Merge pull request #773 from toniblyx/2.4

v2.4

.dockerignore

@@ -0,0 +1,5 @@
+.git/
+
+# Ignore output directories
+output/
+junit-reports/

.github/pull_request_template.md

@@ -0,0 +1 @@
+By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.gitignore

@@ -0,0 +1,30 @@
+# Swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# MacOs DS_Store
+*.DS_Store
+
+# Prowler output
+output/
+
+# JUnit Reports
+junit-reports/
+
+# VSCode files
+.vscode/

CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at community@prowler.cloud. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

LICENSE

@@ -1,201 +1,6 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+All CIS based checks in the checks folder are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License.
+The link to the license terms can be found at
+https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
 
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+Any other piece of code is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0

LICENSE-APACHE-2.0

@@ -0,0 +1,201 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work
+(an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate
+as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or
+Derivative Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work,
+excluding those notices that do not pertain to any part of
+the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify
+the terms of any separate license agreement you may have executed
+with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following
+boilerplate notice, with the fields enclosed by brackets "[]"
+replaced with your own identifying information. (Don't include
+the brackets!)  The text should be enclosed in the appropriate
+comment syntax for the file format. We also recommend that a
+file or class name and description of purpose be included on the
+same "printed page" as the copyright notice for easier
+identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

LICENSE-CC-BY-SA-4.0

@@ -0,0 +1,360 @@
+Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
+Public License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-NonCommercial-ShareAlike 4.0 International Public License
+("Public License"). To the extent this Public License may be
+interpreted as a contract, You are granted the Licensed Rights in
+consideration of Your acceptance of these terms and conditions, and the
+Licensor grants You such rights in consideration of benefits the
+Licensor receives from making the Licensed Material available under
+these terms and conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-NC-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution, NonCommercial, and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. NonCommercial means not primarily intended for or directed towards
+     commercial advantage or monetary compensation. For purposes of
+     this Public License, the exchange of the Licensed Material for
+     other material subject to Copyright and Similar Rights by digital
+     file-sharing or similar means is NonCommercial provided there is
+     no payment of monetary compensation in connection with the
+     exchange.
+
+  l. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  m. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  n. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part, for NonCommercial purposes only; and
+
+            b. produce, reproduce, and Share Adapted Material for
+               NonCommercial purposes only.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties, including when
+          the Licensed Material is used other than for NonCommercial
+          purposes.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-NC-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database for NonCommercial purposes
+     only;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+     including for purposes of Section 3(b); and
+
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.

LIST_OF_CHECKS_AND_GROUPS.md

@@ -0,0 +1,5 @@
+```
+./prowler -l # to see all available checks and their groups.
+./prowler -L # to see all available groups only.
+./prowler -l -g groupname # to see checks in a particular group
+```

Pipfile

@@ -0,0 +1,13 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+
+[packages]
+boto3 = ">=1.9.188"
+detect-secrets = ">=0.12.4"
+
+[requires]
+python_version = "3.7"

checks/check11

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check11="1.1"
+CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)"
+CHECK_SCORED_check11="SCORED"
+CHECK_TYPE_check11="LEVEL1"
+CHECK_SEVERITY_check11="High"
+CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check101="check11"
+CHECK_SERVICENAME_check11="iam"
+CHECK_RISK_check11='The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.'
+CHECK_REMEDIATION_check11='Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.'
+CHECK_DOC_check11='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
+CHECK_CAF_EPIC_check11='IAM'
+
+check11(){
+  # "Avoid the use of the root account (Scored)."
+  MAX_DAYS=-1
+  last_login_dates=$(cat $TEMP_REPORT_FILE | awk -F, '{ print $1,$5,$11,$16 }' | grep '<root_account>' | cut -d' ' -f2,3,4)
+
+  failures=0
+  for date in $last_login_dates; do
+    if [[ ${date%T*} =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]];then
+      days_not_in_use=$(how_many_days_from_today ${date%T*})
+      if [ "$days_not_in_use" -gt "$MAX_DAYS" ];then
+          failures=1
+          textFail "Root user in the account was last accessed ${MAX_DAYS#-} day ago"
+          break
+      fi
+    fi
+  done
+
+  if [[ $failures == 0 ]]; then
+      textPass "Root user in the account wasn't accessed in the last ${MAX_DAYS#-} days"
+  fi
+}

checks/check110

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check110="1.10"
+CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
+CHECK_SCORED_check110="SCORED"
+CHECK_TYPE_check110="LEVEL1"
+CHECK_SEVERITY_check110="Medium"
+CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check110="check110"
+CHECK_SERVICENAME_check110="iam"
+CHECK_RISK_check110='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
+CHECK_REMEDIATION_check110='Ensure "Number of passwords to remember" is set to 24.'
+CHECK_DOC_check110='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
+CHECK_CAF_EPIC_check110='IAM'
+
+check110(){
+  # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
+  COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
+  if [[ $COMMAND110 ]];then
+    if [[ $COMMAND110 -gt "23" ]];then
+      textPass "Password Policy limits reuse"
+    else
+      textFail "Password Policy has weak reuse requirement (lower than 24)"
+    fi
+  else
+    textFail "Password Policy missing reuse requirement"
+  fi
+}

checks/check111

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check111="1.11"
+CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
+CHECK_SCORED_check111="SCORED"
+CHECK_TYPE_check111="LEVEL1"
+CHECK_SEVERITY_check111="Medium"
+CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check111="check111"
+CHECK_SERVICENAME_check111="iam"
+CHECK_RISK_check111='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
+CHECK_REMEDIATION_check111='Ensure "Password expiration period (in days):" is set to 90 or less.'
+CHECK_DOC_check111='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
+CHECK_CAF_EPIC_check111='IAM'
+
+check111(){
+  # "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
+  COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query PasswordPolicy.MaxPasswordAge --output text 2> /dev/null)
+  if [[ $COMMAND111 == [0-9]* ]];then
+    if [[ "$COMMAND111" -le "90" ]];then
+      textPass "Password Policy includes expiration (Value: $COMMAND111)"
+    else
+      textFail "Password expiration is set greater than 90 days"
+    fi
+  else
+    textFail "Password expiration is not set"
+  fi
+}

checks/check112

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check112="1.12"
+CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
+CHECK_SCORED_check112="SCORED"
+CHECK_TYPE_check112="LEVEL1"
+CHECK_SEVERITY_check112="Critical"
+CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check112="check112"
+CHECK_SERVICENAME_check112="iam"
+CHECK_RISK_check112='The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.'
+CHECK_REMEDIATION_check112='Use the credential report to  that the user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE .'
+CHECK_DOC_check112='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
+CHECK_CAF_EPIC_check112='IAM'
+
+check112(){
+  # "Ensure no root account access key exists (Scored)"
+  # ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
+  ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
+  ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
+  if [ "$ROOTKEY1" == "false" ];then
+    textPass "No access key 1 found for root"
+  else
+    textFail "Found access key 1 for root"
+  fi
+  if [ "$ROOTKEY2" == "false" ];then
+    textPass "No access key 2 found for root"
+  else
+    textFail "Found access key 2 for root"
+  fi
+}

checks/check113

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check113="1.13"
+CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
+CHECK_SCORED_check113="SCORED"
+CHECK_TYPE_check113="LEVEL1"
+CHECK_SEVERITY_check113="Critical"
+CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check113="check113"
+CHECK_SERVICENAME_check113="iam"
+CHECK_RISK_check113='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. When virtual MFA is used for root accounts it is recommended that the device used is NOT a personal device but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. ("non-personal virtual MFA") This lessens the risks of losing access to the MFA due to device loss / trade-in or if the individual owning the device is no longer employed at the company.'
+CHECK_REMEDIATION_check113='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.'
+CHECK_DOC_check113='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa'
+CHECK_CAF_EPIC_check113='IAM'
+
+check113(){
+  # "Ensure MFA is enabled for the root account (Scored)"
+  COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
+  if [ "$COMMAND113" == "1" ]; then
+    textPass "Virtual MFA is enabled for root"
+  else
+    textFail "MFA is not ENABLED for root account"
+  fi
+}

checks/check114

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check114="1.14"
+CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
+CHECK_SCORED_check114="SCORED"
+CHECK_TYPE_check114="LEVEL2"
+CHECK_SEVERITY_check114="Critical"
+CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check114="check114"
+CHECK_SERVICENAME_check114="iam"
+CHECK_RISK_check114='The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2 it is recommended that the root account be protected with a hardware MFA.'
+CHECK_REMEDIATION_check114='Using IAM console navigate to Dashboard and expand Activate MFA on your root account.'
+CHECK_DOC_check114='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa'
+CHECK_CAF_EPIC_check114='IAM'
+
+check114(){
+  # "Ensure hardware MFA is enabled for the root account (Scored)"
+  COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
+  if [ "$COMMAND113" == "1" ]; then
+    COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep "^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$")
+    if [[ "$COMMAND114" ]]; then
+      textFail "Only Virtual MFA is enabled for root"
+    else
+      textPass "Hardware MFA is enabled for root"
+    fi
+  else
+    textFail "MFA is not ENABLED for root account"
+  fi
+}

checks/check115

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check115="1.15"
+CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
+CHECK_SCORED_check115="NOT_SCORED"
+CHECK_TYPE_check115="LEVEL1"
+CHECK_SEVERITY_check115="Medium"
+CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check115="check115"
+CHECK_SERVICENAME_check115="support"
+CHECK_RISK_check115='The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. When creating a new AWS account a default super user is automatically created. This account is referred to as the "root" account. It is recommended that the use of this account be limited and highly controlled. During events in which the root password is no longer accessible or the MFA token associated with root is lost/destroyed it is possible through authentication using secret questions and associated answers to recover root login access.'
+CHECK_REMEDIATION_check115='Login as root account and from My Account configure Security questions.'
+CHECK_DOC_check115='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html'
+CHECK_CAF_EPIC_check115='IAM'
+
+check115(){
+  # "Ensure security questions are registered in the AWS account (Not Scored)"
+  textInfo "No command available for check 1.15 "
+  textInfo "Login to the AWS Console as root & click on the Account "
+  textInfo "Name -> My Account -> Configure Security Challenge Questions "
+}

checks/check116

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check116="1.16"
+CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
+CHECK_SCORED_check116="SCORED"
+CHECK_TYPE_check116="LEVEL1"
+CHECK_SEVERITY_check116="Low"
+CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
+CHECK_ALTERNATE_check116="check116"
+CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
+CHECK_SERVICENAME_check116="iam"
+CHECK_RISK_check116='By default IAM users; groups; and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.'
+CHECK_REMEDIATION_check116='Remove any policy attached directly to the user. Use groups or roles instead.'
+CHECK_DOC_check116='https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
+CHECK_CAF_EPIC_check116='IAM'
+
+check116(){
+  # "Ensure IAM policies are attached only to groups or roles (Scored)"
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  C116_NUM_USERS=0
+  for user in $LIST_USERS;do
+    USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
+    if [[ $USER_POLICY ]]; then
+      textFail "$user has managed policy directly attached"
+      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
+    fi
+    USER_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
+    if [[ $USER_POLICY ]]; then
+      textFail "$user has inline policy directly attached"
+      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
+    fi
+  done
+  if [[ $C116_NUM_USERS -eq 0 ]]; then
+    textPass "No policies attached to users"
+  fi
+}

checks/check117

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check117="1.17"
+CHECK_TITLE_check117="[check117] Maintain current contact details (Not Scored)"
+CHECK_SCORED_check117="NOT_SCORED"
+CHECK_TYPE_check117="LEVEL1"
+CHECK_SEVERITY_check117="Medium"
+CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check117="check117"
+CHECK_SERVICENAME_check117="support"
+CHECK_RISK_check117='Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.'
+CHECK_REMEDIATION_check117='Using the Billing and Cost Management console complete contact details.'
+CHECK_DOC_check117='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info'
+CHECK_CAF_EPIC_check117='IAM'
+
+check117(){
+  # "Maintain current contact details (Scored)"
+  # No command available
+  textInfo "No command available for check 1.17 "
+  textInfo "See section 1.17 on the CIS Benchmark guide for details "
+}

checks/check118

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check118="1.18"
+CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Not Scored)"
+CHECK_SCORED_check118="NOT_SCORED"
+CHECK_TYPE_check118="LEVEL1"
+CHECK_SEVERITY_check118="Medium"
+CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check118="check118"
+CHECK_SERVICENAME_check118="support"
+CHECK_RISK_check118='AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. Specifying security-specific contact information will help ensure that security advisories sent by AWS reach the team in your organization that is best equipped to respond to them.'
+CHECK_REMEDIATION_check118='Go to the My Account section and complete alternate contacts.'
+CHECK_DOC_check118='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html'
+CHECK_CAF_EPIC_check118='IAM'
+
+check118(){
+  # "Ensure security contact information is registered (Scored)"
+  # No command available
+  textInfo "No command available for check 1.18 "
+  textInfo "See section 1.18 on the CIS Benchmark guide for details "
+}

