fix: incorrect checktypes

This reverts commit 2609f04b69.

prowler/CHANGELOG.md

@@ -19,6 +19,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### Changed
 - Refine kisa isms-p compliance mapping [(#8479)](https://github.com/prowler-cloud/prowler/pull/8479)
+- Update AWS Neptune service metadata to new format [(#8494)](https://github.com/prowler-cloud/prowler/pull/8494)
+- CheckMetadata Pydantic validators [(#8584)](https://github.com/prowler-cloud/prowler/pull/8584)
 - Improve AWS Security Hub region check using multiple threads [(#8365)](https://github.com/prowler-cloud/prowler/pull/8365)
 
 ### Fixed

prowler/lib/check/models.py

@@ -15,6 +15,54 @@ from prowler.lib.check.utils import recover_checks_from_provider
 from prowler.lib.logger import logger
 
 
+def _validate_aws_check_type_in_config(check_type: str) -> bool:
+    """
+    Validate if a CheckType exists in the AWS config using direct lookups.
+    Supports partial paths: namespace, namespace/category, namespace/category/classifier
+
+    Args:
+        check_type: The CheckType string to validate (e.g., "TTPs/Initial Access")
+
+    Returns:
+        bool: True if the CheckType path exists in the config hierarchy
+    """
+    try:
+        import json
+        import os
+
+        if not check_type:
+            return False
+
+        # Get the path to the AWS CheckTypes configuration
+        current_dir = os.path.dirname(os.path.abspath(__file__))
+        check_types_file = os.path.join(
+            current_dir, "..", "..", "providers", "aws", "config", "check_types.json"
+        )
+        check_types_file = os.path.normpath(check_types_file)
+
+        # Load the CheckTypes hierarchy from JSON file
+        if not os.path.exists(check_types_file):
+            return False
+
+        with open(check_types_file, "r") as f:
+            hierarchy = json.load(f)
+
+        # Split the path by '/' to get each level
+        path_parts = check_type.split("/")
+
+        # Navigate through the hierarchy using direct lookups
+        current_level = hierarchy
+        for part in path_parts:
+            if not isinstance(current_level, dict) or part not in current_level:
+                return False
+            current_level = current_level[part]
+
+        return True
+
+    except (KeyError, AttributeError, FileNotFoundError, json.JSONDecodeError):
+        return False
+
+
 class Code(BaseModel):
     """
     Represents the remediation code using IaC like CloudFormation, Terraform or the native CLI.
@@ -94,9 +142,14 @@ class CheckMetadata(BaseModel):
     Validators:
         valid_category(value): Validator function to validate the categories of the check.
         severity_to_lower(severity): Validator function to convert the severity to lowercase.
-        valid_severity(severity): Validator function to validate the severity of the check.
         valid_cli_command(remediation): Validator function to validate the CLI command is not an URL.
         valid_resource_type(resource_type): Validator function to validate the resource type is not empty.
+        validate_service_name(service_name, values): Validator function to validate the service name matches CheckID.
+        valid_check_id(check_id): Validator function to validate the CheckID format.
+        validate_check_title(check_title): Validator function to validate CheckTitle max length (150 chars).
+        validate_check_type(check_type, values): Validator function to validate CheckType - no empty strings for all providers, plus predefined types validation for AWS (loaded from config file).
+        validate_description(description): Validator function to validate Description max length (400 chars).
+        validate_risk(risk): Validator function to validate Risk max length (400 chars).
     """
 
     Provider: str
@@ -178,6 +231,51 @@ class CheckMetadata(BaseModel):
 
         return check_id
 
+    @validator("CheckTitle", pre=True, always=True)
+    def validate_check_title(cls, check_title):
+        if len(check_title) > 150:
+            raise ValueError(
+                f"CheckTitle must not exceed 150 characters, got {len(check_title)} characters"
+            )
+        return check_title
+
+    @validator("CheckType", pre=True, always=True)
+    def validate_check_type(cls, check_type, values):
+        # Check for empty strings in the list - applies to ALL providers
+        for i, check_type_item in enumerate(check_type):
+            if not check_type_item or check_type_item.strip() == "":
+                raise ValueError(
+                    f"CheckType list cannot contain empty strings. Found empty string at index {i}."
+                )
+
+        provider = values.get("Provider", "").lower()
+
+        # For AWS provider, also validate against config hierarchy (like custom checks)
+        if provider == "aws":
+            for check_type_item in check_type:
+                if not _validate_aws_check_type_in_config(check_type_item):
+                    raise ValueError(
+                        f"Invalid CheckType: '{check_type_item}'. Must be a valid path in the AWS CheckType hierarchy. See prowler/providers/aws/config/check_types.json for valid values."
+                    )
+
+        return check_type
+
+    @validator("Description", pre=True, always=True)
+    def validate_description(cls, description):
+        if len(description) > 400:
+            raise ValueError(
+                f"Description must not exceed 400 characters, got {len(description)} characters"
+            )
+        return description
+
+    @validator("Risk", pre=True, always=True)
+    def validate_risk(cls, risk):
+        if len(risk) > 400:
+            raise ValueError(
+                f"Risk must not exceed 400 characters, got {len(risk)} characters"
+            )
+        return risk
+
     @staticmethod
     def get_bulk(provider: str) -> dict[str, "CheckMetadata"]:
         """

