chore(release): 3.11.1

Co-authored-by: sergargar <sergargar@users.noreply.github.com>

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @prowler-cloud/prowler-oss

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,97 @@
+name: 🐞 Bug Report
+description: Create a report to help us improve
+title: "[Bug]: "
+labels: ["bug", "status/needs-triage"]
+
+body:
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to Reproduce
+      description: Steps to reproduce the behavior
+      placeholder: |-
+        1. What command are you running?
+        2. Cloud provider you are launching
+        3. Environment you have, like single account, multi-account, organizations, multi or single subscription, etc.
+        4. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Result with Screenshots or Logs
+      description: If applicable, add screenshots to help explain your problem. Also, you can add logs (anonymize them first!). Here a command that may help to share a log `prowler <your arguments> --log-level DEBUG --log-file $(date +%F)_debug.log` then attach here the log file.
+    validations:
+      required: true
+  - type: dropdown
+    id: type
+    attributes:
+      label: How did you install Prowler?
+      options:
+        - Cloning the repository from github.com (git clone)
+        - From pip package (pip install prowler)
+        - From brew (brew install prowler)
+        - Docker (docker pull toniblyx/prowler)
+    validations:
+      required: true
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment Resource
+      description: From where are you running Prowler?
+      placeholder: |-
+        1. EC2 instance
+        2. Fargate task
+        3. Docker container locally
+        4. EKS
+        5. Cloud9
+        6. CodeBuild
+        7. Workstation
+        8. Other(please specify)
+    validations:
+      required: true
+  - type: textarea
+    id: os
+    attributes:
+      label: OS used
+      description: Which OS are you using?
+      placeholder: |-
+        1. Amazon Linux 2
+        2. MacOS
+        3. Alpine Linux
+        4. Windows
+        5. Other(please specify)
+    validations:
+      required: true
+  - type: input
+    id: prowler-version
+    attributes:
+      label: Prowler version
+      description: Which Prowler version are you using?
+      placeholder: |-
+        prowler --version
+    validations:
+      required: true
+  - type: input
+    id: pip-version
+    attributes:
+      label: Pip version
+      description: Which pip version are you using?
+      placeholder: |-
+        pip --version
+    validations:
+      required: true
+  - type: textarea
+    id: additional
+    attributes:
+      description: Additional context
+      label: Context
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,36 @@
+name:  💡 Feature Request
+description: Suggest an idea for this project
+labels: ["enhancement", "status/needs-triage"]
+
+
+body:
+  - type: textarea
+    id: Problem
+    attributes:
+      label: New feature motivation
+      description: Is your feature request related to a problem? Please describe
+      placeholder: |-
+        1. A clear and concise description of what the problem is. Ex. I'm always frustrated when
+    validations:
+      required: true
+  - type: textarea
+    id: Solution
+    attributes:
+      label: Solution Proposed
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: Alternatives
+    attributes:
+      label: Describe alternatives you've considered
+      description: A clear and concise description of any alternative solutions or features you've considered.
+    validations:
+      required: true
+  - type: textarea
+    id: Context
+    attributes:
+      label: Additional context
+      description: Add any other context or screenshots about the feature request here.
+    validations:
+      required: false

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "pip"

.github/pull_request_template.md

@@ -0,0 +1,13 @@
+### Context
+
+Please include relevant motivation and context for this PR.
+
+
+### Description
+
+Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.
+
+
+### License
+
+By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.github/workflows/build-lint-push-containers.yml