checks/check119

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check119="1.19"
+CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
+CHECK_SCORED_check119="NOT_SCORED"
+CHECK_TYPE_check119="LEVEL2"
+CHECK_SEVERITY_check119="Medium"
+CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
+CHECK_ALTERNATE_check119="check119"
+CHECK_SERVICENAME_check119="ec2"
+CHECK_RISK_check119='AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised; they can be used from outside of the AWS account.'
+CHECK_REMEDIATION_check119='IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create or re-launch a new instance. (Check for external dependencies on its current private ip or public addresses).'
+CHECK_DOC_check119='http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html'
+CHECK_CAF_EPIC_check119='IAM'
+
+check119(){
+  for regx in $REGIONS; do
+    EC2_DATA=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn, State.Name]' --output json)
+    EC2_DATA=$(echo $EC2_DATA | jq '.[]|{InstanceId: .[0], ProfileArn: .[1], StateName: .[2]}')
+    INSTANCE_LIST=$(echo $EC2_DATA | jq -r '.InstanceId')
+    if [[ $INSTANCE_LIST ]]; then
+      for instance in $INSTANCE_LIST; do
+        STATE_NAME=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.StateName')
+        if [[ $STATE_NAME != "terminated" && $STATE_NAME != "shutting-down" ]]; then
+          PROFILEARN=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.ProfileArn')
+          if [[ $PROFILEARN == "null" ]]; then
+            textFail "$regx: Instance $instance not associated with an instance role" $regx
+          else
+            textPass "$regx: Instance $instance associated with role ${PROFILEARN##*/}" $regx
+          fi
+        fi
+      done
+    else
+      textInfo "$regx: No EC2 instances found" $regx
+    fi
+  done
+}

checks/check12

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check12="1.2"
+CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
+CHECK_SCORED_check12="SCORED"
+CHECK_TYPE_check12="LEVEL1"
+CHECK_SEVERITY_check12="High"
+CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
+CHECK_ALTERNATE_check102="check12"
+CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
+CHECK_SERVICENAME_check12="iam"
+CHECK_RISK_check12='Unauthorized access to this critical account if password is not secure or it is disclosed in any way.'
+CHECK_REMEDIATION_check12='Enable MFA for root account. is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.'
+CHECK_DOC_check12='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
+CHECK_CAF_EPIC_check12='IAM'
+
+check12(){
+  # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
+  # List users with password enabled
+  COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }')
+  COMMAND12=$(
+    for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
+      cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
+    done)
+    if [[ $COMMAND12 ]]; then
+      for u in $COMMAND12; do
+        textFail "User $u has Password enabled but MFA disabled"
+      done
+    else
+      textPass "No users found with Password enabled and MFA disabled"
+    fi
+}

checks/check120

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check120="1.20"
+CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+CHECK_SCORED_check120="SCORED"
+CHECK_TYPE_check120="LEVEL1"
+CHECK_SEVERITY_check120="Medium"
+CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
+CHECK_ALTERNATE_check120="check120"
+CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
+CHECK_SERVICENAME_check120="iam"
+CHECK_RISK_check120='AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.'
+CHECK_REMEDIATION_check120='Create an IAM role for managing incidents with AWS.'
+CHECK_DOC_check120='https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html'
+CHECK_CAF_EPIC_check120='IAM'
+
+check120(){
+  # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+  SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
+  if [[ $SUPPORTPOLICYARN ]];then
+    for policyarn in $SUPPORTPOLICYARN;do
+      POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output text | awk -F$'\t' '{ print $3 }')
+      if [[ $POLICYROLES ]];then
+        for name in $POLICYROLES; do
+          textPass "Support Policy attached to $name"
+        done
+        # for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
+        #   textInfo "User $user has support access via $policyarn"
+        # done
+      else
+        textFail "Support Policy not applied to any Role"
+      fi
+    done
+  else
+    textFail "No Support Policy found"
+  fi
+}

checks/check121

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check121="1.21"
+CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
+CHECK_SCORED_check121="NOT_SCORED"
+CHECK_TYPE_check121="LEVEL1"
+CHECK_SEVERITY_check121="Medium"
+CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
+CHECK_ALTERNATE_check121="check121"
+CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
+CHECK_SERVICENAME_check121="iam"
+CHECK_RISK_check121='AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.'
+CHECK_REMEDIATION_check121='From the IAM console: generate credential report and disable not required keys.'
+CHECK_DOC_check121='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
+CHECK_CAF_EPIC_check121='IAM'
+
+check121(){
+  # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  # List of USERS with KEY1 last_used_date as N/A
+  LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
+  # List of USERS with KEY1 active, last_used_date as N/A and have a console password
+  LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$9 }'|grep "true true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
+  if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
+    for user in $LIST_USERS_KEY1_ACTIVE; do
+      textFail "User $user has never used access key 1"
+    done
+  else
+    textPass "No users found with access key 1 never used"
+  fi
+  # List of USERS with KEY2 last_used_date as N/A
+  LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
+  # List of USERS with KEY2 active, last_used_date as N/A and have a console password
+  LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$14 }'|grep "true true$" |awk '{ print $1 }' ; done)
+  if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
+    for user in $LIST_USERS_KEY2_ACTIVE; do
+      textFail "User $user has never used access key 2"
+    done
+  else
+    textPass "No users found with access key 2 never used"
+  fi
+}

checks/check122

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check122="1.22"
+CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
+CHECK_SCORED_check122="SCORED"
+CHECK_TYPE_check122="LEVEL1"
+CHECK_SEVERITY_check122="Medium"
+CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
+CHECK_ALTERNATE_check122="check122"
+CHECK_SERVICENAME_check122="iam"
+CHECK_RISK_check122='IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.'
+CHECK_REMEDIATION_check122='It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.'
+CHECK_DOC_check122='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
+CHECK_CAF_EPIC_check122='IAM'
+
+check122(){
+  # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
+  LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
+  if [[ $LIST_CUSTOM_POLICIES ]]; then
+    textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
+    for policy in $LIST_CUSTOM_POLICIES; do
+      POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
+      POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
+      POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
+      if [[ $POLICY_WITH_FULL ]]; then
+        POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
+      fi
+    done
+    if [[ $POLICIES_ALLOW_LIST ]]; then
+      textInfo "List of custom policies: "
+      for policy in $POLICIES_ALLOW_LIST; do
+        textFail "Policy $policy allows \"*:*\""
+      done
+    else
+        textPass "No custom policy found that allow full \"*:*\" administrative privileges"
+    fi
+  else
+    textPass "No custom policies found"
+  fi
+}

checks/check13

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check13="1.3"
+CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
+CHECK_SCORED_check13="SCORED"
+CHECK_TYPE_check13="LEVEL1"
+CHECK_SEVERITY_check13="Medium"
+CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
+CHECK_ALTERNATE_check103="check13"
+CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4"
+CHECK_SERVICENAME_check13="iam"
+CHECK_RISK_check13='AWS IAM users can access AWS resources using different types of credentials (passwords or access keys). It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.'
+CHECK_REMEDIATION_check13='Use the credential report to  ensure password_last_changed is less than 90 days ago.'
+CHECK_DOC_check13='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
+CHECK_CAF_EPIC_check13='IAM'
+
+check13(){
+  check_creds_used_in_last_days 90
+}

checks/check14

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check14="1.4"
+CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
+CHECK_SCORED_check14="SCORED"
+CHECK_TYPE_check14="LEVEL1"
+CHECK_SEVERITY_check14="Medium"
+CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
+CHECK_ALTERNATE_check104="check14"
+CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4 ens-op.acc.5.aws.iam.3"
+CHECK_SERVICENAME_check14="iam"
+CHECK_RISK_check14='Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI)- Tools for Windows PowerShell- the AWS SDKs- or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.'
+CHECK_REMEDIATION_check14='Use the credential report to  ensure  access_key_X_last_rotated  is less than 90 days ago.'
+CHECK_DOC_check14='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
+CHECK_CAF_EPIC_check14='IAM'
+
+check14(){
+  # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
+  LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
+  LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
+  C14_NUM_USERS1=0
+  C14_NUM_USERS2=0
+    if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then
+      # textFail "Users with access key 1 older than 90 days:"
+      for user in $LIST_OF_USERS_WITH_ACCESS_KEY1; do
+        # check access key 1
+        DATEROTATED1=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
+        HOWOLDER=$(how_older_from_today $DATEROTATED1)
+
+        if [ $HOWOLDER -gt "90" ];then
+          textFail "$user has not rotated access key 1 in over 90 days"
+          C14_NUM_USERS1=$(expr $C14_NUM_USERS1 + 1)
+        fi
+      done
+      if [[ $C14_NUM_USERS1 -eq 0 ]]; then
+        textPass "No users with access key 1 older than 90 days"
+      fi
+    else
+      textPass "No users with access key 1"
+    fi
+
+    if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
+      # textFail "Users with access key 2 older than 90 days:"
+      for user in $LIST_OF_USERS_WITH_ACCESS_KEY2; do
+        # check access key 2
+        DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $15 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
+        HOWOLDER=$(how_older_from_today $DATEROTATED2)
+        if [ $HOWOLDER -gt "90" ];then
+          textFail "$user has not rotated access key 2 in over 90 days"
+          C14_NUM_USERS2=$(expr $C14_NUM_USERS2 + 1)
+        fi
+      done
+      if [[ $C14_NUM_USERS2 -eq 0 ]]; then
+        textPass "No users with access key 2 older than 90 days"
+      fi
+    else
+      textPass "No users with access key 2"
+    fi
+}

checks/check15

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check15="1.5"
+CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
+CHECK_SCORED_check15="SCORED"
+CHECK_TYPE_check15="LEVEL1"
+CHECK_SEVERITY_check15="Medium"
+CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check105="check15"
+CHECK_SERVICENAME_check15="iam"
+CHECK_RISK_check15='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
+CHECK_REMEDIATION_check15='Ensure "Requires at least one uppercase letter" is checked under "Password Policy".'
+CHECK_DOC_check15='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
+CHECK_CAF_EPIC_check15='IAM'
+
+check15(){
+  # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
+  COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
+  if [[ "$COMMAND15" == "true" ]];then
+    textPass "Password Policy requires upper case"
+  else
+    textFail "Password Policy missing upper-case requirement"
+  fi
+}

checks/check16

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check16="1.6"
+CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
+CHECK_SCORED_check16="SCORED"
+CHECK_TYPE_check16="LEVEL1"
+CHECK_SEVERITY_check16="Medium"
+CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check106="check16"
+CHECK_SERVICENAME_check16="iam"
+CHECK_RISK_check16='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
+CHECK_REMEDIATION_check16='Ensure "Requires at least one lowercase letter" is checked under "Password Policy".'
+CHECK_DOC_check16='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
+CHECK_CAF_EPIC_check16='IAM'
+
+check16(){
+  # "Ensure IAM password policy require at least one lowercase letter (Scored)"
+  COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
+  if [[ "$COMMAND16" == "true" ]];then
+    textPass "Password Policy requires lower case"
+  else
+    textFail "Password Policy missing lower-case requirement"
+  fi
+}

checks/check17

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check17="1.7"
+CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
+CHECK_SCORED_check17="SCORED"
+CHECK_TYPE_check17="LEVEL1"
+CHECK_SEVERITY_check17="Medium"
+CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check107="check17"
+CHECK_SERVICENAME_check17="iam"
+CHECK_RISK_check17='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
+CHECK_REMEDIATION_check17='Ensure "Require at least one non-alphanumeric character" is checked under "Password Policy".'
+CHECK_DOC_check17='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
+CHECK_CAF_EPIC_check17='IAM'
+
+check17(){
+  # "Ensure IAM password policy require at least one symbol (Scored)"
+  COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
+  if [[ "$COMMAND17" == "true" ]];then
+    textPass "Password Policy requires symbol"
+  else
+    textFail "Password Policy missing symbol requirement"
+  fi
+}

checks/check18

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check18="1.8"
+CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
+CHECK_SCORED_check18="SCORED"
+CHECK_TYPE_check18="LEVEL1"
+CHECK_SEVERITY_check18="Medium"
+CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check108="check18"
+CHECK_SERVICENAME_check18="iam"
+CHECK_RISK_check18='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
+CHECK_REMEDIATION_check18='Ensure "Require at least one number " is checked under "Password Policy".'
+CHECK_DOC_check18='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
+CHECK_CAF_EPIC_check18='IAM'
+
+check18(){
+  # "Ensure IAM password policy require at least one number (Scored)"
+  COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
+  if [[ "$COMMAND18" == "true" ]];then
+    textPass "Password Policy requires number"
+  else
+    textFail "Password Policy missing number requirement"
+  fi
+}

checks/check19

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check19="1.9"
+CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
+CHECK_SCORED_check19="SCORED"
+CHECK_TYPE_check19="LEVEL1"
+CHECK_SEVERITY_check19="Medium"
+CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check109="check19"
+CHECK_SERVICENAME_check19="iam"
+CHECK_RISK_check19='Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.'
+CHECK_REMEDIATION_check19='Ensure "Minimum password length" is set to 14 or greater.'
+CHECK_DOC_check19='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html'
+CHECK_CAF_EPIC_check19='IAM'
+
+check19(){
+  # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
+  COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
+  if [[ $COMMAND19 -gt "13" ]];then
+    textPass "Password Policy requires more than 13 characters"
+  else
+    textFail "Password Policy missing or weak length requirement"
+  fi
+}

