From ff6fbcbf48518d979fa65f7b36bf97475fcd9e42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?=
Date: Fri, 19 Dec 2025 10:39:29 +0100
Subject: [PATCH] chore(aws): enhance metadata for `stepfunctions` service (#9432)
Co-authored-by: Daniel Barranquero
---
 prowler/CHANGELOG.md | 3 +++
 ...statemachine_logging_enabled.metadata.json | 27 +++++++++++--------
 2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index ed92f34f84..3b50ffc748 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -7,6 +7,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### Added
 - Add Prowler ThreatScore for the Alibaba Cloud provider [(#9511)](https://github.com/prowler-cloud/prowler/pull/9511)
+### Changed
+- Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)
+
 ---
 ## [5.16.0] (Prowler v5.16.0)
diff --git a/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.metadata.json b/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.metadata.json
index 494750d1c7..1508a287ca 100644
--- a/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.metadata.json
@@ -1,28 +1,33 @@
 {
 "Provider": "aws",
 "CheckID": "stepfunctions_statemachine_logging_enabled",
- "CheckTitle": "Step Functions state machines should have logging enabled",
+ "CheckTitle": "Step Functions state machine has logging enabled",
 "CheckType": [
- "Software and Configuration Checks/AWS Security Best Practices"
+ "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
 ],
 "ServiceName": "stepfunctions",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:states:{region}:{account-id}:stateMachine/{stateMachine-id}",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
 "ResourceType": "AwsStepFunctionStateMachine",
- "Description": "This control checks if AWS Step Functions state machines have logging enabled. The control fails if the state machine doesn't have the loggingConfiguration property defined.",
- "Risk": "Without logging enabled, important operational data may be lost, making it difficult to troubleshoot issues, monitor performance, and ensure compliance with auditing requirements.",
- "RelatedUrl": "https://docs.aws.amazon.com/step-functions/latest/dg/logging.html",
+ "Description": "**AWS Step Functions state machines** are configured to emit **execution logs** to CloudWatch Logs via a defined `loggingConfiguration` with a `level` set above `OFF`.",
+ "Risk": "Without **execution logs**, workflow failures and anomalies are **undetectable**, increasing MTTR and risking silent data loss. 
Missing audit trails weaken **integrity** oversight and complicate **forensics**, enabling misuse of invoked services to go unnoticed and creating **compliance** gaps.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/step-functions/latest/dg/logging.html",
+ "https://docs.aws.amazon.com/securityhub/latest/userguide/stepfunctions-controls.html#stepfunctions-1",
+ "https://support.icompaas.com/support/solutions/articles/62000233757-ensure-step-functions-state-machines-should-have-logging-enabled"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "aws stepfunctions update-state-machine --state-machine-arn --logging-configuration file://logging-config.json",
- "NativeIaC": "",
- "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/stepfunctions-controls.html#stepfunctions-1",
- "Terraform": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine#logging_configuration"
+ "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::StepFunctions::StateMachine\n Properties:\n RoleArn: arn:aws:iam:::role/\n DefinitionString: |\n {\"StartAt\":\"Pass\",\"States\":{\"Pass\":{\"Type\":\"Pass\",\"End\":true}}}\n LoggingConfiguration:\n Destinations:\n - CloudWatchLogsLogGroup:\n LogGroupArn: arn:aws:logs:::log-group::* # Critical: target CloudWatch Logs group\n Level: ERROR # Critical: enables logging (not OFF)\n```",
+ "Other": "1. Open AWS Console > Step Functions > State machines\n2. Select the state machine and click Edit\n3. In Logging, enable logging\n4. Choose an existing CloudWatch Logs log group\n5. Set Level to Error (or All)\n6. 
Save changes",
+ "Terraform": "```hcl\nresource \"aws_sfn_state_machine\" \"\" {\n name = \"\"\n role_arn = \"arn:aws:iam:::role/\"\n definition = jsonencode({ StartAt = \"Pass\", States = { Pass = { Type = \"Pass\", End = true } } })\n\n logging_configuration {\n log_destination = \"arn:aws:logs:::log-group::*\" # Critical: CloudWatch Logs destination\n level = \"ERROR\" # Critical: enables logging\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Configure logging for your Step Functions state machines to ensure that operational data is captured and available for debugging, monitoring, and auditing purposes.",
- "Url": "https://docs.aws.amazon.com/step-functions/latest/dg/logging.html"
+ "Text": "Enable CloudWatch logging on all state machines at an appropriate `level` (e.g., `ERROR` or `ALL`) and send logs to a protected log group. Apply **least privilege** to log write/read, set **retention**, and avoid sensitive data unless required using `includeExecutionData`. Use X-Ray tracing for **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/stepfunctions_statemachine_logging_enabled"
 }
 },
 "Categories": [