diff --git a/docs/developer-guide/checks.mdx b/docs/developer-guide/checks.mdx index 0c9bdf154e..da469678fa 100644 --- a/docs/developer-guide/checks.mdx +++ b/docs/developer-guide/checks.mdx @@ -315,6 +315,7 @@ The type of resource being audited. This field helps categorize and organize fin - **Kubernetes**: Use types shown under `KIND` from `kubectl api-resources`. - **Oracle Cloud Infrastructure**: Use types from [Oracle Cloud Infrastructure documentation](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Search/Tasks/queryingresources_topic-Listing_Supported_Resource_Types.htm). - **OpenStack**: Use types from [OpenStack Heat resource types](https://docs.openstack.org/heat/latest/template_guide/openstack.html). +- **Alibaba Cloud**: Use types from [Alibaba Cloud ROS resource types](https://www.alibabacloud.com/help/en/ros/developer-reference/list-of-resource-types-by-service). - **Any other provider**: Use `NotDefined` due to lack of standardized resource types in their SDK or documentation. #### ResourceGroup diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index bf7809a6e9..fff5d21773 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -30,6 +30,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update Oracle Cloud Object Storage service metadata to new format [(#9379)](https://github.com/prowler-cloud/prowler/pull/9379) - Update Oracle Cloud Events service metadata to new format [(#9373)](https://github.com/prowler-cloud/prowler/pull/9373) - Update Oracle Cloud Identity service metadata to new format [(#9375)](https://github.com/prowler-cloud/prowler/pull/9375) +- Update Alibaba Cloud services metadata to new format [(#10289)](https://github.com/prowler-cloud/prowler/pull/10289) --- 
diff --git a/prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json b/prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json
index cb49461ce0..ed8ff162b0 100644
--- a/prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/actiontrail/actiontrail_multi_region_enabled/actiontrail_multi_region_enabled.metadata.json
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "actiontrail_multi_region_enabled",
- "CheckTitle": "ActionTrail are configured to export copies of all Log entries",
- "CheckType": [
- "Unusual logon",
- "Cloud threat detection"
- ],
+ "CheckTitle": "ActionTrail is configured to export copies of all log entries across all regions",
+ "CheckType": [],
 "ServiceName": "actiontrail",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:actiontrail::account-id:trail",
+ "ResourceIdTemplate": "",
 "Severity": "critical",
- "ResourceType": "AlibabaCloudActionTrail",
+ "ResourceType": "ALIYUN::ACTIONTRAIL::Trail",
 "ResourceGroup": "monitoring",
- "Description": "**ActionTrail** is a web service that records API calls for your account and delivers log files to you.\n\nThe recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the Alibaba Cloud service. ActionTrail provides a history of API calls for an account, including API calls made via the Management Console, SDKs, and command line tools.",
- "Risk": "The API call history produced by ActionTrail enables **security analysis**, **resource change tracking**, and **compliance auditing**.\n\nEnsuring that a **multi-region trail** exists will detect unexpected activities occurring in otherwise unused regions. Global Service Logging should be enabled by default to capture events generated on Alibaba Cloud global services, ensuring the recording of management operations performed on all resources in an Alibaba Cloud account.",
+ "Description": "**Alibaba Cloud ActionTrail** is a service that records API calls made to your account and delivers log files containing the identity of the API caller, the time and source IP of the call, the request parameters, and the response elements returned by the service. Ensuring that a **multi-region trail** exists guarantees that management operations performed across all regions and global services are captured, enabling detection of unexpected activities in otherwise unused regions.",
+ "Risk": "Without a **multi-region trail** enabled, API calls made in regions outside the primary trail's scope will not be recorded. This creates blind spots in **security analysis**, **resource change tracking**, and **compliance auditing**, potentially allowing unauthorized or malicious activity to go undetected across your Alibaba Cloud account.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/28829.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ActionTrail/enable-multi-region-trails.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ActionTrail/enable-multi-region-trails.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun actiontrail CreateTrail --Name --OssBucketName --RoleName aliyunactiontraildefaultrole --SlsProjectArn --SlsWriteRoleArn --EventRW ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ActionTrail Console**\n2. Click on **Trails** in the left navigation pane\n3. Click **Add new trail**\n4. Enter a trail name in the `Trail name` box\n5. Set **Yes** for `Apply Trail to All Regions`\n6. Specify an OSS bucket name in the `OSS bucket` box\n7. Specify an SLS project name in the `SLS project` box\n8. Click **Create**",
 "Terraform": "resource \"alicloud_actiontrail_trail\" \"example\" {\n trail_name = \"multi-region-trail\"\n trail_region = \"All\"\n sls_project_arn = \"acs:log:cn-hangzhou:123456789:project/actiontrail-project\"\n sls_write_role_arn = data.alicloud_ram_roles.actiontrail.roles.0.arn\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **ActionTrail Console**\n2. Click on **Trails** in the left navigation pane\n3. Click **Add new trail**\n4. Enter a trail name in the `Trail name` box\n5. Set **Yes** for `Apply Trail to All Regions`\n6. Specify an OSS bucket name in the `OSS bucket` box\n7. Specify an SLS project name in the `SLS project` box\n8. Click **Create**",
+ "Text": "Enable a multi-region trail in ActionTrail to ensure all API calls across all regions are recorded and delivered to a centralized OSS bucket and SLS project for security analysis and compliance auditing.",
 "Url": "https://hub.prowler.com/check/actiontrail_multi_region_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json b/prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json
index 7505a7404a..55daf22591 100644
--- a/prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json
+++ b/prowler/providers/alibabacloud/services/actiontrail/actiontrail_oss_bucket_not_publicly_accessible/actiontrail_oss_bucket_not_publicly_accessible.metadata.json
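Review bot: The `CLI` remediation kept as context in this hunk, `aliyun actiontrail CreateTrail --Name --OssBucketName --RoleName aliyunactiontraildefaultrole --SlsProjectArn --SlsWriteRoleArn --EventRW `, passes every flag without a value and never sets the trail region, so it does not run as written and does not produce the multi-region trail this check enforces, whereas the new `Other` steps (step 5) and the Terraform `trail_region = \"All\"` do. Consider `"CLI": "aliyun actiontrail CreateTrail --Name <trail-name> --TrailRegion All --OssBucketName <bucket-name> --RoleName aliyunactiontraildefaultrole --EventRW All"`, with the angle-bracket placeholders kept visible and the parameter names confirmed against the CreateTrail API reference before merging. The Terraform example also references `data.alicloud_ram_roles.actiontrail`, which is not defined in the snippet; a one-line note that the data source must be declared separately would save the reader a failed apply.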
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "actiontrail_oss_bucket_not_publicly_accessible",
- "CheckTitle": "The OSS used to store ActionTrail logs is not publicly accessible",
- "CheckType": [
- "Sensitive file tampering"
- ],
+ "CheckTitle": "The OSS bucket used to store ActionTrail logs is not publicly accessible",
+ "CheckType": [],
 "ServiceName": "actiontrail",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:oss::account-id:bucket-name",
+ "ResourceIdTemplate": "",
 "Severity": "critical",
- "ResourceType": "AlibabaCloudOSSBucket",
+ "ResourceType": "ALIYUN::ACTIONTRAIL::Trail",
 "ResourceGroup": "storage",
- "Description": "**ActionTrail** logs a record of every API call made in your Alibaba Cloud account. These log files are stored in an **OSS bucket**.\n\nIt is recommended that the **Access Control List (ACL)** of the OSS bucket, which ActionTrail logs to, prevents public access to the ActionTrail logs.",
- "Risk": "Allowing **public access** to ActionTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\n\nExposed audit logs can reveal sensitive information about your infrastructure, API usage patterns, and security configurations.",
+ "Description": "**Alibaba Cloud ActionTrail** logs a record of every API call made in your account and stores these log files in an **OSS bucket**. It is recommended that the **Access Control List (ACL)** of the OSS bucket used by ActionTrail is set to `private` to prevent unauthorized public access to sensitive audit log data.",
+ "Risk": "Allowing **public access** to the OSS bucket containing ActionTrail logs may expose sensitive information about your infrastructure, API usage patterns, and security configurations. An adversary could use this information to identify weaknesses in the affected account, leading to potential **data breaches**, **privilege escalation**, and **compliance violations**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/31954.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ActionTrail/trail-bucket-publicly-accessible.html"
+ "https://www.alibabacloud.com/help/doc-detail/31954.htm",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ActionTrail/trail-bucket-publicly-accessible.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "ossutil set-acl oss:// private -b",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **OSS Console**\n2. Right-click on the bucket and select **Basic Settings**\n3. In the Access Control List pane, click **Configure**\n4. The Bucket ACL tab shows three types of grants: `Private`, `Public Read`, `Public Read/Write`\n5. Ensure **Private** is set for the bucket\n6. Click **Save** to save the ACL",
 "Terraform": "resource \"alicloud_oss_bucket_public_access_block\" \"actiontrail\" {\n bucket = alicloud_oss_bucket.actiontrail.bucket\n block_public_access = true\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **OSS Console**\n2. Right-click on the bucket and select **Basic Settings**\n3. In the Access Control List pane, click **Configure**\n4. The Bucket ACL tab shows three types of grants: `Private`, `Public Read`, `Public Read/Write`\n5. Ensure **Private** is set for the bucket\n6. Click **Save** to save the ACL",
+ "Text": "Set the ACL of the OSS bucket used to store ActionTrail logs to private to prevent unauthorized public access to sensitive audit log data.",
 "Url": "https://hub.prowler.com/check/actiontrail_oss_bucket_not_publicly_accessible"
 }
 },
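Review bot: `ResourceType` is set to `ALIYUN::ACTIONTRAIL::Trail`, but everything else in this file describes the OSS bucket as the audited resource: `ResourceGroup` stays `storage`, the removed `ResourceIdTemplate` was `acs:oss::account-id:bucket-name`, and every remediation step targets the bucket ACL. Unless the check's finding really reports the trail as its resource, the ROS type should be the bucket's, `"ResourceType": "ALIYUN::OSS::Bucket",`, so the finding is filtered and grouped with the other storage resources. The unchanged `CLI` line `ossutil set-acl oss:// private -b` also lacks the bucket name the command requires; `ossutil set-acl oss://<bucket-name> private -b` keeps the shape and makes the placeholder visible to the reader.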
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json
index 7685aa4f2e..6809db19ec 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cloudmonitor_enabled/cs_kubernetes_cloudmonitor_enabled.metadata.json
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_cloudmonitor_enabled",
- "CheckTitle": "CloudMonitor is set to Enabled on Kubernetes Engine Clusters",
- "CheckType": [
- "Threat detection during container runtime"
- ],
+ "CheckTitle": "Kubernetes cluster has CloudMonitor enabled",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "The monitoring service in **Kubernetes Engine clusters** depends on the Alibaba Cloud **CloudMonitor** agent to access additional system resources and application services in virtual machine instances.\n\nThe monitor can access metrics about CPU utilization, disk traffic metrics, network traffic, and disk IO information, which help monitor signals and build operations in your Kubernetes Engine clusters.",
- "Risk": "Without **CloudMonitor** enabled, you lack visibility into system metrics and custom metrics. System metrics measure the cluster's infrastructure, such as CPU or memory usage.\n\nWith CloudMonitor, a monitor controller is created that periodically connects to each node and collects metrics about its Pods and containers, then sends the metrics to CloudMonitor server.",
+ "Description": "**Alibaba Cloud CloudMonitor** agent provides visibility into system metrics for **Kubernetes Engine clusters**, including CPU utilization, disk traffic, network traffic, and disk IO information. Without the CloudMonitor agent enabled, operators lack critical observability into node and pod health, making it difficult to detect performance degradation or anomalous resource consumption. Enabling CloudMonitor ensures that a monitor controller is created to periodically connect to each node, collect metrics about its Pods and containers, and send them to the **CloudMonitor** server for analysis and alerting.",
+ "Risk": "Without **CloudMonitor** enabled on Kubernetes Engine clusters, there is no automated collection of system-level metrics such as CPU, memory, disk, and network usage. This lack of visibility can delay detection of **resource exhaustion**, **node failures**, and **abnormal workload behavior**, increasing the risk of undetected **availability** and **performance** issues. In a security context, the absence of monitoring data impairs the ability to identify **denial-of-service conditions** or **cryptojacking** activities running on cluster nodes.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/125508.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-cloud-monitor.html"
+ "https://www.alibabacloud.com/help/en/ack/",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-cloud-monitor.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "aliyun cs GET /clusters/[cluster_id]/nodepools to verify nodepools.kubernetes_config.cms_enabled is set to true for all node pools.",
+ "CLI": "aliyun cs GET /clusters//nodepools --header 'Content-Type=application/json' | jq '.nodepools[].kubernetes_config.cms_enabled'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ACK Console**.\n2. Select the target cluster and click its name to open the cluster detail page.\n3. Select **Nodes** on the left column and click the **Monitor** link on the Actions column of the selected node.\n4. Verify that OS Metrics data exists in the CloudMonitor page.\n5. To enable: Click **Create Kubernetes Cluster** and set `CloudMonitor Agent` to **Enabled** under creation options.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ACK Console**\n2. Select the target cluster and click its name to open the cluster detail page\n3. Select **Nodes** on the left column and click the **Monitor** link on the Actions column of the selected node\n4. Verify that OS Metrics data exists in the CloudMonitor page\n5. To enable: Click **Create Kubernetes Cluster** and set `CloudMonitor Agent` to **Enabled** under creation options",
+ "Text": "Enable the **CloudMonitor** agent during cluster creation by setting `CloudMonitor Agent` to **Enabled**. For existing clusters, verify that `cms_enabled` is set to `true` for all node pools.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_cloudmonitor_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json
index ed87a8c2fb..948ca7539f 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_recent/cs_kubernetes_cluster_check_recent.metadata.json
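Review bot: The new `CLI` value `aliyun cs GET /clusters//nodepools --header 'Content-Type=application/json' | jq '.nodepools[].kubernetes_config.cms_enabled'` lost the cluster-id placeholder that the removed line carried as `[cluster_id]`, so the path reads `/clusters//nodepools` and the command fails as written; the same slip appears in the `CLI` of cs_kubernetes_cluster_check_recent and cs_kubernetes_cluster_check_weekly (`/clusters//checks`) and cs_kubernetes_eni_multiple_ip_enabled (`/clusters/ `). Write the placeholder explicitly, e.g. `"CLI": "aliyun cs GET /clusters/<cluster-id>/nodepools --header 'Content-Type=application/json' | jq '.nodepools[].kubernetes_config.cms_enabled'"`, and the same for the other three. The first `AdditionalURLs` entry was also replaced by the generic `https://www.alibabacloud.com/help/en/ack/` landing page, which no longer points at the CloudMonitor-agent topic the removed `document_detail/125508.html` link did; a topic-specific page is what a reader of the finding needs.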
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_cluster_check_recent",
- "CheckTitle": "Cluster Check triggered within configured period for Kubernetes Clusters",
- "CheckType": [
- "Threat detection during container runtime"
- ],
+ "CheckTitle": "Kubernetes cluster health check has been triggered within the configured period",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "**Kubernetes Engine's cluster check** feature helps you verify the system nodes and components healthy status.\n\nWhen you trigger the checking, the process validates the health state of each node in your cluster and also the cluster configuration (`kubelet`, `docker daemon`, `kernel`, and network `iptables` configuration). If there are consecutive health check failures, the diagnose reports to admin for further repair.",
- "Risk": "Kubernetes Engine uses the node's health status to determine if a node needs to be repaired. A cluster health check includes: cloud resource healthy status including **VPC/VSwitch**, **SLB**, and every **ECS node** status in the cluster; the `kubelet`, `docker daemon`, `kernel`, `iptables` configurations on every node.\n\nWithout regular cluster checks, potential issues may go undetected and could lead to **cluster instability** or **security vulnerabilities**.",
+ "Description": "**Alibaba Cloud Kubernetes Engine** provides a cluster health check feature that validates the health state of each node and verifies the cluster configuration, including `kubelet`, `docker daemon`, `kernel`, and network `iptables` settings. Running these checks regularly ensures that cloud resources such as **VPC/VSwitch**, **SLB**, and every **ECS node** are functioning correctly. If consecutive health check failures are detected, diagnostic reports are generated for administrators to take corrective action.",
+ "Risk": "Without regular cluster health checks within the configured period, potential issues such as **node failures**, **misconfigured network rules**, or **degraded system components** may go undetected. This increases the risk of **cluster instability**, **service outages**, and **security vulnerabilities** that could be exploited by attackers. Delayed detection of unhealthy nodes or misconfigured components can also impact the **integrity** and **availability** of workloads running on the cluster.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/114882.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/cluster-check.html"
+ "https://www.alibabacloud.com/help/en/ack/",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/cluster-check.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "aliyun cs GET /clusters/[cluster_id]/checks to verify cluster checks are being run regularly. Trigger a check if needed.",
+ "CLI": "aliyun cs GET /clusters//checks --header 'Content-Type=application/json'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ACK Console**.\n2. Select the target cluster and open the **More** pop-menu for advanced options.\n3. Select **Global Check** and click the **Start** button to trigger the checking.\n4. Verify the checking time and details in Global Check.\n5. It is recommended to trigger cluster checks at least once within the configured period.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ACK Console**\n2. Select the target cluster and open the **More** pop-menu for advanced options\n3. Select **Global Check** and click the **Start** button to trigger the checking\n4. Verify the checking time and details in Global Check\n5. It is recommended to trigger cluster checks at least once within the configured period (default: weekly)",
+ "Text": "Trigger a cluster health check regularly within the configured period to ensure all nodes and system components are healthy. Use the **Global Check** feature in the ACK Console or the `aliyun cs` CLI to verify and trigger checks.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_cluster_check_recent"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json
index db61e88fe2..9e7bb1af6a 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_cluster_check_weekly/cs_kubernetes_cluster_check_weekly.metadata.json
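Review bot: The rewritten `Recommendation.Text` and `Other` step 5 both say "within the configured period", but the removed text's hint `(default: weekly)` was dropped, so the metadata no longer tells the reader what period applies when nothing is configured. Restoring it in step 5, `5. It is recommended to trigger cluster checks at least once within the configured period (default: weekly).`, keeps that information without touching check logic; the configuration key that sets the period is not visible in this hunk, so I cannot name it here. Note also that the new `CLI` only lists past checks (`GET .../checks`) while the `Text` says the `aliyun cs` CLI can "verify and trigger checks"; either soften that sentence to "verify" or add the command that actually starts a check.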
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_cluster_check_weekly",
- "CheckTitle": "Cluster Check triggered at least once per week for Kubernetes Clusters",
- "CheckType": [
- "Threat detection during container runtime"
- ],
+ "CheckTitle": "Kubernetes cluster health check has been triggered at least once per week",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "**Kubernetes Engine's cluster check** feature helps you verify the system nodes and components healthy status.\n\nWhen you trigger the checking, the process validates the health state of each node in your cluster and also the cluster configuration (`kubelet`, `docker daemon`, `kernel`, and network `iptables` configuration). If there are consecutive health check failures, the diagnose reports to admin for further repair.",
- "Risk": "Kubernetes Engine uses the node's health status to determine if a node needs to be repaired. A cluster health check includes: cloud resource healthy status including **VPC/VSwitch**, **SLB**, and every **ECS node** status in the cluster; the `kubelet`, `docker daemon`, `kernel`, `iptables` configurations on every node.\n\nWithout regular cluster checks, potential issues may go undetected and could lead to **cluster instability** or **security vulnerabilities**.",
+ "Description": "**Alibaba Cloud Kubernetes Engine** provides a cluster health check feature that validates the health state of each node and verifies the cluster configuration, including `kubelet`, `docker daemon`, `kernel`, and network `iptables` settings. Running these checks at least once per week ensures that cloud resources such as **VPC/VSwitch**, **SLB**, and every **ECS node** are functioning correctly. If consecutive health check failures are detected, diagnostic reports are generated for administrators to take corrective action.",
+ "Risk": "Without weekly cluster health checks, potential issues such as **node failures**, **misconfigured network rules**, or **degraded system components** may go undetected for extended periods. This increases the risk of **cluster instability**, **service outages**, and **security vulnerabilities** that could be exploited by attackers. Delayed detection of unhealthy nodes or misconfigured components can also impact the **integrity** and **availability** of workloads running on the cluster.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/114882.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/cluster-check.html"
+ "https://www.alibabacloud.com/help/en/ack/",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/cluster-check.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "aliyun cs GET /clusters/[cluster_id]/checks to verify cluster checks are being run regularly. Trigger a check if needed.",
+ "CLI": "aliyun cs GET /clusters//checks --header 'Content-Type=application/json'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ACK Console**.\n2. Select the target cluster and open the **More** pop-menu for advanced options.\n3. Select **Global Check** and click the **Start** button to trigger the checking.\n4. Verify the checking time and details in Global Check.\n5. Trigger cluster checks at least once per week.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ACK Console**\n2. Select the target cluster and open the **More** pop-menu for advanced options\n3. Select **Global Check** and click the **Start** button to trigger the checking\n4. Verify the checking time and details in Global Check\n5. It is recommended to trigger cluster checks at least once per week",
+ "Text": "Trigger a cluster health check at least once per week to ensure all nodes and system components are healthy. Use the **Global Check** feature in the ACK Console or the `aliyun cs` CLI to verify and trigger checks.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_cluster_check_weekly"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json
index 4d0b3ed936..162f75c79f 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_dashboard_disabled/cs_kubernetes_dashboard_disabled.metadata.json
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_dashboard_disabled",
- "CheckTitle": "Kubernetes web UI / Dashboard is not enabled",
- "CheckType": [
- "Threat detection during container runtime",
- "Unusual logon"
- ],
+ "CheckTitle": "Kubernetes web UI (Dashboard) is disabled on Kubernetes Engine clusters",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "**Dashboard** is a web-based Kubernetes user interface that can be used to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself.\n\nYou should disable the **Kubernetes Web UI (Dashboard)** when running on Kubernetes Engine. The Dashboard is backed by a highly privileged Kubernetes Service Account. It is recommended to use the **ACK User Console** instead to avoid privilege escalation via a compromised dashboard.",
- "Risk": "The **Kubernetes Dashboard** is backed by a highly privileged Service Account. If the Dashboard is compromised, it could allow an attacker to gain **full control** over the cluster and potentially **escalate privileges**.\n\nAttackers who gain access to the Dashboard can deploy malicious workloads, exfiltrate secrets, and compromise the entire cluster.",
+ "Description": "**Alibaba Cloud Kubernetes Engine** clusters should not have the **Kubernetes Dashboard** (web UI) enabled. The Dashboard is backed by a highly privileged Kubernetes Service Account that can perform administrative operations across the cluster. It is recommended to use the **ACK Console** instead, which provides fine-grained access control through RAM policies and RBAC integration, avoiding the risk of privilege escalation through a compromised dashboard.",
+ "Risk": "The **Kubernetes Dashboard** is backed by a highly privileged Service Account that grants broad access to cluster resources. If the Dashboard is compromised through a vulnerability or unauthorized access, an attacker could gain **full control** over the cluster, deploy malicious workloads, exfiltrate **secrets**, and **escalate privileges**. This directly impacts the **confidentiality**, **integrity**, and **availability** of all workloads and data within the cluster.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/86494.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/disable-kubernetes-dashboard.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/disable-kubernetes-dashboard.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "Use kubectl to delete the dashboard deployment: kubectl delete deployment kubernetes-dashboard -n kube-system",
+ "CLI": "kubectl delete deployment kubernetes-dashboard -n kube-system",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ACK Console**.\n2. Select the target cluster and select the `kube-system` namespace in the Namespace pop-menu.\n3. Input `dashboard` in the deploy filter bar.\n4. Make sure there is no result after the filter.\n5. If dashboard exists, delete the deployment by selecting **Delete** in the More pop-menu.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ACK Console**\n2. Select the target cluster and select the `kube-system` namespace in the Namespace pop-menu\n3. Input `dashboard` in the deploy filter bar\n4. Make sure there is no result after the filter\n5. If dashboard exists, delete the deployment by selecting **Delete** in the More pop-menu",
+ "Text": "Delete the Kubernetes Dashboard deployment from the `kube-system` namespace using `kubectl` or the ACK Console. Use the **ACK Console** for cluster management instead of the Kubernetes Dashboard.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_dashboard_disabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json
index 29392fa152..d0c4e8cc92 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_eni_multiple_ip_enabled/cs_kubernetes_eni_multiple_ip_enabled.metadata.json
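Review bot: The new `CLI` value `kubectl delete deployment kubernetes-dashboard -n kube-system` assumes a fixed deployment name and namespace, while the `Other` steps only filter on `dashboard` inside `kube-system`; a dashboard installed under a different name or namespace (upstream manifests typically use their own `kubernetes-dashboard` namespace) is missed by the command and the console steps alike, and the check would keep failing after the operator "followed the remediation". A discovery step first, `kubectl get deployments -A | grep -i dashboard`, followed by deleting what it finds, matches what the check actually verifies. Deleting the Deployment also leaves the dashboard's ServiceAccount and any cluster role binding in place; since the `Risk` text identifies that privileged identity as the real exposure, step 5 of `Other` should tell the reader to remove those objects as well.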
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_eni_multiple_ip_enabled",
- "CheckTitle": "ENI multiple IP mode support for Kubernetes Cluster",
- "CheckType": [
- "Threat detection during container runtime",
- "Suspicious network connection"
- ],
+ "CheckTitle": "Kubernetes cluster has ENI multiple IP mode enabled",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "Alibaba Cloud **ENI (Elastic Network Interface)** supports assigning ranges of internal IP addresses as aliases to a single virtual machine's ENI network interfaces.\n\nWith **ENI multiple IP mode**, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to **Terway** network plugin. This makes your cluster more scalable and allows better interaction with other Alibaba Cloud products.",
- "Risk": "Without **ENI multiple IP mode** (provided by Terway), pods share the node's network interface in a less scalable way.\n\nUsing ENI multiple IPs allows pod IPs to be reserved within the network ahead of time, preventing conflict with other compute resources, and allows firewall controls for Pods to be applied separately from their nodes.",
+ "Description": "**Alibaba Cloud Elastic Network Interface (ENI)** supports assigning multiple IP addresses to a single virtual machine's network interface. With **ENI multiple IP mode** provided by the **Terway** network plugin, Kubernetes Engine clusters can allocate pod IP addresses from the VPC CIDR block, enabling better scalability and native integration with other Alibaba Cloud services. This mode allows pods to have their own security group associations, providing granular network-level access control independently from their host nodes.",
+ "Risk": "Without **ENI multiple IP mode** (provided by the **Terway** network plugin), pods share the node's network interface in a less scalable manner and cannot have independent security group associations. This limits the ability to apply **granular firewall controls** at the pod level, increasing the risk of **lateral movement** if a pod is compromised. The inability to isolate pod networking from node networking weakens **network segmentation** and reduces the overall **security posture** of the cluster.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/user-guide/associate-multiple-security-groups-with-an-eni",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-multi-ip-mode.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-multi-ip-mode.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "Terway network plugin must be selected during cluster creation to support ENI multiple IP mode.",
+ "CLI": "aliyun cs GET /clusters/ --header 'Content-Type=application/json' | jq '.parameters.Network'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. When creating a new cluster in the **ACK Console**, select **Terway** in the `Network Plugin` option to enable ENI multiple IP mode support.\n2. Note that existing clusters using **Flannel** cannot be migrated to **Terway**.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "When creating a new cluster, select **Terway** in the `Network Plugin` option to enable ENI multiple IP mode support.\n\n**Note:** Existing clusters using Flannel cannot be migrated to Terway.",
+ "Text": "Select the **Terway** network plugin during cluster creation to enable ENI multiple IP mode. Existing clusters using **Flannel** cannot be migrated to Terway and must be recreated.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_eni_multiple_ip_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json
index 22405dd674..b0d683ca31 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_log_service_enabled/cs_kubernetes_log_service_enabled.metadata.json
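Review bot: The new `CLI` line pipes `aliyun cs GET /clusters/` into `jq '.parameters.Network'`, but that endpoint lists all clusters and, as far as I can tell, returns a JSON array, so `.parameters` is applied to an array and jq errors out instead of printing the plugin. Either target one cluster, `aliyun cs GET /clusters/<cluster-id> --header 'Content-Type=application/json' | jq '.parameters.Network'` (placeholder id), or iterate, `jq '.[] | {name: .name, network: .parameters.Network}'`. The same list-versus-object mismatch is in the `CLI` lines of the `cs_kubernetes_log_service_enabled` (`.meta_data`), `cs_kubernetes_network_policy_enabled`, `cs_kubernetes_private_cluster_enabled` and `cs_kubernetes_rbac_enabled` hunks.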
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_log_service_enabled",
- "CheckTitle": "Log Service is set to Enabled on Kubernetes Engine Clusters",
- "CheckType": [
- "Threat detection during container runtime"
- ],
+ "CheckTitle": "Kubernetes cluster has Log Service enabled",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "**Log Service** is a complete real-time data logging service on Alibaba Cloud supporting collection, shipping, search, storage, and analysis for logs.\n\nLog Service can automatically collect, process, and store your container and audit logs in a dedicated, persistent datastore. Container logs are collected from your containers, audit logs from the `kube-apiserver` or deployed ingress, and events about cluster activity such as the deletion of Pods or Secrets.",
- "Risk": "Without **Log Service** enabled, you lose visibility into container and system logs. The per-node logging agent collects: `kube-apiserver` audit logs, ingress visiting logs, and standard output/error logs from containerized processes.\n\nLack of logging makes **incident investigation**, **compliance auditing**, and **security monitoring** significantly more difficult.",
+ "Description": "**Alibaba Cloud Log Service** is a real-time data logging service that supports collection, shipping, search, storage, and analysis for container and audit logs in **Kubernetes Engine clusters**. When enabled, Log Service automatically collects `kube-apiserver` audit logs, ingress visiting logs, and standard output/error logs from containerized processes. These logs are stored in a dedicated, persistent datastore and are essential for operational visibility, security monitoring, and compliance auditing.",
+ "Risk": "Without **Log Service** enabled, there is no centralized collection of container logs, audit trails, or cluster events. This severely impairs the ability to perform **incident investigation**, **compliance auditing**, and **security monitoring**. Attackers could operate undetected within the cluster, as there would be no audit trail of API server calls, pod lifecycle events, or container output. The lack of logging directly impacts the **confidentiality** and **integrity** of the cluster by removing a critical detection and forensic capability.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/91406.html",
- "https://help.aliyun.com/document_detail/86532.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-log-service.html"
+ "https://www.alibabacloud.com/help/en/ack/",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-log-service.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "aliyun cs GET /clusters/[cluster_id] to verify AuditProjectName is set. When creating a new cluster, set Enable Log Service to Enabled.",
+ "CLI": "aliyun cs GET /clusters/ --header 'Content-Type=application/json' | jq '.meta_data' | jq -r 'fromjson | .AuditProjectName'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ACK Console**.\n2. Select the target cluster and click its name to open the cluster detail page.\n3. Select **Cluster Auditing** on the left column and check if the audit page is shown.\n4. To enable: When creating a new cluster, set `Enable Log Service` to **Enabled**.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ACK Console**\n2. Select the target cluster and click its name to open the cluster detail page\n3. Select **Cluster Auditing** on the left column and check if the audit page is shown\n4. To enable: When creating a new cluster, set `Enable Log Service` to **Enabled**",
+ "Text": "Enable **Log Service** during cluster creation by setting `Enable Log Service` to **Enabled**. For existing clusters, verify that `AuditProjectName` is configured in the cluster metadata.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_log_service_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json
index e7fddd4694..830d62e716 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_network_policy_enabled/cs_kubernetes_network_policy_enabled.metadata.json
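Review bot: The new `AdditionalURLs` entry `https://www.alibabacloud.com/help/en/ack/` is the ACK documentation landing page, so the reader loses the two specific references the removed `help.aliyun.com/document_detail/91406.html` and `86532.html` entries provided for cluster auditing and Log Service. If those were dropped for being Chinese-only, the English pages on the same topics under the ACK user guide would be the like-for-like replacement; a landing page adds nothing over the `RelatedUrl` slot. The same generic link replaces specific pages in the `cs_kubernetes_network_policy_enabled`, `cs_kubernetes_private_cluster_enabled` and `cs_kubernetes_rbac_enabled` hunks.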
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_network_policy_enabled",
- "CheckTitle": "Network policy is enabled on Kubernetes Engine Clusters",
- "CheckType": [
- "Threat detection during container runtime",
- "Suspicious network connection"
- ],
+ "CheckTitle": "Kubernetes cluster has Network policy enabled",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "A **Network Policy** is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.\n\n`NetworkPolicy` resources use labels to select pods and define rules which specify what traffic is allowed. By default, pods are non-isolated and accept traffic from any source. Pods become isolated by having a NetworkPolicy that selects them.",
- "Risk": "Without **Network Policies**, all pods in a Kubernetes cluster can communicate with each other freely. This open communication model allows an attacker who compromises a single pod to potentially move **laterally** within the cluster and access sensitive services or data.\n\nNetwork Policies are essential for implementing **defense in depth** and **least privilege** networking.",
+ "Description": "**Alibaba Cloud Kubernetes Engine** clusters should have **Network Policy** support enabled through the **Terway** network plugin. A `NetworkPolicy` is a Kubernetes specification that defines how groups of pods are allowed to communicate with each other and other network endpoints using label-based selection rules. By default, pods are non-isolated and accept traffic from any source; applying NetworkPolicy resources restricts traffic to only explicitly allowed connections, enforcing the principle of least privilege at the network level.",
+ "Risk": "Without **Network Policies**, all pods in a Kubernetes cluster can communicate with each other freely, creating an unrestricted flat network. This allows an attacker who compromises a single pod to move **laterally** within the cluster, accessing sensitive services, databases, and secrets without restriction. The absence of network segmentation undermines **defense in depth** and increases the blast radius of any compromise, directly impacting the **confidentiality** and **integrity** of workloads.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/97621.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-network-policy-support.html"
+ "https://www.alibabacloud.com/help/en/ack/",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-network-policy-support.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "Network Policy support (Terway) must be selected during cluster creation.",
+ "CLI": "aliyun cs GET /clusters/ --header 'Content-Type=application/json' | jq '.parameters.Network'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. When creating a new cluster in the **ACK Console**, select **Terway** in the `Network Plugin` option to enable Network Policy support.\n2. Note that existing clusters using **Flannel** cannot be migrated to **Terway**.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Only the **Terway** network plugin supports the Network Policy feature. When creating a new cluster, select **Terway** in the `Network Plugin` option.\n\n**Note:** Existing clusters using Flannel cannot be migrated to Terway.",
+ "Text": "Select the **Terway** network plugin during cluster creation to enable Network Policy support. Existing clusters using **Flannel** cannot be migrated to Terway and must be recreated.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_network_policy_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json
index 4ea2cf3893..92db7daa7a 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_private_cluster_enabled/cs_kubernetes_private_cluster_enabled.metadata.json
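Review bot: The new `CLI` verification `jq '.parameters.Network'` reports only which network plugin the cluster uses, while the check title is about Network Policy being enabled; a Terway result is necessary but not sufficient, since (as far as I recall) NetworkPolicy support is a separate Terway option chosen at creation and still enforces nothing until `NetworkPolicy` objects exist. A sentence in `Other` such as `Selecting Terway alone does not restrict traffic; NetworkPolicy support must be enabled on the cluster and NetworkPolicy resources applied to the namespaces to protect.` would keep the remediation honest, and `kubectl get networkpolicies --all-namespaces` is the in-cluster way to see whether any policy is in force. The `Risk` text's claim that pods reach "secrets without restriction" overstates a flat network — secrets are gated by the API server's authorization, not by pod-to-pod reachability — so "sensitive services and databases" alone would be accurate.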
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_private_cluster_enabled",
- "CheckTitle": "Kubernetes Cluster is created with Private cluster enabled",
- "CheckType": [
- "Threat detection during container runtime",
- "Unusual logon"
- ],
+ "CheckTitle": "Kubernetes cluster is created with private cluster enabled",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "A **private cluster** is a cluster that makes your master inaccessible from the public internet.\n\nIn a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes and masters communicate with each other privately using **VPC peering**.",
- "Risk": "Exposing the **API server endpoint** to the public internet increases the attack surface of your cluster. Attackers can attempt to probe for vulnerabilities, perform **brute force attacks**, or exploit misconfigurations if the API server is publicly accessible.\n\nUsing a private cluster significantly reduces network security risks.",
+ "Description": "**Alibaba Cloud Kubernetes Engine** clusters should be configured as **private clusters** to ensure that the API server endpoint is not accessible from the public internet. In a private cluster, nodes do not have public IP addresses and all communication between nodes and the master occurs privately through **VPC peering**. This significantly reduces the attack surface by eliminating direct internet exposure of the cluster's control plane and worker nodes.",
+ "Risk": "Exposing the **API server endpoint** to the public internet increases the attack surface of the cluster, allowing attackers to probe for vulnerabilities, perform **brute force attacks** against authentication, or exploit misconfigurations. A publicly accessible API server can be targeted by automated scanning tools and botnets, increasing the risk of unauthorized access. This directly impacts the **confidentiality** and **integrity** of the cluster by potentially allowing attackers to execute commands, deploy malicious workloads, or exfiltrate sensitive data.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/100380.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/private-cluster.html"
+ "https://www.alibabacloud.com/help/en/ack/",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/private-cluster.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "Public access settings cannot be easily changed for existing clusters. Ensure Public Access is disabled during creation.",
+ "CLI": "aliyun cs GET /clusters/ --header 'Content-Type=application/json' | jq '.external_loadbalancer_id'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ACK Console**.\n2. Select the target cluster name and go to the cluster detail page.\n3. Check if there is no `API Server Public Network Endpoint` under Cluster Information.\n4. When creating a new cluster, make sure **Public Access** is not enabled.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ACK Console**\n2. Select the target cluster name and go to the cluster detail page\n3. Check if there is no `API Server Public Network Endpoint` under Cluster Information\n4. When creating a new cluster, make sure **Public Access** is not enabled",
+ "Text": "Disable **Public Access** during cluster creation to ensure the API server is not exposed to the public internet. For existing clusters, remove the public endpoint if one was configured.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_private_cluster_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json
index bd4fa293ce..c329225cb7 100644
--- a/prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/cs/cs_kubernetes_rbac_enabled/cs_kubernetes_rbac_enabled.metadata.json
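Review bot: `jq '.external_loadbalancer_id'` in the new `CLI` line prints the ID of the SLB in front of the API server, and that SLB exists for private clusters as well, so a non-empty value does not tell the reader whether a public endpoint is exposed. The cluster object's `master_url` field (a JSON-encoded string carrying `api_server_endpoint` for the public endpoint and `intranet_api_server_endpoint` for the private one, if I remember the response shape correctly) is the field that answers the check's question, e.g. `jq -r '.master_url | fromjson | .api_server_endpoint'` with an empty result meaning no public endpoint; please verify against the current DescribeClusterDetail response. The `Recommendation` text now says an existing public endpoint can be removed, while `Other` only covers verification and creation; naming the console action that unbinds the API server's public address would close that gap.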
@@ -1,34 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "cs_kubernetes_rbac_enabled",
- "CheckTitle": "Role-based access control (RBAC) authorization is Enabled on Kubernetes Engine Clusters",
- "CheckType": [
- "Threat detection during container runtime",
- "Abnormal account"
- ],
+ "CheckTitle": "Kubernetes cluster has RBAC authorization enabled",
+ "CheckType": [],
 "ServiceName": "cs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudKubernetesCluster",
+ "ResourceType": "ALIYUN::CS::ManagedKubernetesCluster",
 "ResourceGroup": "container",
- "Description": "In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions.\n\nTo ensure that **RBAC** limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, helps ensure that users only have access to specific cluster resources within their own namespace, and is now stable in Kubernetes.",
- "Risk": "In Kubernetes, **RBAC** is used to grant permissions to resources at the cluster and namespace level. RBAC allows you to define roles with rules containing a set of permissions.\n\nWithout RBAC, legacy authorization mechanisms like **ABAC** grant **overly broad permissions**, increasing the risk of unauthorized access and privilege escalation.",
+ "Description": "**Alibaba Cloud Kubernetes Engine** clusters should have **Role-Based Access Control (RBAC)** enabled to enforce fine-grained authorization for cluster resources. RBAC allows administrators to define roles with specific permissions at both the cluster and namespace level, ensuring that users and service accounts only have access to the resources they need. The legacy **ABAC** (Attribute-Based Access Control) authorizer grants broad, statically defined permissions and should be disabled in favor of RBAC for improved security.",
+ "Risk": "Without **RBAC** enabled, Kubernetes clusters may rely on legacy authorization mechanisms such as **ABAC**, which grant **overly broad permissions** that cannot be scoped to specific namespaces or resource types. This increases the risk of **unauthorized access** and **privilege escalation**, where a compromised service account or user could gain access to sensitive resources across the entire cluster. The lack of granular access control directly impacts the **confidentiality** and **integrity** of workloads and secrets stored in the cluster.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://help.aliyun.com/document_detail/87656.html",
- "https://help.aliyun.com/document_detail/119596.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-rbac-authorization.html"
+ "https://www.alibabacloud.com/help/en/ack/",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-rbac-authorization.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "RBAC is enabled by default on new ACK clusters. Verify cluster authorization configuration.",
+ "CLI": "aliyun cs GET /clusters/ --header 'Content-Type=application/json' | jq '.parameters.KubernetesVersion'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ACK Console**.\n2. Navigate to **Clusters** -> **Authorizations** page.\n3. Select the target RAM sub-account and configure the RBAC roles on specific clusters or namespaces.\n4. Ensure **RBAC** is enabled and legacy ABAC authorization is disabled.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ACK Console**\n2. Navigate to **Clusters** -> **Authorizations** page\n3. Select the target RAM sub-account and configure the RBAC roles on specific clusters or namespaces\n4. Ensure **RBAC** is enabled and legacy ABAC authorization is disabled",
+ "Text": "Ensure **RBAC** is enabled on all Kubernetes Engine clusters and that legacy **ABAC** authorization is disabled. Configure RBAC roles and bindings through the ACK Console Authorizations page to enforce least-privilege access.",
 "Url": "https://hub.prowler.com/check/cs_kubernetes_rbac_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json b/prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json
index b6d14c101b..2a9f51c0b9 100644
--- a/prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json
+++ b/prowler/providers/alibabacloud/services/ecs/ecs_attached_disk_encrypted/ecs_attached_disk_encrypted.metadata.json
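Review bot: The new `CLI` line `... | jq '.parameters.KubernetesVersion'` prints the Kubernetes version, which says nothing about whether RBAC authorization is enabled, so the remediation command no longer verifies what the check measures; the removed wording at least said what to look at. If the cluster object exposes no authorization-mode field, an empty `CLI` (as `NativeIaC` and `Terraform` already are) is more honest than an unrelated value; the commonly used in-cluster signal `kubectl api-versions | grep rbac.authorization.k8s.io` only shows the RBAC API group is served, not that the authorizer is active, so quote it with that caveat if at all. `Other` step 4, `Ensure **RBAC** is enabled and legacy ABAC authorization is disabled`, also gives no place in the console where that is done; either name the setting or drop the step.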
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ecs_attached_disk_encrypted",
- "CheckTitle": "Virtual Machines disk are encrypted",
- "CheckType": [
- "Sensitive file tampering"
- ],
+ "CheckTitle": "ECS attached disk is encrypted",
+ "CheckType": [],
 "ServiceName": "ecs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ecs:region:account-id:disk/{disk-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudECSDisk",
+ "ResourceType": "ALIYUN::ECS::Disk",
 "ResourceGroup": "storage",
- "Description": "**ECS cloud disk encryption** protects your data at rest. The cloud disk data encryption feature automatically encrypts data when data is transferred from ECS instances to disks, and decrypts data when read from disks.\n\nEnsure that disks are encrypted when they are created with the creation of VM instances.",
- "Risk": "**Unencrypted disks** attached to ECS instances pose a security risk as they may contain sensitive data that could be accessed if the disk is compromised or accessed by unauthorized parties.\n\nData at rest without encryption is vulnerable to **unauthorized access** if storage media is lost, stolen, or improperly decommissioned.",
+ "Description": "**Alibaba Cloud ECS cloud disk encryption** protects data at rest by automatically encrypting data when it is transferred from ECS instances to disks and decrypting it when read. Ensuring that all attached disks are encrypted helps prevent unauthorized access to sensitive data stored on the disk. This check verifies that **disk encryption** is enabled on all ECS disks attached to instances, using **KMS** (Key Management Service) for key management.",
+ "Risk": "**Unencrypted disks** attached to ECS instances pose a significant security risk, as sensitive data could be exposed if the disk is compromised, improperly decommissioned, or accessed by unauthorized parties. Data at rest without encryption is vulnerable to **unauthorized access**, impacting **confidentiality** and potentially leading to **data breaches** or **regulatory non-compliance**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/59643.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/encrypt-vm-instance-disks.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/encrypt-vm-instance-disks.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ecs CreateDisk --DiskName --Size --Encrypted true --KmsKeyId ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ECS Console** > **Instances & Images** > **Images**.\n2. Select the **Custom Image** tab and select the target image.\n3. Click **Copy Image** and check the **Encrypt** box.\n4. Select a key and click **OK**.\n5. For data disks, go to **Instances** > **Create Instance**, in the Storage section click **Add Disk**, select **Disk Encryption**, and choose a key.\n\n**Note:** You cannot directly convert unencrypted disks to encrypted disks.",
 "Terraform": "resource \"alicloud_ecs_disk\" \"encrypted\" {\n zone_id = \"cn-hangzhou-a\"\n disk_name = \"encrypted-disk\"\n category = \"cloud_efficiency\"\n size = 20\n encrypted = true\n kms_key_id = alicloud_kms_key.example.id\n}"
 },
 "Recommendation": {
- "Text": "**Encrypt a system disk when copying an image:**\n1. Log on to the **ECS Console** > **Instances & Images** > **Images**\n2. Select the **Custom Image** tab and select target image\n3. Click **Copy Image** and check the **Encrypt** box\n4. Select a key and click **OK**\n\n**Encrypt a data disk when creating an instance:**\n1. Log on to the **ECS Console** > **Instances & Images** > **Instances** > **Create Instance**\n2. In the Storage section, click **Add Disk**\n3. Select **Disk Encryption** and choose a key\n\n**Note:** You cannot directly convert unencrypted disks to encrypted disks.",
+ "Text": "Enable encryption on all ECS disks to protect data at rest. Use KMS-managed keys for encryption. Note that existing unencrypted disks cannot be directly converted; data must be migrated to new encrypted disks.",
 "Url": "https://hub.prowler.com/check/ecs_attached_disk_encrypted"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json b/prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json
index d2ad113899..d018b97768 100644
--- a/prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json
+++ b/prowler/providers/alibabacloud/services/ecs/ecs_instance_endpoint_protection_installed/ecs_instance_endpoint_protection_installed.metadata.json
@@ -1,35 +1,29 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ecs_instance_endpoint_protection_installed",
- "CheckTitle": "The endpoint protection for all Virtual Machines is installed",
- "CheckType": [
- "Suspicious process",
- "Webshell",
- "Unusual logon",
- "Sensitive file tampering",
- "Malicious software"
- ],
+ "CheckTitle": "ECS instance has endpoint protection installed",
+ "CheckType": [],
 "ServiceName": "ecs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudECSInstance",
+ "ResourceType": "ALIYUN::ECS::Instance",
 "ResourceGroup": "compute",
- "Description": "Installing **endpoint protection systems** (like **Security Center** for Alibaba Cloud) provides real-time protection capability that helps identify and remove viruses, spyware, and other malicious software.\n\nConfigurable alerts notify when known malicious software attempts to install itself or run on ECS instances.",
- "Risk": "ECS instances without **endpoint protection** are vulnerable to **malware**, **viruses**, and other security threats.\n\nEndpoint protection provides real-time monitoring and protection capabilities essential for detecting and preventing security incidents.",
+ "Description": "**Alibaba Cloud Security Center** provides endpoint protection for ECS instances, offering real-time detection and removal of viruses, spyware, and other malicious software. This check verifies that the **Security Center agent** is installed and active on all ECS instances, ensuring configurable alerts notify administrators when known malicious software attempts to install itself or execute on the instance.",
+ "Risk": "ECS instances without **endpoint protection** are vulnerable to **malware**, **viruses**, **webshells**, and other security threats that can compromise **confidentiality**, **integrity**, and **availability**. Without real-time monitoring, security incidents may go undetected, allowing attackers to maintain persistent access and exfiltrate sensitive data.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/enable-endpoint-protection.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/enable-endpoint-protection.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "Logon to Security Center Console > Select Settings > Click Agent > Select virtual machines without Security Center agent > Click Install",
+ "CLI": "aliyun sas InstallBackupClient --Uuid ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **Security Center Console**.\n2. Select **Settings**.\n3. Click **Agent**.\n4. On the Agent tab, select the virtual machines without Security Center agent installed.\n5. Click **Install**.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Agent**\n4. On the Agent tab, select the virtual machines without Security Center agent installed\n5. Click **Install**",
+ "Text": "Install the Alibaba Cloud **Security Center** agent on all ECS instances to enable real-time endpoint protection, malware detection, and vulnerability scanning.",
 "Url": "https://hub.prowler.com/check/ecs_instance_endpoint_protection_installed"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json b/prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json
index 21222b9058..d667848b18 100644
--- a/prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json
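Review bot: `aliyun sas InstallBackupClient --Uuid ` in the new `CLI` line is, going by the Security Center API it names, the operation that installs the anti-ransomware backup client, not the Security Center agent this check is about, so running it would not clear a failing finding. The agent-installation operation in the same API family is `OperateAgentClientInstall` as far as I recall — please confirm against the current SAS API reference before quoting it — and if no reliable command exists, keeping the console steps in `Other` and leaving `CLI` empty is the safer choice. The `--Uuid ` parameter is also left with a bare trailing space; `--Uuid <server-uuid>` makes the placeholder explicit.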
+++ b/prowler/providers/alibabacloud/services/ecs/ecs_instance_latest_os_patches_applied/ecs_instance_latest_os_patches_applied.metadata.json 
@@ -1,32 +1,29 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ecs_instance_latest_os_patches_applied",
- "CheckTitle": "The latest OS Patches for all Virtual Machines are applied",
- "CheckType": [
- "Malicious software",
- "Web application threat detection"
- ],
+ "CheckTitle": "ECS instance has latest OS patches applied",
+ "CheckType": [],
 "ServiceName": "ecs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudECSInstance",
+ "ResourceType": "ALIYUN::ECS::Instance",
 "ResourceGroup": "compute",
- "Description": "Windows and Linux virtual machines should be kept updated to address specific bugs or flaws, improve OS or application's general stability, and fix **security vulnerabilities**.\n\nThe Alibaba Cloud **Security Center** checks for the latest updates in Linux and Windows systems.",
- "Risk": "**Unpatched systems** are vulnerable to known security exploits and may be compromised by attackers.\n\nKeeping systems updated with the latest patches is critical for maintaining security and preventing **exploitation of known vulnerabilities**.",
+ "Description": "**Alibaba Cloud Security Center** checks for the latest updates in Linux and Windows systems running on ECS instances. Keeping virtual machines updated with the latest OS patches addresses specific bugs, improves general stability, and fixes **security vulnerabilities**. This check verifies that all known vulnerabilities detected by Security Center have been patched on each ECS instance.",
+ "Risk": "**Unpatched systems** are vulnerable to known security exploits and can be compromised by attackers leveraging publicly disclosed vulnerabilities. 
Failure to apply patches in a timely manner increases the risk of **unauthorized access**, **malware infection**, and **data breaches**, impacting the **confidentiality**, **integrity**, and **availability** of the system.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/apply-latest-os-patches.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/apply-latest-os-patches.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "Logon to Security Center Console > Select Vulnerabilities > Apply all patches for vulnerabilities",
+ "CLI": "aliyun sas FixCheckWarnings --CheckIds ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **Security Center Console**.\n2. Select **Vulnerabilities** in the left-side navigation pane.\n3. Review all detected vulnerabilities.\n4. Apply all available patches for the reported vulnerabilities.\n5. Verify that vulnerabilities are resolved after patching.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **Security Center Console**\n2. Select **Vulnerabilities**\n3. Ensure all vulnerabilities are fixed\n4. Apply all patches for vulnerabilities",
+ "Text": "Regularly review and apply OS patches on all ECS instances using the **Alibaba Cloud Security Center** vulnerability management feature to maintain a strong security posture.",
 "Url": "https://hub.prowler.com/check/ecs_instance_latest_os_patches_applied"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json b/prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json
index 1d3eee3847..5da71e02cf 100644
--- a/prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json
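Review bot: `ResourceIdTemplate` is emptied at the `+ "ResourceIdTemplate": ""` line, dropping the `acs:ecs:region:account-id:instance/{instance-id}` pattern that told consumers what the finding's resource id looks like; the same happens in the ecs_instance_no_legacy_network, ecs_securitygroup_restrict_rdp_internet, ecs_securitygroup_restrict_ssh_internet, ecs_unattached_disk_encrypted, oss_bucket_* and ram_no_root_access_key hunks. If the new metadata format intentionally retires the field this is fine, but otherwise keeping `"ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}"` costs nothing and keeps ids recognisable in reports. Separately, the new `aliyun sas FixCheckWarnings --CheckIds ` refers, as far as I recall, to the baseline-check repair API rather than to vulnerability patching, so please confirm it matches the "apply OS patches" remediation the `Other` and `Text` fields describe.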
+++ b/prowler/providers/alibabacloud/services/ecs/ecs_instance_no_legacy_network/ecs_instance_no_legacy_network.metadata.json 
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ecs_instance_no_legacy_network",
- "CheckTitle": "Legacy networks does not exist",
- "CheckType": [
- "Suspicious network connection"
- ],
+ "CheckTitle": "ECS instance does not use legacy network",
+ "CheckType": [],
 "ServiceName": "ecs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudECSInstance",
+ "ResourceType": "ALIYUN::ECS::Instance",
 "ResourceGroup": "compute",
- "Description": "In order to prevent use of **legacy networks**, ECS instances should not have a legacy network configured.\n\nLegacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. With legacy networks, you cannot create subnetworks or switch from legacy to auto or custom subnet networks.",
- "Risk": "**Legacy networks** can have an impact on high network traffic ECS instances and are subject to a **single point of failure**.\n\nThey also lack the security isolation and network segmentation capabilities provided by **VPCs**.",
+ "Description": "**Alibaba Cloud ECS instances** should use **VPC (Virtual Private Cloud)** networks instead of legacy classic networks. Legacy networks have a single IPv4 prefix range and a single gateway IP address for the whole network, preventing the creation of subnetworks or migration to auto/custom subnet networks. This check verifies that no ECS instances are configured with a legacy network type.",
+ "Risk": "**Legacy networks** lack the security isolation and network segmentation capabilities provided by **VPCs**, creating a **single point of failure** for high-traffic instances. 
Without proper network segmentation, lateral movement by attackers becomes easier, impacting **confidentiality** and **integrity** of workloads sharing the same flat network.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/87190.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-VPC/legacy-network-usage.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-VPC/legacy-network-usage.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ecs CreateInstance --InstanceName --ImageId --InstanceType --VSwitchId ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ECS Console**.\n2. In the left-side navigation pane, choose **Instance & Image** > **Instances**.\n3. Click **Create Instance**.\n4. Specify the basic instance information and click **Next: Networking**.\n5. Select **VPC** as the Network Type and choose an appropriate VSwitch.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Instance & Image** > **Instances**\n3. Click **Create Instance**\n4. Specify the basic instance information required and click **Next: Networking**\n5. Select the Network Type of **VPC**",
+ "Text": "Migrate all ECS instances from legacy classic networks to **VPC** networks. Create new instances within a VPC and migrate workloads from legacy network instances.",
 "Url": "https://hub.prowler.com/check/ecs_instance_no_legacy_network"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json b/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json
index cf61b5255e..855d63279f 100644
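Review bot: The new `Other` steps stop after creating a VPC instance (step 5) and never deal with the legacy-network instance itself, while the new `Text` says to migrate workloads and the Description says the check verifies that no instance is on a legacy network, so a finding would persist after following the console steps as written. Consider appending `\n6. Migrate the workload to the new instance and release the legacy-network instance.` so the procedure and the recommendation agree.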
--- a/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json
+++ b/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_rdp_internet/ecs_securitygroup_restrict_rdp_internet.metadata.json
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ecs_securitygroup_restrict_rdp_internet",
- "CheckTitle": "RDP access is restricted from the internet",
- "CheckType": [
- "Unusual logon",
- "Suspicious network connection"
- ],
+ "CheckTitle": "Security group restricts RDP access from the internet",
+ "CheckType": [],
 "ServiceName": "ecs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ecs:region:account-id:security-group/{security-group-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudECSSecurityGroup",
+ "ResourceType": "ALIYUN::ECS::SecurityGroup",
 "ResourceGroup": "network",
- "Description": "**Security groups** provide stateful filtering of ingress/egress network traffic to Alibaba Cloud resources.\n\nIt is recommended that no security group allows unrestricted ingress access to port **3389 (RDP)**.",
- "Risk": "Removing unfettered connectivity to remote console services, such as **RDP**, reduces a server's exposure to risk.\n\nUnrestricted RDP access from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of RDP vulnerabilities**.",
+ "Description": "**Alibaba Cloud ECS security groups** provide stateful filtering of ingress and egress network traffic to cloud resources. This check verifies that no security group allows unrestricted ingress access to port **3389** (RDP) from the internet (`0.0.0.0/0` or `::/0`). Restricting RDP access to trusted IP addresses significantly reduces the attack surface of ECS instances.",
+ "Risk": "Unrestricted **RDP access** from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of RDP vulnerabilities** such as BlueKeep. 
This can lead to **unauthorized access**, **data exfiltration**, and full system compromise, impacting **confidentiality**, **integrity**, and **availability**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/25387.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/unrestricted-rdp-access.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/unrestricted-rdp-access.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ecs RevokeSecurityGroup --SecurityGroupId --IpProtocol tcp --PortRange 3389/3389 --SourceCidrIp 0.0.0.0/0",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ECS Console**.\n2. In the left-side navigation pane, choose **Network & Security** > **Security Groups**.\n3. Find the target security group and click **Add Rules**.\n4. Locate the rule allowing port `3389` from `0.0.0.0/0`.\n5. Modify the Source IP range to a specific trusted IP or CIDR block.\n6. Click **Save**.",
 "Terraform": "resource \"alicloud_security_group_rule\" \"deny_rdp_internet\" {\n type = \"ingress\"\n ip_protocol = \"tcp\"\n port_range = \"3389/3389\"\n security_group_id = alicloud_security_group.example.id\n cidr_ip = \"10.0.0.0/8\" # Restrict to internal network\n policy = \"accept\"\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Network & Security** > **Security Groups**\n3. Find the Security Group you want to modify\n4. Modify Source IP range to specific IP instead of `0.0.0.0/0`\n5. Click **Save**",
+ "Text": "Restrict RDP (port **3389**) access in security groups to only trusted IP addresses or CIDR blocks. Remove any rules allowing access from `0.0.0.0/0` or `::/0`.",
 "Url": "https://hub.prowler.com/check/ecs_securitygroup_restrict_rdp_internet"
 }
 },
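Review bot: The new Description and `Text` say the check covers `::/0` as well as `0.0.0.0/0`, but the new `Other` step 4 only tells the reader to find the rule for `0.0.0.0/0` and the unchanged CLI only revokes `--SourceCidrIp 0.0.0.0/0`, so an IPv6 any-source rule is left in place by the documented remediation; the same applies to the ecs_securitygroup_restrict_ssh_internet hunk. Suggest `4. Locate the rules allowing port \`3389\` from \`0.0.0.0/0\` or \`::/0\`.` and, if the check implementation (not visible here) does not evaluate IPv6 rules, dropping `::/0` from the Description instead. Step 3 also says to click **Add Rules** in order to locate an existing rule, which reads as if a new rule should be created; the unchanged Terraform example likewise only adds a `10.0.0.0/8` accept rule named `deny_rdp_internet` without removing the open one, so the console steps are the only part of the remediation that actually closes the exposure.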
diff --git a/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json b/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json
index 136687ed7f..19c2b5e7f3 100644
--- a/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json
+++ b/prowler/providers/alibabacloud/services/ecs/ecs_securitygroup_restrict_ssh_internet/ecs_securitygroup_restrict_ssh_internet.metadata.json
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ecs_securitygroup_restrict_ssh_internet",
- "CheckTitle": "SSH access is restricted from the internet",
- "CheckType": [
- "Unusual logon",
- "Suspicious network connection"
- ],
+ "CheckTitle": "Security group restricts SSH access from the internet",
+ "CheckType": [],
 "ServiceName": "ecs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ecs:region:account-id:security-group/{security-group-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudECSSecurityGroup",
+ "ResourceType": "ALIYUN::ECS::SecurityGroup",
 "ResourceGroup": "network",
- "Description": "**Security groups** provide stateful filtering of ingress/egress network traffic to Alibaba Cloud resources.\n\nIt is recommended that no security group allows unrestricted ingress access to port **22 (SSH)**.",
- "Risk": "Removing unfettered connectivity to remote console services, such as **SSH**, reduces a server's exposure to risk.\n\nUnrestricted SSH access from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of SSH vulnerabilities**.",
+ "Description": "**Alibaba Cloud ECS security groups** provide stateful filtering of ingress and egress network traffic to cloud resources. This check verifies that no security group allows unrestricted ingress access to port **22** (SSH) from the internet (`0.0.0.0/0` or `::/0`). Restricting SSH access to trusted IP addresses significantly reduces the attack surface of ECS instances.",
+ "Risk": "Unrestricted **SSH access** from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of SSH vulnerabilities**. 
This can lead to **unauthorized access**, **data exfiltration**, and full system compromise, impacting **confidentiality**, **integrity**, and **availability**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/25387.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/unrestricted-ssh-access.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/unrestricted-ssh-access.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ecs RevokeSecurityGroup --SecurityGroupId --IpProtocol tcp --PortRange 22/22 --SourceCidrIp 0.0.0.0/0",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ECS Console**.\n2. In the left-side navigation pane, choose **Network & Security** > **Security Groups**.\n3. Find the target security group and click **Add Rules**.\n4. Locate the rule allowing port `22` from `0.0.0.0/0`.\n5. Modify the Source IP range to a specific trusted IP or CIDR block.\n6. Click **Save**.",
 "Terraform": "resource \"alicloud_security_group_rule\" \"deny_ssh_internet\" {\n type = \"ingress\"\n ip_protocol = \"tcp\"\n port_range = \"22/22\"\n security_group_id = alicloud_security_group.example.id\n cidr_ip = \"10.0.0.0/8\" # Restrict to internal network\n policy = \"accept\"\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Network & Security** > **Security Groups**\n3. Find the Security Group you want to modify\n4. Modify Source IP range to specific IP instead of `0.0.0.0/0`\n5. Click **Save**",
+ "Text": "Restrict SSH (port **22**) access in security groups to only trusted IP addresses or CIDR blocks. Remove any rules allowing access from `0.0.0.0/0` or `::/0`.",
 "Url": "https://hub.prowler.com/check/ecs_securitygroup_restrict_ssh_internet"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json b/prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json
index ed2daedbde..0808a219f0 100644
--- a/prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json
+++ b/prowler/providers/alibabacloud/services/ecs/ecs_unattached_disk_encrypted/ecs_unattached_disk_encrypted.metadata.json
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ecs_unattached_disk_encrypted",
- "CheckTitle": "Unattached disks are encrypted",
- "CheckType": [
- "Sensitive file tampering"
- ],
+ "CheckTitle": "ECS unattached disk is encrypted",
+ "CheckType": [],
 "ServiceName": "ecs",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ecs:region:account-id:disk/{disk-id}",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudECSDisk",
+ "ResourceType": "ALIYUN::ECS::Disk",
 "ResourceGroup": "storage",
- "Description": "**Cloud disk encryption** protects your data at rest. The cloud disk data encryption feature automatically encrypts data when data is transferred from ECS instances to disks, and decrypts data when read from disks.",
- "Risk": "**Unencrypted unattached disks** pose a security risk as they may contain sensitive data that could be accessed if the disk is compromised or accessed by unauthorized parties.\n\nUnattached disks are especially vulnerable as they may be forgotten or not monitored, increasing the risk of **unauthorized access**.",
+ "Description": "**Alibaba Cloud ECS cloud disk encryption** protects data at rest by automatically encrypting data when it is transferred from ECS instances to disks and decrypting it when read. This check verifies that unattached (detached) disks have encryption enabled, since unattached disks may still contain sensitive data from previous workloads and are especially vulnerable if not properly managed.",
+ "Risk": "**Unencrypted unattached disks** pose a significant security risk as they may contain sensitive data that could be accessed if the disk is compromised or accessed by unauthorized parties. 
Unattached disks are especially vulnerable as they may be overlooked in security monitoring, increasing the risk of **unauthorized access** and **data breaches** that impact **confidentiality**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/59643.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/encrypt-unattached-disks.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/encrypt-unattached-disks.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ecs CreateDisk --DiskName --Size --Encrypted true --KmsKeyId ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **ECS Console**.\n2. In the left-side navigation pane, choose **Storage & Snapshots** > **Disk**.\n3. In the upper-right corner of the Disks page, click **Create Disk**.\n4. In the Disk section, check the **Disk Encryption** box and select a key from the drop-down list.\n\n**Note:** After a data disk is created, you can only encrypt it by manually copying data from the unencrypted disk to a new encrypted disk.",
 "Terraform": "resource \"alicloud_ecs_disk\" \"encrypted\" {\n zone_id = \"cn-hangzhou-a\"\n disk_name = \"encrypted-disk\"\n category = \"cloud_efficiency\"\n size = 20\n encrypted = true\n kms_key_id = alicloud_kms_key.example.id\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **ECS Console**\n2. In the left-side navigation pane, choose **Storage & Snapshots** > **Disk**\n3. In the upper-right corner of the Disks page, click **Create Disk**\n4. In the Disk section, check the **Disk Encryption** box and select a key from the drop-down list\n\n**Note:** After a data disk is created, you can only encrypt the data disk by manually copying data from the unencrypted disk to a new encrypted disk.",
+ "Text": "Ensure all unattached ECS disks are encrypted. 
Create new encrypted disks and migrate data from unencrypted disks, then delete the unencrypted originals.",
 "Url": "https://hub.prowler.com/check/ecs_unattached_disk_encrypted"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json b/prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json
index 23fce0f862..934eee4dbf 100644
--- a/prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/oss/oss_bucket_logging_enabled/oss_bucket_logging_enabled.metadata.json
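Review bot: The new `Text` goes straight from "migrate data" to "delete the unencrypted originals" with no verification step, and the unchanged CLI `aliyun ecs CreateDisk ...` only creates a fresh disk, so a reader following the metadata literally could destroy the only copy of the data before the encrypted disk is confirmed good. Suggest `Create new encrypted disks, migrate and verify the data, then delete the unencrypted originals and any snapshots taken from them.` Snapshots taken from an unencrypted disk presumably remain unencrypted and keep the data recoverable after the disk is gone, so confirm that against the ECS snapshot documentation before adding the clause.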
@@ -2,32 +2,29 @@
 "Provider": "alibabacloud",
 "CheckID": "oss_bucket_logging_enabled",
 "CheckTitle": "Logging is enabled for OSS buckets",
- "CheckType": [
- "Sensitive file tampering",
- "Cloud threat detection"
- ],
+ "CheckType": [],
 "ServiceName": "oss",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:oss::account-id:bucket-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudOSSBucket",
+ "ResourceType": "ALIYUN::OSS::Bucket",
 "ResourceGroup": "storage",
- "Description": "**OSS Bucket Access Logging** generates a log that contains access records for each request made to your OSS bucket.\n\nAn access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on OSS buckets.",
- "Risk": "By enabling **OSS bucket logging** on target OSS buckets, it is possible to capture all events which may affect objects within target buckets.\n\nConfiguring logs to be placed in a separate bucket allows access to log information useful in **security** and **incident response** workflows.",
+ "Description": "**Alibaba Cloud OSS Bucket Access Logging** generates a log record for each request made to your OSS bucket, containing details such as the request type, the resources specified, and the time and date the request was processed. Enabling bucket access logging on all OSS buckets ensures that access patterns are recorded and available for security analysis and incident response workflows.",
+ "Risk": "Without **OSS bucket logging** enabled, access events affecting objects within target buckets are not captured. 
This limits the ability to perform **security analysis**, **incident response**, and **forensic investigations**, as there is no record of who accessed or modified stored data.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/31900.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-bucket-access-logging.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-bucket-access-logging.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "ossutil logging --method put oss:// --target-bucket --target-prefix ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Under **Log**, click **Configure**\n4. Click the **Enabled** checkbox\n5. Select `Target Bucket` from the list\n6. Enter a `Target Prefix`\n7. Click **Save**",
 "Terraform": "resource \"alicloud_oss_bucket_logging\" \"example\" {\n bucket = alicloud_oss_bucket.example.bucket\n target_bucket = alicloud_oss_bucket.log_bucket.bucket\n target_prefix = \"log/\"\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Under **Log**, click **Configure**\n4. Click the **Enabled** checkbox\n5. Select `Target Bucket` from the list\n6. Enter a `Target Prefix`\n7. Click **Save**",
+ "Text": "Enable access logging on all OSS buckets and configure logs to be stored in a separate dedicated bucket for security analysis and compliance auditing.",
 "Url": "https://hub.prowler.com/check/oss_bucket_logging_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json b/prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json
index 8ba7ef19db..748e14b666 100644
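Review bot: The new `Other` steps in this hunk carry no trailing periods (`1. Log on to the **OSS Console**\n2. ...`) while every ECS hunk above ends each step with a period, and the two OSS hunks that follow use the period-less style too; since this text is user-facing, pick one convention for the Alibaba Cloud metadata rather than leaving it split by service. The new `Text` also asks for logs to be stored in "a separate dedicated bucket", which the Terraform example honours via `alicloud_oss_bucket.log_bucket`, but step 5 of `Other` just says to select a `Target Bucket`; consider `5. Select a separate, access-restricted \`Target Bucket\` from the list` so the console steps carry the same requirement.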
--- a/prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json
+++ b/prowler/providers/alibabacloud/services/oss/oss_bucket_not_publicly_accessible/oss_bucket_not_publicly_accessible.metadata.json
@@ -2,32 +2,29 @@
 "Provider": "alibabacloud",
 "CheckID": "oss_bucket_not_publicly_accessible",
 "CheckTitle": "OSS bucket is not anonymously or publicly accessible",
- "CheckType": [
- "Sensitive file tampering",
- "Cloud threat detection"
- ],
+ "CheckType": [],
 "ServiceName": "oss",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:oss::account-id:bucket-name",
+ "ResourceIdTemplate": "",
 "Severity": "critical",
- "ResourceType": "AlibabaCloudOSSBucket",
+ "ResourceType": "ALIYUN::OSS::Bucket",
 "ResourceGroup": "storage",
- "Description": "A bucket is a container used to store objects in **Object Storage Service (OSS)**. All objects in OSS are stored in buckets.\n\nIt is recommended that the access policy on OSS buckets does not allow **anonymous** and/or **public access**.",
- "Risk": "Allowing **anonymous** and/or **public access** grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data.\n\nPublic buckets can lead to **data breaches**, **unauthorized data access**, and **compliance violations**.",
+ "Description": "**Alibaba Cloud Object Storage Service (OSS)** buckets store objects that may contain sensitive data. It is recommended that the access policy on OSS buckets does not allow **anonymous** or **public access**, ensuring that only authorized identities can interact with bucket contents. The bucket ACL should be set to `private` to prevent unintended data exposure.",
+ "Risk": "Allowing **anonymous** or **public access** to OSS buckets grants permissions to anyone on the internet to read or modify bucket content. 
This can lead to **data breaches**, **unauthorized data exfiltration**, **data tampering**, and **compliance violations**, particularly when buckets contain sensitive or regulated information.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/31896.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun oss PutBucketAcl --bucket --acl private",
 "NativeIaC": "",
- "Other": "",
+ "Other": "**Set Bucket ACL to Private:**\n1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Click on **Basic Setting** in the top middle of the console\n4. Under ACL section, click on **Configure**\n5. Click **Private** and click **Save**\n\n**For Bucket Policy:**\n1. Click **Bucket**, and then click the name of the target bucket\n2. Click the **Files** tab and click **Authorize**\n3. In the Authorize dialog, choose `Anonymous Accounts (*)` for Accounts and choose `None` for Authorized Operation\n4. Click **OK**",
 "Terraform": "resource \"alicloud_oss_bucket_public_access_block\" \"example\" {\n bucket = alicloud_oss_bucket.example.bucket\n block_public_access = true\n}"
 },
 "Recommendation": {
- "Text": "**Set Bucket ACL to Private:**\n1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Click on **Basic Setting** in the top middle of the console\n4. Under ACL section, click on **Configure**\n5. Click **Private** and click **Save**\n\n**For Bucket Policy:**\n1. Click **Bucket**, and then click the name of the target bucket\n2. Click the **Files** tab and click **Authorize**\n3. In the Authorize dialog, choose `Anonymous Accounts (*)` for Accounts and choose `None` for Authorized Operation\n4. 
Click **OK**",
+ "Text": "Set the OSS bucket ACL to private and configure bucket policies to deny anonymous or public access, ensuring only authorized identities can access stored objects.",
 "Url": "https://hub.prowler.com/check/oss_bucket_not_publicly_accessible"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json b/prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json
index d5b0a59bf9..b112b84d43 100644
--- a/prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/oss/oss_bucket_secure_transport_enabled/oss_bucket_secure_transport_enabled.metadata.json
@@ -1,32 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "oss_bucket_secure_transport_enabled",
- "CheckTitle": "Secure transfer required is set to Enabled",
- "CheckType": [
- "Sensitive file tampering"
- ],
+ "CheckTitle": "Secure transfer required is enabled for OSS buckets",
+ "CheckType": [],
 "ServiceName": "oss",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:oss::account-id:bucket-name",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudOSSBucket",
+ "ResourceType": "ALIYUN::OSS::Bucket",
 "ResourceGroup": "storage",
- "Description": "Enable **data encryption in transit**. The secure transfer enhances the security of OSS buckets by only allowing requests to the storage account via a secure connection.\n\nFor example, when calling REST APIs to access storage accounts, the connection must use **HTTPS**. Any requests using HTTP will be rejected.",
- "Risk": "Without **secure transfer enforcement**, OSS buckets may accept HTTP requests, which are not encrypted in transit.\n\nThis exposes data to potential **interception** and **man-in-the-middle attacks**, compromising data confidentiality and integrity.",
+ "Description": "**Alibaba Cloud OSS** buckets should enforce **secure transfer** by requiring all requests to use HTTPS. A bucket policy that denies requests with `acs:SecureTransport` set to `false` ensures that data in transit is encrypted, rejecting any unencrypted HTTP connections to the storage endpoint.",
+ "Risk": "Without **secure transfer enforcement**, OSS buckets accept HTTP requests that transmit data in plaintext. 
This exposes stored data to potential **interception**, **man-in-the-middle attacks**, and **eavesdropping**, compromising data **confidentiality** and **integrity** during transit.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/85111.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-secure-transfer.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-secure-transfer.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aliyun oss PutBucketPolicy --bucket --policy '{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":[\"*\"],\"Action\":[\"oss:*\"],\"Resource\":[\"acs:oss:*:*:\",\"acs:oss:*:*:/*\"],\"Condition\":{\"Bool\":{\"acs:SecureTransport\":\"false\"}}}]}'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Click on **Files** in the top middle of the console\n4. Click on **Authorize**\n5. Configure: `Whole Bucket`, `*`, `None` (Authorized Operation) and `http` (Conditions: Access Method) to deny HTTP access\n6. Click **Save**",
 "Terraform": "resource \"alicloud_oss_bucket\" \"example\" {\n bucket = \"example-bucket\"\n \n policy = jsonencode({\n \"Version\": \"1\",\n \"Statement\": [{\n \"Effect\": \"Deny\",\n \"Principal\": [\"*\"],\n \"Action\": [\"oss:*\"],\n \"Resource\": [\"acs:oss:*:*:example-bucket\", \"acs:oss:*:*:example-bucket/*\"],\n \"Condition\": {\n \"Bool\": {\n \"acs:SecureTransport\": \"false\"\n }\n }\n }]\n })\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **OSS Console**\n2. In the bucket-list pane, click on a target OSS bucket\n3. Click on **Files** in the top middle of the console\n4. Click on **Authorize**\n5. Configure: `Whole Bucket`, `*`, `None` (Authorized Operation) and `http` (Conditions: Access Method) to deny HTTP access\n6. 
Click **Save**",
+ "Text": "Enforce secure transfer on OSS buckets by applying a bucket policy that denies all requests not using HTTPS, ensuring data in transit is always encrypted.",
 "Url": "https://hub.prowler.com/check/oss_bucket_secure_transport_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json
index be7ec536fd..d0ce95a9a1 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_no_root_access_key/ram_no_root_access_key.metadata.json
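Review bot: The new CLI policy has empty bucket names in its `Resource` ARNs (`\"acs:oss:*:*:\",\"acs:oss:*:*:/*\"`), so a reader who only fills in `--bucket` ends up applying a Deny that matches no real object path, and nothing in the string signals that a value is missing there; the Terraform example directly below uses `acs:oss:*:*:example-bucket`, so the two remediations disagree on where the name goes. Suggest making the gap explicit, e.g. `\"Resource\":[\"acs:oss:*:*:<bucket-name>\",\"acs:oss:*:*:<bucket-name>/*\"]`, or stating once in the developer guide that blank CLI arguments are placeholders to be filled in. Because this is a Deny with `Principal: ["*"]` and `Action: ["oss:*"]`, it is also worth a sentence in `Other` or `Text` reminding operators to test with an HTTPS client first, since a typo in the condition would lock out all access rather than just HTTP.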
@@ -2,32 +2,29 @@
 "Provider": "alibabacloud",
 "CheckID": "ram_no_root_access_key",
 "CheckTitle": "No root account access key exists",
- "CheckType": [
- "Unusual logon",
- "Cloud threat detection"
- ],
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:root",
+ "ResourceIdTemplate": "",
 "Severity": "critical",
- "ResourceType": "AlibabaCloudRAMAccessKey",
+ "ResourceType": "ALIYUN::RAM::User",
 "ResourceGroup": "IAM",
- "Description": "Ensure no **root account access key** exists. Access keys provide programmatic access to a given Alibaba Cloud account.\n\nIt is recommended that all access keys associated with the root account be removed.",
- "Risk": "The **root account** is the most privileged user in an Alibaba Cloud account. Access Keys provide programmatic access to a given Alibaba Cloud account.\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised and encourages the creation and use of **role-based accounts** that are least privileged.",
+ "Description": "**Alibaba Cloud RAM** access keys provide programmatic access to a given account. The **root account** is the most privileged user in an Alibaba Cloud account and should not have access keys associated with it. It is recommended that all access keys associated with the root account be removed to limit vectors by which the account can be compromised and encourage the creation of **role-based accounts** that follow the principle of least privilege.",
+ "Risk": "The **root account** has unrestricted access to all resources and services within the Alibaba Cloud account. If access keys for the root account are compromised, an attacker gains **full administrative control** over the entire account, including the ability to create, modify, or delete any resource. 
This poses a critical risk to the **confidentiality**, **integrity**, and **availability** of all cloud resources and data.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/102600.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/remove-root-access-keys.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/remove-root-access-keys.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram DeleteAccessKey --UserAccessKeyId ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **RAM Console** by using your Alibaba Cloud account (root account).\n2. Move the pointer over the account icon in the upper-right corner and click **AccessKey**.\n3. Click **Continue to manage AccessKey**.\n4. On the Security Management page, find the target access keys and click **Delete** to delete the target access keys permanently.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console** by using your Alibaba Cloud account (root account)\n2. Move the pointer over the account icon in the upper-right corner and click **AccessKey**\n3. Click **Continue to manage AccessKey**\n4. On the Security Management page, find the target access keys and click **Delete** to delete the target access keys permanently",
+ "Text": "Remove all access keys associated with the root account to reduce the attack surface and encourage the use of role-based accounts with least privilege.",
 "Url": "https://hub.prowler.com/check/ram_no_root_access_key"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json
index f5189bc2c8..5cfd7d06ae 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_lowercase/ram_password_policy_lowercase.metadata.json
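Review bot: The context line `"CLI": "aliyun ram DeleteAccessKey --UserAccessKeyId ",` leaves the parameter without a value, so the stored remediation command fails when copied as-is; an obvious placeholder such as `"CLI": "aliyun ram DeleteAccessKey --UserAccessKeyId <ACCESS_KEY_ID>",` makes the required input explicit. The same shape recurs in the `DetachPolicyFromUser` command of the `ram_policy_attached_only_to_group_or_roles` hunk and in the `PutBucketPolicy` command of the OSS hunk that ends just before this one, where `--bucket` and the `acs:oss:*:*:` resource names are also left empty. `ResourceType` moves to `ALIYUN::RAM::User` although the finding concerns the root account's access keys; that is defensible if the ROS type list has no key-level type, but the check's own finding code, which is not in this diff, determines whether it is accurate.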
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_lowercase",
- "CheckTitle": "RAM password policy requires at least one lowercase letter",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "RAM password policy has lowercase letter requirement",
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **lowercase letter**.",
- "Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nWeak passwords without character variety are more susceptible to dictionary attacks and automated password cracking tools.",
+ "Description": "**Alibaba Cloud RAM** password policies can be used to enforce password complexity requirements. It is recommended that the password policy require at least one **lowercase letter** to increase the character diversity of passwords. This enhances account resiliency against **brute force logon attempts** and dictionary attacks.",
+ "Risk": "Without requiring **lowercase letters** in the password policy, users may create passwords with limited character diversity. 
Weak passwords without sufficient character variety are more susceptible to **dictionary attacks** and automated password cracking tools, potentially compromising the **confidentiality** of user accounts and the resources they have access to.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/lowercase-letter-password-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/lowercase-letter-password-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --RequireLowercaseCharacters true",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. In the Charset section, select **Lower case**.\n5. Click **OK**.",
 "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n require_lowercase_characters = true\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the Charset section, select **Lower case**\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to require at least one lowercase letter to improve password complexity.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_lowercase"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json
index f2228326e7..9e4f4298b3 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json
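Review bot: `"CheckTitle": "RAM password policy has lowercase letter requirement"` departs from the phrasing the sibling checks in this diff keep (`requires at least one number`, `requires at least one symbol`), which makes the title set harder to scan and drops the "at least one" wording the new Description still uses. Keeping the original form, `"CheckTitle": "RAM password policy requires at least one lowercase letter",`, restores the consistency; the `ram_password_policy_uppercase` hunk makes the same change and should be aligned the same way.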
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_login_attempts/ram_password_policy_max_login_attempts.metadata.json 
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_max_login_attempts",
- "CheckTitle": "RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "RAM password policy temporarily blocks logon after 5 incorrect attempts within an hour",
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "**RAM password policies** can temporarily block logon after several incorrect logon attempts within an hour.\n\nIt is recommended that the password policy is set to temporarily block logon after **5 incorrect logon attempts** within an hour.",
- "Risk": "Temporarily blocking logon for incorrect password input increases account resiliency against **brute force logon attempts**.\n\nThis control helps prevent automated password guessing attacks from succeeding.",
+ "Description": "**Alibaba Cloud RAM** password policies can temporarily block logon after several incorrect logon attempts within an hour. It is recommended that the password policy is set to temporarily block logon after **5 incorrect logon attempts** within an hour to protect accounts against automated **brute force logon attempts** and credential stuffing attacks.",
+ "Risk": "Without an account lockout policy, attackers can make unlimited **brute force logon attempts** against RAM user accounts without any throttling. 
This significantly increases the risk of password compromise, potentially leading to unauthorized access to cloud resources and a breach of **confidentiality** and **integrity** of the account's data and services.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/max-login-attempts-password-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/max-login-attempts-password-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --MaxLoginAttemps 5",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. In the `Max Attempts` field, check the box next to **Enable** and enter `5`.\n5. Click **OK**.",
 "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n max_login_attemps = 5\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the `Max Attempts` field, check the box next to **Enable** and enter `5`\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to temporarily block logon after 5 incorrect attempts within an hour.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_max_login_attempts"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json
index a4138c2362..88e9292d37 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_max_password_age/ram_password_policy_max_password_age.metadata.json 
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_max_password_age",
- "CheckTitle": "RAM password policy expires passwords in 365 days or greater",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "RAM password policy expires passwords within 365 days or less",
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "**RAM password policies** can require passwords to be expired after a given number of days.\n\nIt is recommended that the password policy expire passwords after **365 days** or greater.",
- "Risk": "Too frequent password changes are more harmful than beneficial. They offer no containment benefits and enforce bad habits, since they encourage users to choose variants of older passwords.\n\nThe CIS now recommends an **annual password reset** as a balanced approach.",
+ "Description": "**Alibaba Cloud RAM** password policies can require passwords to be expired after a given number of days. It is recommended that the password policy expire passwords after **365 days** or less to ensure periodic credential rotation. The CIS benchmark recommends an **annual password reset** as a balanced approach that avoids forcing overly frequent changes while still ensuring compromised credentials have a limited lifespan.",
+ "Risk": "Without a maximum password age policy, compromised passwords can remain valid **indefinitely**, giving attackers persistent access to cloud resources. 
While overly frequent password changes can encourage users to choose weak variants, a reasonable maximum age of **365 days** ensures that any compromised credentials are eventually invalidated, reducing the window of opportunity for unauthorized access and protecting the **confidentiality** and **integrity** of account data.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-password-expiration-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-password-expiration-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --MaxPasswordAge 365",
 "NativeIaC": "",
- "Other": "",
- "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n max_password_age = 90\n}"
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. Check the box under `Max Age`, enter `365` or a smaller number.\n5. Click **OK**.",
+ "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n max_password_age = 365\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. Check the box under `Max Age`, enter `365` or a greater number up to `1095`\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to expire passwords within 365 days or less.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_max_password_age"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json
index 4c0c45c406..fd1be8c195 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_minimum_length/ram_password_policy_minimum_length.metadata.json
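Review bot: The title flips from `expires passwords in 365 days or greater` to `expires passwords within 365 days or less`, and the new `Other` and `Text` say `365` or a smaller number where the removed text said `365` or a greater number up to `1095`; that inverts the pass/fail direction the metadata describes, and the check's Python implementation, which is not in this diff, must compare in the same direction or findings will contradict their own description. Please confirm the implementation's comparison before merging, and if the metadata-only flip is intended, state the threshold unambiguously in the Description, e.g. `A configured maximum password age greater than 365 days, or no maximum age at all, fails this check.` Otherwise keep the original direction so the text matches what the check actually evaluates.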
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_minimum_length",
- "CheckTitle": "RAM password policy requires minimum length of 14 or greater",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "RAM password policy requires a minimum length of 14 or greater",
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require a minimum of **14 or greater characters** for any password.",
- "Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nLonger passwords provide exponentially more security against automated password cracking.",
+ "Description": "**Alibaba Cloud RAM** password policies can be used to enforce password complexity requirements. It is recommended that the password policy require a minimum of **14 or greater characters** for any password. Longer passwords provide exponentially more security against automated password cracking, as the keyspace increases dramatically with each additional character.",
+ "Risk": "Allowing short passwords significantly reduces the effort required for **brute force attacks** to succeed. Passwords shorter than **14 characters** can be cracked in a fraction of the time compared to longer passwords, potentially compromising the **confidentiality** of user accounts. 
This can lead to unauthorized access to cloud resources and sensitive data, affecting the overall **integrity** and **availability** of the environment.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-14-characters-password-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-14-characters-password-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --MinimumPasswordLength 14",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. In the Length section, enter `14` or a greater number.\n5. Click **OK**.",
 "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n minimum_password_length = 14\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the Length section, enter `14` or a greater number\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to require a minimum password length of 14 characters or greater.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_minimum_length"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json
index 29aba59a21..9b107baa91 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_number/ram_password_policy_number.metadata.json
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_number",
- "CheckTitle": "RAM password policy require at least one number",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "RAM password policy requires at least one number",
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **number**.",
- "Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nWeak passwords without numeric characters are more susceptible to dictionary attacks.",
+ "Description": "**Alibaba Cloud RAM** password policies can be used to enforce password complexity requirements. It is recommended that the password policy require at least one **numeric character** to increase the character diversity of passwords. This enhances account resiliency against **brute force logon attempts** and dictionary attacks by expanding the keyspace.",
+ "Risk": "Without requiring **numeric characters** in the password policy, users may create passwords composed only of alphabetic characters. 
Such passwords are more susceptible to **dictionary attacks** and automated cracking tools, potentially compromising the **confidentiality** of user accounts and the cloud resources they protect.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-number-password-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-number-password-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --RequireNumbers true",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. In the Charset section, select **Number**.\n5. Click **OK**.",
 "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n require_numbers = true\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the Charset section, select **Number**\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to require at least one numeric character to improve password complexity.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_number"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json
index 761807fb00..43b3f7ae5d 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_password_reuse_prevention/ram_password_policy_password_reuse_prevention.metadata.json 
@@ -2,32 +2,29 @@
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_password_reuse_prevention",
 "CheckTitle": "RAM password policy prevents password reuse",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "It is recommended that the **password policy** prevent the reuse of passwords.\n\nThis ensures users cannot cycle back to previously compromised passwords.",
- "Risk": "Preventing **password reuse** increases account resiliency against brute force logon attempts.\n\nIf a password is compromised and later reused, attackers with knowledge of old credentials can regain access.",
+ "Description": "**Alibaba Cloud RAM** password policies can be configured to prevent the reuse of previously used passwords. It is recommended that the password policy prevent the reuse of passwords to ensure users cannot cycle back to previously compromised credentials. This increases account resiliency against **brute force logon attempts** and reduces the risk of credential reuse attacks.",
+ "Risk": "Without **password reuse prevention**, users may cycle back to previously compromised passwords. If a password was compromised in the past and is later reused, attackers with knowledge of old credentials can regain access to the account, threatening the **confidentiality** and **integrity** of cloud resources. 
This significantly weakens the overall security posture of the Alibaba Cloud environment.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/prevent-password-reuse-password-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/prevent-password-reuse-password-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --PasswordReusePrevention 5",
 "NativeIaC": "",
- "Other": "",
- "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n password_reuse_prevention = 24\n}"
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. In the `Do Not repeat History` section field, enter `5`.\n5. Click **OK**.",
+ "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n password_reuse_prevention = 5\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the `Do Not repeat History` section field, enter `5`\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to prevent the reuse of at least the last 5 passwords.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_password_reuse_prevention"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json
index 7c369a89c2..46fc154d33 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_symbol/ram_password_policy_symbol.metadata.json
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_symbol",
- "CheckTitle": "RAM password policy require at least one symbol",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "RAM password policy requires at least one symbol",
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **symbol**.",
- "Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nSpecial characters significantly increase the keyspace that attackers must search.",
+ "Description": "**Alibaba Cloud RAM** password policies can be used to enforce password complexity requirements. It is recommended that the password policy require at least one **special character (symbol)** to increase the character diversity of passwords. Special characters significantly increase the keyspace that attackers must search, enhancing account resiliency against **brute force logon attempts**.",
+ "Risk": "Without requiring **symbols** in the password policy, users may create passwords composed only of alphanumeric characters. 
Such passwords have a reduced keyspace and are more susceptible to **brute force attacks** and automated password cracking tools, potentially compromising the **confidentiality** of user accounts and the cloud resources they protect.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-symbol-password-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-symbol-password-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --RequireSymbols true",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. In the Charset section, select **Symbol**.\n5. Click **OK**.",
 "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n require_symbols = true\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the Charset section, select **Symbol**\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to require at least one symbol to improve password complexity.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_symbol"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json
index 28f115bd3e..41e5ec4845 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_password_policy_uppercase/ram_password_policy_uppercase.metadata.json
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "ram_password_policy_uppercase",
- "CheckTitle": "RAM password policy requires at least one uppercase letter",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "RAM password policy has uppercase letter requirement",
+ "CheckType": [],
 "ServiceName": "ram",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:ram::account-id:password-policy",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudRAMPasswordPolicy",
+ "ResourceType": "ALIYUN::RAM::SecurityPreference",
 "ResourceGroup": "IAM",
- "Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **uppercase letter**.",
- "Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nWeak passwords without case variety are more susceptible to dictionary attacks.",
+ "Description": "**Alibaba Cloud RAM** password policies can be used to enforce password complexity requirements. It is recommended that the password policy require at least one **uppercase letter** to increase the character diversity of passwords. This enhances account resiliency against **brute force logon attempts** and dictionary attacks by requiring mixed-case passwords.",
+ "Risk": "Without requiring **uppercase letters** in the password policy, users may create passwords with limited case diversity. 
Weak passwords without case variety are more susceptible to **dictionary attacks** and automated password cracking tools, potentially compromising the **confidentiality** of user accounts and the resources they have access to.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/116413.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/uppercase-letter-password-policy.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/uppercase-letter-password-policy.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun ram SetPasswordPolicy --RequireUppercaseCharacters true",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **RAM Console**.\n2. Choose **Settings**.\n3. In the Password section, click **Modify**.\n4. In the Charset section, select **Upper case**.\n5. Click **OK**.",
 "Terraform": "resource \"alicloud_ram_password_policy\" \"example\" {\n require_uppercase_characters = true\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **RAM Console**\n2. Choose **Settings**\n3. In the Password section, click **Modify**\n4. In the Charset section, select **Upper case**\n5. Click **OK**",
+ "Text": "Configure the RAM password policy to require at least one uppercase letter to improve password complexity.",
 "Url": "https://hub.prowler.com/check/ram_password_policy_uppercase"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json
index 0dfa1782bd..5c895dc0ca 100644
--- a/prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json
+++ b/prowler/providers/alibabacloud/services/ram/ram_policy_attached_only_to_group_or_roles/ram_policy_attached_only_to_group_or_roles.metadata.json 
@@ -2,32 +2,29 @@ "Provider": "alibabacloud", "CheckID": "ram_policy_attached_only_to_group_or_roles", "CheckTitle": "RAM policies are attached only to groups or roles", - "CheckType": [ - "Abnormal account", - "Cloud threat detection" - ], + "CheckType": [], "ServiceName": "ram", "SubServiceName": "", - "ResourceIdTemplate": "acs:ram::account-id:user/{user-name}", + "ResourceIdTemplate": "", "Severity": "low", - "ResourceType": "AlibabaCloudRAMUser", + "ResourceType": "ALIYUN::RAM::ManagedPolicy", "ResourceGroup": "IAM", - "Description": "By default, **RAM users**, groups, and roles have no access to Alibaba Cloud resources. RAM policies are the means by which privileges are granted to users, groups, or roles.\n\nIt is recommended that RAM policies be applied directly to **groups and roles** but not users.", - "Risk": "Assigning privileges at the **group or role level** reduces the complexity of access management as the number of users grows.\n\nReducing access management complexity may in turn reduce opportunity for a principal to inadvertently receive or retain **excessive privileges**.", + "Description": "**Alibaba Cloud RAM** users, groups, and roles have no access to resources by default. RAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that RAM policies be applied directly to **groups and roles** but not to individual users. This simplifies access management and reduces the likelihood of granting unintended permissions as the number of users grows.", + "Risk": "Assigning privileges directly to individual users instead of **groups or roles** increases the complexity of access management. As the number of users grows, this complexity can lead to principals inadvertently receiving or retaining **excessive privileges**, threatening the **confidentiality** and **integrity** of cloud resources. 
It also makes auditing and compliance reviews significantly more difficult.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/116820.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/receive-permissions-via-ram-groups-only.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/receive-permissions-via-ram-groups-only.html" ], "Remediation": { "Code": { "CLI": "aliyun ram DetachPolicyFromUser --PolicyName --PolicyType --UserName ", "NativeIaC": "", - "Other": "", + "Other": "1. Create **RAM user groups** and assign policies to those groups.\n2. Add users to the appropriate groups.\n3. Detach any policies directly attached to users using the RAM Console or CLI.", "Terraform": "" }, "Recommendation": { - "Text": "1. Create **RAM user groups** and assign policies to those groups\n2. Add users to the appropriate groups\n3. Detach any policies directly attached to users using the RAM Console or CLI", + "Text": "Detach policies from individual RAM users and attach them to groups or roles instead to simplify access management.", "Url": "https://hub.prowler.com/check/ram_policy_attached_only_to_group_or_roles" } }, diff --git a/prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json index 3d2e085fc9..27fbeff47c 100644 --- a/prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json +++ b/prowler/providers/alibabacloud/services/ram/ram_policy_no_administrative_privileges/ram_policy_no_administrative_privileges.metadata.json 
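Review bot: `"ResourceType": "ALIYUN::RAM::ManagedPolicy"` does not match what this check audits: the new `Other` steps ("Detach any policies directly attached to users"), the unchanged CLI `DetachPolicyFromUser --UserName` and the removed template `acs:ram::account-id:user/{user-name}` all point at the RAM user carrying a direct attachment, so the finding should presumably be typed `ALIYUN::RAM::User`, as the sibling RAM user checks in this commit are. Typing it as a policy groups these findings with policy-object findings and breaks per-resource filtering on ResourceType. If the check in fact emits one finding per policy rather than per user, the Description and `Other` text should say so instead. I cannot see the check implementation from this hunk, so confirm which object is reported before changing the type.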
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "ram_policy_no_administrative_privileges", - "CheckTitle": "RAM policies that allow full \"*:*\" administrative privileges are not created", - "CheckType": [ - "Abnormal account", - "Cloud threat detection" - ], + "CheckTitle": "RAM policies do not allow full administrative privileges", + "CheckType": [], "ServiceName": "ram", "SubServiceName": "", - "ResourceIdTemplate": "acs:ram::account-id:policy/{policy-name}", + "ResourceIdTemplate": "", "Severity": "critical", - "ResourceType": "AlibabaCloudRAMPolicy", + "ResourceType": "ALIYUN::RAM::ManagedPolicy", "ResourceGroup": "IAM", - "Description": "**RAM policies** represent permissions that can be granted to users, groups, or roles. It is recommended to grant **least privilege**—that is, granting only the permissions required to perform tasks.\n\nDetermine what users need to do and then create policies with permissions that only fit those tasks, instead of allowing full administrative privileges.", - "Risk": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary. Providing **full administrative privileges** exposes your resources to potentially unwanted actions.\n\nRAM policies with `\"Effect\": \"Allow\"`, `\"Action\": \"*\"`, and `\"Resource\": \"*\"` should be prohibited.", + "Description": "**Alibaba Cloud RAM** policies represent permissions that can be granted to users, groups, or roles. It is recommended to follow the principle of **least privilege** by granting only the permissions required to perform specific tasks. RAM policies with `\"Effect\": \"Allow\"`, `\"Action\": \"*\"`, and `\"Resource\": \"*\"` should be avoided as they grant full administrative access to all resources and services.", + "Risk": "RAM policies granting **full administrative privileges** (`*:*`) expose all cloud resources to potentially unwanted actions. 
If such a policy is attached to a compromised user, group, or role, an attacker gains unrestricted access to create, modify, or delete any resource, severely impacting the **confidentiality**, **integrity**, and **availability** of the entire Alibaba Cloud environment.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/93733.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/policies-with-full-administrative-privileges.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/policies-with-full-administrative-privileges.html" ], "Remediation": { "Code": { "CLI": "aliyun ram DetachPolicyFromUser --PolicyName --PolicyType Custom --UserName ", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RAM Console**.\n2. Choose **Permissions** > **Policies**.\n3. From the Policy Type drop-down list, select **Custom Policy**.\n4. In the Policy Name column, click the name of the target policy.\n5. In the Policy Document section, edit the policy to remove the statement with full administrative privileges, or remove the policy from any RAM users, user groups, or roles that have this policy attached.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RAM Console**\n2. Choose **Permissions** > **Policies**\n3. From the Policy Type drop-down list, select **Custom Policy**\n4. In the Policy Name column, click the name of the target policy\n5. In the Policy Document section, edit the policy to remove the statement with full administrative privileges, or remove the policy from any RAM users, user groups, or roles that have this policy attached", + "Text": "Remove or modify RAM policies that grant full administrative privileges and replace them with least-privilege policies.", "Url": "https://hub.prowler.com/check/ram_policy_no_administrative_privileges" } }, 
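Review bot: The new Description names only the literal `"Action": "*"` form while the new Risk text and the removed title speak of `*:*`, so a reader cannot tell whether both wildcard spellings count as full-admin, and Alibaba Cloud policies commonly write the all-actions wildcard as `"*:*"`. Suggest `RAM policies with "Effect": "Allow", an Action of "*" or "*:*", and "Resource": "*" should be avoided …` and aligning it with whatever the check logic actually matches, which I cannot see from this hunk. The `Other` steps mention removing the policy from users, groups and roles, but the CLI line only covers `DetachPolicyFromUser` and is left with empty `--PolicyName`/`--UserName` placeholders; if the CLI exposes them, the group and role detach equivalents would make the remediation complete.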
diff --git a/prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json index c5f4bf24ce..da8d81b20f 100644 --- a/prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json +++ b/prowler/providers/alibabacloud/services/ram/ram_rotate_access_key_90_days/ram_rotate_access_key_90_days.metadata.json 
@@ -2,32 +2,29 @@ "Provider": "alibabacloud", "CheckID": "ram_rotate_access_key_90_days", "CheckTitle": "Access keys are rotated every 90 days or less", - "CheckType": [ - "Unusual logon", - "Cloud threat detection" - ], + "CheckType": [], "ServiceName": "ram", "SubServiceName": "", - "ResourceIdTemplate": "acs:ram::account-id:user/{user-name}/accesskey/{access-key-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRAMAccessKey", + "ResourceType": "ALIYUN::RAM::User", "ResourceGroup": "IAM", - "Description": "An **access key** consists of an access key ID and a secret, which are used to sign programmatic requests that you make to Alibaba Cloud.\n\nRAM users need their own access keys to make programmatic calls from SDKs, CLIs, or direct API calls. It is recommended that all access keys be **regularly rotated**.", - "Risk": "Access keys might be compromised by leaving them in code, configuration files, on-premise and cloud storages, and then stolen by attackers.\n\n**Rotating access keys** reduces the window of opportunity for a compromised access key to be used.", + "Description": "**Alibaba Cloud RAM** access keys consist of an access key ID and a secret, which are used to sign programmatic requests. RAM users need their own access keys to make programmatic calls from SDKs, CLIs, or direct API calls. It is recommended that all access keys be **regularly rotated** every 90 days or less to reduce the window of opportunity for compromised keys to be used.", + "Risk": "Access keys might be compromised by being left in code, configuration files, or cloud storage and then stolen by attackers. Without regular **access key rotation**, a compromised key can remain valid indefinitely, allowing persistent unauthorized access. 
This threatens the **confidentiality**, **integrity**, and **availability** of all resources accessible via those credentials.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/116401.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/access-keys-rotation.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/access-keys-rotation.html" ], "Remediation": { "Code": { "CLI": "aliyun ram CreateAccessKey --UserName && aliyun ram UpdateAccessKey --UserAccessKeyId --Status Inactive --UserName && aliyun ram DeleteAccessKey --UserAccessKeyId --UserName ", "NativeIaC": "", - "Other": "", + "Other": "1. Create a new **AccessKey pair** for rotation.\n2. Update all applications and systems to use the new AccessKey pair.\n3. **Disable** the original AccessKey pair.\n4. Confirm that your applications and systems are working.\n5. **Delete** the original AccessKey pair.", "Terraform": "" }, "Recommendation": { - "Text": "1. Create a new **AccessKey pair** for rotation\n2. Update all applications and systems to use the new AccessKey pair\n3. **Disable** the original AccessKey pair\n4. Confirm that your applications and systems are working\n5. **Delete** the original AccessKey pair", + "Text": "Rotate all RAM user access keys every 90 days or less to limit the impact of compromised credentials.", "Url": "https://hub.prowler.com/check/ram_rotate_access_key_90_days" } }, diff --git a/prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json index 1f6b644a46..3d920c351e 100644 --- a/prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json 
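Review bot: `"ResourceType": "ALIYUN::RAM::User"` is set for a finding whose subject is an individual access key — the removed template ended in `/accesskey/{access-key-id}` and the old type was `AlibabaCloudRAMAccessKey` — so a user with two stale keys yields two findings typed as the same user; if ROS exposes an access-key resource type that would be the more accurate choice, otherwise the Description should state that findings are reported per key under the owning user. Separately, the new `Other` steps correctly put a verification step (4) between disabling and deleting the old key, but the unchanged CLI chains `UpdateAccessKey … --Status Inactive && … DeleteAccessKey` in one command, so anyone copying it deletes the old key before confirming that workloads have moved. Suggest splitting the CLI into the create, the disable, and a separate delete, or adding to `Other`: `Run the delete only after the inactive key has produced no failures for a verification window.`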
+++ b/prowler/providers/alibabacloud/services/ram/ram_user_console_access_unused/ram_user_console_access_unused.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "ram_user_console_access_unused", - "CheckTitle": "Users not logged on for 90 days or longer are disabled for console logon", - "CheckType": [ - "Unusual logon", - "Abnormal account" - ], + "CheckTitle": "RAM user not logged on for 90 days or longer has console logon disabled", + "CheckType": [], "ServiceName": "ram", "SubServiceName": "", - "ResourceIdTemplate": "acs:ram::account-id:user/{user-name}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRAMUser", + "ResourceType": "ALIYUN::RAM::User", "ResourceGroup": "IAM", - "Description": "Alibaba Cloud **RAM users** can log on to the Alibaba Cloud console by using their username and password.\n\nIf a user has not logged on for **90 days or longer**, it is recommended to disable the console access of the user.", - "Risk": "Disabling users from having unnecessary logon privileges will reduce the opportunity that an **abandoned user** or a user with **compromised password** to be exploited.\n\nInactive accounts are common targets for attackers attempting account takeover.", + "Description": "**Alibaba Cloud RAM** users can log on to the console by using their username and password. If a user has not logged on for **90 days or longer**, it is recommended to disable the console access of the user. Disabling unused console access reduces the attack surface by removing unnecessary logon capabilities from potentially abandoned or dormant accounts.", + "Risk": "Inactive accounts with console access enabled are common targets for attackers attempting **account takeover**. An abandoned user account or one with a **compromised password** that has not been used in over 90 days may go unmonitored, allowing unauthorized access to go undetected. 
This poses a significant risk to the **confidentiality** and **integrity** of cloud resources accessible through the compromised account.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/116820.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/inactive-ram-user.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/inactive-ram-user.html" ], "Remediation": { "Code": { "CLI": "aliyun ram DeleteLoginProfile --UserName ", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RAM Console**.\n2. Choose **Identities** > **Users**.\n3. In the User Logon Name/Display Name column, click the username of the target RAM user.\n4. In the Console Logon Management section, click **Modify Logon Settings**.\n5. In the Console Password Logon section, select **Disabled**.\n6. Click **OK**.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RAM Console**\n2. Choose **Identities** > **Users**\n3. In the User Logon Name/Display Name column, click the username of the target RAM user\n4. In the Console Logon Management section, click **Modify Logon Settings**\n5. In the Console Password Logon section, select **Disabled**\n6. Click **OK**", + "Text": "Disable console access for RAM users that have not logged on for 90 days or longer to reduce the attack surface.", "Url": "https://hub.prowler.com/check/ram_user_console_access_unused" } }, diff --git a/prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json b/prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json index 11d8177294..92b537df54 100644 --- a/prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json 
+++ b/prowler/providers/alibabacloud/services/ram/ram_user_mfa_enabled_console_access/ram_user_mfa_enabled_console_access.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "ram_user_mfa_enabled_console_access", - "CheckTitle": "Multi-factor authentication is enabled for all RAM users that have a console password", - "CheckType": [ - "Unusual logon", - "Abnormal account" - ], + "CheckTitle": "Multi-factor authentication is enabled for all RAM users with console access", + "CheckType": [], "ServiceName": "ram", "SubServiceName": "", - "ResourceIdTemplate": "acs:ram::account-id:user/{user-name}", + "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "AlibabaCloudRAMUser", + "ResourceType": "ALIYUN::RAM::User", "ResourceGroup": "IAM", - "Description": "**Multi-Factor Authentication (MFA)** adds an extra layer of protection on top of a username and password.\n\nWith MFA enabled, when a user logs on to Alibaba Cloud, they will be prompted for their username and password followed by an authentication code from their virtual MFA device. It is recommended that MFA be enabled for all users that have a console password.", - "Risk": "**MFA** requires users to verify their identities by entering two authentication factors. When MFA is enabled, an attacker faces at least two different authentication mechanisms.\n\nThe additional security makes it significantly harder for an attacker to gain access even if passwords are compromised.", + "Description": "**Alibaba Cloud RAM** supports **Multi-Factor Authentication (MFA)**, which adds an extra layer of protection on top of a username and password. With MFA enabled, when a user logs on to the console, they are prompted for their username and password followed by an authentication code from their virtual MFA device. It is recommended that MFA be enabled for all RAM users that have a console password to significantly strengthen account security.", + "Risk": "Without **MFA** enabled, RAM user accounts rely solely on passwords for authentication. 
If a password is compromised through phishing, credential stuffing, or other attacks, an attacker gains full access to the account. Enabling MFA requires an additional authentication factor, making it significantly harder for attackers to gain unauthorized access even with compromised credentials, thereby protecting the **confidentiality**, **integrity**, and **availability** of cloud resources.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/119555.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/ram-user-multi-factor-authentication-enabled.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/ram-user-multi-factor-authentication-enabled.html" ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RAM Console**.\n2. For each user with console access, go to the user's details.\n3. In the **Console Logon Management** section, click **Modify Logon Settings**.\n4. For `Enable MFA`, select **Required**.\n5. Click **OK** to save the settings.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RAM Console**\n2. For each user with console access, go to the user's details\n3. In the **Console Logon Management** section, click **Modify Logon Settings**\n4. For `Enable MFA`, select **Required**\n5. Click **OK** to save the settings", + "Text": "Enable MFA for all RAM users with console access to add an extra layer of authentication security.", "Url": "https://hub.prowler.com/check/ram_user_mfa_enabled_console_access" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json index ac073851a7..02305aa74b 100644 
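Review bot: The new `Other` steps set the logon setting `Enable MFA` to **Required**, which — as I read the console — forces MFA binding at the user's next logon rather than enrolling a device, so a dormant user with a console password still has no MFA device bound and would presumably keep failing a check titled "MFA is enabled"; the steps should say the binding must be completed, e.g. `6. The user must bind a virtual MFA device at their next logon; the check passes only once a device is bound.` The CLI field is left empty although every other RAM check in this commit provides one; if the RAM API still exposes the flag, `aliyun ram UpdateLoginProfile --UserName <name> --MFABindRequired true` would be the equivalent of step 4 — verify the parameter name against the current API reference before adding it.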
--- a/prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json +++ b/prowler/providers/alibabacloud/services/rds/rds_instance_no_public_access_whitelist/rds_instance_no_public_access_whitelist.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_no_public_access_whitelist", - "CheckTitle": "RDS Instances are not open to the world", - "CheckType": [ - "Intrusion into applications", - "Suspicious network connection" - ], + "CheckTitle": "RDS instance does not allow public access in the IP whitelist", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "critical", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "Database Server should accept connections only from trusted **Network(s)/IP(s)** and restrict access from the world.\n\nTo minimize attack surface on a Database server Instance, only trusted/known and required IPs should be whitelisted. Authorized network should not have IPs/networks configured to `0.0.0.0` or `/0` which would allow access from anywhere in the world.", - "Risk": "Allowing **public access** (`0.0.0.0/0`) to the database significantly increases the risk of **brute-force attacks**, **unauthorized access**, and **data exfiltration**.\n\nDatabases exposed to the internet are prime targets for attackers.", + "Description": "**Alibaba Cloud RDS instances** should only accept connections from trusted networks and IP addresses. This check verifies that the IP whitelist does not contain entries such as `0.0.0.0/0` or `0.0.0.0` that would allow access from anywhere on the internet. Only specific, trusted IP addresses should be whitelisted to minimize the attack surface of the database server.", + "Risk": "Allowing **public access** (`0.0.0.0/0`) to the database significantly increases the risk of **brute-force attacks**, **unauthorized access**, and **data exfiltration**. 
Databases exposed to the internet are prime targets for attackers, and a successful breach can compromise **confidentiality**, **integrity**, and **availability** of all stored data.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/26198.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/disable-network-public-access.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/disable-network-public-access.html" ], "Remediation": { "Code": { - "CLI": "aliyun rds ModifySecurityIps --DBInstanceId --SecurityIps ", + "CLI": "aliyun rds ModifySecurityIps --DBInstanceId --SecurityIps ", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the target RDS instance.\n3. Go to **Data Security** > **Whitelist Settings** tab.\n4. Remove any `0.0.0.0` or `0.0.0.0/0` entries.\n5. Add only the specific IP addresses that need to access the instance.\n6. Click **OK** to save changes.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Go to **Data Security** > **Whitelist Settings** tab\n3. Remove any `0.0.0.0` or `/0` entries\n4. Only add the IP addresses that need to access the instance", + "Text": "Restrict the RDS IP whitelist to only trusted IP addresses. Remove any entries that allow unrestricted access such as `0.0.0.0/0`.", "Url": "https://hub.prowler.com/check/rds_instance_no_public_access_whitelist" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json index ee59a7cd50..e81fd5a60f 100644 
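Review bot: `aliyun rds ModifySecurityIps --DBInstanceId --SecurityIps` replaces the targeted whitelist group with the list passed, so an operator who copies it with only the newly trusted IPs silently drops every existing entry, and one who edits only one group can leave `0.0.0.0/0` in another; the `Other` steps should say `Pass the complete list of trusted IPs; ModifySecurityIps overwrites the group` and that every whitelist group on the instance, not just the default one, must be reviewed. The Description says the check flags entries `such as 0.0.0.0/0 or 0.0.0.0`, which leaves open whether near-universal ranges like `0.0.0.0/1` or short-prefix supernets are caught; a literal match on `0.0.0.0/0` is trivially bypassed, so state exactly what is matched so users do not assume broad CIDRs are covered. I cannot see the check implementation from this hunk, so word it to match the actual logic.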
--- a/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_connections_enabled/rds_instance_postgresql_log_connections_enabled.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_postgresql_log_connections_enabled", - "CheckTitle": "Parameter log_connections is set to ON for PostgreSQL Database", - "CheckType": [ - "Intrusion into applications", - "Unusual logon" - ], + "CheckTitle": "RDS PostgreSQL instance has log_connections parameter enabled", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "Enable `log_connections` on **PostgreSQL Servers**. Enabling `log_connections` helps PostgreSQL Database log attempted connections to the server, as well as successful completion of client authentication.\n\nLog data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", - "Risk": "Without **connection logging**, unauthorized access attempts might go unnoticed, and troubleshooting connection issues becomes more difficult.\n\nThis data is essential for **security monitoring** and **incident investigation**.", + "Description": "**Alibaba Cloud RDS PostgreSQL instances** should have the `log_connections` parameter set to `on`. Enabling this parameter logs each attempted connection to the server, including successful client authentication. This log data is essential for identifying, troubleshooting, and repairing configuration errors, detecting unauthorized access attempts, and supporting **security auditing**.", + "Risk": "Without **connection logging** enabled, unauthorized access attempts to the database may go unnoticed, making it difficult to detect **brute-force attacks** or **credential compromise**. 
This gap in visibility impacts the ability to perform **security monitoring**, **incident investigation**, and **forensic analysis**, reducing overall **confidentiality** assurance.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/96751.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-log-connections-for-postgresql.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-log-connections-for-postgresql.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifyParameter --DBInstanceId --Parameters \"{\\\"log_connections\\\":\\\"on\\\"}\"", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the region and target PostgreSQL instance.\n3. In the left-side navigation pane, select **Parameters**.\n4. Find the `log_connections` parameter and set it to `on`.\n5. Click **Apply Changes**.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Select the region and target instance\n3. In the left-side navigation pane, select **Parameters**\n4. Find the `log_connections` parameter and set it to `on`\n5. Click **Apply Changes**", + "Text": "Enable the `log_connections` parameter on all PostgreSQL RDS instances to log connection attempts for security monitoring and troubleshooting.", "Url": "https://hub.prowler.com/check/rds_instance_postgresql_log_connections_enabled" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json index 2255790916..7c358b77df 100644 
--- a/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_disconnections_enabled/rds_instance_postgresql_log_disconnections_enabled.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_postgresql_log_disconnections_enabled", - "CheckTitle": "Server parameter log_disconnections is set to ON for PostgreSQL Database Server", - "CheckType": [ - "Intrusion into applications", - "Unusual logon" - ], + "CheckTitle": "RDS PostgreSQL instance has log_disconnections parameter enabled", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "Enable `log_disconnections` on **PostgreSQL Servers**. Enabling `log_disconnections` helps PostgreSQL Database log session terminations of the server, as well as duration of the session.\n\nLog data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", - "Risk": "Without **disconnection logging**, it's harder to track session durations and identify abnormal disconnection patterns that might indicate **attacks** or **stability issues**.", + "Description": "**Alibaba Cloud RDS PostgreSQL instances** should have the `log_disconnections` parameter set to `on`. Enabling this parameter logs session terminations and the duration of each session. This data is valuable for identifying abnormal disconnection patterns, troubleshooting performance issues, and supporting **security auditing** and **incident investigation**.", + "Risk": "Without **disconnection logging**, it is harder to track session durations and identify abnormal disconnection patterns that might indicate **attacks**, **session hijacking**, or **stability issues**. 
This reduces visibility into database activity, impacting **security monitoring** and the ability to perform effective **forensic analysis**.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/96751.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-log-disconnections-for-postgresql.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-log-disconnections-for-postgresql.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifyParameter --DBInstanceId --Parameters \"{\\\"log_disconnections\\\":\\\"on\\\"}\"", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the region and target PostgreSQL instance.\n3. In the left-side navigation pane, select **Parameters**.\n4. Find the `log_disconnections` parameter and set it to `on`.\n5. Click **Apply Changes**.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Select the region and target instance\n3. In the left-side navigation pane, select **Parameters**\n4. Find the `log_disconnections` parameter and set it to `on`\n5. Click **Apply Changes**", + "Text": "Enable the `log_disconnections` parameter on all PostgreSQL RDS instances to log session terminations for security monitoring and troubleshooting.", "Url": "https://hub.prowler.com/check/rds_instance_postgresql_log_disconnections_enabled" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json index dc5a2d9d3a..a0c04e5228 100644 
--- a/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/rds/rds_instance_postgresql_log_duration_enabled/rds_instance_postgresql_log_duration_enabled.metadata.json 
@@ -1,32 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_postgresql_log_duration_enabled", - "CheckTitle": "Server parameter log_duration is set to ON for PostgreSQL Database Server", - "CheckType": [ - "Intrusion into applications" - ], + "CheckTitle": "RDS PostgreSQL instance has log_duration parameter enabled", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "Enable `log_duration` on **PostgreSQL Servers**. Enabling `log_duration` helps PostgreSQL Database log the duration of each completed SQL statement which in turn generates query and error logs.\n\nQuery and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", - "Risk": "Without **duration logging**, it's difficult to identify **slow queries**, **performance bottlenecks**, and potential **DoS attempts**.\n\nThis information is critical for database performance tuning and security monitoring.", + "Description": "**Alibaba Cloud RDS PostgreSQL instances** should have the `log_duration` parameter set to `on`. Enabling this parameter logs the duration of each completed SQL statement, generating query and error logs that can be used to identify **slow queries**, troubleshoot performance issues, and detect potential **denial-of-service** patterns targeting the database.", + "Risk": "Without **duration logging**, it is difficult to identify **slow queries**, **performance bottlenecks**, and potential **DoS attempts** against the database. 
This lack of visibility impacts the ability to optimize database performance and detect **malicious activity** such as resource exhaustion attacks, reducing overall **availability** assurance.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/96751.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-log-duration-for-postgresql.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-log-duration-for-postgresql.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifyParameter --DBInstanceId --Parameters \"{\\\"log_duration\\\":\\\"on\\\"}\"", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the region and target PostgreSQL instance.\n3. In the left-side navigation pane, select **Parameters**.\n4. Find the `log_duration` parameter and set it to `on`.\n5. Click **Apply Changes**.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Select the region and target instance\n3. In the left-side navigation pane, select **Parameters**\n4. Find the `log_duration` parameter and set it to `on`\n5. Click **Apply Changes**", + "Text": "Enable the `log_duration` parameter on all PostgreSQL RDS instances to log SQL statement durations for performance monitoring and security analysis.", "Url": "https://hub.prowler.com/check/rds_instance_postgresql_log_duration_enabled" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json index 2506245412..76ed06d5b5 100644 --- a/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json 
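Review bot: The CLI remediation on the new side still carries no value after `--DBInstanceId`, so `aliyun rds ModifyParameter --DBInstanceId --Parameters "{\"log_duration\":\"on\"}"` cannot be run as written; a labelled placeholder such as `--DBInstanceId <db-instance-id>` would make it copyable. The same empty-argument pattern remains in the CLI fields of the sql_audit_enabled, sql_audit_retention, ssl_enabled, tde_enabled, tde_key_custom, securitycenter_all_assets_agent_installed (`--InstanceIds ,`) and securitycenter_notification_enabled_high_risk (`--Project --Route`) hunks below. Separately, the rewritten Description says enabling the parameter generates "query and error logs", but `log_duration` only emits the duration of each completed statement, so "generating per-statement duration logs" would be the accurate wording. It may also be worth a sentence in "Other" that this logs every statement and can be high volume on busy instances.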
+++ b/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_enabled/rds_instance_sql_audit_enabled.metadata.json 
@@ -1,32 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_sql_audit_enabled", - "CheckTitle": "Auditing is set to On for applicable database instances", - "CheckType": [ - "Intrusion into applications" - ], + "CheckTitle": "RDS instance has SQL auditing enabled", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "Enable **SQL auditing** on all RDS instances (except SQL Server 2012/2016/2017 and MariaDB TX). Auditing tracks database events and writes them to an audit log.\n\nIt helps to maintain **regulatory compliance**, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.", - "Risk": "Without **SQL auditing**, it's difficult to detect **unauthorized access**, **data breaches**, or **malicious activity** within the database.\n\nIt also hinders **forensic investigations** and compliance reporting.", + "Description": "**Alibaba Cloud RDS instances** should have **SQL auditing** (SQL Explorer) enabled to track database events and write them to an audit log. SQL auditing helps maintain **regulatory compliance**, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. This applies to all RDS engine types except SQL Server 2012/2016/2017 and MariaDB TX.", + "Risk": "Without **SQL auditing**, it is difficult to detect **unauthorized access**, **data breaches**, or **malicious activity** within the database. 
The absence of audit logs hinders **forensic investigations**, compliance reporting, and the ability to identify **data exfiltration** or **privilege escalation** attempts, impacting **confidentiality** and **integrity**.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/96123.html", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-audit-logs.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-audit-logs.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifySQLCollectorPolicy --DBInstanceId --SQLCollectorStatus Enable --StoragePeriod ", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the target RDS instance.\n3. In the left-side navigation pane, select **SQL Explorer**.\n4. Click **Activate Now**.\n5. Specify the SQL log storage duration.\n6. Click **Activate**.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. In the left-side navigation pane, select **SQL Explorer**\n3. Click **Activate Now**\n4. Specify the SQL log storage duration\n5. Click **Activate**", + "Text": "Enable **SQL auditing** (SQL Explorer) on all applicable RDS instances to track database events and maintain audit logs for security monitoring and compliance.", "Url": "https://hub.prowler.com/check/rds_instance_sql_audit_enabled" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json index 17300c26e5..2402bf7146 100644 --- a/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json 
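Review bot: The CLI field ends in `--StoragePeriod ` with no value, so the command fails as written, and the sibling sql_audit_retention hunk uses `--StoragePeriod 180`; using the same value here (`--SQLCollectorStatus Enable --StoragePeriod 180`) keeps the two checks consistent and avoids enabling auditing with a retention the retention check immediately flags. For the same reason step 5 of "Other" ("Specify the SQL log storage duration") could say "at least 6 months (180 days)". The Description's exclusion list (SQL Server 2012/2016/2017 and MariaDB TX) is carried over from the old text; confirm it still matches what the check implementation skips, since the metadata is the only place a user sees it.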
+++ b/prowler/providers/alibabacloud/services/rds/rds_instance_sql_audit_retention/rds_instance_sql_audit_retention.metadata.json 
@@ -1,32 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_sql_audit_retention", - "CheckTitle": "Auditing Retention is greater than the configured period", - "CheckType": [ - "Intrusion into applications" - ], + "CheckTitle": "RDS instance SQL audit retention period meets the configured minimum", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "Database **SQL Audit Retention** should be configured to be greater than or equal to the configured period (default: **6 months / 180 days**).\n\nAudit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.", - "Risk": "**Short retention periods** for audit logs can result in the loss of critical forensic data needed for **incident investigation** and **compliance auditing**.\n\nMany regulations require minimum retention periods for audit data.", + "Description": "**Alibaba Cloud RDS instances** with SQL auditing enabled should have a retention period configured to be greater than or equal to the required minimum (default: **6 months / 180 days**). Audit logs are essential for checking anomalies, understanding database activity, and gaining insight into suspected breaches or misuse of information and access.", + "Risk": "**Short retention periods** for audit logs can result in the loss of critical forensic data needed for **incident investigation**, **compliance auditing**, and **regulatory reporting**. 
Many regulations and security frameworks require minimum retention periods for audit data, and failing to meet them can result in **non-compliance** penalties.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/96123.html", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/configure-log-retention-period.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/configure-log-retention-period.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifySQLCollectorPolicy --DBInstanceId --SQLCollectorStatus Enable --StoragePeriod 180", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the target RDS instance.\n3. In the left-side navigation pane, select **SQL Explorer**.\n4. Click **Service Setting**.\n5. Enable `Activate SQL Explorer` if not already active.\n6. Set the storage duration to `6 months` or longer.\n7. Click **OK** to save changes.", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Select **SQL Explorer**\n3. Click **Service Setting**\n4. Enable `Activate SQL Explorer`\n5. Set the storage duration to `6 months` or longer", + "Text": "Configure the SQL audit retention period to at least **180 days** (6 months) on all RDS instances to ensure adequate audit log availability for compliance and forensic purposes.", "Url": "https://hub.prowler.com/check/rds_instance_sql_audit_retention" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json index c00ac879ec..aa1ff3224f 100644 --- a/prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json 
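Review bot: The new CheckTitle says the retention "meets the configured minimum" while the Recommendation hard-codes "at least **180 days** (6 months)"; if the minimum is configurable, the Recommendation should read "at least the configured minimum (default 180 days)" so users who raise the threshold are not told a lower number. Step 6 of "Other" ("`6 months` or longer") has the same fixed value and could reference the configured minimum the same way. The CLI example with `--StoragePeriod 180` is fine as the default, but a short comment that the value should match the configured period would close the loop.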
+++ b/prowler/providers/alibabacloud/services/rds/rds_instance_ssl_enabled/rds_instance_ssl_enabled.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_ssl_enabled", - "CheckTitle": "RDS instance requires all incoming connections to use SSL", - "CheckType": [ - "Sensitive file tampering", - "Intrusion into applications" - ], + "CheckTitle": "RDS instance has SSL encryption enabled", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "It is recommended to enforce all incoming connections to SQL database instances to use **SSL**.\n\nSQL database connections if successfully intercepted (MITM) can reveal sensitive data like credentials, database queries, and query outputs. For security, it is recommended to always use SSL encryption when connecting to your instance.", - "Risk": "If **SSL is not enabled**, data in transit (including credentials and query results) can be intercepted by attackers performing **Man-in-the-Middle (MITM) attacks**.\n\nThis compromises data confidentiality and integrity.", + "Description": "**Alibaba Cloud RDS instances** should enforce **SSL encryption** for all incoming connections. SSL protects data in transit between the application and the database, preventing interception of sensitive data such as credentials, database queries, and query outputs. This check verifies that SSL encryption is enabled on the RDS instance.", + "Risk": "If **SSL is not enabled**, data in transit including credentials and query results can be intercepted by attackers performing **Man-in-the-Middle (MITM) attacks**. 
This compromises data **confidentiality** and **integrity**, potentially leading to **credential theft**, **data exfiltration**, and unauthorized manipulation of database communications.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/32474.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-encryption-in-transit.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-encryption-in-transit.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifyDBInstanceSSL --DBInstanceId --SSLEnabled 1", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the region and target instance.\n3. In the left-side navigation pane, click **Data Security**.\n4. Click the **SSL Encryption** tab.\n5. Click the switch next to **Disabled** to enable SSL encryption.\n6. Download the SSL CA certificate for client configuration.", "Terraform": "resource \"alicloud_db_instance\" \"example\" {\n engine = \"MySQL\"\n engine_version = \"8.0\"\n instance_type = \"rds.mysql.s1.small\"\n instance_storage = 20\n ssl_action = \"Open\"\n}" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Select the region and target instance\n3. In the left-side navigation pane, click **Data Security**\n4. Click the **SSL Encryption** tab\n5. Click the switch next to **Disabled** in the SSL Encryption parameter to enable it", + "Text": "Enable **SSL encryption** on all RDS instances to protect data in transit and prevent Man-in-the-Middle attacks.", "Url": "https://hub.prowler.com/check/rds_instance_ssl_enabled" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json index da57605bfe..0b033bdbb4 100644 
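Review bot: The rewritten Description opens with "should enforce **SSL encryption** for all incoming connections" but then states the check only verifies that SSL is enabled; enabling SSL on the instance makes encrypted connections available, it does not by itself reject plaintext clients, and the old title was changed precisely to drop the "requires all incoming connections" claim. Suggest aligning the Description with the new CheckTitle, e.g. "should have **SSL encryption** enabled so that clients can connect over an encrypted channel", and stating that client-side enforcement of the CA certificate (step 6 of "Other") is still required. The Terraform sample is MySQL-specific while the check applies to every RDS engine; a one-line note that `ssl_action` applies to other engines as well, or that the snippet is illustrative, would avoid the impression that only MySQL is covered.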
--- a/prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/rds/rds_instance_tde_enabled/rds_instance_tde_enabled.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_tde_enabled", - "CheckTitle": "TDE is set to Enabled on for applicable database instance", - "CheckType": [ - "Sensitive file tampering", - "Intrusion into applications" - ], + "CheckTitle": "RDS instance has Transparent Data Encryption enabled", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "Enable **Transparent Data Encryption (TDE)** on every RDS instance. RDS Database TDE helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and log files at rest.\n\nNo changes to the application are required.", - "Risk": "**Data at rest** that is not encrypted is vulnerable to unauthorized access if the underlying storage media or backups are compromised.\n\nTDE protects against physical theft and unauthorized access to storage systems.", + "Description": "**Alibaba Cloud RDS instances** should have **Transparent Data Encryption (TDE)** enabled. TDE performs real-time encryption and decryption of the database, associated backups, and log files at rest, without requiring changes to the application. This check verifies that TDE is enabled to protect sensitive data stored in the RDS instance from unauthorized physical access.", + "Risk": "**Data at rest** that is not encrypted is vulnerable to unauthorized access if the underlying storage media or backups are compromised, stolen, or improperly decommissioned. 
Without TDE, attackers with physical or administrative access to the storage layer can read sensitive data directly, impacting **confidentiality** and potentially leading to **data breaches**.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/33510.html", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-sql-database-tde.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-sql-database-tde.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifyDBInstanceTDE --DBInstanceId --TDEStatus Enabled", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the target RDS instance.\n3. Go to **Data Security** > **TDE** tab.\n4. Find TDE Status and click the switch next to **Disabled**.\n5. Choose automatically generated key or custom key.\n6. Click **Confirm**.", "Terraform": "resource \"alicloud_db_instance\" \"example\" {\n engine = \"MySQL\"\n engine_version = \"8.0\"\n instance_type = \"rds.mysql.s1.small\"\n instance_storage = 20\n tde_status = \"Enabled\"\n}" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Go to **Data Security** > **TDE** tab\n3. Find TDE Status and click the switch next to **Disabled**\n4. Choose automatically generated key or custom key\n5. Click **Confirm**", + "Text": "Enable **Transparent Data Encryption (TDE)** on all applicable RDS instances to protect data at rest from unauthorized physical access.", "Url": "https://hub.prowler.com/check/rds_instance_tde_enabled" } }, diff --git a/prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json b/prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json index 5b911a5ace..24fe497d8d 100644 
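Review bot: Step 5 of the new "Other" field tells the user to "Choose automatically generated key or custom key", but the sibling rds_instance_tde_key_custom check fails instances that use the automatically generated key; recommending the custom KMS key here, e.g. "5. Choose a custom key from KMS (the service-generated key is flagged by rds_instance_tde_key_custom)", keeps the two remediations from contradicting each other. If enabling TDE on an RDS instance is irreversible, as it is for several other managed database services, the "Other" steps should say so before the user flips the switch; confirm against the linked Alibaba documentation. The Risk text attributes exposure to "administrative access to the storage layer", which TDE does mitigate, but TDE does not protect against a database user with query access; a short clause making that boundary explicit would keep expectations accurate.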
--- a/prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json +++ b/prowler/providers/alibabacloud/services/rds/rds_instance_tde_key_custom/rds_instance_tde_key_custom.metadata.json 
@@ -1,33 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "rds_instance_tde_key_custom", - "CheckTitle": "RDS instance TDE protector is encrypted with BYOK (Use your own key)", - "CheckType": [ - "Sensitive file tampering", - "Intrusion into applications" - ], + "CheckTitle": "RDS instance TDE uses a customer-managed key (BYOK)", + "CheckType": [], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudRDSDBInstance", + "ResourceType": "ALIYUN::RDS::DBInstance", "ResourceGroup": "database", - "Description": "**TDE with BYOK** support provides increased transparency and control, increased security with an HSM-backed KMS service, and promotion of separation of duties.\n\nBased on business needs or criticality of data, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (**BYOK**).", - "Risk": "Using **service-managed keys** means the cloud provider manages the encryption keys. **BYOK (Bring Your Own Key)** gives you full control over the key lifecycle and permissions.\n\nThis ensures that even the cloud provider cannot access your data without your explicit permission.", + "Description": "**Alibaba Cloud RDS instances** with TDE enabled should use a **customer-managed key (BYOK)** rather than a service-managed key. BYOK provides increased transparency and control over the encryption key lifecycle, enhanced security through an HSM-backed **KMS** service, and promotes separation of duties between the data owner and the cloud provider.", + "Risk": "Using **service-managed keys** means the cloud provider manages the encryption keys, limiting the data owner's control over key access and rotation. 
Without **BYOK (Bring Your Own Key)**, the cloud provider retains the ability to access encrypted data, reducing **confidentiality** assurance and making it harder to enforce **separation of duties** and **key lifecycle management** policies.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/96121.html", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-tde-with-cmk.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-RDS/enable-tde-with-cmk.html" ], "Remediation": { "Code": { "CLI": "aliyun rds ModifyDBInstanceTDE --DBInstanceId --TDEStatus Enabled --EncryptionKey ", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **RDS Console**.\n2. Select the target RDS instance.\n3. Go to **Data Security** > **TDE** tab.\n4. Click the switch next to **Disabled** (or modify existing TDE configuration).\n5. In the displayed dialog box, choose **custom key** and select your KMS key.\n6. Click **Confirm**.", "Terraform": "resource \"alicloud_db_instance\" \"example\" {\n engine = \"MySQL\"\n engine_version = \"8.0\"\n instance_type = \"rds.mysql.s1.small\"\n instance_storage = 20\n tde_status = \"Enabled\"\n encryption_key = alicloud_kms_key.example.id\n}" }, "Recommendation": { - "Text": "1. Log on to the **RDS Console**\n2. Go to **Data Security** > **TDE** tab\n3. Click the switch next to **Disabled**\n4. In the displayed dialog box, choose **custom key**\n5. Click **Confirm**", + "Text": "Configure TDE on RDS instances to use a **customer-managed key (BYOK)** from KMS for full control over the encryption key lifecycle and enhanced security.", "Url": "https://hub.prowler.com/check/rds_instance_tde_key_custom" } }, 
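Review bot: The new Risk sentence "the cloud provider retains the ability to access encrypted data" overstates the difference, since with BYOK the key still lives in the provider-operated KMS; the concrete gain is that the customer controls the key policy, rotation, disabling and audit trail, and can revoke the key to render the data unreadable. Suggest rewording to "Without **BYOK**, the data owner cannot control, rotate, audit, or revoke the key protecting the data, reducing **confidentiality** assurance and making it harder to enforce **separation of duties**". The Terraform sample references `alicloud_kms_key.example.id` without defining that resource; either add a minimal `alicloud_kms_key` block or note that the key resource must be declared separately, otherwise the snippet does not apply on its own.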
diff --git a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json index ff90197827..429663bc2a 100644 --- a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json +++ b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_advanced_or_enterprise_edition/securitycenter_advanced_or_enterprise_edition.metadata.json 
@@ -1,37 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "securitycenter_advanced_or_enterprise_edition", - "CheckTitle": "Security Center is Advanced or Enterprise Edition", - "CheckType": [ - "Suspicious process", - "Webshell", - "Unusual logon", - "Sensitive file tampering", - "Malicious software", - "Precision defense" - ], + "CheckTitle": "Security Center is using Advanced or Enterprise Edition", + "CheckType": [], "ServiceName": "securitycenter", "SubServiceName": "", - "ResourceIdTemplate": "acs:sas::account-id:security-center", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSecurityCenter", + "ResourceType": "ALIYUN::SAS::Instance", "ResourceGroup": "security", - "Description": "The **Advanced or Enterprise Edition** enables threat detection for network and endpoints, providing **malware detection**, **webshell detection**, and **anomaly detection** in Security Center.", - "Risk": "Using **Basic or Free Edition** of Security Center may not provide comprehensive protection against cloud threats.\n\n**Advanced or Enterprise Edition** allows for full protection to defend against cloud threats.", + "Description": "**Alibaba Cloud Security Center** should be running the **Advanced** or **Enterprise Edition** to enable comprehensive threat detection capabilities for network and endpoints. These editions provide **malware detection**, **webshell detection**, **anomaly detection**, and **precision defense** features that are not available in the Basic or Free editions.", + "Risk": "Using the **Basic or Free Edition** of Security Center limits threat detection capabilities to basic vulnerability scanning only. 
Without the **Advanced or Enterprise Edition**, critical protections such as **malware detection**, **intrusion prevention**, **webshell detection**, and **anomalous behavior analysis** are unavailable, leaving workloads exposed to sophisticated cloud threats.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/product/28498.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/security-center-plan.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/security-center-plan.html" ], "Remediation": { "Code": { - "CLI": "Logon to Security Center Console > Select Overview > Click Upgrade > Select Advanced or Enterprise Edition > Finish order placement", + "CLI": "", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **Security Center Console**\n2. Select **Overview**\n3. Click **Upgrade**\n4. Select **Advanced** or **Enterprise Edition**\n5. Finish order placement", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **Security Center Console**\n2. Select **Overview**\n3. Click **Upgrade**\n4. Select **Advanced** or **Enterprise Edition**\n5. Finish order placement", + "Text": "Upgrade Security Center to the Advanced or Enterprise Edition to enable comprehensive threat detection including malware detection, webshell detection, and anomaly detection capabilities.", "Url": "https://hub.prowler.com/check/securitycenter_advanced_or_enterprise_edition" } }, diff --git a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json index 97decc7e0a..bd63eed35f 100644 
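Review bot: The new Risk text asserts that the Basic or Free Edition limits detection to "basic vulnerability scanning only", an absolute that is hard to keep accurate as editions change; "provides only a limited subset of detection features" would carry the same risk statement without a claim that can go stale. The "Other" steps in this hunk and the two Security Center hunks that follow have no trailing periods, while every RDS hunk above ends each step with one; pick one style across the provider's metadata. `ALIYUN::SAS::Instance` is reused as the ResourceType for all three Security Center checks; please confirm it is listed in the ROS resource-type page that the docs hunk now points to, since the developer guide makes that list the source of truth.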
--- a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json +++ b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_all_assets_agent_installed/securitycenter_all_assets_agent_installed.metadata.json 
@@ -1,36 +1,30 @@ { "Provider": "alibabacloud", "CheckID": "securitycenter_all_assets_agent_installed", - "CheckTitle": "All assets are installed with security agent", - "CheckType": [ - "Suspicious process", - "Webshell", - "Unusual logon", - "Sensitive file tampering", - "Malicious software" - ], + "CheckTitle": "All assets have the Security Center agent installed", + "CheckType": [], "ServiceName": "securitycenter", "SubServiceName": "", - "ResourceIdTemplate": "acs:sas:region:account-id:machine/{machine-id}", + "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "AlibabaCloudSecurityCenterMachine", + "ResourceType": "ALIYUN::SAS::Instance", "ResourceGroup": "security", - "Description": "The endpoint protection of **Security Center** requires an agent to be installed on the endpoint to work. Such an agent-based approach allows the security center to provide comprehensive endpoint intrusion detection and protection capabilities.\n\nThis includes remote logon detection, **webshell detection** and removal, **anomaly detection** (detection of abnormal process behaviors and network connections), and detection of changes in key files and suspicious accounts.", - "Risk": "Assets without **Security Center agent** installed are not protected by endpoint intrusion detection and protection capabilities, leaving them vulnerable to security threats.\n\nUnprotected assets become blind spots in your security monitoring.", + "Description": "**Alibaba Cloud Security Center** requires an agent to be installed on each endpoint to provide comprehensive endpoint intrusion detection and protection capabilities. 
The agent enables remote logon detection, **webshell detection** and removal, **anomaly detection** of abnormal process behaviors and network connections, and monitoring of changes to key files and suspicious accounts.", + "Risk": "Assets without the **Security Center agent** installed become blind spots in security monitoring, as they are not protected by endpoint intrusion detection capabilities. This leaves them vulnerable to **malware infections**, **unauthorized access**, **webshell attacks**, and **anomalous process execution** without any alerts being generated.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/111650.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/install-security-agent.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/install-security-agent.html" ], "Remediation": { "Code": { "CLI": "aliyun sas InstallUninstallAegis --InstanceIds ,", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Agent**\n4. On the `Client to be installed` tab, select all items on the list\n5. Click **One-click installation** to install the agent on all assets", "Terraform": "" }, "Recommendation": { - "Text": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Agent**\n4. On the `Client to be installed` tab, select all items on the list\n5. Click **One-click installation** to install the agent on all assets", + "Text": "Install the Security Center agent on all assets to enable comprehensive endpoint intrusion detection and protection, including webshell detection, anomaly detection, and remote logon monitoring.", "Url": "https://hub.prowler.com/check/securitycenter_all_assets_agent_installed" } }, 
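Review bot: ResourceType changes from a per-machine type to `ALIYUN::SAS::Instance`, yet the old ResourceIdTemplate (`machine/{machine-id}`) and the CLI (`InstallUninstallAegis --InstanceIds`) show the finding is raised per protected host, not per Security Center instance; if the check still emits one finding per asset, the host type (`ALIYUN::ECS::Instance` in the ROS list) would describe the audited resource more accurately than the service type. Dropping ResourceIdTemplate to `""` also removes the only hint of the resource identifier format; if the new metadata format intentionally retires this field, fine, otherwise keep the template. The CLI `--InstanceIds ,` still needs a placeholder such as `<instance-id-1>,<instance-id-2>`.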
diff --git a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json index 480e46fb8b..c688baaa48 100644 --- a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json +++ b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_notification_enabled_high_risk/securitycenter_notification_enabled_high_risk.metadata.json 
@@ -1,36 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "securitycenter_notification_enabled_high_risk",
- "CheckTitle": "Notification is enabled on all high risk items",
- "CheckType": [
- "Suspicious process",
- "Webshell",
- "Unusual logon",
- "Sensitive file tampering",
- "Malicious software"
- ],
+ "CheckTitle": "Notifications are enabled for all high-risk items in Security Center",
+ "CheckType": [],
 "ServiceName": "securitycenter",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:sas::account-id:notice-config/{project}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudSecurityCenterNoticeConfig",
+ "ResourceType": "ALIYUN::SAS::Instance",
 "ResourceGroup": "security",
- "Description": "Enable all **risk item notifications** in Vulnerability, Baseline Risks, Alerts, and AccessKey Leak event detection categories.\n\nThis ensures that relevant security operators receive notifications as soon as security events occur.",
- "Risk": "Without **notifications enabled** for high-risk items, security operators may not be aware of critical security events in a timely manner, potentially leading to **delayed response** and **increased security exposure**.",
+ "Description": "**Alibaba Cloud Security Center** should have all **risk item notifications** enabled across Vulnerability, Baseline Risks, Alerts, and AccessKey Leak event detection categories. This ensures that relevant security operators receive notifications as soon as critical security events occur, enabling timely incident response.",
+ "Risk": "Without **notifications enabled** for high-risk items in Security Center, security operators may not be aware of critical security events such as **vulnerability discoveries**, **baseline violations**, **intrusion alerts**, and **AccessKey leaks** in a timely manner. This leads to **delayed incident response** and **prolonged security exposure**, increasing the potential impact of threats.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/111648.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/enable-high-risk-item-notifications.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/enable-high-risk-item-notifications.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun sas ModifyNoticeConfig --Project --Route ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Notification**\n4. Enable all high-risk items on Notification setting\n\nRoute values: `1`=text message, `2`=email, `3`=internal message, `4`=text+email, `5`=text+internal, `6`=email+internal, `7`=all methods",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **Security Center Console**\n2. Select **Settings**\n3. Click **Notification**\n4. Enable all high-risk items on Notification setting\n\nRoute values: `1`=text message, `2`=email, `3`=internal message, `4`=text+email, `5`=text+internal, `6`=email+internal, `7`=all methods",
+ "Text": "Enable notifications for all high-risk items in Security Center including vulnerabilities, baseline risks, alerts, and AccessKey leak detection to ensure timely incident response.",
 "Url": "https://hub.prowler.com/check/securitycenter_notification_enabled_high_risk"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json
index c302a79842..6d2033f02f 100644
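Review bot: The CLI remediation `aliyun sas ModifyNoticeConfig --Project --Route ` is kept as context with both option values empty, so a reader copying it has nothing to fill in even though the new `Other` text already documents the route codes. Since the commit is reworking the remediation fields anyway, I would give the options explicit placeholders, e.g. `"CLI": "aliyun sas ModifyNoticeConfig --Project <project> --Route <route-code>"`, and say in `Other` that the route code is chosen from the list there. The same empty-value pattern is in the vulnerability-scan hunk (`--Type --Config on`). Also, `ResourceIdTemplate` is blanked while `ResourceType` becomes `ALIYUN::SAS::Instance`; if downstream consumers derive a resource UID from the template, that is worth confirming before merge.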
--- a/prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/securitycenter/securitycenter_vulnerability_scan_enabled/securitycenter_vulnerability_scan_enabled.metadata.json
@@ -2,32 +2,29 @@
 "Provider": "alibabacloud",
 "CheckID": "securitycenter_vulnerability_scan_enabled",
 "CheckTitle": "Scheduled vulnerability scan is enabled on all servers",
- "CheckType": [
- "Malicious software",
- "Web application threat detection"
- ],
+ "CheckType": [],
 "ServiceName": "securitycenter",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:sas::account-id:vulnerability-scan-config",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AlibabaCloudSecurityCenterVulConfig",
+ "ResourceType": "ALIYUN::SAS::Instance",
 "ResourceGroup": "security",
- "Description": "Ensure that **scheduled vulnerability scan** is enabled on all servers.\n\nBe sure that vulnerability scanning is performed periodically to discover system vulnerabilities in time.",
- "Risk": "Without **scheduled vulnerability scans** enabled, system vulnerabilities may not be discovered in a timely manner, leaving systems exposed to **known security threats** and **exploits**.",
+ "Description": "**Alibaba Cloud Security Center** should have **scheduled vulnerability scanning** enabled on all servers to periodically discover system vulnerabilities. The scan should cover all vulnerability types including `yum`, `cve`, `sys`, `cms`, and `emg` to ensure comprehensive detection of known security weaknesses across the infrastructure.",
+ "Risk": "Without **scheduled vulnerability scans** enabled, system vulnerabilities may remain undetected for extended periods. This leaves servers exposed to **known security exploits**, **privilege escalation attacks**, and **malware infections** that target unpatched software, increasing the overall attack surface and risk of compromise.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/109076.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/enable-scheduled-vulnerability-scan.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SecurityCenter/enable-scheduled-vulnerability-scan.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun sas ModifyVulConfig --Type --Config on",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **Security Center Console**\n2. Select **Vulnerabilities**\n3. Click **Settings**\n4. Apply all types of vulnerabilities (`yum`, `cve`, `sys`, `cms`, `emg`)\n5. Enable **High** (asap) and **Medium** (later) vulnerability scan levels",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "1. Log on to the **Security Center Console**\n2. Select **Vulnerabilities**\n3. Click **Settings**\n4. Apply all types of vulnerabilities (`yum`, `cve`, `sys`, `cms`, `emg`)\n5. Enable **High** (asap) and **Medium** (later) vulnerability scan levels",
+ "Text": "Enable scheduled vulnerability scanning on all servers in Security Center, covering all vulnerability types to ensure timely discovery and remediation of known security weaknesses.",
 "Url": "https://hub.prowler.com/check/securitycenter_vulnerability_scan_enabled"
 }
 },
diff --git a/prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json
index 94baf55bc5..0e64eb6412 100644
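Review bot: The new `Other` steps end with enabling the High and Medium scan levels, but the CLI remediation `aliyun sas ModifyVulConfig --Type --Config on` only switches a single vulnerability type on and has no counterpart for the scan level, so the two remediation paths do not reach the same end state. I would either note in `Other` that the CLI covers only step 4 and must be run once per type (`yum`, `cve`, `sys`, `cms`, `emg`), or add the scan-level command if the API exposes one. The new `Description` also hard-codes that list of types in prose; if Security Center adds a type, the check text and the `Other` steps will drift together, so a phrase such as `all vulnerability types supported by Security Center` may age better.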
--- a/prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/sls/sls_cloud_firewall_changes_alert_enabled/sls_cloud_firewall_changes_alert_enabled.metadata.json
@@ -2,28 +2,25 @@
 "Provider": "alibabacloud",
 "CheckID": "sls_cloud_firewall_changes_alert_enabled",
 "CheckTitle": "Log monitoring and alerts are set up for Cloud Firewall changes",
- "CheckType": [
- "Suspicious network connection",
- "Cloud threat detection"
- ],
+ "CheckType": [],
 "ServiceName": "sls",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudSLSAlert",
+ "ResourceType": "ALIYUN::SLS::Alert",
 "ResourceGroup": "monitoring",
- "Description": "It is recommended that a **metric filter and alarm** be established for **Cloud Firewall** rule changes.",
- "Risk": "Monitoring for **Create** or **Update** firewall rule events gives insight into network access changes and may reduce the time it takes to detect **suspicious activity**.",
+ "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a metric filter and alarm configured for **Cloud Firewall** rule changes. By directing **ActionTrail** logs to SLS and establishing corresponding query and alert rules, real-time monitoring of firewall modifications can be achieved. This ensures that any creation, update, or deletion of Cloud Firewall control policies is promptly detected and reviewed.",
+ "Risk": "Without monitoring for **Cloud Firewall** changes, unauthorized or accidental modifications to firewall rules may go undetected. This could lead to **network exposure**, allowing malicious traffic to reach protected resources or blocking legitimate traffic. Failure to detect firewall rule changes in a timely manner increases the risk of **data breaches**, **lateral movement**, and **service disruption**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/cloudfirewall-control-policy-changes-alert.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/cloudfirewall-control-policy-changes-alert.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aliyun sls create-alert --project --alert-name cloud-firewall-changes --alert-displayname 'Cloud Firewall Changes Alert' --condition 'event.serviceName: CloudFirewall and (event.eventName: CreateControlPolicy or event.eventName: ModifyControlPolicy or event.eventName: DeleteControlPolicy)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for Cloud Firewall changes: `event.serviceName: CloudFirewall and (event.eventName: CreateControlPolicy or event.eventName: ModifyControlPolicy or event.eventName: DeleteControlPolicy)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.",
 "Terraform": ""
 },
 "Recommendation": {
diff --git a/prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json
index 2c564f7bdb..0aacaf5541 100644
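Review bot: The added `CLI` line passes `--project` and `--dashboard` with no value, so the command as written cannot be executed and will either fail on argument parsing or consume the following option as the value. Use explicit placeholders, `--project <project-name>` and `--dashboard <dashboard-name>`, and state in `Other` that the project must be the one receiving ActionTrail logs. I cannot confirm from the page that `aliyun sls create-alert` and the `--condition`/`--dashboard`/`--schedule` flags exist under these names in the aliyun CLI, so the command should be verified against the CLI reference before it ships as remediation guidance. The same empty-value pattern appears in the CMK, console-authentication-failure, MFA, OSS-bucket-policy and OSS-permission hunks, and in the logstore-retention hunk (`--project --logstore`). The `Recommendation` object opened on the last context line continues outside the hunk.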
--- a/prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/sls/sls_customer_created_cmk_changes_alert_enabled/sls_customer_created_cmk_changes_alert_enabled.metadata.json
@@ -1,29 +1,26 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "sls_customer_created_cmk_changes_alert_enabled",
- "CheckTitle": "A log monitoring and alerts are set up for disabling or deletion of customer created CMKs",
- "CheckType": [
- "Sensitive file tampering",
- "Cloud threat detection"
- ],
+ "CheckTitle": "A log monitoring and alert is set up for disabling or deletion of customer created CMKs",
+ "CheckType": [],
 "ServiceName": "sls",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudSLSAlert",
+ "ResourceType": "ALIYUN::SLS::Alert",
 "ResourceGroup": "monitoring",
- "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for customer-created **KMS keys** which have changed state to disabled or deletion.",
- "Risk": "Data encrypted with **disabled or deleted keys** will no longer be accessible.\n\nThis could lead to **data loss** or **business disruption** if keys are inadvertently or maliciously disabled.",
+ "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for customer-created **KMS Customer Master Keys (CMKs)** that have changed state to disabled or scheduled for deletion. Real-time monitoring of API calls can be achieved by directing **ActionTrail** logs to SLS and establishing corresponding alert rules. This ensures that any disabling or deletion of encryption keys is promptly detected, preventing accidental or malicious loss of access to encrypted data.",
+ "Risk": "Without monitoring for **CMK state changes**, data encrypted with **disabled or deleted keys** will become permanently inaccessible. This could lead to **data loss**, **business disruption**, and **compliance violations**. Malicious actors who gain access to the KMS service could silently disable or schedule deletion of critical encryption keys, rendering protected data unrecoverable if not detected in time.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/kms-cmk-config-changes-alert.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/kms-cmk-config-changes-alert.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aliyun sls create-alert --project --alert-name cmk-changes --alert-displayname 'CMK Changes Alert' --condition 'event.serviceName: Kms and (event.eventName: DisableKey or event.eventName: ScheduleKeyDeletion)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for CMK changes: `event.serviceName: Kms and (event.eventName: DisableKey or event.eventName: ScheduleKeyDeletion)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.",
 "Terraform": ""
 },
 "Recommendation": {
diff --git a/prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json
index 6b5b4e5420..828a15bfb7 100644
--- a/prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json
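Review bot: The new `Risk` text says data encrypted with disabled or deleted keys "will become permanently inaccessible", which overstates the disabled case: a disabled key can be re-enabled, and `ScheduleKeyDeletion` (the very event the query filters on) opens a pending-deletion window rather than deleting immediately, which is exactly why timely alerting matters here. I would reword to something like `data encrypted with a disabled key is inaccessible until the key is re-enabled, and once a scheduled deletion completes the data is unrecoverable`, so the risk statement matches the detection logic. The `Recommendation` object opened on the last context line continues outside the hunk.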
+++ b/prowler/providers/alibabacloud/services/sls/sls_logstore_retention_period/sls_logstore_retention_period.metadata.json 
@@ -2,28 +2,26 @@
 "Provider": "alibabacloud",
 "CheckID": "sls_logstore_retention_period",
 "CheckTitle": "Logstore data retention period is set to the recommended period (default 365 days)",
- "CheckType": [
- "Cloud threat detection"
- ],
+ "CheckType": [],
 "ServiceName": "sls",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/logstore/logstore-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudSLSLogStore",
+ "ResourceType": "ALIYUN::SLS::Logstore",
 "ResourceGroup": "monitoring",
- "Description": "Ensure **Activity Log Retention** is set for **365 days** or greater.",
- "Risk": "Logstore lifecycle controls how your activity log is exported and retained. It is recommended to retain your activity log for **365 days or more** to have time to respond to any incidents.\n\nShort retention periods may result in loss of **forensic evidence** needed for security investigations.",
+ "Description": "**Alibaba Cloud Simple Log Service (SLS)** Logstore data retention should be configured for at least **365 days**. The Logstore retention period controls how long activity logs are stored and available for analysis. Ensuring a minimum retention of `365` days provides sufficient time to investigate security incidents, perform forensic analysis, and meet regulatory compliance requirements.",
+ "Risk": "Insufficient log retention periods may result in the **loss of forensic evidence** needed for security investigations and incident response. If logs are deleted before an incident is detected, it becomes impossible to determine the scope, impact, and root cause of security breaches. Short retention periods may also lead to **compliance violations** with regulations that mandate specific log retention durations, affecting the organization's **integrity** and **accountability**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/48990.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/sufficient-logstore-data-retention-period.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/sufficient-logstore-data-retention-period.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aliyun sls update-logstore --project --logstore --ttl 365",
 "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "Other": "1. Log on to the **SLS Console**.\n2. Find the project in the **Projects** section.\n3. Click the **Modify** icon next to the target Logstore.\n4. Set the `Data Retention Period` to `365` days or greater.\n5. Click **Save** to apply the changes.",
+ "Terraform": "resource \"alicloud_log_store\" \"example\" {\n project = alicloud_log_project.example.name\n name = \"example-logstore\"\n retention_period = 365\n}"
 },
 "Recommendation": {
 "Text": "1. Log on to the **SLS Console**\n2. Find the project in the Projects section\n3. Click **Modify** icon next to the Logstore\n4. Modify the `Data Retention Period` to `365` or greater",
diff --git a/prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json
index dac8630a84..a99cff9645 100644
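Review bot: `Recommendation.Text` on the last context line still carries the console step list, while the new `Other` field now holds a slightly different version of the same steps (`Set the Data Retention Period to 365 days or greater` versus `Modify the Data Retention Period to 365 or greater`), so the two will drift. The sibling files in this commit moved the steps into `Other` and replaced `Text` with a one-sentence summary; doing the same here, e.g. `"Text": "Set the Logstore data retention period to 365 days or greater so that activity logs remain available for incident investigation and compliance."`, keeps the metadata consistent. The `Recommendation` object continues outside the hunk.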
--- a/prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/sls/sls_management_console_authentication_failures_alert_enabled/sls_management_console_authentication_failures_alert_enabled.metadata.json
@@ -1,29 +1,26 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "sls_management_console_authentication_failures_alert_enabled",
- "CheckTitle": "A log monitoring and alerts are set up for Management Console authentication failures",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "A log monitoring and alert is set up for Management Console authentication failures",
+ "CheckType": [],
 "ServiceName": "sls",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudSLSAlert",
+ "ResourceType": "ALIYUN::SLS::Alert",
 "ResourceGroup": "monitoring",
- "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for **failed console authentication attempts**.",
- "Risk": "Monitoring **failed console logins** may decrease lead time to detect an attempt to **brute force** a credential, which may provide an indicator (such as source IP) that can be used in other event correlation.",
+ "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for **failed console authentication attempts**. Real-time monitoring of API calls can be achieved by directing **ActionTrail** logs to SLS and establishing corresponding alert rules. This ensures that repeated login failures are detected promptly, enabling early identification of brute-force attacks or credential stuffing attempts against the Management Console.",
+ "Risk": "Without monitoring for **failed console authentication attempts**, brute-force attacks and credential stuffing campaigns may go undetected. Failure to identify these patterns increases the risk of **unauthorized access** to the Management Console. Monitoring failed logins provides critical indicators such as source IP addresses that can be used for **threat correlation** and proactive blocking, reducing the time to detect and respond to **account compromise** attempts.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/account-continuous-login-failures-alert.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/account-continuous-login-failures-alert.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aliyun sls create-alert --project --alert-name console-auth-failures --alert-displayname 'Console Authentication Failures Alert' --condition 'event.eventName: ConsoleSignin and event.errorCode: *' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for failed console authentication: `event.eventName: ConsoleSignin and event.errorCode: *`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.",
 "Terraform": ""
 },
 "Recommendation": {
diff --git a/prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json
index 14cb54b236..f67c4faf3c 100644
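Review bot: The filter `event.eventName: ConsoleSignin and event.errorCode: *` matches every ConsoleSignin record that carries an `errorCode` field at all; whether that is only failed sign-ins depends on how ActionTrail populates the field on success, which the page does not show, so it should be verified against a sample successful and a sample failed `ConsoleSignin` event before the rule is recommended. If successful events also carry the field, the alert fires on every login and will quickly be tuned out. Separately, the last sentence of the new `Risk` text ("Monitoring failed logins provides critical indicators ...") describes the benefit of the control rather than the risk of its absence and reads better in `Description`. The `Recommendation` object opened on the last context line continues outside the hunk.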
--- a/prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/sls/sls_management_console_signin_without_mfa_alert_enabled/sls_management_console_signin_without_mfa_alert_enabled.metadata.json
@@ -1,29 +1,26 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "sls_management_console_signin_without_mfa_alert_enabled",
- "CheckTitle": "A log monitoring and alerts are set up for Management Console sign-in without MFA",
- "CheckType": [
- "Unusual logon",
- "Abnormal account"
- ],
+ "CheckTitle": "A log monitoring and alert is set up for Management Console sign-in without MFA",
+ "CheckType": [],
 "ServiceName": "sls",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudSLSAlert",
+ "ResourceType": "ALIYUN::SLS::Alert",
 "ResourceGroup": "monitoring",
- "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for console logins that are not protected by **multi-factor authentication (MFA)**.",
- "Risk": "Monitoring for **single-factor console logins** will increase visibility into accounts that are not protected by MFA.\n\nThis helps identify potential security gaps in authentication enforcement.",
+ "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for console logins that are not protected by **multi-factor authentication (MFA)**. Real-time monitoring of API calls can be achieved by directing **ActionTrail** logs to SLS and establishing corresponding alert rules. This ensures that any single-factor console sign-in events are detected, helping identify accounts that bypass MFA enforcement policies.",
+ "Risk": "Without monitoring for **single-factor console logins**, accounts that are not protected by MFA may go unnoticed. This increases the risk of **unauthorized access** through compromised credentials, as passwords alone are insufficient to prevent account takeover. Failure to enforce and monitor MFA compliance weakens the overall **authentication posture** and may lead to **privilege escalation** or **data breaches** if an attacker gains access to an unprotected account.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/single-factor-console-logins-alert.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/single-factor-console-logins-alert.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aliyun sls create-alert --project --alert-name console-signin-no-mfa --alert-displayname 'Console Sign-in Without MFA Alert' --condition 'event.eventName: ConsoleSignin and event.additionalEventData.MFAUsed: false' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for sign-in without MFA: `event.eventName: ConsoleSignin and event.additionalEventData.MFAUsed: false`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.",
 "Terraform": ""
 },
 "Recommendation": {
diff --git a/prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json
index 60c37a3b6f..df8c4abfa0 100644
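Review bot: The condition `event.eventName: ConsoleSignin and event.additionalEventData.MFAUsed: false` only matches records in which the field is literally `false`; a sign-in whose event lacks `additionalEventData.MFAUsed` (the page does not show whether every sign-in path populates it) would not trigger, which is precisely the gap this alert is meant to close. Confirm against sample events and, if the field can be absent, prefer an equivalent negative match in SLS query syntax that excludes `MFAUsed: true` rather than matching `false`. The `Recommendation` object opened on the last context line continues outside the hunk.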
--- a/prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/sls/sls_oss_bucket_policy_changes_alert_enabled/sls_oss_bucket_policy_changes_alert_enabled.metadata.json
@@ -1,29 +1,26 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "sls_oss_bucket_policy_changes_alert_enabled",
- "CheckTitle": "A log monitoring and alerts are set up for OSS bucket policy changes",
- "CheckType": [
- "Sensitive file tampering",
- "Cloud threat detection"
- ],
+ "CheckTitle": "A log monitoring and alerts is set up for OSS bucket policy changes",
+ "CheckType": [],
 "ServiceName": "sls",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudSLSAlert",
+ "ResourceType": "ALIYUN::SLS::Alert",
 "ResourceGroup": "monitoring",
- "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for changes to **OSS bucket policies**.",
- "Risk": "Monitoring changes to **OSS bucket policies** may reduce time to detect and correct **permissive policies** on sensitive OSS buckets.\n\nThis helps prevent unintended data exposure.",
+ "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for changes to **OSS bucket policies**. Real-time monitoring of API calls can be achieved by directing **ActionTrail** logs to SLS and establishing corresponding alert rules. This ensures that any modifications to bucket access policies are detected promptly, enabling quick identification of potentially dangerous permission changes on sensitive storage resources.",
+ "Risk": "Without monitoring for **OSS bucket policy changes**, permissive or malicious policy modifications may go undetected. This could lead to **unintended data exposure**, allowing unauthorized users to access, modify, or delete sensitive objects stored in OSS buckets. Delayed detection of policy changes increases the risk of **data breaches**, **data exfiltration**, and **compliance violations**, as attackers could silently widen access to critical storage resources.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/en/doc-detail/91784.htm",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/oss-bucket-authority-changes-alert.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/oss-bucket-authority-changes-alert.html"
 ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aliyun sls create-alert --project --alert-name oss-bucket-policy-changes --alert-displayname 'OSS Bucket Policy Changes Alert' --condition 'event.serviceName: Oss and (event.eventName: PutBucketPolicy or event.eventName: DeleteBucketPolicy)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for OSS bucket policy changes: `event.serviceName: Oss and (event.eventName: PutBucketPolicy or event.eventName: DeleteBucketPolicy)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.",
 "Terraform": ""
 },
 "Recommendation": {
diff --git a/prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json
index 2ca4e36872..b6ec2c6aa1 100644
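Review bot: The new `CheckTitle` reads "A log monitoring and alerts is set up for OSS bucket policy changes", pairing a plural noun with a singular verb; the sibling titles rewritten in this same commit use "A log monitoring and alert is set up ...". Change it to `"CheckTitle": "A log monitoring and alert is set up for OSS bucket policy changes",` so the titles stay uniform across the SLS checks. The `Recommendation` object opened on the last context line continues outside the hunk.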
--- a/prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json
+++ b/prowler/providers/alibabacloud/services/sls/sls_oss_permission_changes_alert_enabled/sls_oss_permission_changes_alert_enabled.metadata.json
@@ -2,28 +2,25 @@ "Provider": "alibabacloud", "CheckID": "sls_oss_permission_changes_alert_enabled", "CheckTitle": "Log monitoring and alerts are set up for OSS permission changes", - "CheckType": [ - "Sensitive file tampering", - "Cloud threat detection" - ], + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "It is recommended that a **metric filter and alarm** be established for **OSS Bucket RAM** changes.", - "Risk": "Monitoring changes to **OSS permissions** may reduce time to detect and correct permissions on sensitive OSS buckets and objects inside the bucket.\n\nThis helps prevent **unauthorized access** to stored data.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a metric filter and alarm configured for **OSS Bucket RAM** permission changes. By directing **ActionTrail** logs to SLS and establishing corresponding alert rules, real-time monitoring of OSS permission modifications can be achieved. This ensures that changes to bucket-level access controls and RAM policies affecting OSS resources are promptly detected and reviewed.", + "Risk": "Without monitoring for **OSS permission changes**, unauthorized modifications to bucket access controls may go undetected. This could allow attackers to grant themselves or others **unauthorized access** to sensitive objects stored in OSS buckets. 
Delayed detection of permission changes increases the risk of **data exfiltration**, **data tampering**, and **compliance violations**, as the confidentiality and integrity of stored data may be compromised.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/en/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/oss-bucket-permission-changes-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/oss-bucket-permission-changes-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name oss-permission-changes --alert-displayname 'OSS Permission Changes Alert' --condition 'event.serviceName: Oss and (event.eventName: PutBucketAcl or event.eventName: PutObjectAcl)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for OSS permission changes: `event.serviceName: Oss and (event.eventName: PutBucketAcl or event.eventName: PutObjectAcl)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { diff --git a/prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json index a30d12cd0b..448cfa58c2 100644 --- a/prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json 
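Review bot: The new Description promises detection of "RAM policies affecting OSS resources", but the `--condition` in the CLI and step 5 of the Other text only match `PutBucketAcl` and `PutObjectAcl`, so bucket-policy and RAM-policy changes are not covered by this alert (bucket policy is handled by the sibling bucket-policy alert above). Either narrow the wording to what the filter actually catches, e.g. `This ensures that changes to bucket- and object-level ACLs are promptly detected and reviewed.`, or widen the filter and say so. Separately, `--project` is followed directly by `--alert-name` with no value; a visible placeholder such as `--project <project-name>` would keep the command from being copied as-is and silently mis-parsed.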
+++ b/prowler/providers/alibabacloud/services/sls/sls_ram_role_changes_alert_enabled/sls_ram_role_changes_alert_enabled.metadata.json 
@@ -2,28 +2,25 @@ "Provider": "alibabacloud", "CheckID": "sls_ram_role_changes_alert_enabled", "CheckTitle": "Log monitoring and alerts are set up for RAM Role changes", - "CheckType": [ - "Abnormal account", - "Cloud threat detection" - ], + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "It is recommended that a query and alarm be established for **RAM Role** creation, deletion, and updating activities.", - "Risk": "Monitoring **role creation**, **deletion**, and **updating** activities will help in identifying potential **malicious actions** at an early stage.\n\nUnauthorized role changes could lead to privilege escalation.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for **RAM Role** creation, deletion, and updating activities. By directing **ActionTrail** logs to SLS and establishing corresponding alert rules, real-time monitoring of role changes can be achieved. This ensures that any modifications to RAM roles are detected promptly, enabling early identification of unauthorized privilege escalation attempts.", + "Risk": "Without monitoring for **RAM role changes**, unauthorized creation, modification, or deletion of roles may go undetected. This could lead to **privilege escalation**, where an attacker creates or modifies roles to gain elevated access to cloud resources. 
Undetected role changes compromise the **integrity** of the identity and access management framework and may result in **unauthorized access** to sensitive data and services across the entire cloud environment.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/ram-policy-changes-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/ram-policy-changes-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name ram-role-changes --alert-displayname 'RAM Role Changes Alert' --condition 'event.serviceName: Ram and (event.eventName: CreateRole or event.eventName: DeleteRole or event.eventName: UpdateRole or event.eventName: AttachPolicyToRole or event.eventName: DetachPolicyFromRole)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for RAM role changes: `event.serviceName: Ram and (event.eventName: CreateRole or event.eventName: DeleteRole or event.eventName: UpdateRole or event.eventName: AttachPolicyToRole or event.eventName: DetachPolicyFromRole)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { 
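Review bot: The second AdditionalURLs entry still points at `ram-policy-changes-alert.html`, whose slug describes RAM policy changes, while this check is about RAM role changes; since the domain is being migrated anyway, this is the moment to confirm whether a role-specific article exists rather than carry the mismatch forward. The event list itself looks adequate (`UpdateRole` should cover trust-policy edits), but the CLI command passes `--project` with no value; `--project <project-name>` would make the required argument explicit, as the remaining flags already carry concrete values.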
diff --git a/prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json index d196b1802d..202a24b167 100644 --- a/prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/sls/sls_rds_instance_configuration_changes_alert_enabled/sls_rds_instance_configuration_changes_alert_enabled.metadata.json 
@@ -2,28 +2,25 @@ "Provider": "alibabacloud", "CheckID": "sls_rds_instance_configuration_changes_alert_enabled", "CheckTitle": "Log monitoring and alerts are set up for RDS instance configuration changes", - "CheckType": [ - "Intrusion into applications", - "Cloud threat detection" - ], + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "It is recommended that a **metric filter and alarm** be established for **RDS Instance** configuration changes.", - "Risk": "Monitoring changes to **RDS Instance configuration** may reduce time to detect and correct **misconfigurations** done on database servers.\n\nThis helps prevent security gaps in database deployments.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a metric filter and alarm configured for **RDS Instance** configuration changes. By directing **ActionTrail** logs to SLS and establishing corresponding alert rules, real-time monitoring of database configuration modifications can be achieved. This ensures that any changes to RDS instance settings, such as security parameters, network configurations, or access controls, are promptly detected and reviewed.", + "Risk": "Without monitoring for **RDS Instance configuration changes**, unauthorized or accidental modifications to database servers may go undetected. This could lead to **security misconfigurations** such as enabling public access, disabling encryption, or weakening authentication settings. 
Delayed detection of configuration changes increases the risk of **data breaches**, **unauthorized database access**, and **service disruption**, potentially compromising the **confidentiality** and **integrity** of stored data.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/en/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/rds-instance-config-changes-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/rds-instance-config-changes-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name rds-config-changes --alert-displayname 'RDS Instance Configuration Changes Alert' --condition 'event.serviceName: Rds and (event.eventName: ModifyDBInstanceSpec or event.eventName: ModifySecurityIps or event.eventName: ModifyDBInstanceNetworkType)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for RDS configuration changes: `event.serviceName: Rds and (event.eventName: ModifyDBInstanceSpec or event.eventName: ModifySecurityIps or event.eventName: ModifyDBInstanceNetworkType)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { 
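Review bot: The Risk text names "enabling public access, disabling encryption, or weakening authentication settings" as what this alert catches, but the `--condition` and step 5 only match `ModifyDBInstanceSpec`, `ModifySecurityIps` and `ModifyDBInstanceNetworkType`, none of which correspond to those operations. If the Risk wording is the intent, the RDS API also exposes `AllocateInstancePublicConnection`, `ModifyDBInstanceSSL`, `ModifyDBInstanceTDE` and `ModifySecurityGroupConfiguration` (confirm the exact `event.eventName` values ActionTrail records before adding them); otherwise tone the Risk sentence down to "instance specification, IP whitelist and network type changes". The `--project` flag also lacks a value placeholder.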
diff --git a/prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json index e6d271b482..ff8de28cd6 100644 --- a/prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/sls/sls_root_account_usage_alert_enabled/sls_root_account_usage_alert_enabled.metadata.json 
@@ -1,29 +1,26 @@ { "Provider": "alibabacloud", "CheckID": "sls_root_account_usage_alert_enabled", - "CheckTitle": "A log monitoring and alerts are set up for usage of root account", - "CheckType": [ - "Unusual logon", - "Cloud threat detection" - ], + "CheckTitle": "A log monitoring and alert is set up for usage of root account", + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for **root account login** attempts.", - "Risk": "Monitoring for **root account logins** will provide visibility into the use of a fully privileged account and an opportunity to reduce its use.\n\nRoot account usage should be minimized and closely monitored.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for **root account login** attempts. Real-time monitoring of API calls can be achieved by directing **ActionTrail** logs to SLS and establishing corresponding alert rules. This ensures that any usage of the fully privileged root account is detected promptly, supporting the principle of least privilege and enabling timely review of root-level operations.", + "Risk": "Without monitoring for **root account usage**, activities performed by the most privileged account may go unnoticed. The root account has unrestricted access to all resources and services, making it a high-value target for attackers. 
Failure to detect unauthorized root account usage increases the risk of **complete account takeover**, **data destruction**, and **irreversible configuration changes** that could compromise the **confidentiality**, **integrity**, and **availability** of all cloud resources.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/en/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/root-account-login-frequent-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/root-account-login-frequent-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name root-account-usage --alert-displayname 'Root Account Usage Alert' --condition 'event.userIdentity.type: root-account' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for root account usage: `event.userIdentity.type: root-account`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { diff --git a/prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json index eca2fd9b53..b80e7da84b 100644 --- a/prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json 
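Review bot: The Description and the referenced Trend Micro article speak of "root account login attempts", but the filter `event.userIdentity.type: root-account` matches every API call made with root credentials, not just sign-ins, so the CheckTitle ("usage") and the query agree while the Description does not. Alerting on all root activity is the stronger control, so I would align the Description rather than narrow the query, e.g. `should have a query and alarm configured for any API activity performed by the root account`. The CLI command gives `--project` with no value; `--project <project-name>` would avoid a broken copy-paste.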
+++ b/prowler/providers/alibabacloud/services/sls/sls_security_group_changes_alert_enabled/sls_security_group_changes_alert_enabled.metadata.json 
@@ -1,29 +1,26 @@ { "Provider": "alibabacloud", "CheckID": "sls_security_group_changes_alert_enabled", - "CheckTitle": "A log monitoring and alerts are set up for security group changes", - "CheckType": [ - "Suspicious network connection", - "Cloud threat detection" - ], + "CheckTitle": "A log monitoring and alert is set up for security group changes", + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\n**Security Groups** are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a query and alarm be established for changes to Security Groups.", - "Risk": "Monitoring changes to **security groups** will help ensure that resources and services are not unintentionally exposed.\n\nUnauthorized security group modifications could lead to **network exposure** and **unauthorized access**.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for changes to **Security Groups**. Real-time monitoring of API calls can be achieved by directing **ActionTrail** logs to SLS and establishing corresponding alert rules. **Security Groups** are stateful packet filters that control ingress and egress traffic within a VPC, and monitoring their changes ensures that network access modifications are promptly detected and reviewed.", + "Risk": "Without monitoring for **security group changes**, unauthorized modifications to network access controls may go undetected. 
This could lead to resources and services being **unintentionally exposed** to the internet or untrusted networks. Unauthorized security group modifications increase the risk of **network exposure**, **unauthorized access**, and **lateral movement** within the cloud environment, potentially compromising the **confidentiality** and **availability** of critical services.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/en/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/security-group-config-changes-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/security-group-config-changes-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name security-group-changes --alert-displayname 'Security Group Changes Alert' --condition 'event.serviceName: Ecs and (event.eventName: AuthorizeSecurityGroup or event.eventName: RevokeSecurityGroup or event.eventName: CreateSecurityGroup or event.eventName: DeleteSecurityGroup)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for security group changes: `event.serviceName: Ecs and (event.eventName: AuthorizeSecurityGroup or event.eventName: RevokeSecurityGroup or event.eventName: CreateSecurityGroup or event.eventName: DeleteSecurityGroup)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { 
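Review bot: The filter in the CLI `--condition` and in step 5 matches only `AuthorizeSecurityGroup`, `RevokeSecurityGroup`, `CreateSecurityGroup` and `DeleteSecurityGroup`, so egress-rule changes and in-place rule edits are invisible to this alert even though the Risk text is about resources being "unintentionally exposed". ECS also exposes `AuthorizeSecurityGroupEgress`, `RevokeSecurityGroupEgress`, `ModifySecurityGroupRule`, `ModifySecurityGroupEgressRule` and `ModifySecurityGroupPolicy`; after confirming the ActionTrail `eventName` values, the condition could become `event.serviceName: Ecs and (event.eventName: AuthorizeSecurityGroup* or event.eventName: RevokeSecurityGroup* or event.eventName: ModifySecurityGroup* or event.eventName: CreateSecurityGroup or event.eventName: DeleteSecurityGroup)` if SLS prefix matching is acceptable, or an explicit enumeration otherwise. The `--project` flag also needs a value placeholder.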
diff --git a/prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json index 5115561aba..fb2d54f3c0 100644 --- a/prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/sls/sls_unauthorized_api_calls_alert_enabled/sls_unauthorized_api_calls_alert_enabled.metadata.json 
@@ -1,29 +1,26 @@ { "Provider": "alibabacloud", "CheckID": "sls_unauthorized_api_calls_alert_enabled", - "CheckTitle": "A log monitoring and alerts are set up for unauthorized API calls", - "CheckType": [ - "Unusual logon", - "Cloud threat detection" - ], + "CheckTitle": "A log monitoring and alert is set up for unauthorized API calls", + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for **unauthorized API calls**.", - "Risk": "Monitoring **unauthorized API calls** will help reveal application errors and may reduce time to detect **malicious activity**.\n\nThis is essential for early detection of potential security breaches.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a query and alarm configured for **unauthorized API calls**. Real-time monitoring of API calls can be achieved by directing **ActionTrail** logs to SLS and establishing corresponding alert rules. This ensures that any API calls resulting in unauthorized errors are detected promptly, helping identify misconfigured applications, compromised credentials, or active reconnaissance by attackers.", + "Risk": "Without monitoring for **unauthorized API calls**, patterns of failed access attempts may go undetected. These patterns often indicate **malicious activity** such as attackers probing for permissions or attempting to exploit misconfigured access controls. 
Failure to detect unauthorized API calls in a timely manner increases the risk of **security breaches**, as it delays identification of compromised credentials and **privilege escalation** attempts across cloud services.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/en/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/unauthorized-api-calls-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/unauthorized-api-calls-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name unauthorized-api-calls --alert-displayname 'Unauthorized API Calls Alert' --condition 'event.errorCode: Forbidden or event.errorCode: AccessDenied' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for unauthorized API calls: `event.errorCode: Forbidden or event.errorCode: AccessDenied`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { diff --git a/prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json index e922cd50c9..fe091fd369 100644 --- a/prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json 
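Review bot: The condition `event.errorCode: Forbidden or event.errorCode: AccessDenied` is an exact-term match, and Alibaba Cloud services return a range of authorization error codes (dotted variants such as `Forbidden.RAM`, and `NoPermission` on some services), so the alert as written is likely to miss a good share of denied calls; confirm which codes ActionTrail records and either enumerate them or use a prefix match such as `event.errorCode: Forbidden*`. With a `FixedRate` 1m schedule and no trigger threshold mentioned in step 6, a single denied call fires the alert, which will be noisy in any account with automation; the Other text should tell the operator to set a count-over-window threshold when configuring severity. `--project` has no value placeholder in the CLI command.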
+++ b/prowler/providers/alibabacloud/services/sls/sls_vpc_changes_alert_enabled/sls_vpc_changes_alert_enabled.metadata.json 
@@ -2,28 +2,25 @@ "Provider": "alibabacloud", "CheckID": "sls_vpc_changes_alert_enabled", "CheckTitle": "Log monitoring and alerts are set up for VPC changes", - "CheckType": [ - "Suspicious network connection", - "Cloud threat detection" - ], + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "It is recommended that a **log search/analysis query and alarm** be established for **VPC changes**.", - "Risk": "Monitoring changes to **VPC** will help ensure VPC traffic flow is not getting impacted.\n\nUnauthorized VPC modifications could disrupt network connectivity or create security vulnerabilities.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a log search/analysis query and alarm configured for **VPC** changes. By directing **ActionTrail** logs to SLS and establishing corresponding alert rules, real-time monitoring of VPC modifications can be achieved. This ensures that any creation, deletion, or modification of VPCs and their associated components is promptly detected and reviewed.", + "Risk": "Without monitoring for **VPC changes**, unauthorized or accidental modifications to virtual network infrastructure may go undetected. This could disrupt **network connectivity**, create **security vulnerabilities**, or expose internal resources to untrusted networks. 
Unauthorized VPC modifications increase the risk of **service disruption**, **data interception**, and **lateral movement** within the cloud environment, potentially compromising the **confidentiality** and **availability** of all connected resources.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/en/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/vpc-config-changes-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/vpc-config-changes-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name vpc-changes --alert-displayname 'VPC Changes Alert' --condition 'event.serviceName: Vpc and (event.eventName: CreateVpc or event.eventName: DeleteVpc or event.eventName: ModifyVpcAttribute)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for VPC changes: `event.serviceName: Vpc and (event.eventName: CreateVpc or event.eventName: DeleteVpc or event.eventName: ModifyVpcAttribute)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { diff --git a/prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json b/prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json index fccd21af53..626ab7becf 100644 
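Review bot: The Description says changes to "VPCs and their associated components" are detected, but the filter covers only `CreateVpc`, `DeleteVpc` and `ModifyVpcAttribute`; VSwitch creation or deletion, which changes the network's segmentation, is not matched. If the broader wording is intended, the VPC API also has `CreateVSwitch`, `DeleteVSwitch` and `ModifyVSwitchAttribute` (confirm ActionTrail's recorded `eventName` values); otherwise change the sentence to "any creation, deletion, or modification of VPC-level attributes". The `--project` flag is passed without a value in the CLI command.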
--- a/prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/sls/sls_vpc_network_route_changes_alert_enabled/sls_vpc_network_route_changes_alert_enabled.metadata.json 
@@ -1,29 +1,26 @@ { "Provider": "alibabacloud", "CheckID": "sls_vpc_network_route_changes_alert_enabled", - "CheckTitle": "Log monitoring and alerts are set up for VPC network route changes", - "CheckType": [ - "Suspicious network connection", - "Cloud threat detection" - ], + "CheckTitle": "A log monitoring and alert is set up for VPC network route changes", + "CheckType": [], "ServiceName": "sls", "SubServiceName": "", - "ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name", + "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "AlibabaCloudSLSAlert", + "ResourceType": "ALIYUN::SLS::Alert", "ResourceGroup": "monitoring", - "Description": "It is recommended that a **metric filter and alarm** be established for **VPC network route** changes.", - "Risk": "Monitoring changes to **route tables** will help ensure that all VPC traffic flows through an expected path.\n\nUnauthorized route changes could redirect traffic through malicious intermediaries.", + "Description": "**Alibaba Cloud Simple Log Service (SLS)** should have a metric filter and alarm configured for **VPC network route** changes. By directing **ActionTrail** logs to SLS and establishing corresponding alert rules, real-time monitoring of route table modifications can be achieved. This ensures that any creation, deletion, or modification of route entries is promptly detected, helping verify that all VPC traffic flows through the expected network paths.", + "Risk": "Without monitoring for **route table changes**, unauthorized modifications to network routes may go undetected. This could allow attackers to redirect traffic through **malicious intermediaries** for interception or manipulation. 
Undetected route changes increase the risk of **man-in-the-middle attacks**, **data exfiltration**, and **service disruption**, as traffic may be silently diverted away from intended destinations, compromising the **confidentiality** and **integrity** of data in transit.", "RelatedUrl": "", "AdditionalURLs": [ "https://www.alibabacloud.com/help/en/doc-detail/91784.htm", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/vpc-network-route-changes-alert.html" + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-SLS/vpc-network-route-changes-alert.html" ], "Remediation": { "Code": { - "CLI": "", + "CLI": "aliyun sls create-alert --project --alert-name vpc-route-changes --alert-displayname 'VPC Network Route Changes Alert' --condition 'event.serviceName: Vpc and (event.eventName: CreateRouteEntry or event.eventName: DeleteRouteEntry or event.eventName: ModifyRouteEntry)' --dashboard --schedule '{\"type\":\"FixedRate\",\"interval\":\"1m\"}'", "NativeIaC": "", - "Other": "", + "Other": "1. Log on to the **SLS Console**.\n2. Ensure **ActionTrail** is enabled and delivering logs to a **Log Service** project.\n3. Navigate to the project receiving ActionTrail logs.\n4. Select **Alerts** and click **Create Alert Rule**.\n5. Configure the query to filter for VPC network route changes: `event.serviceName: Vpc and (event.eventName: CreateRouteEntry or event.eventName: DeleteRouteEntry or event.eventName: ModifyRouteEntry)`.\n6. Set the alert **schedule**, **notification method**, and **severity**.\n7. Save and enable the alert rule.", "Terraform": "" }, "Recommendation": { diff --git a/prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json b/prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json index c150689c06..414bc8b80a 100644 
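Review bot: The condition matches only route-entry events (`CreateRouteEntry`, `DeleteRouteEntry`, `ModifyRouteEntry`); creating a new route table and re-associating a VSwitch to it changes the effective path of every instance in that VSwitch without touching an existing entry, so the "traffic silently diverted" scenario in the Risk text is not fully covered. The VPC API also exposes `CreateRouteTable`, `DeleteRouteTable`, `AssociateRouteTable` and `UnassociateRouteTable`, which are worth adding after confirming the ActionTrail `eventName` spelling. `--project` has no value placeholder in the CLI command.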
--- a/prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json +++ b/prowler/providers/alibabacloud/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.metadata.json 
@@ -1,33 +1,30 @@
 {
 "Provider": "alibabacloud",
 "CheckID": "vpc_flow_logs_enabled",
- "CheckTitle": "VPC flow logging is enabled in all VPCs",
- "CheckType": [
- "Suspicious network connection",
- "Cloud threat detection"
- ],
+ "CheckTitle": "VPC flow logging is enabled for all VPCs",
+ "CheckType": [],
 "ServiceName": "vpc",
 "SubServiceName": "",
- "ResourceIdTemplate": "acs:vpc:region:account-id:vpc/{vpc-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "AlibabaCloudVPC",
+ "ResourceType": "ALIYUN::VPC::FlowLog",
 "ResourceGroup": "network",
- "Description": "You can use the **flow log function** to monitor the IP traffic information for an ENI, a VSwitch, or a VPC.\n\nIf you create a flow log for a VSwitch or a VPC, all the **Elastic Network Interfaces**, including the newly created ones, are monitored. Such flow log data is stored in **Log Service**, where you can view and analyze IP traffic information. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
- "Risk": "**VPC Flow Logs** provide visibility into network traffic that traverses the VPC and can be used to detect **anomalous traffic** or provide insight during security workflows.\n\nWithout flow logs, it is difficult to investigate network-based security incidents.",
+ "Description": "**Alibaba Cloud VPC Flow Logs** capture IP traffic information for Elastic Network Interfaces, VSwitches, or entire VPCs. When a flow log is created for a VPC, all ENIs within it, including newly created ones, are automatically monitored. Flow log data is stored in **Log Service** where it can be viewed and analyzed for security and operational purposes.",
+ "Risk": "Without **VPC Flow Logs** enabled, there is no visibility into network traffic traversing the VPC. This prevents detection of **anomalous traffic patterns**, **unauthorized network connections**, and **data exfiltration attempts**, and severely limits the ability to investigate network-based security incidents.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://www.alibabacloud.com/help/doc-detail/90628.html",
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-VPC/enable-flow-logs.html"
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/alibaba-cloud/AlibabaCloud-VPC/enable-flow-logs.html"
 ],
 "Remediation": {
 "Code": {
 "CLI": "aliyun vpc CreateFlowLog --ResourceId --ResourceType VPC --FlowLogName --LogStoreName --ProjectName ",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Log on to the **VPC Console**\n2. In the left-side navigation pane, click **FlowLog**\n3. Click **Create Flow Log**\n4. Select the target VPC as the resource\n5. Configure the Log Service project and logstore for storing flow log data\n6. Click **OK** to enable flow logging",
 "Terraform": "resource \"alicloud_vpc_flow_log\" \"example\" {\n flow_log_name = \"example-flow-log\"\n resource_type = \"VPC\"\n resource_id = alicloud_vpc.example.id\n traffic_type = \"All\"\n project_name = alicloud_log_project.example.project_name\n log_store_name = alicloud_log_store.example.logstore_name\n}"
 },
 "Recommendation": {
- "Text": "1. Log on to the **VPC Console**\n2. In the left-side navigation pane, click **FlowLog**\n3. Follow the instructions to create FlowLog for each of your VPCs",
+ "Text": "Enable VPC Flow Logs for all VPCs to capture IP traffic information and store it in Log Service for security analysis, anomaly detection, and incident response.",
 "Url": "https://hub.prowler.com/check/vpc_flow_logs_enabled"
 }
 },
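Review bot: The new `ResourceType` value `ALIYUN::VPC::FlowLog` names the remediation object rather than the audited resource: the check title and the removed `ResourceIdTemplate` (`acs:vpc:region:account-id:vpc/{vpc-id}`) both say findings are raised per VPC, and a VPC that fails this check has no flow-log resource to reference. The ROS catalog lists the VPC itself as `ALIYUN::ECS::VPC`, which looks like the better fit for the docs rule that ResourceType is "the type of resource being audited" — `"ResourceType": "ALIYUN::ECS::VPC",`. The same hunk blanks `CheckType` and `ResourceIdTemplate`; if the new metadata format intentionally leaves them empty that is fine, otherwise the threat-detection categories and the per-VPC identifier template were useful machine-readable context that is now lost. The unchanged `CLI` line still has bare `--ResourceId`, `--FlowLogName`, `--LogStoreName` and `--ProjectName` flags with no values, so a copied command is malformed; explicit placeholders such as `<vpc-id>` would make it actionable.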