checks/check21

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check21="2.1"
+CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
+CHECK_SCORED_check21="SCORED"
+CHECK_TYPE_check21="LEVEL1"
+CHECK_SEVERITY_check21="High"
+CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check201="check21"
+CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1 ens-op.mon.1.aws.trail.1"
+CHECK_SERVICENAME_check21="cloudtrail"
+CHECK_RISK_check21='AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller; the time of the API call; the source IP address of the API caller; the request parameters; and the response elements returned by the AWS service.'
+CHECK_REMEDIATION_check21='Ensure Logging is set to ON on all regions (even if they are not being used at the moment.'
+CHECK_DOC_check21='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events'
+CHECK_CAF_EPIC_check21='Logging and Monitoring'
+
+check21(){
+  trail_count=0
+  # "Ensure CloudTrail is enabled in all regions (Scored)"
+  for regx in $REGIONS; do
+    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
+    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to describe trails in $regx"
+      continue
+    fi
+    if [[ $TRAILS_AND_REGIONS ]]; then
+      for reg_trail in $TRAILS_AND_REGIONS; do
+        TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
+        if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region
+          continue
+        fi
+        trail=$(echo $reg_trail | cut -d',' -f2)
+        trail_count=$((trail_count + 1))
+
+        MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
+        if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then
+          textFail "Trail $trail in $regx is not enabled for all regions"
+        else
+          textPass "Trail $trail in $regx is enabled for all regions"
+        fi
+
+      done
+    fi
+  done
+  if [[ $trail_count == 0 ]]; then
+    textFail "No CloudTrail trails were found in the account"
+  fi
+}

checks/check22

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check22="2.2"
+CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
+CHECK_SCORED_check22="SCORED"
+CHECK_TYPE_check22="LEVEL2"
+CHECK_SEVERITY_check22="Medium"
+CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check202="check22"
+CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"
+CHECK_SERVICENAME_check22="cloudtrail"
+CHECK_RISK_check22='Enabling log file validation will provide additional integrity checking of CloudTrail logs. '
+CHECK_REMEDIATION_check22='Ensure LogFileValidationEnabled is set to true for each trail.'
+CHECK_DOC_check22='http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html'
+CHECK_CAF_EPIC_check22='Logging and Monitoring'
+
+check22(){
+  trail_count=0
+  # "Ensure CloudTrail log file validation is enabled (Scored)"
+  for regx in $REGIONS; do
+    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
+    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to describe trails in $regx"
+      continue
+    fi
+    if [[ $TRAILS_AND_REGIONS ]]; then
+      for reg_trail in $TRAILS_AND_REGIONS; do
+        TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
+        if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region
+          continue
+        fi
+        trail=$(echo $reg_trail | cut -d',' -f2)
+        trail_count=$((trail_count + 1))
+
+        LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
+        if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then
+          textFail "Trail $trail in $regx log file validation disabled"
+        else
+          textPass "Trail $trail in $regx log file validation enabled"
+        fi
+
+      done
+    fi
+  done
+  if [[ $trail_count == 0 ]]; then
+    textFail "No CloudTrail trails were found in the account"
+  fi
+}

checks/check23

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check23="2.3"
+CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
+CHECK_SCORED_check23="SCORED"
+CHECK_TYPE_check23="LEVEL1"
+CHECK_SEVERITY_check23="Critical"
+CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
+CHECK_ALTERNATE_check203="check23"
+CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.trail.4"
+CHECK_SERVICENAME_check23="cloudtrail"
+CHECK_RISK_check23='Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.'
+CHECK_REMEDIATION_check23='Analyze Bucket policy to validate appropriate permissions. Ensure the AllUsers principal is not granted privileges. Ensure the AuthenticatedUsers principal is not granted privileges.'
+CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_ principal.html '
+CHECK_CAF_EPIC_check23='Logging and Monitoring'
+
+check23(){
+  trail_count=0
+  # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
+  for regx in $REGIONS; do
+    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
+    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to describe trails in $regx"
+      continue
+    fi
+    if [[ $TRAILS_AND_REGIONS ]]; then
+      for reg_trail in $TRAILS_AND_REGIONS; do
+        TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
+        if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region
+          continue
+        fi
+        trail=$(echo $reg_trail | cut -d',' -f2)
+        trail_count=$((trail_count + 1))
+
+        CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].[S3BucketName]' --output text --trail-name-list $trail)
+        if [[ -z $CLOUDTRAILBUCKET ]]; then
+          textFail "Trail $trail in $TRAIL_REGION does not publish to S3"
+          continue
+        fi
+
+        CLOUDTRAIL_ACCOUNT_ID=$(echo $trail | awk -F: '{ print $5 }')
+        if [ "$CLOUDTRAIL_ACCOUNT_ID" != "$ACCOUNT_NUM" ]; then
+          textInfo "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not in current account"
+          continue
+        fi
+
+        #
+        # LOCATION - requests referencing buckets created after March 20, 2019
+        # must be made to S3 endpoints in the same region as the bucket was
+        # created.
+        #
+        BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $regx --bucket $CLOUDTRAILBUCKET --output text 2>&1)
+        if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
+          textFail "Trail $trail in $TRAIL_REGION Access Denied getting bucket location for $CLOUDTRAILBUCKET"
+          continue
+        fi
+        if [[ $BUCKET_LOCATION == "None" ]]; then
+          BUCKET_LOCATION="us-east-1"
+        fi
+        if [[ $BUCKET_LOCATION == "EU" ]]; then
+          BUCKET_LOCATION="eu-west-1"
+        fi
+
+        CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $CLOUDTRAILBUCKET $PROFILE_OPT --region $BUCKET_LOCATION --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' --output text 2>&1)
+        if [[ $(echo "$CLOUDTRAILBUCKET_HASALLPERMISIONS" | grep AccessDenied) ]]; then
+          textInfo "Trail $trail in $TRAIL_REGION Access Denied getting bucket acl for $CLOUDTRAILBUCKET"
+          continue
+        fi
+
+        if [[ -z $CLOUDTRAILBUCKET_HASALLPERMISIONS ]]; then
+          textPass "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not publicly accessible"
+        else
+          textFail "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is publicly accessible"
+        fi
+
+      done
+    fi
+  done
+  if [[ $trail_count == 0 ]]; then
+    textFail "No CloudTrail trails were found in the account"
+  fi
+}

checks/check24

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check24="2.4"
+CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
+CHECK_SCORED_check24="SCORED"
+CHECK_TYPE_check24="LEVEL1"
+CHECK_SEVERITY_check24="Low"
+CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check204="check24"
+CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"
+CHECK_SERVICENAME_check24="cloudtrail"
+CHECK_RISK_check24='Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.'
+CHECK_REMEDIATION_check24='Validate that the trails in CloudTrail has an arn set in the CloudWatchLogsLogGroupArn property.'
+CHECK_DOC_check24='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html'
+CHECK_CAF_EPIC_check24='Logging and Monitoring'
+
+check24(){
+  trail_count=0
+  # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
+  for regx in $REGIONS; do
+    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
+    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to describe trails in $regx"
+      continue
+    fi
+    if [[ $TRAILS_AND_REGIONS ]]; then
+      for reg_trail in $TRAILS_AND_REGIONS; do
+        TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
+        if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region
+          continue
+        fi
+        trail=$(echo $reg_trail | cut -d',' -f2)
+        trail_count=$((trail_count + 1))
+
+        LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
+        if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
+          textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+        else
+          LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
+          HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
+          if [ $HOWOLDER -gt "1" ];then
+            textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+          else
+            textPass "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
+          fi
+        fi
+
+      done
+    fi
+  done
+  if [[ $trail_count == 0 ]]; then
+    textFail "No CloudTrail trails were found in the account"
+  fi
+}

checks/check25

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check25="2.5"
+CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
+CHECK_SCORED_check25="SCORED"
+CHECK_TYPE_check25="LEVEL1"
+CHECK_SEVERITY_check25="Medium"
+CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check205="check25"
+CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"
+CHECK_SERVICENAME_check25="configservice"
+CHECK_RISK_check25='The AWS configuration item history captured by AWS Config enables security analysis; resource change tracking; and compliance auditing.'
+CHECK_REMEDIATION_check25='It is recommended to enable AWS Config be enabled in all regions.'
+CHECK_DOC_check25='https://aws.amazon.com/blogs/mt/aws-config-best-practices/'
+CHECK_CAF_EPIC_check25='Logging and Monitoring'
+
+check25(){
+  # "Ensure AWS Config is enabled in all regions (Scored)"
+  for regx in $REGIONS; do
+    CHECK_AWSCONFIG_RECORDING=$($AWSCLI configservice describe-configuration-recorder-status $PROFILE_OPT --region $regx --query 'ConfigurationRecordersStatus[*].recording' --output text 2>&1)
+    CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice describe-configuration-recorder-status $PROFILE_OPT --region $regx --query 'ConfigurationRecordersStatus[*].lastStatus' --output text 2>&1)
+    if [[ $(echo "$CHECK_AWSCONFIG_STATUS" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to describe configuration recorder status in $regx"
+      continue
+    fi
+    if [[ $CHECK_AWSCONFIG_RECORDING == "True" ]]; then
+      if [[ $CHECK_AWSCONFIG_STATUS == "SUCCESS" ]]; then
+        textPass "Region $regx AWS Config recorder enabled"
+      else
+        textFail "Region $regx AWS Config recorder in failure state"
+      fi
+    else
+      textFail "Region $regx AWS Config recorder disabled"
+    fi
+  done
+}

checks/check26

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check26="2.6"
+CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
+CHECK_SCORED_check26="SCORED"
+CHECK_TYPE_check26="LEVEL1"
+CHECK_SEVERITY_check26="Medium"
+CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
+CHECK_ALTERNATE_check206="check26"
+CHECK_SERVICENAME_check26="s3"
+CHECK_RISK_check26='Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.'
+CHECK_REMEDIATION_check26='Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.'
+CHECK_DOC_check26='https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html'
+CHECK_CAF_EPIC_check26='Logging and Monitoring'
+
+check26(){
+  trail_count=0
+  # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
+  for regx in $REGIONS; do
+    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
+    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to describe trails in $regx"
+      continue
+    fi
+    if [[ $TRAILS_AND_REGIONS ]]; then
+      for reg_trail in $TRAILS_AND_REGIONS; do
+        TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
+        if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region
+          continue
+        fi
+        trail=$(echo $reg_trail | cut -d',' -f2)
+        trail_count=$((trail_count + 1))
+
+        CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].[S3BucketName]' --output text --trail-name-list $trail)
+        if [[ -z $CLOUDTRAILBUCKET ]]; then
+          textFail "Trail $trail in $TRAIL_REGION does not publish to S3"
+          continue
+        fi
+
+        CLOUDTRAIL_ACCOUNT_ID=$(echo $trail | awk -F: '{ print $5 }')
+        if [ "$CLOUDTRAIL_ACCOUNT_ID" != "$ACCOUNT_NUM" ]; then
+          textInfo "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not in current account"
+          continue
+        fi
+
+        #
+        # LOCATION - requests referencing buckets created after March 20, 2019
+        # must be made to S3 endpoints in the same region as the bucket was
+        # created.
+        #
+        BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $regx --bucket $CLOUDTRAILBUCKET --output text 2>&1)
+        if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
+          textFail "Trail $trail in $TRAIL_REGION Access Denied getting bucket location for $CLOUDTRAILBUCKET"
+          continue
+        fi
+        if [[ $BUCKET_LOCATION == "None" ]]; then
+          BUCKET_LOCATION="us-east-1"
+        fi
+        if [[ $BUCKET_LOCATION == "EU" ]]; then
+          BUCKET_LOCATION="eu-west-1"
+        fi
+
+        CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $CLOUDTRAILBUCKET $PROFILE_OPT --region $BUCKET_LOCATION --query 'LoggingEnabled.TargetBucket' --output text 2>&1)
+        if [[ $(echo "$CLOUDTRAILBUCKET_LOGENABLED" | grep AccessDenied) ]]; then
+          textInfo "Trail $trail in $TRAIL_REGION Access Denied getting bucket logging for $CLOUDTRAILBUCKET"
+          continue
+        fi
+
+        if [[ $CLOUDTRAILBUCKET_LOGENABLED != "None" ]]; then
+          textPass "Trail $trail in $TRAIL_REGION S3 bucket access logging is enabled for $CLOUDTRAILBUCKET"
+        else
+          textFail "Trail $trail in $TRAIL_REGION S3 bucket access logging is not enabled for $CLOUDTRAILBUCKET"
+        fi
+
+      done
+    fi
+  done
+  if [[ $trail_count == 0 ]]; then
+    textFail "No CloudTrail trails were found in the account"
+  fi
+}

checks/check27

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check27="2.7"
+CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
+CHECK_SCORED_check27="SCORED"
+CHECK_TYPE_check27="LEVEL2"
+CHECK_SEVERITY_check27="Medium"
+CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check207="check27"
+CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
+CHECK_SERVICENAME_check27="cloudtrail"
+CHECK_RISK_check27='By default; the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable; you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.'
+CHECK_REMEDIATION_check27='This approach has the following advantages: You can create and manage the CMK encryption keys yourself. You can use a single CMK to encrypt and decrypt log files for multiple accounts across all regions. You have control over who can use your key for encrypting and decrypting CloudTrail log files. You can assign permissions for the key to the users. You have enhanced security.'
+CHECK_DOC_check27='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html'
+CHECK_CAF_EPIC_check27='Logging and Monitoring'
+
+check27(){
+  trail_count=0
+  # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
+  for regx in $REGIONS; do
+    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
+    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to describe trails in $regx"
+      continue
+    fi
+    if [[ $TRAILS_AND_REGIONS ]]; then
+      for reg_trail in $TRAILS_AND_REGIONS; do
+        TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
+        if [ $TRAIL_REGION != $regx ]; then # Only report trails once in home region
+          continue
+        fi
+        trail=$(echo $reg_trail | cut -d',' -f2)
+        trail_count=$((trail_count + 1))
+
+        KMSKEYID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].KmsKeyId' --output text --trail-name-list $trail)
+        if [[ "$KMSKEYID" ]];then
+          textPass "Trail $trail in $regx has encryption enabled"
+        else
+          textFail "Trail $trail in $regx has encryption disabled"
+        fi
+      done
+    fi
+  done
+  if [[ $trail_count == 0 ]]; then
+    textFail "No CloudTrail trails were found in the account"
+  fi
+}