prowler/providers/aws/config/check_types.json

@@ -0,0 +1,79 @@
+{
+  "Software and Configuration Checks": {
+    "Vulnerabilities": {
+      "CVE": {}
+    },
+    "AWS Security Best Practices": {
+      "Network Reachability": {},
+      "Runtime Behavior Analysis": {}
+    },
+    "Industry and Regulatory Standards": {
+      "AWS Foundational Security Best Practices": {},
+      "CIS Host Hardening Benchmarks": {},
+      "CIS AWS Foundations Benchmark": {},
+      "PCI-DSS": {},
+      "Cloud Security Alliance Controls": {},
+      "ISO 90001 Controls": {},
+      "ISO 27001 Controls": {},
+      "ISO 27017 Controls": {},
+      "ISO 27018 Controls": {},
+      "SOC 1": {},
+      "SOC 2": {},
+      "HIPAA Controls (USA)": {},
+      "NIST 800-53 Controls (USA)": {},
+      "NIST CSF Controls (USA)": {},
+      "IRAP Controls (Australia)": {},
+      "K-ISMS Controls (Korea)": {},
+      "MTCS Controls (Singapore)": {},
+      "FISC Controls (Japan)": {},
+      "My Number Act Controls (Japan)": {},
+      "ENS Controls (Spain)": {},
+      "Cyber Essentials Plus Controls (UK)": {},
+      "G-Cloud Controls (UK)": {},
+      "C5 Controls (Germany)": {},
+      "IT-Grundschutz Controls (Germany)": {},
+      "GDPR Controls (Europe)": {},
+      "TISAX Controls (Europe)": {}
+    },
+    "Patch Management": {}
+  },
+  "TTPs": {
+    "Initial Access": {},
+    "Execution": {},
+    "Persistence": {},
+    "Privilege Escalation": {},
+    "Defense Evasion": {},
+    "Credential Access": {},
+    "Discovery": {},
+    "Lateral Movement": {},
+    "Collection": {},
+    "Command and Control": {}
+  },
+  "Effects": {
+    "Data Exposure": {},
+    "Data Exfiltration": {},
+    "Data Destruction": {},
+    "Denial of Service": {},
+    "Resource Consumption": {}
+  },
+  "Unusual Behaviors": {
+    "Application": {},
+    "Network Flow": {},
+    "IP address": {},
+    "User": {},
+    "VM": {},
+    "Container": {},
+    "Serverless": {},
+    "Process": {},
+    "Database": {},
+    "Data": {}
+  },
+  "Sensitive Data Identifications": {
+    "PII": {},
+    "Passwords": {},
+    "Legal": {},
+    "Financial": {},
+    "Security": {},
+    "Business": {}
+  }
+}

prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json

@@ -1,29 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_backup_enabled",
-  "CheckTitle": "Check for Neptune Clusters Backup Retention Period.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has automated backups enabled with retention period equal to or greater than the configured minimum",
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have backup enabled.",
-  "Risk": "Ensure that your Amazon Neptune graph database clusters have set a minimum backup retention period of 7 days or greater in order to achieve your organization compliance requirements. The retention period represents the number of days to retain automated snapshots.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5",
+  "Description": "*Neptune DB cluster* automated backup is enabled and retention days are more than the required minimum retention period (default to 7 days).",
+  "Risk": "**Insufficient backup retention** reduces the ability to recover from data corruption, accidental deletion, or ransomware, impacting **availability** and **integrity**.\n\n- Prevents point-in-time recovery to required dates\n- Increases downtime, irreversible data loss, and compliance violations",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5",
+    "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html",
+    "https://support.icompaas.com/support/solutions/articles/62000233327-check-for-neptune-clusters-backup-retention-period",
+    "https://asecure.cloud/a/p_configrule_neptune_cluster_backup_retention_check/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html#"
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --backup-retention-period 7 --apply-immediately",
+      "NativeIaC": "```yaml\nParameters:\n  DBClusterId:\n    Type: String\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: !Ref DBClusterId\n      BackupRetentionPeriod: 7\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier      = var.cluster_id\n  backup_retention_period = 7\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console\n2. Services → Amazon Neptune → Databases\n3. Select the DB cluster and click Modify\n4. In Backup retention period set the value to 7 (or higher)\n5. Choose Apply immediately and click Modify cluster"
     },
     "Recommendation": {
-      "Text": "Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5"
+      "Text": "Ensure automated backups are enabled and retention aligns with your **RPO/RTO** and regulatory requirements (at least `7` days).\n\n- Define backup lifecycle and storage retention policies\n- Regularly test restore procedures and monitor backup health\n- Incorporate backups into Disaster Recovery and retention governance",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_backup_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json

