chore(aws): enhance metadata for organizations service (#9384)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Rubén De la Torre Vico
2025-12-26 12:08:30 +01:00
committed by GitHub
parent 53b5030f00
commit 4ed27e1aaa
6 changed files with 91 additions and 57 deletions


@@ -23,6 +23,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Storage Gateway service metadata to new format [(#9433)](https://github.com/prowler-cloud/prowler/pull/9433)
- Update AWS Well-Architected service metadata to new format [(#9482)](https://github.com/prowler-cloud/prowler/pull/9482)
- Update AWS SSM service metadata to new format [(#9430)](https://github.com/prowler-cloud/prowler/pull/9430)
- Update AWS Organizations service metadata to new format [(#9384)](https://github.com/prowler-cloud/prowler/pull/9384)
---


@@ -1,32 +1,38 @@
{
"Provider": "aws",
"CheckID": "organizations_account_part_of_organizations",
"CheckTitle": "Check if account is part of an AWS Organizations",
"CheckTitle": "AWS account is a member of an active AWS Organization",
"CheckType": [
"Logging and Monitoring"
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "organizations",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service::account-id:organization/organization-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "Ensure that AWS Organizations service is currently in use.",
"Risk": "The risk associated with not being part of an AWS Organizations is that it can lead to a lack of centralized management and control over the AWS accounts in an organization. This can make it difficult to enforce security policies consistently across all accounts, and can also result in increased costs due to inefficiencies in resource usage. Additionally, not being part of an AWS Organizations can make it harder to track and manage account usage and access.",
"Description": "**AWS account** membership in **AWS Organizations** with organization status `ACTIVE`.\n\nAssesses if the account is associated with an organization and that the organization state is `ACTIVE`.",
"Risk": "Absence of **AWS Organizations** weakens governance across accounts. Without **SCP guardrails** and centralized policy, excessive permissions, unsafe network settings, or risky services may be enabled, threatening **confidentiality** and **integrity**. Fragmented logging and response slow containment, impacting **availability** and increasing cost exposure.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html",
"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_view_org.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "aws organizations create-organization",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"Other": "1. Sign in to the AWS Management Console with the account to remediate\n2. Open the AWS Organizations console\n3. Click \"Create an organization\"\n4. Confirm to create (default is All features)\n5. Verify the organization status shows Active on the Settings page",
"Terraform": "```hcl\n# Creates an AWS Organization so this account becomes a member (status ACTIVE)\nresource \"aws_organizations_organization\" \"<example_resource_name>\" {\n # Critical: creating this resource makes the account part of an active AWS Organization\n}\n```"
},
"Recommendation": {
"Text": "Create or Join an AWS Organization",
"Url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html"
"Text": "Operate all accounts under **AWS Organizations** (preferably with *all features*). Structure OUs, enforce **SCPs** for least privilege, and apply separation of duties between management and member accounts. Centralize logging and billing to support defense-in-depth, and routinely review org membership and policies.",
"Url": "https://hub.prowler.com/check/organizations_account_part_of_organizations"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
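Review bot: the CLI and Terraform remediation in this hunk (`aws organizations create-organization` and the `aws_organizations_organization` resource) only fit an account that is meant to become the management account of a new organization; applied to an account that should be a member of an existing organization, it creates a second, separate organization, which clears the finding without delivering the centralized governance the Risk text describes. Suggest stating in Other/CLI that member accounts are remediated by accepting an invitation issued from the management account (`aws organizations accept-handshake --handshake-id <HANDSHAKE_ID>`) and reserving `create-organization` for the intended management account. Also, `ResourceIdTemplate` is blanked here (and in the other four files) although the old value documented the organization ARN shape; confirm the new format intends an empty template rather than a template for the organization ARN.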


@@ -1,32 +1,38 @@
{
"Provider": "aws",
"CheckID": "organizations_delegated_administrators",
"CheckTitle": "Check if AWS Organizations delegated administrators are trusted",
"CheckTitle": "AWS Organization has only trusted delegated administrators",
"CheckType": [
"Logging and Monitoring"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "organizations",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service::account-id:organization/organization-id",
"Severity": "high",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "This check verify if there are AWS Organizations delegated administrators and if they are trusted (you can define your trusted delegated administrator in Prowler configuration)",
"Risk": "The risk associated with having untrusted delegated administrators within an AWS Organizations is that they may have the ability to access and make changes to sensitive data and resources within an organization's AWS accounts. This can result in unauthorized access or data breaches, which can lead to financial losses, damage to reputation, and legal liabilities. It's important to carefully vet and monitor AWS Organizations delegated administrators to ensure that they are trustworthy and have a legitimate need for access to the organization's resources.",
"Description": "**AWS Organizations delegated administrators** are compared against a predefined **trusted list** to identify delegations that are not explicitly approved. The evaluation also notes when no delegated administrators exist.",
"Risk": "Unapproved delegated administrators can alter **SCPs**, invite/move accounts, and create privileged roles, enabling **privilege escalation**. This undermines guardrails, risking loss of **integrity**, exposure of **confidentiality** across accounts, and impacts **availability** through organization-wide policy changes.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the AWS Management Console with the organization management account\n2. Open AWS Organizations\n3. In the left pane, select **Delegated administrators**\n4. Select the untrusted account (by Account ID) from the list\n5. For each service shown for that account, choose **Deregister delegated administrator** and confirm\n6. Repeat for all untrusted accounts until only trusted accounts (or none) remain",
"Terraform": ""
},
"Recommendation": {
"Text": "Review delegated administrators",
"Url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html"
"Text": "Restrict delegation to vetted accounts using **least privilege** and **separation of duties**. Maintain a centrally governed **approved allowlist**, review it regularly, and remove unused delegations. Enforce **strong authentication** for admin roles and monitor Organizations policy changes for **defense in depth**.",
"Url": "https://hub.prowler.com/check/organizations_delegated_administrators"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
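Review bot: the new Description drops the sentence saying the trusted list is defined in Prowler configuration, so a reader of the finding no longer knows where the allowlist lives; keep a reference to the Prowler configuration setting in Description or Notes. The `CLI` field is still empty while console steps exist; the equivalent, run from the management account once per service, is `aws organizations deregister-delegated-administrator --account-id <ACCOUNT_ID> --service-principal <SERVICE_PRINCIPAL>`. Worth a sentence in the Other steps that deregistering an administrator interrupts whatever the delegated service was doing org-wide, so the delegation should be re-assigned to a trusted account rather than simply dropped.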


@@ -1,30 +1,40 @@
{
"Provider": "aws",
"CheckID": "organizations_opt_out_ai_services_policy",
"CheckTitle": "Ensure that AWS Organizations opt-out of AI services policy is enabled and disallow child-accounts to overwrite this policy.",
"CheckType": [],
"CheckTitle": "AWS Organization has opted out of all AI services and child accounts cannot override the policy",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Data Exposure"
],
"ServiceName": "organizations",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service::account-id:organization/organization-id",
"Severity": "low",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "This control checks whether the AWS Organizations opt-out of AI services policy is enabled and whether child-accounts are disallowed to overwrite this policy. The control fails if the policy is not enabled or if child-accounts are not disallowed to overwrite this policy.",
"Risk": "By default, AWS may be using your data to train its AI models. This may include data from your AWS CloudTrail logs, AWS Config rules, and AWS GuardDuty findings. If you opt out of AI services, AWS will not use your data to train its AI models.",
"RelatedUrl": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_all.html",
"Description": "**AWS Organizations** is assessed for an AI services opt-out policy that sets `services.default.opt_out_policy` to `optOut` and blocks child overrides via `@@operators_allowed_for_child_policies` set to `@@none`.",
"Risk": "Without an enforced opt-out, AI services may store and use your content for model training, weakening **confidentiality** and **data sovereignty**. If child accounts can override, they can re-enable data use, risking unintended cross-Region retention and exposure of logs, documents, or code processed by these services.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/organizations/latest/userguide/disable-policy-type.html",
"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_all.html",
"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: Opt out of all AI services and prevent child overrides\nResources:\n AiServicesOptOutPolicy:\n Type: AWS::Organizations::Policy\n Properties:\n Name: <example_resource_name>\n Type: AISERVICES_OPT_OUT_POLICY\n Content: |\n { \"services\": { \"default\": { \"opt_out_policy\": { \"@@assign\": \"optOut\", \"@@operators_allowed_for_child_policies\": [\"@@none\"] } } } }\n # Critical: @@assign \"optOut\" opts out org-wide; @@operators... [\"@@none\"] blocks child overrides\n TargetIds:\n - <example_resource_id> # Critical: attach to the organization root (e.g., r-xxxx)\n```",
"Other": "1. In the AWS Management Console, open AWS Organizations using the management account\n2. Go to Policies > AI services opt-out\n3. Click Opt out from all services and confirm\n4. Verify the policy is attached to the Root and shows default -> opt_out_policy -> @@assign: optOut with @@operators_allowed_for_child_policies set to [\"@@none\"]",
"Terraform": "```hcl\n# Enable AI services opt-out policy type\nresource \"aws_organizations_organization\" \"<example_resource_name>\" {\n enabled_policy_types = [\"AISERVICES_OPT_OUT_POLICY\"] # Critical: allow AI opt-out policies\n}\n\n# Create the AI opt-out policy\nresource \"aws_organizations_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n type = \"AISERVICES_OPT_OUT_POLICY\"\n content = <<JSON\n{ \"services\": { \"default\": { \"opt_out_policy\": { \"@@assign\": \"optOut\", \"@@operators_allowed_for_child_policies\": [\"@@none\"] } } } }\nJSON\n # Critical: @@assign \"optOut\" opts out; @@operators... [\"@@none\"] prevents child overrides\n}\n\n# Attach policy to the org root\nresource \"aws_organizations_policy_attachment\" \"<example_resource_name>\" {\n policy_id = aws_organizations_policy.<example_resource_name>.id\n target_id = aws_organizations_organization.<example_resource_name>.roots[0].id # Critical: attach to root\n}\n```"
},
"Recommendation": {
"Text": "Artificial Intelligence (AI) services opt-out policies enable you to control whether AWS AI services can store and use your content. Enable the AWS Organizations opt-out of AI services policy and disallow child-accounts to overwrite this policy.",
"Url": "https://docs.aws.amazon.com/organizations/latest/userguide/disable-policy-type.html"
"Text": "Establish an org-wide AI services opt-out: set the default to `optOut` and prohibit child policy overrides (`@@none`). Apply at the highest scope, gate exceptions through change control, and review periodically. Align with **least privilege** and **data minimization** to prevent unintended content sharing with managed AI services.",
"Url": "https://hub.prowler.com/check/organizations_opt_out_ai_services_policy"
}
},
"Categories": [],
"Categories": [
"gen-ai"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
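Review bot: two problems in the Terraform snippet. First, `enabled_policy_types = ["AISERVICES_OPT_OUT_POLICY"]` is the complete list of enabled policy types for the organization, so applying it to an org that already uses SCPs or tag policies disables those types; the list must include the types already in use, and the `aws_organizations_organization` resource must be imported rather than created when the organization exists. Second, all three resources reuse `<example_resource_name>` as the Terraform resource name, so `aws_organizations_policy.<example_resource_name>.id` and `aws_organizations_organization.<example_resource_name>.roots[0].id` are ambiguous as written; give each resource a distinct placeholder. In the CloudFormation `NativeIaC` block, the `# Critical: ...` line sits under `Content: |`; if it is indented at the level of the JSON line it becomes part of the literal block scalar and the policy content is no longer valid JSON, so move that comment above `Content:`.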


@@ -1,32 +1,38 @@
{
"Provider": "aws",
"CheckID": "organizations_scp_check_deny_regions",
"CheckTitle": "Check if AWS Regions are restricted with SCP policies",
"CheckTitle": "AWS Organization restricts operations to only the configured AWS Regions with SCP policies",
"CheckType": [
"Logging and Monitoring"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "organizations",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service::account-id:organization/organization-id",
"Severity": "low",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "As best practice, AWS Regions should be restricted and only allow the ones that are needed.",
"Risk": "The risk associated with not restricting AWS Regions with Service Control Policies (SCPs) is that it can lead to unauthorized access or use of resources in regions that are not intended for use. This can result in increased costs due to inefficiencies in resource usage and can also expose sensitive data to unauthorized access or breaches. By restricting access to AWS Regions with SCP policies, organizations can help ensure that only authorized personnel have access to the resources they need, while minimizing the risk of security breaches and compliance violations.",
"Description": "**AWS Organizations SCPs** limit account actions to approved regions using conditions on `aws:RequestedRegion`.\n\nThis evaluates whether policies exist and fully restrict access to the configured allowlist, rather than only some regions.",
"Risk": "Without comprehensive Region limits, users or attackers can deploy resources in ungoverned locations, bypassing monitoring and guardrails.\n\nImpacts:\n- Data outside approved jurisdictions (confidentiality)\n- Policy gaps and drift (integrity)\n- IR blind spots and unexpected cost (availability)",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: SCP denying requests outside approved regions\nResources:\n <example_resource_name>Policy:\n Type: AWS::Organizations::Policy\n Properties:\n Name: <example_resource_name>\n Type: SERVICE_CONTROL_POLICY\n Content:\n Version: '2012-10-17'\n Statement:\n - Effect: Deny\n Action: \"*\"\n Resource: \"*\"\n Condition:\n StringNotEquals:\n aws:RequestedRegion:\n - <REGION_1> # Critical: only these regions are allowed; others are denied\n - <REGION_2>\n\n <example_resource_name>Attachment:\n Type: AWS::Organizations::PolicyAttachment\n Properties:\n PolicyId: !Ref <example_resource_name>Policy\n TargetId: <example_resource_id> # Critical: attach SCP to the root/OU/account\n```",
"Other": "1. In the AWS Management Console, go to AWS Organizations\n2. In Policies, ensure Service control policies are Enabled (click Enable if needed)\n3. Go to Policies > Service control policies > Create policy\n4. Paste this JSON as the policy content and save:\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Effect\": \"Deny\",\n \"Action\": \"*\",\n \"Resource\": \"*\",\n \"Condition\": {\"StringNotEquals\": {\"aws:RequestedRegion\": [\"<REGION_1>\", \"<REGION_2>\"]}}\n }]\n }\n5. Attach the policy to the organization root (r-xxxx), target OU, or specific account\n6. Verify the policy is attached and shows as Applied to the intended target",
"Terraform": "```hcl\n# Terraform: SCP denying requests outside approved regions\nresource \"aws_organizations_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n type = \"SERVICE_CONTROL_POLICY\"\n content = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Deny\"\n Action = \"*\"\n Resource = \"*\"\n Condition = {\n StringNotEquals = {\n \"aws:RequestedRegion\" = [\"<REGION_1>\", \"<REGION_2>\"] # Critical: only these regions are allowed; others are denied\n }\n }\n }\n ]\n })\n}\n\nresource \"aws_organizations_policy_attachment\" \"<example_resource_name>\" {\n policy_id = aws_organizations_policy.<example_resource_name>.id\n target_id = \"<example_resource_id>\" # Critical: attach to the root (r-xxxx), OU (ou-xxxx), or account ID\n}\n```"
},
"Recommendation": {
"Text": "Restrict AWS Regions using SCP policies.",
"Url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region"
"Text": "Enforce Region governance with **SCPs** that allow only approved regions via `aws:RequestedRegion` conditions (deny-by-default).\n\nApply across relevant OUs and accounts, with narrow exceptions for required global services. Review often; align to least privilege, data residency, and continuous monitoring.",
"Url": "https://hub.prowler.com/check/organizations_scp_check_deny_regions"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
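Review bot: the SCP in NativeIaC, Other and Terraform is a blanket `Deny` on `*` conditioned only on `aws:RequestedRegion`, with no exclusion for global services, even though the Recommendation text calls for "narrow exceptions for required global services". IAM, STS via its global endpoint, Organizations, Route 53, CloudFront, Support and similar services are served from us-east-1 regardless of where the caller sits, so unless us-east-1 is in the allowlist this policy blocks those calls, including the ability to manage the SCP itself. The linked AWS example (`#example-scp-deny-region`) handles this with a `NotAction` list of global-service actions and an `ArnNotLike` exemption for administrative principals; the three snippets should carry the same structure, or the text should say that the allowlist must include the Region that hosts the global endpoints.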


@@ -1,27 +1,32 @@
{
"Provider": "aws",
"CheckID": "organizations_tags_policies_enabled_and_attached",
"CheckTitle": "Check if an AWS Organization has tags policies enabled and attached.",
"CheckType": [],
"CheckTitle": "AWS Organization has tag policies enabled and attached",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "organizations",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service::account-id:organization/organization-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "Check if an AWS Organization has tags policies enabled and attached.",
"Risk": "If an AWS Organization tags policies are not enabled and attached, it is not possible to enforce tags on AWS resources.",
"Description": "**AWS Organizations** tag policies are evaluated for their presence and attachment to organization targets (accounts or OUs), distinguishing between no policies, policies defined but not attached, and policies attached to at least one target.",
"Risk": "Absent or unattached tag policies cause inconsistent or missing tags, undermining:\n- **Confidentiality** via bypassed tag-based access conditions\n- **Integrity** through misclassified resources and drift\n- **Availability** when automation, cost routing, or incident scoping that rely on tags break",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: Create and attach a Tag Policy\nResources:\n TagPolicy:\n Type: AWS::Organizations::Policy\n Properties:\n Name: <example_resource_name>\n Type: TAG_POLICY # Critical: defines a Tag Policy type\n Content:\n tags:\n Environment:\n tag_key:\n \"@@assign\": \"Environment\"\n TargetIds:\n - <example_resource_id> # Critical: attaches the policy to an account/OU/root\n```",
"Other": "1. Sign in to the AWS Management Console with the organization management account\n2. Open AWS Organizations > Policies > Tag policies\n3. If prompted, click Enable tag policies\n4. Click Create policy, enter a name, add minimal valid content (e.g., define one tag key), and create the policy\n5. Select the policy and click Attach\n6. Choose the Root, an OU, or at least one account and confirm\n7. The check passes when a tag policy exists and is attached to a target",
"Terraform": "```hcl\n# Create a Tag Policy\nresource \"aws_organizations_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n type = \"TAG_POLICY\" # Critical: defines a Tag Policy type\n content = jsonencode({\n tags = {\n Environment = {\n tag_key = { \"@@assign\" = \"Environment\" }\n }\n }\n })\n}\n\n# Attach the Tag Policy to a target (Root/OU/Account)\nresource \"aws_organizations_policy_attachment\" \"<example_resource_name>\" {\n policy_id = aws_organizations_policy.<example_resource_name>.id\n target_id = \"<example_resource_id>\" # Critical: attaches the policy to an account/OU/root\n}\n```"
},
"Recommendation": {
"Text": "Enable and attach AWS Organizations tags policies.",
"Url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html"
"Text": "Enable **tag policies** and attach them to relevant roots/OUs/accounts. Define mandatory keys (e.g., `Environment`, `CostCenter`) with allowed values. Apply **defense in depth** by using tags in IAM conditions and SCPs. Start with validation-only, then enforce, and continuously monitor compliance across accounts.",
"Url": "https://hub.prowler.com/check/organizations_tags_policies_enabled_and_attached"
}
},
"Categories": [],
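Review bot: the Terraform snippet creates `aws_organizations_policy` with `type = "TAG_POLICY"` but nothing enables the TAG_POLICY policy type on the organization, which the console steps do (step 3, "Enable tag policies"); the policy creation fails until `TAG_POLICY` is among the organization's `enabled_policy_types`. Also, the sample content in both IaC blocks only assigns `tag_key` with no `tag_value` or `enforced_for`, so it satisfies the check while preventing nothing; since the Recommendation says to "Define mandatory keys ... with allowed values", the example should at least show `tag_value` so readers do not ship a policy that enforces nothing.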