checks/check28

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check28="2.8"
+CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled (Scored)"
+CHECK_SCORED_check28="SCORED"
+CHECK_TYPE_check28="LEVEL2"
+CHECK_SEVERITY_check28="Medium"
+CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
+CHECK_ALTERNATE_check208="check28"
+CHECK_SERVICENAME_check28="kms"
+CHECK_RISK_check28='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.'
+CHECK_REMEDIATION_check28='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.'
+CHECK_DOC_check28='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html'
+CHECK_CAF_EPIC_check28='Data Protection'
+
+check28(){
+  # "Ensure rotation for customer created CMKs is enabled (Scored)"
+  for regx in $REGIONS; do
+    CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId' --output text 2>&1)
+    if [[ $(echo "$CHECK_KMS_KEYLIST" | grep AccessDenied) ]]; then
+      textFail "Access Denied trying to list keys in $regx"
+      continue
+    fi
+    if [[ $CHECK_KMS_KEYLIST ]]; then
+      cmk_count=0
+      for key in $CHECK_KMS_KEYLIST; do
+        KMSDETAILS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,man:KeyManager,origin:Origin,spec:CustomerMasterKeySpec,state:KeyState}' --output text 2>&1 | grep SYMMETRIC)
+        if [[ $(echo "$KMSDETAILS" | grep AccessDenied) ]]; then
+           textFail "$regx: Key $key Access Denied describing key"
+           continue
+        fi
+
+        KEYID=$(echo $KMSDETAILS | awk '{print $1}')
+        KEYMANAGER=$(echo $KMSDETAILS | awk '{print $2}')
+        KEYORIGIN=$(echo $KMSDETAILS | awk '{print $3}')
+        KEYSTATE=$(echo $KMSDETAILS | awk '{print $5}')
+
+        if [[ "$KEYMANAGER" == "AWS" ]]; then
+          continue
+        fi
+        if [[ "$KEYSTATE" != "Enabled" ]]; then
+          continue
+        fi
+        cmk_count=$((cmk_count + 1))
+
+        if [[ "$KEYORIGIN" == "EXTERNAL" ]]; then
+          textPass "$regx: Key $key uses imported key material"
+        else
+          CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text 2>&1)
+          if [[ $(echo "$CHECK_KMS_KEY_ROTATION" | grep AccessDenied) ]]; then
+            textFail "$regx: Key $key Access Denied getting key rotation status"
+            continue
+          fi
+          if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
+            textPass "$regx: Key $key automatic rotation of the key material is enabled"
+          else
+            textFail "$regx: Key $key automatic rotation of the key material is disabled"
+          fi
+        fi
+      done
+      if [[ $cmk_count == 0 ]]; then
+        textInfo "$regx: This region has no customer managed keys"
+      fi
+    else
+      textInfo "$regx: This region has no KMS keys"
+    fi
+  done
+}

checks/check29

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check29="2.9"
+CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+CHECK_SCORED_check29="SCORED"
+CHECK_TYPE_check29="LEVEL2"
+CHECK_SEVERITY_check29="Medium"
+CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
+CHECK_ALTERNATE_check209="check29"
+CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
+CHECK_SERVICENAME_check29="vpc"
+CHECK_RISK_check29='PC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.'
+CHECK_REMEDIATION_check29='It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. '
+CHECK_DOC_check29='http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html '
+CHECK_CAF_EPIC_check29='Logging and Monitoring'
+
+check29(){
+  # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+  for regx in $REGIONS; do
+    AVAILABLE_VPC=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[?State==`available`].VpcId' --output text 2>&1)
+    if [[ $(echo "$AVAILABLE_VPC" | grep AccessDenied) ]]; then
+      textFail "$regx: Access Denied trying to describe VPCs"
+      continue
+    fi
+    for vpcx in $AVAILABLE_VPC; do
+      CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --filter Name="resource-id",Values="${vpcx}" --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].FlowLogId' --output text 2>&1)
+      if [[ $(echo "$CHECK_FL" | grep AccessDenied) ]]; then
+        textFail "$regx: VPC $vpcx Access Denied trying to describe flow logs"
+        continue
+      fi
+      if [[ $CHECK_FL ]]; then
+        for FL in $CHECK_FL; do
+          textPass "$regx: VPC $vpcx VPCFlowLog is enabled for LogGroupName: $FL"
+        done
+      else
+        textFail "$regx: VPC $vpcx VPCFlowLog is disabled"
+      fi
+    done
+  done
+}

checks/check31

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/MyCloudTrailLG \
+#     --filter-name AWSAuthorizationFailures \
+#     --filter-pattern '{ $.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*" }' \
+#     --metric-transformations metricName=AuthorizationFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name "Authorization Failures" \
+#     --alarm-description "Alarm triggered when unauthorized API calls are made" \
+#     --metric-name AuthorizationFailureCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check31="3.1"
+CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
+CHECK_SCORED_check31="SCORED"
+CHECK_TYPE_check31="LEVEL1"
+CHECK_SEVERITY_check31="Medium"
+CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check301="check31"
+CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
+CHECK_SERVICENAME_check31="iam"
+CHECK_RISK_check31='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check31='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check31='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check31='Logging and Monitoring'
+
+check31(){
+  check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
+}

checks/check310

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name SecurityGroupConfigChanges \
+#     --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }' \
+#     --metric-transformations metricName=SecurityGroupEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name SecurityGroupConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS security group(s) config changes." \
+#     --metric-name SecurityGroupEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check310="3.10"
+CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
+CHECK_SCORED_check310="SCORED"
+CHECK_TYPE_check310="LEVEL2"
+CHECK_SEVERITY_check310="Medium"
+CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check310="check310"
+CHECK_SERVICENAME_check310="ec2"
+CHECK_RISK_check310='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check310='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check310='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check310='Logging and Monitoring'
+
+check310(){
+  check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
+}

checks/check311

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name NetworkACLConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' \
+#     --metric-transformations metricName=NetworkAclEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name NetworkACLConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS Network ACL(s) config changes." \
+#     --metric-name NetworkAclEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check311="3.11"
+CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
+CHECK_SCORED_check311="SCORED"
+CHECK_TYPE_check311="LEVEL2"
+CHECK_SEVERITY_check311="Medium"
+CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check311="check311"
+CHECK_SERVICENAME_check311="vpc"
+CHECK_RISK_check311='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check311='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check311='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check311='Logging and Monitoring'
+
+check311(){
+  check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
+}

checks/check312

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name VPCGatewayConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' \
+#     --metric-transformations metricName=GatewayEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name VPCGatewayConfigChangesAlarm \
+#     --alarm-description "Triggered by VPC Customer/Internet Gateway changes." \
+#     --metric-name GatewayEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check312="3.12"
+CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
+CHECK_SCORED_check312="SCORED"
+CHECK_TYPE_check312="LEVEL1"
+CHECK_SEVERITY_check312="Medium"
+CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check312="check312"
+CHECK_SERVICENAME_check312="vpc"
+CHECK_RISK_check312='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check312='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check312='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check312='Logging and Monitoring'
+
+check312(){
+  check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
+}

checks/check313

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name RouteTableConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' \
+#     --metric-transformations metricName=RouteTableEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name RouteTableConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS Route Table config changes." \
+#     --metric-name RouteTableEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check313="3.13"
+CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
+CHECK_SCORED_check313="SCORED"
+CHECK_TYPE_check313="LEVEL1"
+CHECK_SEVERITY_check313="Medium"
+CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check313="check313"
+CHECK_SERVICENAME_check313="vpc"
+CHECK_RISK_check313='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check313='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check313='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check313='Logging and Monitoring'
+
+check313(){
+  check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
+}

checks/check314

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name VPCNetworkConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' \
+#     --metric-transformations metricName=VpcEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name VPCNetworkConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS VPC(s) environment config changes." \
+#     --metric-name VpcEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check314="3.14"
+CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
+CHECK_SCORED_check314="SCORED"
+CHECK_TYPE_check314="LEVEL1"
+CHECK_SEVERITY_check314="Medium"
+CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check314="check314"
+CHECK_SERVICENAME_check314="vpc"
+CHECK_RISK_check314='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check314='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check314='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check314='Logging and Monitoring'
+
+check314(){
+  check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
+}

checks/check32

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name ConsoleSignInWithoutMfaCount \
+#     --filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }' \
+#     --metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name ConsoleSignInWithoutMfaAlarm \
+#     --alarm-description "Triggered by sign-in requests made without MFA." \
+#     --metric-name ConsoleSignInWithoutMfaCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check32="3.2"
+CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
+CHECK_SCORED_check32="SCORED"
+CHECK_TYPE_check32="LEVEL1"
+CHECK_SEVERITY_check32="Medium"
+CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check302="check32"
+CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
+CHECK_SERVICENAME_check32="iam"
+CHECK_RISK_check32='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check32='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check32='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check32='Logging and Monitoring'
+
+check32(){
+  check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
+}

checks/check33

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name RootAccountUsage \
+#     --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' \
+#     --metric-transformations metricName=RootAccountUsageEventCount,metricNamespace=CloudTrailMetrics,metricValue=1 \
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name RootAccountUsageAlarm \
+#     --alarm-description "Triggered by AWS Root Account usage." \
+#     --metric-name RootAccountUsageEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check33="3.3"
+CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
+CHECK_SCORED_check33="SCORED"
+CHECK_TYPE_check33="LEVEL1"
+CHECK_SEVERITY_check33="Medium"
+CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check303="check33"
+CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
+CHECK_SERVICENAME_check33="iam"
+CHECK_RISK_check33='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check33='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check33='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check33='Logging and Monitoring'
+
+check33(){
+  check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
+}

checks/check34

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name IAMAuthConfigChanges \
+#     --filter-pattern '{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }' \
+#     --metric-transformations metricName=IAMPolicyEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name IAMAuthorizationActivityAlarm \
+#     --alarm-description "Triggered by AWS IAM authorization config changes." \
+#     --metric-name IAMPolicyEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check34="3.4"
+CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
+CHECK_SCORED_check34="SCORED"
+CHECK_TYPE_check34="LEVEL1"
+CHECK_SEVERITY_check34="Medium"
+CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check304="check34"
+CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
+CHECK_SERVICENAME_check34="iam"
+CHECK_RISK_check34='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check34='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check34='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check34='IAM'
+
+check34(){
+  check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
+}

checks/check35

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/MyCloudTrailLG \
+#     --filter-name AWSCloudTrailChanges \
+#     --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' \
+#     --metric-transformations metricName=CloudTrailEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name "CloudTrail Changes" \
+#     --alarm-description "Triggered by AWS CloudTrail configuration changes." \
+#     --metric-name CloudTrailEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check35="3.5"
+CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
+CHECK_SCORED_check35="SCORED"
+CHECK_TYPE_check35="LEVEL1"
+CHECK_SEVERITY_check35="Medium"
+CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check305="check35"
+CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
+CHECK_SERVICENAME_check35="cloudtrail"
+CHECK_RISK_check35='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check35='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check35='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check35='Logging and Monitoring'
+
+check35(){
+  check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
+}

checks/check36

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/MyCloudTrailLG \
+#     --filter-name AWSConsoleSignInFailures \
+#     --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }' \
+#     --metric-transformations metricName=ConsoleSigninFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name "Console Sign-in Failures" \
+#     --alarm-description "AWS Management Console Sign-in Failure Alarm." \
+#     --metric-name ConsoleSigninFailureCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 3 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check36="3.6"
+CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
+CHECK_SCORED_check36="SCORED"
+CHECK_TYPE_check36="LEVEL2"
+CHECK_SEVERITY_check36="Medium"
+CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check306="check36"
+CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
+CHECK_SERVICENAME_check36="iam"
+CHECK_RISK_check36='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check36='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check36='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check36='Logging and Monitoring'
+
+check36(){
+  check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
+}

checks/check37

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name AWSCMKChanges \
+#     --filter-pattern '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }' \
+#     --metric-transformations metricName=CMKEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name AWSCMKChangesAlarm \
+#     --alarm-description "Triggered by AWS CMK changes." \
+#     --metric-name CMKEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check37="3.7"
+CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs (Scored)"
+CHECK_SCORED_check37="SCORED"
+CHECK_TYPE_check37="LEVEL2"
+CHECK_SEVERITY_check37="Medium"
+CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check307="check37"
+CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
+CHECK_SERVICENAME_check37="kms"
+CHECK_RISK_check37='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check37='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check37='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check37='Logging and Monitoring'
+
+check37(){
+  check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
+}

checks/check38

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name S3BucketConfigChanges \
+#     --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' \
+#     --metric-transformations metricName=S3BucketEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name S3BucketConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS S3 Bucket config changes." \
+#     --metric-name S3BucketEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check38="3.8"
+CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
+CHECK_SCORED_check38="SCORED"
+CHECK_TYPE_check38="LEVEL1"
+CHECK_SEVERITY_check38="Medium"
+CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check308="check38"
+CHECK_SERVICENAME_check38="s3"
+CHECK_RISK_check38='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
+CHECK_REMEDIATION_check38='It is recommended that a metric filter and alarm be established for unauthorized requests.'
+CHECK_DOC_check38='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check38='Logging and Monitoring'
+
+check38(){
+  check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
+}