@@ -1,33 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_copy_tags_to_snapshots",
-  "CheckTitle": "Check if Neptune DB clusters are configured to copy tags to snapshots.",
+  "CheckTitle": "Neptune DB cluster is configured to copy tags to snapshots.",
   "CheckType": [
     "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:cluster:db-cluster-identifier",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "This check ensures that Neptune DB clusters are configured to copy all tags to snapshots when the snapshots are created.",
-  "Risk": "If tags are not copied to snapshots, the snapshots may lack necessary metadata for identification, governance, and access control, leading to potential mismanagement and security risks.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview",
+  "Description": "*Neptune DB cluster* is configured to copy all tags to snapshots when snapshots are created.",
+  "Risk": "**Missing snapshot tags** weakens governance across confidentiality, integrity, and availability.\n\n- **Access control**: tag-based IAM conditions may not apply to snapshots, enabling unauthorized restore or copy\n- **Operational**: recovery, retention, and cost tracking can fail due to unidentifiable or orphaned snapshots",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview",
+    "https://www.cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_copy_tags_to_snapshot_enabled",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-8",
+    "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <db-cluster-identifier> --copy-tags-to-snapshot --apply-immediately",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-8",
-      "Terraform": ""
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --copy-tags-to-snapshot --apply-immediately",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::RDS::DBCluster\n    Properties:\n      DBClusterIdentifier: <DB_CLUSTER_ID>\n      Engine: neptune\n      CopyTagsToSnapshot: true\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier     = \"<DB_CLUSTER_ID>\"\n  copy_tags_to_snapshot  = true\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Click Clusters and select the cluster\n3. Click Modify\n4. In Backup, enable \"Copy tags to snapshots\"\n5. Check \"Apply immediately\"\n6. Click Modify Cluster"
     },
     "Recommendation": {
-      "Text": "Configure your Neptune DB clusters to copy tags to snapshots when the snapshots are created.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview"
+      "Text": "Preserve metadata by enabling tag inheritance for snapshots and enforcing a consistent tagging strategy.\n\n- Adopt a standardized tag taxonomy\n- Use tag-based access controls and apply least privilege\n- Automate tagging and policy checks in provisioning to prevent untagged snapshots",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_copy_tags_to_snapshots"
     }
   },
-  "Categories": [
-    "trustboundaries"
-  ],
+  "Categories": [],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_deletion_protection",
-  "CheckTitle": "Check if Neptune Clusters storage has deletion protection enabled.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has deletion protection enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Destruction"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters storage has deletion protection enabled.",
-  "Risk": "Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. A Neptune DB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4",
+  "ResourceType": "Other",
+  "Description": "*Neptune DB cluster* has **deletion protection** enabled.",
+  "Risk": "Absence of **deletion protection** weakens *availability* and *integrity*: clusters can be removed by accidental admin actions, rogue automation, or compromised credentials.\n\nCluster deletion causes immediate service outage, potential permanent data loss, and extended recovery time if backups or restores are insufficient.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_IDENTIFIER> --deletion-protection --apply-immediately",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: <CLUSTER_ID>\n      DeletionProtection: true\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier  = \"<CLUSTER_ID>\"\n  deletion_protection = true\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In the navigation pane, choose Databases\n3. Select the DB cluster and choose Modify\n4. Enable Deletion protection\n5. Choose Apply immediately (if shown) and then Modify DB cluster"
     },
     "Recommendation": {
-      "Text": "Enable deletion protection for production Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4"
+      "Text": "Enable **deletion protection** for production *Neptune* clusters and apply the principles of **least privilege** and *separation of duties* for delete operations.\n\nEnforce change-control approvals, restrict delete permissions to audited roles, and limit automated workflows that can perform destructive actions to prevent accidental or malicious deletions.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_deletion_protection"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json

@@ -1,29 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_iam_authentication_enabled",
-  "CheckTitle": "Check if Neptune Clusters have IAM authentication enabled.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has IAM authentication enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Credential Access"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have IAM authentication enabled.",
-  "Risk": "Ensure that IAM Database Authentication feature is enabled for your Amazon Neptune database clusters in order to make use of AWS Identity and Access Management (IAM) service to manage database access.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7",
+  "Description": "*Neptune DB clusters* are evaluated for **IAM database authentication**. \n\nIf this setting is enabled, the cluster supports IAM-based authentication.\nIf disabled, the cluster requires traditional database credentials instead.",
+  "Risk": "**Disabled IAM database authentication** weakens confidentiality and integrity of the database.\n\n- Static or embedded DB credentials can be stolen or reused, enabling unauthorized queries and data exfiltration\n- Attackers may bypass centralized access controls, escalate privileges, and move laterally without IAM-based audit trails",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7",
+    "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-iam-database-authentication.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#",
+    "https://hub.steampipe.io/plugins/turbot/terraform/queries/neptune/neptune_cluster_iam_authentication_enabled"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --enable-iam-database-authentication",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#"
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_ID> --enable-iam-database-authentication --apply-immediately",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: <DB_CLUSTER_ID>\n      IamAuthEnabled: true\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier                  = \"<DB_CLUSTER_ID>\"\n  iam_database_authentication_enabled = true\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune > Databases\n2. Select the DB cluster and choose **Actions** > **Modify**\n3. In **Authentication**, enable **IAM DB authentication** and check **Apply immediately**\n4. Click **Continue** then **Modify DB cluster**"
     },
     "Recommendation": {
-      "Text": "Enable IAM authentication for Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7"
+      "Text": "Adopt **IAM database authentication** and centralized identity management to remove static DB credentials and improve auditability.\n\n- Enforce **least privilege** for database roles\n- Use short-lived credentials, centralized rotation and logging\n- Apply defense-in-depth and integrate DB access with IAM for accountability",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_iam_authentication_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json

@@ -1,32 +1,40 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_integration_cloudwatch_logs",
-  "CheckTitle": "Check if Neptune Clusters have audit cloudwatch logs enabled.",
+  "CheckTitle": "Neptune cluster has CloudWatch audit logs enabled",
   "CheckType": [
-    "Software and Configuration Checks, AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have audit cloudwatch logs enabled.",
-  "Risk": "If audit logs are not enabled, it is difficult to determine the root cause of security incidents.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html",
+  "ResourceType": "Other",
+  "Description": "*Neptune DB cluster* is inspected for CloudWatch export of **audit** events. The finding indicates whether the cluster publishes `audit` logs to CloudWatch; a *FAIL* means the `audit` export is not enabled and audit records are not being forwarded to CloudWatch for centralized logging and review.",
+  "Risk": "Missing **audit logs** reduces **detectability** and **accountability**: \n\n- investigators cannot reconstruct queries, client origins, or timeline\n- unauthorized queries, data exfiltration, or privilege misuse may go undetected\n\nThis degrades confidentiality and integrity and slows incident response.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html",
+    "https://cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_cloudwatch_log_export_enabled_remediation",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-2"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <value> --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\"]}'",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-2",
-      "Terraform": ""
+      "CLI": "aws neptune modify-db-cluster --db-cluster-identifier <DB_CLUSTER_IDENTIFIER> --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\"]}'",
+      "NativeIaC": "```yaml\nResources:\n  NeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: \"<DB_CLUSTER_IDENTIFIER>\"\n      EnableCloudwatchLogsExports:\n        - audit\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier               = \"<db_cluster_identifier>\"\n  enabled_cloudwatch_logs_exports = [\"audit\"]\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Go to Databases and select the Neptune DB cluster\n3. Actions > Modify\n4. In Log exports, check \"Audit\"\n5. Continue > Modify DB Cluster"
     },
     "Recommendation": {
-      "Text": "Enable audit logs for Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html"
+      "Text": "Enable and centralize **audit logging** for *Neptune* by exporting `audit` events to *CloudWatch Logs* and integrating with monitoring or SIEM.\n\n- enforce **least privilege** on log access\n- configure retention, encryption, and alerting for anomalous queries\n\nThis supports proactive detection and forensic readiness.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_integration_cloudwatch_logs"
     }
   },
   "Categories": [
-    "logging"
+    "logging",
+    "forensics-ready"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json

