From 6158c161085750da417f5627906bd76c2fbb0106 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Fri, 12 Dec 2025 15:14:26 +0100
Subject: [PATCH] feat(categories): add privilege-escalation and ec2-imdsv1 (#9537)

---
 docs/developer-guide/check-metadata-guidelines.mdx | 2 ++
 prowler/CHANGELOG.md | 6 ++++++
 .../ec2_instance_account_imdsv2_enabled.metadata.json | 3 ++-
 .../ec2_instance_imdsv2_enabled.metadata.json | 4 +++-
 ..._inline_policy_allows_privilege_escalation.metadata.json | 4 +++-
 .../iam_policy_allows_privilege_escalation.metadata.json | 4 +++-
 6 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/docs/developer-guide/check-metadata-guidelines.mdx b/docs/developer-guide/check-metadata-guidelines.mdx
index 2b6524bcc6..7bc335c3de 100644
--- a/docs/developer-guide/check-metadata-guidelines.mdx
+++ b/docs/developer-guide/check-metadata-guidelines.mdx
@@ -213,3 +213,5 @@ Also is important to keep all code examples as short as possible, including the
 | software-supply-chain | Detects or prevents tampering, unauthorized packages, or third-party risks in software supply chain |
 | e3 | M365-specific controls enabled by or dependent on an E3 license (e.g., baseline security policies, conditional access) |
 | e5 | M365-specific controls enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery) |
+| privilege-escalation | Detects IAM policies or permissions that allow identities to elevate their privileges beyond their intended scope, potentially gaining administrator or higher-level access through specific action combinations |
+| ec2-imdsv1 | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security |
\ No newline at end of file
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index f61a55b426..6f5b972e11 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -2,6 +2,12 @@ All notable changes to the **Prowler SDK** are documented in this file.
+## [5.16.0] (Prowler UNRELEASED)
+
+### Added
+
+- `privilege-escalation` and `ec2-imdsv1` categories for AWS checks [(#9536)](https://github.com/prowler-cloud/prowler/pull/9536)
+
 ## [5.15.1] (Prowler UNRELEASED)
 ### Fixed
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
index f4148a9486..799e4a07f9 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
@@ -26,7 +26,8 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "ec2-imdsv1"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
index 3f613e6421..37c3afbf61 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
@@ -25,7 +25,9 @@
       "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "ec2-imdsv1"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
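Review bot: The `ec2-imdsv1` tag is attached here to `ec2_instance_account_imdsv2_enabled`, which by its name evaluates the account-level IMDS default rather than a running instance, yet the category definition added to the docs table in this same patch says it "Identifies EC2 instances using Instance Metadata Service version 1". If the tag is intended to gather every IMDSv1-related finding (per-instance setting and account default), the docs row should say so, e.g. `| ec2-imdsv1 | Identifies EC2 instances, and account-level IMDS defaults, that still permit IMDSv1 (Instance Metadata Service version 1) ... |`; otherwise this check should keep only `internet-exposed`. While touching that row, the phrase "vulnerable to SSRF attacks" is worth tightening: IMDSv1 is not itself an SSRF flaw, it is the credential-theft target when an SSRF, open proxy or similar bug exists on the instance, and IMDSv2's PUT-obtained session token plus hop limit is what blocks that path. The enclosing JSON object starts and ends outside the hunk.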
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json b/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json
index 47f43cda3d..a4be77babf 100644
--- a/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json
@@ -26,7 +26,9 @@
       "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "privilege-escalation"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
diff --git a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.metadata.json b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.metadata.json
index 8947a77bea..bca99ee6f8 100644
--- a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.metadata.json
+++ b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.metadata.json
@@ -27,7 +27,9 @@
       "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "privilege-escalation"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "CAF Security Epic: IAM"