checks/check39

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name AWSConfigChanges \
+#     --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }' \
+#     --metric-transformations metricName=ConfigEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name AWSConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS Config changes." \
+#     --metric-name ConfigEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check39="3.9"
+CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
+CHECK_SCORED_check39="SCORED"
+CHECK_TYPE_check39="LEVEL2"
+CHECK_SEVERITY_check39="Medium"
+CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check309="check39"
+CHECK_SERVICENAME_check39="configservice"
+CHECK_RISK_check39='If not enabled important changes to accounts could go unnoticed or difficult to find.'
+CHECK_REMEDIATION_check39='Use this service as a complement to implement detective controls that cannot be prevented. (e.g. a Security Group is modified to open to internet without restrictions or route changed to avoid going thru the network firewall). Ensure AWS Config is enabled in all regions in order to detect any not intended action. On the other hand if sufficient preventive controls to make changes in critical services are in place; the rating on this finding can be lowered or discarded depending on residual risk.'
+CHECK_DOC_check39='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
+CHECK_CAF_EPIC_check39='Logging and Monitoring'
+
+check39(){
+  check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
+}

checks/check41

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check41="4.1"
+CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
+CHECK_SCORED_check41="SCORED"
+CHECK_TYPE_check41="LEVEL2"
+CHECK_SEVERITY_check41="High"
+CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
+CHECK_ALTERNATE_check401="check41"
+CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
+CHECK_SERVICENAME_check41="ec2"
+CHECK_RISK_check41='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check41='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check41='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check41='Infrastructure Security'
+
+check41(){
+  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
+  for regx in $REGIONS; do
+    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    if [[ $SG_LIST ]];then
+      for SG in $SG_LIST;do
+        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
+      done
+    else
+      textPass "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0" "$regx"
+    fi
+  done
+}

checks/check42

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check42="4.2"
+CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
+CHECK_SCORED_check42="SCORED"
+CHECK_TYPE_check42="LEVEL2"
+CHECK_SEVERITY_check42="High"
+CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
+CHECK_ALTERNATE_check402="check42"
+CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
+CHECK_SERVICENAME_check42="ec2"
+CHECK_RISK_check42='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check42='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check42='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check42='Infrastructure Security'
+
+check42(){
+  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
+  for regx in $REGIONS; do
+    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    if [[ $SG_LIST ]];then
+      for SG in $SG_LIST;do
+        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
+      done
+    else
+      textPass "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0" "$regx"
+    fi
+  done
+}

checks/check43

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check43="4.3"
+CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
+CHECK_SCORED_check43="SCORED"
+CHECK_TYPE_check43="LEVEL2"
+CHECK_SEVERITY_check43="High"
+CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
+CHECK_ALTERNATE_check403="check43"
+CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
+CHECK_SERVICENAME_check43="ec2"
+CHECK_RISK_check43='Even having a perimeter firewall; having security groups open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check43='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive security groups. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check43='https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html'
+CHECK_CAF_EPIC_check43='Infrastructure Security'
+
+check43(){
+  # "Ensure the default security group of every VPC restricts all traffic (Scored)"
+  for regx in $REGIONS; do
+    CHECK_SGDEFAULT_IDS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].GroupId[]' --output text)
+    for CHECK_SGDEFAULT_ID in $CHECK_SGDEFAULT_IDS; do
+      CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '\s0.0.0.0|\:\:\/0')
+      if [[ $CHECK_SGDEFAULT_ID_OPEN ]];then
+        textFail "Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
+      else
+        textPass "No Default Security Groups ($CHECK_SGDEFAULT_ID) open to 0.0.0.0 found in Region $regx" "$regx"
+      fi
+    done
+  done
+}

checks/check44

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check44="4.4"
+CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+CHECK_SCORED_check44="NOT_SCORED"
+CHECK_TYPE_check44="LEVEL2"
+CHECK_SEVERITY_check44="Medium"
+CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
+CHECK_ALTERNATE_check404="check44"
+CHECK_SERVICENAME_check44="vpc"
+CHECK_RISK_check44='Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.'
+CHECK_REMEDIATION_check44='Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.'
+CHECK_DOC_check44='https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html'
+CHECK_CAF_EPIC_check44='Infrastructure Security'
+
+check44(){
+  # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+  textInfo "Looking for VPC peering in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId'| sort | paste -s -d" " -)
+    if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
+      textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
+      #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
+      #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
+      # for vpc in $LIST_OF_VPCS; do
+      #   VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" $PROFILE_OPT --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
+      # done
+      #echo $VPCS_WITH_PEERING
+    else
+      textPass "$regx: No VPC peering found" "$regx"
+    fi
+  done
+}

checks/check_extra71

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra71="7.1"
+CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra71="NOT_SCORED"
+CHECK_TYPE_extra71="EXTRA"
+CHECK_SEVERITY_extra71="High"
+CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
+CHECK_ALTERNATE_extra701="extra71"
+CHECK_ALTERNATE_check71="extra71"
+CHECK_ALTERNATE_check701="extra71"
+CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
+CHECK_SERVICENAME_extra71="iam"
+CHECK_RISK_extra71='Policy "may" allow Anonymous users to perform actions.'
+CHECK_REMEDIATION_extra71='Ensure this repository and its contents should be publicly accessible.'
+CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
+CHECK_CAF_EPIC_extra71='Infrastructure Security'
+
+extra71(){
+  # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+  ADMIN_GROUPS=''
+  AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --region $REGION --query 'Groups[].GroupName')
+  for grp in $AWS_GROUPS; do
+    # aws --profile onlinetraining iam list-attached-group-policies --group-name Administrators --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess'
+    # list-attached-group-policies
+    CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep  "arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess")
+    if [[ $CHECK_ADMIN_GROUP ]]; then
+      ADMIN_GROUPS="$ADMIN_GROUPS $grp"
+      textInfo "$grp group provides administrative access"
+      ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --region $REGION --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
+      for auser in $ADMIN_USERS; do
+        # users in group are Administrators
+        # users
+        # check for user MFA device in credential report
+        USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8)
+        if [[ "true" == $USER_MFA_ENABLED ]]; then
+          textPass "$auser / MFA Enabled / admin via group $grp"
+        else
+          textFail "$auser / MFA DISABLED / admin via group $grp"
+        fi
+      done
+    else
+      textInfo "$grp group provides non-administrative access"
+    fi
+  done
+}

checks/check_extra710

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra710="7.10"
+CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra710="NOT_SCORED"
+CHECK_TYPE_extra710="EXTRA"
+CHECK_SEVERITY_extra710="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
+CHECK_ALTERNATE_check710="extra710"
+CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
+CHECK_SERVICENAME_extra710="ec2"
+CHECK_RISK_extra710='Exposing an EC2 directly to internet increases the attack surface and therefore the risk of compromise.'
+CHECK_REMEDIATION_extra710='Use an ALB and apply WAF ACL.'
+CHECK_DOC_extra710='https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/'
+CHECK_CAF_EPIC_extra710='Infrastructure Security'
+
+extra710(){
+  # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+  textInfo "Looking for instances in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
+    if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
+      while read -r instance;do
+        INSTANCE_ID=$(echo $instance | awk '{ print $1; }')
+        PUBLIC_IP=$(echo $instance | awk '{ print $2; }')
+        textFail "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx"
+      done <<< "$LIST_OF_PUBLIC_INSTANCES"
+      else
+        textPass "$regx: no Internet Facing EC2 Instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7100

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building
+# on the hard work of others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7100="7.100"
+CHECK_TITLE_extra7100="[extra7100] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
+CHECK_SCORED_extra7100="NOT_SCORED"
+CHECK_TYPE_extra7100="EXTRA"
+CHECK_SEVERITY_extra7100="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
+CHECK_ALTERNATE_check7100="extra7100"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
+CHECK_SERVICENAME_extra7100="iam"
+CHECK_RISK_extra7100='If not restricted unintended access could happen.'
+CHECK_REMEDIATION_extra7100='Use the least privilege principle when granting permissions.'
+CHECK_DOC_extra7100='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html'
+CHECK_CAF_EPIC_extra7100='IAM'
+
+extra7100(){
+  # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
+  #
+  # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
+  # This is most often seen as sts:assumeRole on *, but can take other forms.
+  #
+  # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
+  LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
+  if [[ $LIST_CUSTOM_POLICIES ]]; then
+    textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
+    for policy in $LIST_CUSTOM_POLICIES; do
+      POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
+      POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
+
+      POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \
+        --output json \
+        --policy-arn $POLICY_ARN \
+        --version-id $POLICY_VERSION \
+        --query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \
+        $PROFILE_OPT \
+        --region $REGION
+      )
+
+      # Identify permissive policies by:
+      #   1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string)
+      #   3) Iterate over the policy statements
+      #   4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity)
+      #   5) Narrow the scope to Resources (IAM Roles) which include a wildcard
+      POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \
+        | jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \
+        | jq 'map( .Action |= (if type=="array" then . else [.] end) )' \
+        | jq '.[]' \
+        | jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \
+        | jq 'select(.Resource[] | contains("*"))')
+
+      if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then
+        PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN"
+      fi
+
+    done
+    if [[ $PERMISSIVE_POLICIES_LIST ]]; then
+      textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
+      textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
+      for policy in $PERMISSIVE_POLICIES_LIST; do
+        textFail "Policy $policy allows permissive STS Role assumption"
+      done
+    else
+      textPass "No custom policies found that allow permissive STS Role assumption"
+    fi
+  else
+    textPass "No custom policies found"
+  fi
+}

checks/check_extra7101

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7101="7.101"
+CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
+CHECK_SCORED_extra7101="NOT_SCORED"
+CHECK_TYPE_extra7101="EXTRA"
+CHECK_SEVERITY_extra7101="Low"
+CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
+CHECK_ALTERNATE_check7101="extra7101"
+CHECK_SERVICENAME_extra7101="es"
+CHECK_RISK_extra7101='If logs are not enabled; monitoring of service use and threat analysis is not possible.'
+CHECK_REMEDIATION_extra7101='Make sure you are logging information about Amazon Elasticsearch Service operations.'
+CHECK_DOC_extra7101='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html'
+CHECK_CAF_EPIC_extra7101='Logging and Monitoring'
+
+extra7101(){
+  for regx in $REGIONS; do
+    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+    if [[ $LIST_OF_DOMAINS ]]; then
+      for domain in $LIST_OF_DOMAINS;do
+        AUDIT_LOGS_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.AUDIT_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $AUDIT_LOGS_ENABLED ]];then
+          textPass "$regx: Amazon ES domain $domain AUDIT_LOGS enabled" "$regx"
+        else
+          textFail "$regx: Amazon ES domain $domain AUDIT_LOGS disabled!" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Amazon ES domain found" "$regx"
+    fi
+  done
+}

checks/check_extra7102

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7102="7.102"
+CHECK_TITLE_extra7102="[extra7102] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY)"
+CHECK_SCORED_extra7102="NOT_SCORED"
+CHECK_TYPE_extra7102="EXTRA"
+CHECK_SEVERITY_extra7102="High"
+CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
+CHECK_ALTERNATE_check7102="extra7102"
+CHECK_SERVICENAME_extra7102="ec2"
+CHECK_RISK_extra7102='Sites like Shodan index exposed systems and further expose them to wider audiences as a quick way to find exploitable systems.'
+CHECK_REMEDIATION_extra7102='Check Identified IPs; consider changing them to private ones and delete them from Shodan.'
+CHECK_DOC_extra7102='https://www.shodan.io/'
+CHECK_CAF_EPIC_extra7102='Infrastructure Security'
+
+# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively 
+# your IP will be banned by Shodan
+
+# This is the right way to do so
+# curl -ks https://api.shodan.io/shodan/host/{ip}?key={YOUR_API_KEY}
+
+# Each finding will be saved in prowler/output folder for further review.
+
+extra7102(){
+  if [[ ! $SHODAN_API_KEY ]]; then
+    textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>"
+  else 
+    for regx in $REGIONS; do
+      LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-network-interfaces --query 'NetworkInterfaces[*].Association.PublicIp' --output text)
+      if [[ $LIST_OF_EIP ]]; then
+        for ip in $LIST_OF_EIP;do
+          SHODAN_QUERY=$(curl -ks https://api.shodan.io/shodan/host/$ip?key=$SHODAN_API_KEY)
+	  # Shodan has a request rate limit of 1 request/second.
+          sleep 1
+          if [[ $SHODAN_QUERY == *"No information available for that IP"* ]]; then
+            textPass "$regx: IP $ip is not listed in Shodan" "$regx"
+          else
+            echo $SHODAN_QUERY > $OUTPUT_DIR/shodan-output-$ip.json
+            IP_SHODAN_INFO=$(cat $OUTPUT_DIR/shodan-output-$ip.json | jq -r '. | { ports: .ports, org: .org, country: .country_name }| @text' | tr -d \"\{\}\}\]\[ | tr , '\ ' )
+            textFail "$regx: IP $ip is listed in Shodan with data $IP_SHODAN_INFO. More info https://www.shodan.io/host/$ip and $OUTPUT_DIR/shodan-output-$ip.json" "$regx"
+          fi
+        done
+      else
+        textInfo "$regx: No Public or Elastic IPs found" "$regx"
+      fi
+    done
+  fi
+}

checks/check_extra7103

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+    
+CHECK_ID_extra7103="7.103"
+CHECK_TITLE_extra7103="[extra7103] Check if Amazon SageMaker Notebook instances have root access disabled"
+CHECK_SCORED_extra7103="NOT_SCORED"
+CHECK_TYPE_extra7103="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7103="extra7103"
+CHECK_SEVERITY_extra7103="Medium"
+CHECK_SERVICENAME_extra7103="sagemaker"
+CHECK_RISK_extra7103='Users with root access have administrator privileges; users can access and edit all files on a notebook instance with root access enabled.'
+CHECK_REMEDIATION_extra7103='set the RootAccess field to Disabled. You can also disable root access for users when you create or update a notebook instance in the Amazon SageMaker console.'
+CHECK_DOC_extra7103='https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html'
+CHECK_CAF_EPIC_extra7103='IAM'
+
+extra7103(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_ROOTACCESS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'RootAccess' --output text)
+                if [[ "${SM_NB_ROOTACCESS}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has root access enabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has root access disabled" "${regx}"                    
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7104