@@ -1,30 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_multi_az",
-  "CheckTitle": "Check if Neptune Clusters have multi-AZ enabled.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster has Multi-AZ enabled",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Denial of Service"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters have multi-AZ enabled.",
-  "Risk": "Ensure that your Amazon Neptune graph database clusters are using Multi-AZ deployment configurations to enhance High Availability (HA) through automatic failover to read replicas in the event of a failure such as an Availability Zone (AZ) outage, an internal hardware or network outage, a software failure or in case of planned system maintenance.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9",
+  "Description": "*Amazon Neptune DB clusters* are evaluated for `Multi-AZ` deployment by checking whether the cluster has read-replica instances distributed across multiple Availability Zones.\n\nA failing result indicates the cluster is deployed in a single AZ and lacks read-replicas that enable automatic promotion and cross‑AZ failover.",
+  "Risk": "**Single-AZ deployment** creates a clear availability single point of failure.\n\n- **Availability**: AZ outage or maintenance can cause prolonged downtime until the primary is rebuilt.\n- **Integrity/Recovery**: Manual recovery increases risk of configuration errors and longer RTOs, impacting operations and compliance.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#",
-      "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#"
+      "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \"<DB_CLUSTER_IDENTIFIER>\"\n # Important: Specify multiple Availability Zones\n AvailabilityZones:\n - \"<AZ_1>\"\n - \"<AZ_2>\"\n - \"<AZ_3>\"\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example\" {\n cluster_identifier = \"<db_cluster_identifier>\"\n availability_zones = [\"<AZ_1>\", \"<AZ_2>\", \"<AZ_3>\"]\n}\n```",
+      "Other": ""
     },
     "Recommendation": {
-      "Text": "Enable multi-AZ deployment for production Neptune Clusters.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9"
+      "Text": "Adopt a **high availability** deployment model for production *Neptune* clusters by placing read‑replicas in separate Availability Zones to avoid single points of failure.\n\nRegularly test automated failover and combine HA with robust backup and recovery practices as part of a defense‑in‑depth strategy.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_multi_az"
     }
   },
   "Categories": [
-    "redundancy"
+    "resilience"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json

@@ -1,26 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_public_snapshot",
-  "CheckTitle": "Check if NeptuneDB manual cluster snapshot is public.",
-  "CheckType": [],
+  "CheckTitle": "NeptuneDB cluster snapshot is not publicly shared",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Effects/Data Exposure",
+    "TTPs/Initial Access/Unauthorized Access"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "AwsRdsDbClusterSnapshot",
-  "Description": "Check if NeptuneDB manual cluster snapshot is public.",
-  "Risk": "If you share an unencrypted manual snapshot as public, the snapshot is available to all AWS accounts. Public snapshots may result in unintended data exposure.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/security-considerations.html",
+  "Description": "*Neptune DB manual cluster snapshot* is evaluated to determine if its restore attributes allow access to *all AWS accounts* (public).\n\nA **FAIL** means the snapshot is publicly shared and can be copied or restored by any AWS account; **PASS** means it is not shared publicly.",
+  "Risk": "**Public snapshots** compromise confidentiality of stored data and metadata.\n\nAttackers or third parties can:\n- Copy or restore snapshots to external accounts.\n- Access sensitive data contained in the snapshot.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-3",
+    "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-snapshot-public-prohibited.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all",
       "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-3",
-      "Terraform": ""
+      "Terraform": "",
+      "Other": "1. Sign in to the AWS Management Console and open the Amazon RDS console\n2. In the left navigation, choose Snapshots > DB cluster snapshots\n3. Select the snapshot, choose Actions > Manage snapshot permissions\n4. In the permissions dialog remove the Public/all-accounts permission and click Save"
     },
     "Recommendation": {
-      "Text": "To remove public access from a manual snapshot, follow the AWS documentation on NeptuneDB snapshots.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/security-considerations.html"
+      "Text": "Avoid public sharing and apply **least privilege** when granting snapshot access: share only with specific AWS accounts or roles.\n\nUse **encryption**, enforce automated policies and regular audits, and apply **separation of duties** and tagging to control and track snapshot access.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_public_snapshot"
     }
   },
   "Categories": [

prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json

@@ -1,28 +1,34 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_snapshot_encrypted",
-  "CheckTitle": "Check if Neptune DB cluster snapshots are encrypted at rest.",
+  "CheckTitle": "Neptune DB cluster snapshot is encrypted at rest",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Encryption at Rest",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:cluster-snapshot:db-cluster-snapshot-identifier",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbClusterSnapshot",
-  "Description": "This check ensures that Neptune DB cluster snapshots are encrypted at rest to protect sensitive data from unauthorized access.",
-  "Risk": "If Neptune DB cluster snapshots are not encrypted, sensitive data might be exposed in case of unauthorized access, leading to potential data breaches and non-compliance with data protection regulations.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-create-snapshot.html",
+  "Description": "*Neptune DB cluster snapshot* is encryoted at rest. The evaluation looks at whether each snapshot's encrypted attribute is enabled, confirming that the data is protected while stored.",
+  "Risk": "**Unencrypted Neptune snapshots** undermine data confidentiality. If accessed or shared due to compromised credentials or misconfiguration, attackers can restore or download snapshot contents, enabling **data exfiltration**, and exposure of sensitive records. This weakens overall data protection posture.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-6",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-share-snapshot.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws rds copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier <source-snapshot> --target-db-cluster-snapshot-identifier <encrypted-snapshot> --kms-key-id <kms-key-id>",
       "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-6",
-      "Terraform": ""
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"restored\" {\n  cluster_identifier  = \"restored-cluster\"\n  snapshot_identifier = \"<source-snapshot>\"\n  storage_encrypted   = true\n}\n```",
+      "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In the left pane choose **Snapshots**\n3. Select the unencrypted snapshot and click **Actions** > **Restore snapshot**\n4. In the Restore page enable **Encryption** and select a KMS key\n5. Click **Restore DB cluster**\n6. After the cluster is restored, create a new snapshot of the restored (encrypted) cluster"
     },
     "Recommendation": {
-      "Text": "Ensure that all Neptune DB cluster snapshots are encrypted at rest by enabling encryption on the cluster before creating snapshots or by copying unencrypted snapshots to encrypted ones.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-create-snapshot.html"
+      "Text": "Protect snapshot data by enforcing **encryption at rest** and strong key governance.\n\n- Use **customer-managed keys** with controlled lifecycle and rotation\n- Apply **least privilege** to snapshot access and sharing\n- Prevent creation of unencrypted snapshots via organizational configuration and policy controls",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_snapshot_encrypted"
     }
   },
   "Categories": [

prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_storage_encrypted",
-  "CheckTitle": "Check if Neptune Clusters storage is encrypted at rest.",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster storage is encrypted at rest",
+  "CheckType": [
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Sensitive Data Identifications/Security"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "AwsRdsDbCluster",
-  "Description": "Check if Neptune Clusters storage is encrypted at rest.",
-  "Risk": "Ensure that the data available on your Amazon Neptune database instances is encrypted in order to meet regulatory requirements and prevent unauthorized users from accessing sensitive information. Encryption provides an additional layer of protection by securing your Neptune databases from unauthorized access to the underlying storage. Neptune is a fast, scalable, highly secure and fully-managed graph database service that makes it easy to build and run applications that work with deeply connected datasets.",
-  "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-1",
+  "ResourceType": "Other",
+  "Description": "*Neptune DB cluster* is evaluated for **encryption at rest**. Indicating the cluster's underlying storage is not encrypted.",
+  "Risk": "**Unencrypted Neptune storage** reduces confidentiality of stored data and metadata and increases attack surface.\n\nPossible impacts:\n- Unauthorized access or data exfiltration from underlying volumes or snapshots\n- Greater blast radius from leaked or shared snapshots",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-1",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_18#cloudformation",
-      "Other": "https://docs.prowler.com/checks/aws/general-policies/general_18/",
-      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_18#terraform"
+      "NativeIaC": "```yaml\nResources:\n  EncryptedNeptuneCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBClusterIdentifier: !Sub ${DBClusterIdentifier}\n      StorageEncrypted: true\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n  cluster_identifier = \"<cluster-id>\"\n  storage_encrypted  = true\n}\n```",
+      "Other": ""
     },
     "Recommendation": {
-      "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
-      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-1"
+      "Text": "Provision all new *Neptune DB clusters* with **encryption at rest** and prefer **Customer‑Managed Keys (CMK)** for key ownership and auditability.\n\nEnforce **least privilege** on KMS keys, implement key lifecycle practices (rotation, revocation) and ensure backups/snapshots remain encrypted to prevent exposure.",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_storage_encrypted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json

@@ -1,30 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "neptune_cluster_uses_public_subnet",
-  "CheckTitle": "Ensure Neptune Cluster is not using a public subnet",
-  "CheckType": [],
+  "CheckTitle": "Neptune cluster is not using public subnets",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "TTPs/Initial Access/Unauthorized Access"
+  ],
   "ServiceName": "neptune",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:rds:<region>:<account>:cluster:<resource_name>",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsRdsDbCluster",
-  "Description": "Ensure Neptune Cluster is not using a public subnet",
-  "Risk": "There is a risk of exposing sensitive data if Neptune Cluster uses a public subnet.",
-  "RelatedUrl": "https://docs.aws.amazon.com/neptune/latest/userguide/get-started-vpc.html",
+  "Description": "*Neptune cluster* is associated with one or more **public subnets**.",
+  "Risk": "A *Neptune cluster* in a **public subnet** increases exposure across the CIA triad:\n\n- **Confidentiality**: direct access enables credential attacks and data exfiltration\n- **Integrity**: attackers may modify or inject graph data\n- **Availability**: public reachability allows DDoS or remote exploitation, causing downtime",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/neptune/latest/userguide/get-started-vpc.html",
+    "https://docs.aws.amazon.com/neptune/latest/userguide/feature-overview-endpoints.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "NativeIaC": "```yaml\nResources:\n  NeptuneSubnetGroup:\n    Type: AWS::Neptune::DBSubnetGroup\n    Properties:\n      DBSubnetGroupDescription: \"Private subnets for Neptune\"\n      SubnetIds:\n        - <PRIVATE_SUBNET_ID_1>\n        - <PRIVATE_SUBNET_ID_2>\n\n  NeptuneDBCluster:\n    Type: AWS::Neptune::DBCluster\n    Properties:\n      DBSubnetGroupName: !Ref NeptuneSubnetGroup\n```",
+      "Terraform": "```hcl\nresource \"aws_neptune_subnet_group\" \"neptune\" {\n  name       = \"neptune-private-subnets\"\n  subnet_ids = [\"<PRIVATE_SUBNET_ID_1>\", \"<PRIVATE_SUBNET_ID_2>\"]\n}\n\nresource \"aws_neptune_cluster\" \"example_cluster\" {\n  neptune_subnet_group_name = aws_neptune_subnet_group.neptune.name\n}\n```",
+      "Other": "1. Open the AWS Console and go to Amazon Neptune > Subnet groups\n2. Click Create DB Subnet Group\n3. Enter a name and description, select the VPC, and add only private subnet IDs (at least two)\n4. Click Create\n5. Go to Amazon Neptune > DB clusters > Select the cluster > Actions > Modify\n6. Set DB subnet group to the newly created subnet group and save (Apply immediately if required)\n7. Verify the cluster subnet group now lists only private subnets"
     },
     "Recommendation": {
-      "Text": "To ensure your Neptune cluster is not using a public subnet, follow the recommended remediation steps based on your preferred method.",
-      "Url": "https://docs.aws.amazon.com/neptune/latest/userguide/get-started-vpc.html"
+      "Text": "Place *Neptune clusters* in **private subnets** and remove public routability to reduce attack surface.\n\n- Apply **least privilege** and network segmentation\n- Restrict inbound access with scoped network controls and minimal trusted paths\n- Enforce logging, monitoring, and private connectivity for administrative and application access",
+      "Url": "https://hub.prowler.com/check/neptune_cluster_uses_public_subnet"
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],