@@ -0,0 +1,117 @@
+name: build-lint-push-containers
+
+on:
+  push:
+    branches:
+      - "master"
+    paths-ignore:
+      - ".github/**"
+      - "README.md"
+      - "docs/**"
+
+  release:
+    types: [published]
+
+env:
+  AWS_REGION_STG: eu-west-1
+  AWS_REGION_PLATFORM: eu-west-1
+  AWS_REGION: us-east-1
+  IMAGE_NAME: prowler
+  LATEST_TAG: latest
+  STABLE_TAG: stable
+  TEMPORARY_TAG: temporary
+  DOCKERFILE_PATH: ./Dockerfile
+  PYTHON_VERSION: 3.9
+
+jobs:
+  # Build Prowler OSS container
+  container-build-push:
+    # needs: dockerfile-linter
+    runs-on: ubuntu-latest
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup python (release)
+        if: github.event_name == 'release'
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Install dependencies (release)
+        if: github.event_name == 'release'
+        run: |
+          pipx install poetry
+          pipx inject poetry poetry-bumpversion
+
+      - name: Update Prowler version (release)
+        if: github.event_name == 'release'
+        run: |
+          poetry version ${{ github.event.release.tag_name }}
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push container image (latest)
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push container image (release)
+        if: github.event_name == 'release'
+        uses: docker/build-push-action@v2
+        with:
+          # Use local context to get changes
+          # https://github.com/docker/build-push-action#path-context
+          context: .
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  dispatch-action:
+    needs: container-build-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get latest commit info
+        if: github.event_name == 'push'
+        run: |
+          LATEST_COMMIT_HASH=$(echo ${{ github.event.after }} | cut -b -7)
+          echo "LATEST_COMMIT_HASH=${LATEST_COMMIT_HASH}" >> $GITHUB_ENV
+      - name: Dispatch event for latest
+        if: github.event_name == 'push'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" --data '{"event_type":"dispatch","client_payload":{"version":"latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
+      - name: Dispatch event for release
+        if: github.event_name == 'release'
+        run: |
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ github.event.release.tag_name }}"}}'

.github/workflows/codeql.yml

@@ -0,0 +1,57 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master", prowler-2, prowler-3.0-dev ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '00 12 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/find-secrets.yml

@@ -0,0 +1,18 @@
+name: find-secrets
+
+on: pull_request
+
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@v3.4.4
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD

.github/workflows/pull-request.yml

@@ -0,0 +1,90 @@
+name: pr-lint-test
+
+on:
+  push:
+    branches:
+      - "master"
+  pull_request:
+    branches:
+      - "master"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.10", "3.11"]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Test if changes are in not ignored paths
+        id: are-non-ignored-files-changed
+        uses: tj-actions/changed-files@v39
+        with:
+          files: ./**
+          files_ignore: |
+            .github/**
+            README.md
+            docs/**
+            permissions/**
+      - name: Install poetry
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          python -m pip install --upgrade pip
+          pipx install poetry
+      - name: Set up Python ${{ matrix.python-version }}
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+      - name: Install dependencies
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry install
+          poetry run pip list
+          VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
+            grep '"tag_name":' | \
+            sed -E 's/.*"v([^"]+)".*/\1/' \
+            ) && curl -L -o /tmp/hadolint "https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64" \
+            && chmod +x /tmp/hadolint
+      - name: Poetry check
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry lock --check
+      - name: Lint with flake8
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
+      - name: Checking format with black
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run black --check .
+      - name: Lint with pylint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn prowler/
+      - name: Bandit
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
+      - name: Safety
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run safety check
+      - name: Vulture
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run vulture --exclude "contrib" --min-confidence 100 .
+      - name: Hadolint
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          /tmp/hadolint Dockerfile --ignore=DL3013
+      - name: Test with pytest
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
+      - name: Upload coverage reports to Codecov
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@v3
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/pypi-release.yml