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7104="7.104"
+CHECK_TITLE_extra7104="[extra7104] Check if Amazon SageMaker Notebook instances have VPC settings configured"
+CHECK_SCORED_extra7104="NOT_SCORED"
+CHECK_TYPE_extra7104="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7104="extra7104"
+CHECK_SEVERITY_extra7104="Medium"
+CHECK_SERVICENAME_extra7104="sagemaker"
+CHECK_RISK_extra7104='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7104='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7104='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7104='Infrastructure Security'
+
+extra7104(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_SUBNETID=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'SubnetId' --output text)
+                if [[ "${SM_NB_SUBNETID}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has VPC settings disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance is in a VPC" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7105

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+	
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7105="7.105"
+CHECK_TITLE_extra7105="[extra7105] Check if Amazon SageMaker Models have network isolation enabled"
+CHECK_SCORED_extra7105="NOT_SCORED"
+CHECK_TYPE_extra7105="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
+CHECK_ALTERNATE_check7105="extra7105"
+CHECK_SEVERITY_extra7105="Medium"
+CHECK_SERVICENAME_extra7105="sagemaker"
+CHECK_RISK_extra7105='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7105='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7105='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7105='Infrastructure Security'
+
+extra7105(){
+	for regx in ${REGIONS}; do
+		LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+		if [[ $LIST_SM_NB_MODELS ]];then 
+			for nb_model_name in $LIST_SM_NB_MODELS; do
+				SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'EnableNetworkIsolation' --output text)
+				if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+					textFail "${regx}: SageMaker Model $nb_model_name has network isolation disabled" "${regx}"
+				else
+					textPass "${regx}: SageMaker Model $nb_model_name has network isolation enabled" "${regx}"
+				fi 
+			done
+		else 
+			textInfo "${regx}: No Sagemaker Models found" "${regx}"
+		fi 
+	done
+}
+		

checks/check_extra7106

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7106="7.106"
+CHECK_TITLE_extra7106="[extra7106] Check if Amazon SageMaker Models have VPC settings configured"
+CHECK_SCORED_extra7106="NOT_SCORED"
+CHECK_TYPE_extra7106="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
+CHECK_ALTERNATE_check7106="extra7106"
+CHECK_SEVERITY_extra7106="Medium"
+CHECK_SERVICENAME_extra7106="sagemaker"
+CHECK_RISK_extra7106='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7106='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7106='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7106='Infrastructure Security'
+
+extra7106(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+        if [[ $LIST_SM_NB_MODELS ]];then 
+            for nb_model_name in $LIST_SM_NB_MODELS; do
+                SM_NB_VPCCONFIG=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_VPCCONFIG == "None" ]]; then
+                    textFail "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings disabled" "${regx}"
+                else
+                    textPass "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Models found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7107

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7107="7.107"
+CHECK_TITLE_extra7107="[extra7107] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled"
+CHECK_SCORED_extra7107="NOT_SCORED"
+CHECK_TYPE_extra7107="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7107="extra7107"
+CHECK_SEVERITY_extra7107="Medium"
+CHECK_SERVICENAME_extra7107="sagemaker"
+CHECK_RISK_extra7107='If not restricted unintended access could happen.'
+CHECK_REMEDIATION_extra7107='Internetwork communications support TLS 1.2 encryption between all components and clients.'
+CHECK_DOC_extra7107='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7107='Data Protection'
+
+extra7107(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_INTERCONTAINERENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableInterContainerTrafficEncryption' --output text)
+                if [[ $SM_NB_INTERCONTAINERENCRYPTION == "False" ]]; then
+                    textFail "${regx}: SageMaker Training job $nb_job_name has intercontainer encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: SageMaker Training jobs $nb_job_name has intercontainer encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Training found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7108

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7108="7.108"
+CHECK_TITLE_extra7108="[extra7108] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled"
+CHECK_SCORED_extra7108="NOT_SCORED"
+CHECK_TYPE_extra7108="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7108="extra7108"
+CHECK_SEVERITY_extra7108="Medium"
+CHECK_SERVICENAME_extra7108="sagemaker"
+CHECK_RISK_extra7108='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7108='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7108='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7108='Data Protection'
+
+extra7108(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_JOB_KMSENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'ResourceConfig.VolumeKmsKeyId' --output text)
+                if [[ "${SM_JOB_KMSENCRYPTION}" == "None" ]];then
+                    textFail "${regx}: Sagemaker Trainings job $nb_job_name has KMS encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Trainings job $nb_job_name has KSM encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7109

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7109="7.109"
+CHECK_TITLE_extra7109="[extra7109] Check if Amazon SageMaker Training jobs have network isolation enabled"
+CHECK_SCORED_extra7109="NOT_SCORED"
+CHECK_TYPE_extra7109="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7109="extra7109"
+CHECK_SEVERITY_extra7109="Medium"
+CHECK_SERVICENAME_extra7109="sagemaker"
+CHECK_RISK_extra7109='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7109='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7109='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7109='Infrastructure Security'
+
+extra7109(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableNetworkIsolation' --output text)
+                if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has network isolation disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has network isolation enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra711

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra711="7.11"
+CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra711="NOT_SCORED"
+CHECK_TYPE_extra711="EXTRA"
+CHECK_SEVERITY_extra711="High"
+CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
+CHECK_ALTERNATE_check711="extra711"
+CHECK_SERVICENAME_extra711="redshift"
+CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
+CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
+CHECK_CAF_EPIC_extra711='Data Protection'
+
+extra711(){
+  # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
+  textInfo "Looking for Redshift clusters in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
+    if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then
+      while read -r cluster;do
+        CLUSTER_ID=$(echo $cluster | awk '{ print $1; }')
+        CLUSTER_ENDPOINT=$(echo $cluster | awk '{ print $2; }')
+        textFail "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx"
+      done <<< "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS"
+      else
+        textPass "$regx: no Publicly Accessible Redshift Clusters found" "$regx"
+    fi
+  done
+}

checks/check_extra7110

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7110="7.110"
+CHECK_TITLE_extra7110="[extra7110] Check if Amazon SageMaker Training job have VPC settings configured."
+CHECK_SCORED_extra7110="NOT_SCORED"
+CHECK_TYPE_extra7110="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7110="extra7110"
+CHECK_SEVERITY_extra7110="Medium"
+CHECK_SERVICENAME_extra7110="sagemaker"
+CHECK_RISK_extra7110='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7110='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7110='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7110='Infrastructure Security'
+ 
+extra7110(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_SUBNETS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_SUBNETS == "None" ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7111

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7111="7.111"
+CHECK_TITLE_extra7111="[extra7111] Check if Amazon SageMaker Notebook instances have direct internet access"
+CHECK_SCORED_extra7111="NOT_SCORED"
+CHECK_TYPE_extra7111="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7111="extra7111"
+CHECK_SEVERITY_extra7111="Medium"
+CHECK_SERVICENAME_extra7111="sagemaker"
+CHECK_RISK_extra7111='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7111='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7111='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7111='Infrastructure Security'
+
+extra7111(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_DIRECTINET=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'DirectInternetAccess' --output text)
+                if [[ "${SM_NB_DIRECTINET}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access enabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access disabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7112

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7112="7.112"
+CHECK_TITLE_extra7112="[extra7112] Check if Amazon SageMaker Notebook instances have data encryption enabled"
+CHECK_SCORED_extra7112="NOT_SCORED"
+CHECK_TYPE_extra7112="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7112="extra7112"
+CHECK_SEVERITY_extra7112="Medium"
+CHECK_SERVICENAME_extra7112="sagemaker"
+CHECK_RISK_extra7112='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7112='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7112='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7112='Data Protection'
+
+extra7112(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_KMSKEY=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'KmsKeyId' --output text)
+                if [[ "${SM_NB_KMSKEY}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has data encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has data encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7113

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7113="7.113"
+CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7113="NOT_SCORED"
+CHECK_TYPE_extra7113="EXTRA"
+CHECK_SEVERITY_extra7113="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
+CHECK_ALTERNATE_check7113="extra7113"
+CHECK_SERVICENAME_extra7113="rds"
+CHECK_RISK_extra7113='You can only delete instances that do not have deletion protection enabled.'
+CHECK_REMEDIATION_extra7113='Enable deletion protection using the AWS Management Console for production DB instances.'
+CHECK_DOC_extra7113='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html'
+CHECK_CAF_EPIC_extra7113='Data Protection'
+
+extra7113(){
+  textInfo "Looking for RDS Volumes in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
+    if [[ $LIST_OF_RDS_INSTANCES ]];then
+      for rdsinstance in $LIST_OF_RDS_INSTANCES; do
+        IS_DELETIONPROTECTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].DeletionProtection' --output text)
+        if [[ $IS_DELETIONPROTECTION == "False" ]]; then
+          textFail "$regx: RDS instance $rdsinstance deletion protection is not enabled!" "$regx"
+        else
+          textPass "$regx: RDS instance $rdsinstance deletion protection is enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No RDS instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7114

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7114="7.114"
+CHECK_TITLE_extra7114="[extra7114] Check if Glue development endpoints have S3 encryption enabled."
+CHECK_SCORED_extra7114="NOT_SCORED"
+CHECK_TYPE_extra7114="EXTRA"
+CHECK_SEVERITY_extra7114="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
+CHECK_ALTERNATE_check7114="extra7114"
+CHECK_SERVICENAME_extra7114="glue"
+CHECK_RISK_extra7114='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7114='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7114='https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html'
+CHECK_CAF_EPIC_extra7114='Data Protection'
+
+extra7114(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
+          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}
+
+

checks/check_extra7115

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7115="7.115"
+CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection has SSL connection enabled."
+CHECK_SCORED_extra7115="NOT_SCORED"
+CHECK_TYPE_extra7115="EXTRA"
+CHECK_SEVERITY_extra7115="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
+CHECK_ALTERNATE_check7115="extra7115"
+CHECK_SERVICENAME_extra7115="glue"
+CHECK_RISK_extra7115='Data exfiltration could happen if information is not protected in transit.'
+CHECK_REMEDIATION_extra7115='Configure encryption settings for crawlers; ETL jobs; and development endpoints using security configurations in AWS Glue.'
+CHECK_DOC_extra7115='https://docs.aws.amazon.com/glue/latest/dg/encryption-in-transit.html'
+CHECK_CAF_EPIC_extra7115='Data Protection'
+
+extra7115(){
+  for regx in $REGIONS; do
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
+    if [[ $CONNECTION_LIST != '[]' ]]; then
+      for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
+          CONNECTION_NAME=$(echo $connection | base64 --decode   | jq -r '.Name' )
+          CONNECTION_SSL_STATE=$(echo $connection | base64 --decode  | jq -r '.SSL')
+          if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
+              textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled"  "$regx"
+          else 
+              textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled"  "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue connections" "$regx"
+    fi 
+  done     
+}

checks/check_extra7116

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7116="7.116"
+CHECK_TITLE_extra7116="[extra7116] Check if Glue data catalog settings have metadata encryption enabled."
+CHECK_SCORED_extra7116="NOT_SCORED"
+CHECK_TYPE_extra7116="EXTRA"
+CHECK_SEVERITY_extra7116="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
+CHECK_ALTERNATE_check7116="extra7116"
+CHECK_SERVICENAME_extra7116="glue"
+CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
+CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
+CHECK_CAF_EPIC_extra7116='Data Protection'
+
+extra7116(){
+  for regx in $REGIONS; do
+    TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx  --output text --query 'TableList[*]' )
+    if [[ ! -z $TABLE_LIST ]]; then
+      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
+      if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
+        textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
+      else
+        textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
+      fi
+    else
+      textInfo "$regx: Glue data catalog settings metadata encryption does not apply since there are no tables" "$regx"
+    fi
+  done
+}

checks/check_extra7117

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7117="7.117"
+CHECK_TITLE_extra7117="[extra7117] Check if Glue data catalog settings have encrypt connection password enabled."
+CHECK_SCORED_extra7117="NOT_SCORED"
+CHECK_TYPE_extra7117="EXTRA"
+CHECK_SEVERITY_extra7117="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
+CHECK_ALTERNATE_check7117="extra7117"
+CHECK_SERVICENAME_extra7117="glue"
+CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
+CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
+CHECK_CAF_EPIC_extra7117='Data Protection'
+
+extra7117(){
+  for regx in $REGIONS; do
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output text --query 'ConnectionList[*]')
+    if [[ ! -z $CONNECTION_LIST ]]; then
+      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
+      if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
+        textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
+      else
+        textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
+      fi
+    else
+      textInfo "$regx: Glue data catalog connection password encryption does not apply since there are no connections" "$regx"
+    fi
+  done
+}

checks/check_extra7118

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7118="7.118"
+CHECK_TITLE_extra7118="[extra7118] Check if Glue ETL Jobs have S3 encryption enabled."
+CHECK_SCORED_extra7118="NOT_SCORED"
+CHECK_TYPE_extra7118="EXTRA"
+CHECK_SEVERITY_extra7118="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
+CHECK_ALTERNATE_check7118="extra7118"
+CHECK_SERVICENAME_extra7118="glue"
+CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
+CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7118='Data Protection'
+
+extra7118(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
+            if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
+              if [[ ! -z "$JOB_ENCRYPTION" ]]; then
+                textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+              else 
+                textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+              fi 
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx"
+            fi
+          elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
+            textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+          else 
+            textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}