tests/lib/check/check_loader_test.py

@@ -1,4 +1,4 @@
-from mock import patch
+from unittest.mock import patch
 
 from prowler.lib.check.checks_loader import (
     load_checks_to_execute,
@@ -30,7 +30,9 @@ class TestCheckLoader:
             Provider="aws",
             CheckID=S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME,
             CheckTitle="Check S3 Bucket Level Public Access Block.",
-            CheckType=["Data Protection"],
+            CheckType=[
+                "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+            ],
             CheckAliases=[S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME_CUSTOM_ALIAS],
             ServiceName=S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME_SERVICE,
             SubServiceName="",
@@ -64,7 +66,9 @@ class TestCheckLoader:
             Provider="aws",
             CheckID=IAM_USER_NO_MFA_NAME,
             CheckTitle="Check IAM User No MFA.",
-            CheckType=["Data Protection"],
+            CheckType=[
+                "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+            ],
             CheckAliases=[IAM_USER_NO_MFA_NAME_CUSTOM_ALIAS],
             ServiceName=IAM_USER_NO_MFA_NAME_SERVICE,
             SubServiceName="",
@@ -98,7 +102,7 @@ class TestCheckLoader:
             Provider="aws",
             CheckID=CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME,
             CheckTitle="Ensure there are no potential enumeration threats in CloudTrail",
-            CheckType=[],
+            CheckType=["TTPs/Discovery"],
             ServiceName="cloudtrail",
             SubServiceName="",
             ResourceIdTemplate="arn:partition:service:region:account-id:resource-id",
@@ -122,55 +126,55 @@ class TestCheckLoader:
         )
 
     def test_load_checks_to_execute(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
 
         assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             provider=self.provider,
         )
 
     def test_load_checks_to_execute_with_check_list(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         check_list = [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME]
 
         assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             check_list=check_list,
             provider=self.provider,
         )
 
     def test_load_checks_to_execute_with_severities(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         severities = [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_SEVERITY]
 
         assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             severities=severities,
             provider=self.provider,
         )
 
     def test_load_checks_to_execute_with_severities_and_services(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         service_list = [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME_SERVICE]
         severities = [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_SEVERITY]
 
         assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             service_list=service_list,
             severities=severities,
             provider=self.provider,
         )
 
     def test_load_checks_to_execute_with_severities_and_services_multiple(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata(),
             IAM_USER_NO_MFA_NAME: self.get_custom_check_iam_metadata(),
         }
@@ -181,7 +185,7 @@ class TestCheckLoader:
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME,
             IAM_USER_NO_MFA_NAME,
         } == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             service_list=service_list,
             severities=severities,
             provider=self.provider,
@@ -190,14 +194,14 @@ class TestCheckLoader:
     def test_load_checks_to_execute_with_severities_and_services_not_within_severity(
         self,
     ):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         service_list = ["ec2"]
         severities = [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_SEVERITY]
 
         assert set() == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             service_list=service_list,
             severities=severities,
             provider=self.provider,
@@ -206,7 +210,7 @@ class TestCheckLoader:
     def test_load_checks_to_execute_with_checks_file(
         self,
     ):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         checks_file = "path/to/test_file"
@@ -215,7 +219,7 @@ class TestCheckLoader:
             return_value={S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME},
         ):
             assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-                bulk_checks_metadata=bulk_checks_metatada,
+                bulk_checks_metadata=bulk_checks_metadata,
                 checks_file=checks_file,
                 provider=self.provider,
             )
@@ -223,13 +227,13 @@ class TestCheckLoader:
     def test_load_checks_to_execute_with_service_list(
         self,
     ):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         service_list = [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME_SERVICE]
 
         assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             service_list=service_list,
             provider=self.provider,
         )
@@ -237,7 +241,7 @@ class TestCheckLoader:
     def test_load_checks_to_execute_with_compliance_frameworks(
         self,
     ):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         bulk_compliance_frameworks = {
@@ -259,7 +263,7 @@ class TestCheckLoader:
         compliance_frameworks = ["soc2_aws"]
 
         assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             bulk_compliance_frameworks=bulk_compliance_frameworks,
             compliance_frameworks=compliance_frameworks,
             provider=self.provider,
@@ -268,24 +272,24 @@ class TestCheckLoader:
     def test_load_checks_to_execute_with_categories(
         self,
     ):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         categories = {"internet-exposed"}
 
         assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             categories=categories,
             provider=self.provider,
         )
 
     def test_load_checks_to_execute_no_bulk_checks_metadata(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         with patch(
             "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
-            return_value=bulk_checks_metatada,
+            return_value=bulk_checks_metadata,
         ):
             assert {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME} == load_checks_to_execute(
                 provider=self.provider,
@@ -311,13 +315,13 @@ class TestCheckLoader:
 
         compliance_frameworks = ["soc2_aws"]
 
