx for Windows File Server\n2. Set Deployment type to Multi-AZ\n3. Select two Subnets in different Availability Zones\n4. Set minimal required capacity/throughput and Create\n5. Migrate data to the new file system and repoint clients to its DNS name\n6. Delete the old Single-AZ file system",
"Terraform": "```hcl\n# Terraform: FSx for Windows File Server configured for Multi-AZ\nresource \"aws_fsx_windows_file_system\" \"<example_resource_name>\" {\n storage_capacity = 32\n subnet_ids = [\"<example_subnet_id_1>\", \"<example_subnet_id_2>\"] # CRITICAL: two subnets in different AZs\n throughput_capacity = 8\n deployment_type = \"MULTI_AZ_1\" # CRITICAL: enables Multi-AZ deployment\n preferred_subnet_id = \"<example_subnet_id_1>\"\n}\n```"
},
"Recommendation": {
"Text": "Configure your FSx Windows file system to be highly available with ENIs in Multiple AZs.",
"Url": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html"
"Text": "Prefer `MULTI_AZ_1` for production to uphold **high availability** and avoid AZ-level single points of failure. Apply **resilience** and **defense in depth**: design to tolerate AZ loss, capacity-plan for failover, and test failover regularly. *If Single-AZ is unavoidable*, limit to noncritical or app-replicated workloads and keep frequent, verified backups.",
"Url": "https://hub.prowler.com/check/fsx_windows_file_system_multi_az_enabled"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
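Review bot: `ResourceType` is again downgraded from `AwsFSxFileSystem` to `Other` and `ResourceIdTemplate` is emptied; restore both, as on the other files in this commit. The new `Description` says Multi-AZ is "determined when `SubnetIds` include more than one subnet in different Availability Zones", but the remediation itself keys on `DeploymentType: MULTI_AZ_1` and the linked `API_WindowsFileSystemConfiguration` reference exposes that field directly, so describe the evaluation in terms of `DeploymentType` (the subnet count is a consequence of the deployment type, not the setting itself). Leaving `CLI` empty is consistent with `Other`, which describes creating a new file system and migrating rather than updating in place; step 6 ("Delete the old Single-AZ file system") should be conditioned on the migrated data and a final backup having been verified first.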