checks/check_extra7119

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7119="7.119"
+CHECK_TITLE_extra7119="[extra7119] Check if Glue development endpoints have CloudWatch logs encryption enabled."
+CHECK_SCORED_extra7119="NOT_SCORED"
+CHECK_TYPE_extra7119="EXTRA"
+CHECK_SEVERITY_extra7119="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
+CHECK_ALTERNATE_check7119="extra7119"
+CHECK_SERVICENAME_extra7119="glue"
+CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7119='Logging and Monitoring'
+
+extra7119(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
+          if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}

checks/check_extra712

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra712="7.12"
+CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra712="NOT_SCORED"
+CHECK_TYPE_extra712="EXTRA"
+CHECK_SEVERITY_extra712="Low"
+CHECK_ALTERNATE_check712="extra712"
+CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"
+CHECK_SERVICENAME_extra712="macie"
+CHECK_RISK_extra712='Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover; monitor; and protect your sensitive data in AWS.'
+CHECK_REMEDIATION_extra712='Enable Amazon Macie and create appropriate jobs to discover sensitive data.'
+CHECK_DOC_extra712='https://docs.aws.amazon.com/macie/latest/user/getting-started.html'
+CHECK_CAF_EPIC_extra712='Data Protection'
+
+ extra712(){ 
+#    textInfo "No API commands available to check if Macie is enabled," 
+#    textInfo "just looking if IAM Macie related permissions exist.  " 
+   MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l) 
+   if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then 
+     textPass "Macie related IAM roles exist so it might be enabled. Check it out manually" 
+else
+     textFail "No Macie related IAM roles found. It is most likely not to be enabled" 
+fi
+}

checks/check_extra7120

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7120="7.120"
+CHECK_TITLE_extra7120="[extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled."
+CHECK_SCORED_extra7120="NOT_SCORED"
+CHECK_TYPE_extra7120="EXTRA"
+CHECK_SEVERITY_extra7120="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
+CHECK_ALTERNATE_check7120="extra7120"
+CHECK_SERVICENAME_extra7120="glue"
+CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7120='Logging and Monitoring'
+
+extra7120(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration  // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
+            if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}

checks/check_extra7121

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7121="7.121"
+CHECK_TITLE_extra7121="[extra7121] Check if Glue development endpoints have Job bookmark encryption enabled."
+CHECK_SCORED_extra7121="NOT_SCORED"
+CHECK_TYPE_extra7121="EXTRA"
+CHECK_SEVERITY_extra7121="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
+CHECK_ALTERNATE_check7121="extra7121"
+CHECK_SERVICENAME_extra7121="glue"
+CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7121='Data Protection'
+
+extra7121(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}
+
+

checks/check_extra7122

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7122="7.122"
+CHECK_TITLE_extra7122="[extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled."
+CHECK_SCORED_extra7122="NOT_SCORED"
+CHECK_TYPE_extra7122="EXTRA"
+CHECK_SEVERITY_extra7122="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
+CHECK_ALTERNATE_check7122="extra7122"
+CHECK_SERVICENAME_extra7122="glue"
+CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
+CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
+CHECK_CAF_EPIC_extra7122='Data Protection'
+
+extra7122(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode')
+            if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}

checks/check_extra7123

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7123="7.123"
+CHECK_TITLE_extra7123="[extra7123] Check if IAM users have two active access keys"
+CHECK_SCORED_extra7123="NOT_SCORED"
+CHECK_TYPE_extra7123="EXTRA"
+CHECK_SEVERITY_extra7123="Medium"
+CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
+CHECK_ALTERNATE_check7123="extra7123"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
+CHECK_SERVICENAME_extra7123="iam"
+CHECK_RISK_extra7123='Access Keys could be lost or stolen. It creates a critical risk.'
+CHECK_REMEDIATION_extra7123='Avoid using long lived access keys.'
+CHECK_DOC_extra7123='https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html'
+CHECK_CAF_EPIC_extra7123='IAM'
+
+extra7123(){
+  LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
+  if [[ $LIST_OF_USERS_WITH_2ACCESS_KEYS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_OF_USERS_WITH_2ACCESS_KEYS; do
+      textFail "User $user has 2 active access keys" 
+    done
+  else
+    textPass "No users with 2 active access keys"
+  fi
+}

checks/check_extra7124

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7124="7.124"
+CHECK_TITLE_extra7124="[extra7124] Check if EC2 instances are managed by Systems Manager."
+CHECK_SCORED_extra7124="NOT_SCORED"
+CHECK_TYPE_extra7124="EXTRA"
+CHECK_SEVERITY_extra7124="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
+CHECK_ALTERNATE_check7124="extra7124"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1 ens-op.acc.4.aws.sys.1"
+CHECK_SERVICENAME_extra7124="ssm"
+CHECK_RISK_extra7124='AWS Config provides AWS Managed Rules; which are predefined; customizable rules that AWS Config uses to evaluate whether your AWS resource configurations comply with common best practices.'
+CHECK_REMEDIATION_extra7124='Verify and apply Systems Manager Prerequisites.'
+CHECK_DOC_extra7124='https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html'
+CHECK_CAF_EPIC_extra7124='Infrastructure Security'
+
+extra7124(){
+  for regx in $REGIONS; do
+    # Filters running instances only 
+    LIST_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --query 'Reservations[*].Instances[*].[InstanceId]' --filters Name=instance-state-name,Values=running --region $regx --output text)
+    if [[ $LIST_EC2_INSTANCES ]]; then
+      LIST_SSM_MANAGED_INSTANCES=$($AWSCLI ssm describe-instance-information $PROFILE_OPT --query "InstanceInformationList[].InstanceId"  --region $regx | jq -r '.[]')
+      LIST_EC2_UNMANAGED=$(echo ${LIST_SSM_MANAGED_INSTANCES[@]} ${LIST_EC2_INSTANCES[@]} | tr ' ' '\n' | sort | uniq -u)
+      if [[ $LIST_EC2_UNMANAGED ]]; then
+        for instance in $LIST_EC2_UNMANAGED; do
+          textFail "$regx: EC2 instance $instance is not managed by Systems Manager" "$regx"
+        done
+      fi 
+      if [[ $LIST_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $LIST_SSM_MANAGED_INSTANCES; do 
+          textPass "$regx: EC2 instance $instance is managed by Systems Manager" "$regx"
+        done 
+      fi 
+    else 
+      textInfo "$regx: No EC2 instances running found" "$regx"
+    fi
+  done
+}

checks/check_extra7125

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7125="7.125"
+CHECK_TITLE_extra7125="[extra7125] Check if IAM users have Hardware MFA enabled."
+CHECK_SCORED_extra7125="NOT_SCORED"
+CHECK_TYPE_extra7125="EXTRA"
+CHECK_SEVERITY_extra7125="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
+CHECK_ALTERNATE_check7125="extra7125"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
+CHECK_SERVICENAME_extra7125="iam"
+CHECK_RISK_extra7125='Hardware MFA is preferred over virtual MFA.'
+CHECK_REMEDIATION_extra7125='Enable hardware MFA device for an IAM user from the AWS Management Console; the command line; or the IAM API.'
+CHECK_DOC_extra7125='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html'
+CHECK_CAF_EPIC_extra7125='IAM'
+
+extra7125(){
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  if [[ $LIST_USERS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_USERS; do
+      # Would be virtual if sms-mfa or mfa, hardware is u2f or different.
+      MFA_TYPE=$($AWSCLI iam list-mfa-devices --user-name $user $PROFILE_OPT --region $REGION --query MFADevices[].SerialNumber --output text | awk -F':' '{ print $6 }'| awk -F'/' '{ print $1 }')
+      if [[ $MFA_TYPE == "mfa" || $MFA_TYPE == "sms-mfa" ]]; then 
+        textInfo "User $user has virtual MFA enabled" 
+      elif [[ $MFA_TYPE == "" ]]; then 
+        textFail "User $user has not hardware MFA enabled"
+      else 
+        textPass "User $user has hardware MFA enabled"
+      fi
+    done
+  else
+    textPass "No users found"
+  fi
+}

checks/check_extra7126

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7126="7.126"
+CHECK_TITLE_extra7126="[extra7126] Check if there are CMK KMS keys not used"
+CHECK_SCORED_extra7126="NOT_SCORED"
+CHECK_TYPE_extra7126="EXTRA"
+CHECK_SEVERITY_extra7126="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
+CHECK_ALTERNATE_check7126="extra7126"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
+CHECK_SERVICENAME_extra7126="kms"
+CHECK_RISK_extra7126='Unused keys may increase service cost.'
+CHECK_REMEDIATION_extra7126='Before deleting a customer master key (CMK); you might want to know how many cipher-texts were encrypted under that key.  '
+CHECK_DOC_extra7126='https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-determining-usage.html'
+CHECK_CAF_EPIC_extra7126='Data Protection'
+
+extra7126(){
+  for regx in $REGIONS; do
+    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --output text |grep -v :alias/aws/ |awk '{ print $4 }')
+    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
+      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
+        CHECK_STATUS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output json | jq -r '.KeyMetadata.KeyState')
+        if [[ $CHECK_STATUS == "PendingDeletion" ]]; then
+          textInfo "$regx: KMS key $key is pending deletion" "$regx"
+        elif [[ $CHECK_STATUS == "Disabled"  ]]; then
+          textInfo "$regx: KMS key $key is disabled" "$regx"
+        else
+          textPass "$regx: KMS key $key is not disabled or pending deletion" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No KMS keys found" "$regx"
+    fi
+  done
+}

checks/check_extra7127

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7127="7.127"
+CHECK_TITLE_extra7127="[extra7127] Check if EC2 instances managed by Systems Manager are compliant with patching requirements"
+CHECK_SCORED_extra7127="NOT_SCORED"
+CHECK_TYPE_extra7127="EXTRA"
+CHECK_SEVERITY_extra7127="High"
+CHECK_ASFF_RESOURCE_TYPE_extra7127="AwsEc2Instance"
+CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sys.1"
+CHECK_ALTERNATE_check7127="extra7127"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1 ens-op.exp.4.aws.sys.1"
+CHECK_SERVICENAME_extra7127="ssm"
+CHECK_RISK_extra7127='Without the most recent security patches your system is potentially vulnerable to cyberattacks. Even the best-designed software can not anticipate every future threat to cybersecurity. Poor patch management can leave an organizations data exposed subjecting them to malware and ransomware attacks.'
+CHECK_REMEDIATION_extra7127='Consider using SSM in all accounts and services to at least monitor for missing patches on servers. Use a robust process to apply security fixes as soon as they are made available. Patch compliance data from Patch Manager can be sent to AWS Security Hub to centralize security issues.'
+CHECK_DOC_extra7127='https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html'
+CHECK_CAF_EPIC_extra7127='Infrastructure Security'
+
+extra7127(){
+  for regx in $REGIONS; do
+    NON_COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=NON_COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES || $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+      if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $NON_COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textFail "$regx: EC2 managed instance $instance is non-compliant" "$regx"
+        done
+      fi
+      if [[ $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textPass "$regx: EC2 managed instance $instance is compliant" "$regx"
+        done
+      fi 
+    else 
+      textInfo "$regx: No EC2 managed instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7128

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7128="7.128"
+CHECK_TITLE_extra7128="[extra7128] Check if DynamoDB table has encryption at rest enabled using CMK KMS"
+CHECK_SCORED_extra7128="NOT_SCORED"
+CHECK_TYPE_extra7128="EXTRA"
+CHECK_SEVERITY_extra7128="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
+CHECK_ALTERNATE_check7128="extra7128"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
+CHECK_SERVICENAME_extra7128="dynamodb"
+CHECK_RISK_extra7128='All user data stored in Amazon DynamoDB is fully encrypted at rest. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data.'
+CHECK_REMEDIATION_extra7128='Specify an encryption key when you create a new table or switch the encryption keys on an existing table by using the AWS Management Console.'
+CHECK_DOC_extra7128='https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html'
+CHECK_CAF_EPIC_extra7128='Data Protection'
+
+extra7128(){
+  for regx in $REGIONS; do
+    DDB_TABLES_LIST=$($AWSCLI dynamodb list-tables $PROFILE_OPT --region $regx --output text --query TableNames)
+    if [[ $DDB_TABLES_LIST ]]; then
+      for table in $DDB_TABLES_LIST; do
+          DDB_TABLE_WITH_KMS=$($AWSCLI dynamodb describe-table --table-name $table $PROFILE_OPT --region $regx --query Table.SSEDescription.SSEType --output text)
+          if [[ $DDB_TABLE_WITH_KMS == "KMS" ]]; then
+            textPass "$regx: DynamoDB table $table does have KMS encryption enabled" "$regx"
+          else
+            textInfo "$regx: DynamoDB table $table does have DEFAULT encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no DynamoDB tables" "$regx"
+    fi 
+  done
+}