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
         }
         with (
             patch(
                 "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
-                return_value=bulk_checks_metatada,
+                return_value=bulk_checks_metadata,
             ),
             patch(
                 "prowler.lib.check.checks_loader.Compliance.get_bulk",
@@ -344,38 +348,38 @@ class TestCheckLoader:
         )
 
     def test_threat_detection_category(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME: self.get_threat_detection_check_metadata()
         }
         categories = {"threat-detection"}
 
         assert {CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             categories=categories,
             provider=self.provider,
         )
 
     def test_discard_threat_detection_checks(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME: self.get_threat_detection_check_metadata()
         }
         categories = {}
 
         assert set() == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             categories=categories,
             provider=self.provider,
         )
 
     def test_threat_detection_single_check(self):
-        bulk_checks_metatada = {
+        bulk_checks_metadata = {
             CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME: self.get_threat_detection_check_metadata()
         }
         categories = {}
         check_list = [CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME]
 
         assert {CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME} == load_checks_to_execute(
-            bulk_checks_metadata=bulk_checks_metatada,
+            bulk_checks_metadata=bulk_checks_metadata,
             check_list=check_list,
             categories=categories,
             provider=self.provider,

tests/lib/check/compliance_check_test.py

@@ -192,7 +192,7 @@ class TestCompliance:
                 Provider="aws",
                 CheckID="accessanalyzer_enabled",
                 CheckTitle="Check 1",
-                CheckType=["type1"],
+                CheckType=["TTPs/Initial Access"],
                 ServiceName="accessanalyzer",
                 SubServiceName="subservice1",
                 ResourceIdTemplate="template1",
@@ -220,7 +220,7 @@ class TestCompliance:
                 Provider="aws",
                 CheckID="iam_user_mfa_enabled_console_access",
                 CheckTitle="Check 2",
-                CheckType=["type2"],
+                CheckType=["TTPs/Credential Access"],
                 ServiceName="iam",
                 SubServiceName="subservice2",
                 ResourceIdTemplate="template2",

tests/lib/check/custom_checks_metadata_test.py

@@ -36,7 +36,7 @@ class TestCustomChecksMetadata:
             Provider="aws",
             CheckID=S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME,
             CheckTitle="Check S3 Bucket Level Public Access Block.",
-            CheckType=["Data Protection"],
+            CheckType=["Sensitive Data Identifications/PII"],
             CheckAliases=[],
             ServiceName="s3",
             SubServiceName="",

tests/lib/check/fixtures/bulk_checks_metadata.py

@@ -5,7 +5,9 @@ test_bulk_checks_metadata = {
         Provider="aws",
         CheckID="vpc_peering_routing_tables_with_least_privilege",
         CheckTitle="Ensure routing tables for VPC peering are least access.",
-        CheckType=["Infrastructure Security"],
+        CheckType=[
+            "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+        ],
         ServiceName="vpc",
         SubServiceName="route_table",
         ResourceIdTemplate="arn:partition:service:region:account-id:resource-id",
@@ -36,7 +38,9 @@ test_bulk_checks_metadata = {
         Provider="aws",
         CheckID="vpc_subnet_different_az",
         CheckTitle="Ensure all vpc has subnets in more than one availability zone",
-        CheckType=["Infrastructure Security"],
+        CheckType=[
+            "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+        ],
         ServiceName="vpc",
         SubServiceName="subnet",
         ResourceIdTemplate="arn:partition:service:region:account-id:resource-id",
@@ -64,7 +68,9 @@ test_bulk_checks_metadata = {
         Provider="aws",
         CheckID="vpc_subnet_separate_private_public",
         CheckTitle="Ensure all vpc has public and private subnets defined",
-        CheckType=["Infrastructure Security"],
+        CheckType=[
+            "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+        ],
         ServiceName="vpc",
         SubServiceName="subnet",
         ResourceIdTemplate="arn:partition:service:region:account-id:resource-id",
@@ -91,7 +97,9 @@ test_bulk_checks_metadata = {
         Provider="aws",
         CheckID="workspaces_volume_encryption_enabled",
         CheckTitle="Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements",
-        CheckType=[],
+        CheckType=[
+            "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
+        ],
         ServiceName="workspaces",
         SubServiceName="",
         ResourceIdTemplate="arn:aws:workspaces:region:account-id:workspace",
@@ -122,7 +130,9 @@ test_bulk_checks_metadata = {
         Provider="aws",
         CheckID="workspaces_vpc_2private_1public_subnets_nat",
         CheckTitle="Ensure that the Workspaces VPC are deployed following the best practices using 1 public subnet and 2 private subnets with a NAT Gateway attached",
-        CheckType=[],
+        CheckType=[
+            "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis"
+        ],
         ServiceName="workspaces",
         SubServiceName="",
         ResourceIdTemplate="arn:aws:workspaces:region:account-id:workspace",

tests/lib/outputs/asff/asff_test.py

@@ -534,7 +534,9 @@ class TestASFF:
                 },
                 "GeneratorId": "prowler-service_test_check_id",
                 "AwsAccountId": "123456789012",
-                "Types": ["test-type"],
+                "Types": [
+                    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+                ],
                 "FirstObservedAt": timestamp,
                 "UpdatedAt": timestamp,
                 "CreatedAt": timestamp,

tests/lib/outputs/csv/csv_test.py

@@ -61,7 +61,10 @@ class TestCSV:
         assert output_data["PROVIDER"] == "aws"
         assert output_data["CHECK_ID"] == "service_test_check_id"
         assert output_data["CHECK_TITLE"] == "service_test_check_id"
-        assert output_data["CHECK_TYPE"] == "test-type"
+        assert (
+            output_data["CHECK_TYPE"]
+            == "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+        )
         assert isinstance(output_data["STATUS"], str)
         assert output_data["STATUS"] == "PASS"
         assert output_data["STATUS_EXTENDED"] == "status-extended"
@@ -113,7 +116,7 @@ class TestCSV:
             output.batch_write_data_to_file()
 
         mock_file.seek(0)
-        expected_csv = f"AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION\r\nprofile: default;{datetime.now()};123456789012;123456789012;;test-organization-id;test-organization;test-tag:test-value;test-unique-finding;aws;service_test_check_id;service_test_check_id;test-type;PASS;;False;service;;high;test-resource;;;;;aws;eu-west-1;check description;test-risk;test-url;;;;;;;test-compliance: test-compliance;test-category;test-dependency;test-related-to;test-notes;{prowler_version}\r\n"
+        expected_csv = f"AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION\r\nprofile: default;{datetime.now()};123456789012;123456789012;;test-organization-id;test-organization;test-tag:test-value;test-unique-finding;aws;service_test_check_id;service_test_check_id;Software and Configuration Checks/AWS Security Best Practices/Network Reachability;PASS;;False;service;;high;test-resource;;;;;aws;eu-west-1;check description;test-risk;test-url;;;;;;;test-compliance: test-compliance;test-category;test-dependency;test-related-to;test-notes;{prowler_version}\r\n"
         content = mock_file.read()
 
         assert content == expected_csv
@@ -191,7 +194,7 @@ class TestCSV:
             with patch.object(temp_file, "close", return_value=None):
                 csv.batch_write_data_to_file()
 
-            expected_csv = f"AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION\nprofile: default;{datetime.now()};123456789012;123456789012;;test-organization-id;test-organization;test-tag:test-value;test-unique-finding;aws;service_test_check_id;service_test_check_id;test-type;PASS;;False;service;;high;test-resource;;;;;aws;eu-west-1;check description;test-risk;test-url;;;;;;;test-compliance: test-compliance;test-category;test-dependency;test-related-to;test-notes;{prowler_version}\n"
+            expected_csv = f"AUTH_METHOD;TIMESTAMP;ACCOUNT_UID;ACCOUNT_NAME;ACCOUNT_EMAIL;ACCOUNT_ORGANIZATION_UID;ACCOUNT_ORGANIZATION_NAME;ACCOUNT_TAGS;FINDING_UID;PROVIDER;CHECK_ID;CHECK_TITLE;CHECK_TYPE;STATUS;STATUS_EXTENDED;MUTED;SERVICE_NAME;SUBSERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;RESOURCE_NAME;RESOURCE_DETAILS;RESOURCE_TAGS;PARTITION;REGION;DESCRIPTION;RISK;RELATED_URL;REMEDIATION_RECOMMENDATION_TEXT;REMEDIATION_RECOMMENDATION_URL;REMEDIATION_CODE_NATIVEIAC;REMEDIATION_CODE_TERRAFORM;REMEDIATION_CODE_CLI;REMEDIATION_CODE_OTHER;COMPLIANCE;CATEGORIES;DEPENDS_ON;RELATED_TO;NOTES;PROWLER_VERSION\nprofile: default;{datetime.now()};123456789012;123456789012;;test-organization-id;test-organization;test-tag:test-value;test-unique-finding;aws;service_test_check_id;service_test_check_id;Software and Configuration Checks/AWS Security Best Practices/Network Reachability;PASS;;False;service;;high;test-resource;;;;;aws;eu-west-1;check description;test-risk;test-url;;;;;;;test-compliance: test-compliance;test-category;test-dependency;test-related-to;test-notes;{prowler_version}\n"
 
             temp_file.seek(0)
 

tests/lib/outputs/finding_test.py

@@ -795,7 +795,7 @@ class TestFinding:
             "provider": "test_provider",
             "checkid": "service_check_001",
             "checktitle": "Test Check",
-            "checktype": ["type1"],
+            "checktype": [],
             "servicename": "service",
             "subservicename": "SubService",
             "severity": "high",
@@ -838,7 +838,7 @@ class TestFinding:
         assert meta.Provider == "test_provider"
         assert meta.CheckID == "service_check_001"
         assert meta.CheckTitle == "Test Check"
-        assert meta.CheckType == ["type1"]
+        assert meta.CheckType == []
         assert meta.ServiceName == "service"
         assert meta.SubServiceName == "SubService"
         assert meta.Severity == "high"

tests/lib/outputs/fixtures/fixtures.py

@@ -39,7 +39,9 @@ def generate_finding_output(
     service_name: str = "service",
     check_id: str = "service_test_check_id",
     check_title: str = "service_test_check_id",
-    check_type: list[str] = ["test-type"],
+    check_type: list[str] = [
+        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+    ],
 ) -> Finding:
     return Finding(
         auth_method="profile: default",

tests/lib/outputs/ocsf/ocsf_test.py

@@ -62,7 +62,9 @@ class TestOCSF:
         assert output_data.finding_info.desc == findings[0].metadata.Description
         assert output_data.finding_info.title == findings[0].metadata.CheckTitle
         assert output_data.finding_info.uid == findings[0].uid
-        assert output_data.finding_info.types == ["test-type"]
+        assert output_data.finding_info.types == [
+            "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+        ]
         assert output_data.time == int(findings[0].timestamp.timestamp())
         assert output_data.time_dt == findings[0].timestamp
         assert (
@@ -200,7 +202,9 @@ class TestOCSF:
                     "desc": "check description",
                     "title": "service_test_check_id",
                     "uid": "test-unique-finding",
-                    "types": ["test-type"],
+                    "types": [
+                        "Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
+                    ],
                 },
                 "resources": [
                     {