checks/check_extra7129

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7129="7.129"
+CHECK_TITLE_extra7129="[extra7129] Check if Application Load Balancer has a WAF ACL attached"
+CHECK_SCORED_extra7129="NOT_SCORED"
+CHECK_TYPE_extra7129="EXTRA"
+CHECK_SEVERITY_extra7129="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
+CHECK_ALTERNATE_check7129="extra7129"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
+CHECK_SERVICENAME_extra7129="elb"
+CHECK_RISK_extra7129='If not WAF ACL is attached risk of web attacks increases.'
+CHECK_REMEDIATION_extra7129='Using the AWS Management Console open the AWS WAF console to attach an ACL.'
+CHECK_DOC_extra7129='https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html'
+CHECK_CAF_EPIC_extra7129='Infrastructure Security'
+
+extra7129(){
+  for regx in $REGIONS; do
+    LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing` && Type == `application`].[LoadBalancerName]' --output text)
+    LIST_OF_WAFV2_WEBACL_ARN=$($AWSCLI wafv2 list-web-acls $PROFILE_OPT --region=$regx --scope=REGIONAL --query WebACLs[*].ARN --output text)
+    if [[ $LIST_OF_ELBSV2 ]]; then
+      for alb in $LIST_OF_ELBSV2; do
+        if [[ $LIST_OF_WAFV2_WEBACL_ARN ]]; then 
+          WAF_PROTECTED_ALBS=()
+          for wafaclarn in $LIST_OF_WAFV2_WEBACL_ARN; do
+            ALB_RESOURCES_IN_WEBACL=$($AWSCLI wafv2 list-resources-for-web-acl $PROFILE_OPT --web-acl-arn $wafaclarn --region=$regx --resource-type APPLICATION_LOAD_BALANCER --query ResourceArns --output text | xargs -n1 | awk -F'/' '{ print $3 }'| grep $alb)
+            if [[ $ALB_RESOURCES_IN_WEBACL ]]; then 
+              WAF_PROTECTED_ALBS+=($wafaclarn)
+            fi
+          done
+          if [[ ${#WAF_PROTECTED_ALBS[@]} -gt 0 ]]; then
+            for wafaclarn in "${WAF_PROTECTED_ALBS[@]}"; do
+              WAFV2_WEBACL_ARN_SHORT=$(echo $wafaclarn |  awk -F'/' '{ print $3 }')
+              textPass "$regx: Application Load Balancer $alb is protected by WAFv2 ACL $WAFV2_WEBACL_ARN_SHORT" "$regx"
+            done
+          else
+            textFail "$regx: Application Load Balancer $alb is not protected by WAFv2 ACL" "$regx"
+          fi
+        else 
+          textFail "$regx: Application Load Balancer $alb is not protected no WAFv2 ACL found" "$regx"
+        fi
+      done         
+    else
+      textInfo "$regx: No Application Load Balancers found" "$regx"
+    fi    
+  done
+}

checks/check_extra713

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra713="7.13"
+CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra713="NOT_SCORED"
+CHECK_TYPE_extra713="EXTRA"
+CHECK_SEVERITY_extra713="High"
+CHECK_ALTERNATE_check713="extra713"
+CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
+CHECK_ASFF_RESOURCE_TYPE_extra713="AwsGuardDutyDetector"
+CHECK_SERVICENAME_extra713="guardduty"
+CHECK_RISK_extra713='Amazon GuardDuty is a continuous security monitoring service that analyzes and processes several datasources.'
+CHECK_REMEDIATION_extra713='Enable GuardDuty and analyze its findings.'
+CHECK_DOC_extra713='https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html'
+CHECK_CAF_EPIC_extra713='Data Protection'
+
+extra713(){
+  # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+  for regx in $REGIONS; do
+    LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text --query DetectorIds[*] 2> /dev/null)
+    RESULT=$?
+    if [ $RESULT -eq 0 ];then
+      if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then
+        while read -r detector;do
+          DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --query "Status" --output text|grep ENABLED)
+          if [[ $DETECTOR_ENABLED ]]; then
+            textPass "$regx: GuardDuty detector $detector enabled" "$regx"
+          else
+            textFail "$regx: GuardDuty detector $detector configured but suspended" "$regx"
+          fi
+        done <<< "$LIST_OF_GUARDDUTY_DETECTORS"
+        else
+          textFail "$regx: GuardDuty detector not configured!" "$regx"
+      fi
+      else 
+      # if list-detectors return any error 
+      textInfo "$regx: GuardDuty not checked" "$regx"
+    fi 
+  done
+}

checks/check_extra7130

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7130="7.130"
+CHECK_TITLE_extra7130="[extra7130] Ensure there are no SNS Topics unencrypted"
+CHECK_SCORED_extra7130="NOT_SCORED"
+CHECK_TYPE_extra7130="EXTRA"
+CHECK_SEVERITY_extra7130="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7130="AwsSnsTopic"
+CHECK_ALTERNATE_check7130="extra7130"
+CHECK_SERVICENAME_extra7130="sns"
+CHECK_RISK_extra7130='If not enabled sensible information at rest is not protected.'
+CHECK_REMEDIATION_extra7130='Use Amazon SNS with AWS KMS.'
+CHECK_DOC_extra7130='https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html'
+CHECK_CAF_EPIC_extra7130='Data Protection'
+
+extra7130(){
+  textInfo "Looking for SNS Topics in all regions...  "
+  for regx in $REGIONS; do
+    LIST_SNS=$($AWSCLI sns list-topics $PROFILE_OPT --region $regx --query 'Topics[*].TopicArn' --output text)
+    if [[ $LIST_SNS ]];then
+      for topic in $LIST_SNS; do
+        SHORT_TOPIC=$(echo $topic | awk -F ":" '{print $NF}')
+        SNS_ENCRYPTION=$($AWSCLI sns get-topic-attributes $PROFILE_OPT --region $regx --topic-arn $topic --query 'Attributes.KmsMasterKeyId' --output text)
+        if [[ "None" == $SNS_ENCRYPTION ]]; then
+          textFail "$regx: $SHORT_TOPIC is not encrypted!" "$regx"
+        else
+          textPass "$regx: $SHORT_TOPIC is encrypted" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No SNS topic found" "$regx"
+    fi
+  done
+}

checks/check_extra7131

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7131="7.131"
+CHECK_TITLE_extra7131="[extra7131] Ensure RDS instances have minor version upgrade enabled"
+CHECK_SCORED_extra7131="NOT_SCORED"
+CHECK_TYPE_extra7131="EXTRA"
+CHECK_SEVERITY_extra7131="Low"
+CHECK_ASFF_RESOURCE_TYPE_extra7131="AwsRdsDbInstance"
+CHECK_ALTERNATE_check7131="extra7131"
+CHECK_SERVICENAME_extra7131="rds"
+CHECK_RISK_extra7131='Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs; and therefor should be applied.'
+CHECK_REMEDIATION_extra7131='Enable auto minor version upgrade for all databases and environments.'
+CHECK_DOC_extra7131='https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/'
+CHECK_CAF_EPIC_extra7131='Infrastructure Security'
+
+extra7131(){
+  for regx in $REGIONS; do
+    # LIST_OF_RDS_PUBLIC_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[?PubliclyAccessible==`true` && DBInstanceStatus==`"available"`].[DBInstanceIdentifier,Endpoint.Address]' --output text)
+    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].[DBInstanceIdentifier,AutoMinorVersionUpgrade]'  --output text)
+    if [[ $LIST_OF_RDS_INSTANCES ]];then
+      while read -r rds_instance;do
+        RDS_NAME=$(echo $rds_instance | awk '{ print $1; }')
+        RDS_AUTOMINORUPGRADE_FLAG=$(echo $rds_instance | awk '{ print $2; }')
+        if [[ $RDS_AUTOMINORUPGRADE_FLAG == "True" ]];then 
+            textPass "$regx: RDS instance: $RDS_NAME is has minor version upgrade enabled" "$regx"
+        else
+            textFail "$regx: RDS instance: $RDS_NAME does not have minor version upgrade enabled" "$regx"
+        fi
+      done <<< "$LIST_OF_RDS_INSTANCES"
+      else
+        textInfo "$regx: no RDS instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7132

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7132="7.132"
+CHECK_TITLE_extra7132="[extra7132] Check if RDS instances has enhanced monitoring enabled"
+CHECK_SCORED_extra7132="NOT_SCORED"
+CHECK_TYPE_extra7132="EXTRA"
+CHECK_SEVERITY_extra7132="Low"
+CHECK_ASFF_RESOURCE_TYPE_extra7132="AwsRdsDbInstance"
+CHECK_ALTERNATE_check7132="extra7132"
+CHECK_SERVICENAME_extra7132="rds"
+CHECK_RISK_extra7132='A smaller monitoring interval results in more frequent reporting of OS metrics.'
+CHECK_REMEDIATION_extra7132='To use Enhanced Monitoring; you must create an IAM role; and then enable Enhanced Monitoring.'
+CHECK_DOC_extra7132='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html'
+CHECK_CAF_EPIC_extra7132='Logging and Monitoring'
+
+extra7132(){
+  for regx in $REGIONS; do
+    RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
+    if [[ $RDS_INSTANCES ]];then
+      for rdsinstance in ${RDS_INSTANCES}; do
+          RDS_NAME="$rdsinstance"
+          MONITORING_FLAG=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].[EnhancedMonitoringResourceArn]' --output text)
+          if [[ $MONITORING_FLAG == "None" ]];then 
+              textFail "$regx: RDS instance: $RDS_NAME has enhanced monitoring disabled!" "$rex"
+          else
+              textPass "$regx: RDS instance: $RDS_NAME has enhanced monitoring enabled." "$regx"
+          fi
+      done
+    else
+      textInfo "$regx: no RDS instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7133

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7133="7.133"
+CHECK_TITLE_extra7133="[extra7133] Check if RDS instances have multi-AZ enabled"
+CHECK_SCORED_extra7133="NOT_SCORED"
+CHECK_TYPE_extra7133="EXTRA"
+CHECK_SEVERITY_extra7133="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7133="AwsRdsDbInstance"
+CHECK_ALTERNATE_check7133="extra7133"
+CHECK_SERVICENAME_extra7133="rds"
+CHECK_RISK_extra7133='In case of failure; with a single-AZ deployment configuration; should an availability zone specific database failure occur; Amazon RDS can not automatically fail over to the standby availability zone.'
+CHECK_REMEDIATION_extra7133='Enable multi-AZ deployment for production databases.'
+CHECK_DOC_extra7133='https://aws.amazon.com/rds/features/multi-az/'
+CHECK_CAF_EPIC_extra7133='Data Protection'
+
+extra7133(){
+  for regx in $REGIONS; do
+    RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
+    if [[ $RDS_INSTANCES ]];then
+      for rdsinstance in ${RDS_INSTANCES}; do
+          RDS_NAME="$rdsinstance"
+          MULTIAZ_FLAG=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].MultiAZ' --output text)
+          if [[ $MULTIAZ_FLAG == "True" ]];then 
+              textPass "$regx: RDS instance: $RDS_NAME has multi-AZ enabled" "$rex"
+          else
+              textFail "$regx: RDS instance: $RDS_NAME has multi-AZ disabled!" "$regx"
+          fi
+      done
+    else
+      textInfo "$regx: no RDS instances found" "$regx"
+    fi
+  done
+}

checks/check_extra714

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra714="7.14"
+CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra714="NOT_SCORED"
+CHECK_TYPE_extra714="EXTRA"
+CHECK_SEVERITY_extra714="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
+CHECK_ALTERNATE_check714="extra714"
+CHECK_SERVICENAME_extra714="cloudfront"
+CHECK_RISK_extra714='If not enabled monitoring of service use is not possible.'
+CHECK_REMEDIATION_extra714='Real-time monitoring can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Enable logging for services with defined log rotation. This logs are useful for Incident Response and forensics investigation among other use cases.'
+CHECK_DOC_extra714='https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html'
+CHECK_CAF_EPIC_extra714='Logging and Monitoring'
+
+extra714(){
+  # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+  LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[].Id' --output text | grep -v "^None")
+  if [[ $LIST_OF_DISTRIBUTIONS ]]; then
+    for dist in $LIST_OF_DISTRIBUTIONS; do
+      LOG_ENABLED=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --id "$dist" --query 'Distribution.DistributionConfig.Logging.Enabled' | grep true)
+      if [[ $LOG_ENABLED ]]; then
+        textPass "CloudFront distribution $dist has logging enabled"
+      else
+        textFail "CloudFront distribution $dist has logging disabled"
+      fi
+    done
+  else
+    textInfo "No CloudFront distributions found"
+  fi
+}

checks/check_extra715

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra715="7.15"
+CHECK_TITLE_extra715="[extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled"
+CHECK_SCORED_extra715="NOT_SCORED"
+CHECK_TYPE_extra715="EXTRA"
+CHECK_SEVERITY_extra715="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
+CHECK_ALTERNATE_check715="extra715"
+CHECK_SERVICENAME_extra715="es"
+CHECK_RISK_extra715='Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs; search slow logs; index slow logs; and audit logs. '
+CHECK_REMEDIATION_extra715='Enable Elasticsearch log. Create use cases for them. Using audit logs check for access denied events.'
+CHECK_DOC_extra715='https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html'
+CHECK_CAF_EPIC_extra715='Logging and Monitoring'
+
+extra715(){
+  for regx in $REGIONS; do
+    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+    if [[ $LIST_OF_DOMAINS ]]; then
+      for domain in $LIST_OF_DOMAINS;do
+        SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $SEARCH_SLOWLOG_ENABLED ]];then
+          textPass "$regx: Amazon ES domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
+        else
+          textFail "$regx: Amazon ES domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
+        fi
+        INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $INDEX_SLOWLOG_ENABLED ]];then
+          textPass "$regx: Amazon ES domain $domain INDEX_SLOW_LOGS enabled" "$regx"
+        else
+          textFail "$regx: Amazon ES domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Amazon ES domain found" "$regx"
+    fi
+  done
+}