@@ -0,0 +1,71 @@
+name: pypi-release
+
+on:
+  release:
+    types: [published]
+
+env:
+  RELEASE_TAG: ${{ github.event.release.tag_name }}
+  GITHUB_BRANCH: master
+
+jobs:
+  release-prowler-job:
+    runs-on: ubuntu-latest
+    env:
+      POETRY_VIRTUALENVS_CREATE: "false"
+    name: Release Prowler to PyPI
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ env.GITHUB_BRANCH }}
+      - name: Install dependencies
+        run: |
+          pipx install poetry
+          pipx inject poetry poetry-bumpversion
+      - name: setup python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.9
+          cache: 'poetry'
+      - name: Change version and Build package
+        run: |
+          poetry version ${{ env.RELEASE_TAG }}
+          git config user.name "github-actions"
+          git config user.email "<noreply@github.com>"
+          git add prowler/config/config.py pyproject.toml
+          git commit -m "chore(release): ${{ env.RELEASE_TAG }}" --no-verify
+          git tag -fa ${{ env.RELEASE_TAG }} -m "chore(release): ${{ env.RELEASE_TAG }}"
+          git push -f origin ${{ env.RELEASE_TAG }}
+          poetry build
+      - name: Publish prowler package to PyPI
+        run: |
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish
+      # Create pull request with new version
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
+          commit-message: "chore(release): update Prowler Version to ${{ env.RELEASE_TAG }}."
+          branch: release-${{ env.RELEASE_TAG }}
+          labels: "status/waiting-for-revision, severity/low"
+          title: "chore(release): update Prowler Version to ${{ env.RELEASE_TAG }}"
+          body: |
+            ### Description
+
+            This PR updates Prowler Version to ${{ env.RELEASE_TAG }}.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+      - name: Replicate PyPi Package
+        run: |
+          rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
+          pip install toml
+          python util/replicate_pypi_package.py
+          poetry build
+      - name: Publish prowler-cloud package to PyPI
+        run: |
+          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
+          poetry publish

.github/workflows/refresh_aws_services_regions.yml

@@ -0,0 +1,67 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Refresh regions of AWS services
+
+on:
+  schedule:
+    - cron: "0 9 * * *" #runs at 09:00 UTC everyday
+
+env:
+  GITHUB_BRANCH: "master"
+  AWS_REGION_DEV: us-east-1
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ env.GITHUB_BRANCH }}
+
+      - name: setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9 #install the python needed
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install boto3
+
+      - name: Configure AWS Credentials -- DEV
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ env.AWS_REGION_DEV }}
+          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
+          role-session-name: refresh-AWS-regions-dev
+
+      # Runs a single command using the runners shell
+      - name: Run a one-line script
+        run: python3 util/update_aws_services_regions.py
+
+      # Create pull request
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
+          commit-message: "feat(regions_update): Update regions for AWS services."
+          branch: "aws-services-regions-updated-${{ github.sha }}"
+          labels: "status/waiting-for-revision, severity/low"
+          title: "chore(regions_update): Changes in regions for AWS services."
+          body: |
+            ### Description
+
+            This PR updates the regions for AWS services.
+
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.gitignore

@@ -0,0 +1,53 @@
+# Swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Python code
+__pycache__
+venv/
+build/
+dist/
+*.egg-info/
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+
+# Persistent undo
+[._]*.un~
+
+# MacOs DS_Store
+*.DS_Store
+
+# Prowler output
+output/
+
+# Prowler found secrets
+secrets-*/
+
+# JUnit Reports
+junit-reports/
+
+# VSCode files
+.vscode/
+
+# Terraform
+.terraform*
+*.tfstate
+
+# .env
+.env*
+
+# Coverage
+.coverage*
+.coverage
+coverage*

.pre-commit-config.yaml

@@ -0,0 +1,113 @@
+repos:
+  ## GENERAL
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: check-merge-conflict
+      - id: check-yaml
+        args: ["--unsafe"]
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: no-commit-to-branch
+      - id: pretty-format-json
+        args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
+
+  ## TOML
+  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
+    rev: v2.10.0
+    hooks:
+      - id: pretty-format-toml
+        args: [--autofix]
+        files: pyproject.toml
+
+  ## BASH
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.9.0
+    hooks:
+      - id: shellcheck
+  ## PYTHON
+  - repo: https://github.com/myint/autoflake
+    rev: v2.2.0
+    hooks:
+      - id: autoflake
+        args:
+          [
+            "--in-place",
+            "--remove-all-unused-imports",
+            "--remove-unused-variable",
+          ]
+
+  - repo: https://github.com/timothycrosley/isort
+    rev: 5.12.0
+    hooks:
+      - id: isort
+        args: ["--profile", "black"]
+
+  - repo: https://github.com/psf/black
+    rev: 22.12.0
+    hooks:
+      - id: black
+
+  - repo: https://github.com/pycqa/flake8
+    rev: 6.1.0
+    hooks:
+      - id: flake8
+        exclude: contrib
+        args: ["--ignore=E266,W503,E203,E501,W605"]
+
+  - repo: https://github.com/python-poetry/poetry
+    rev: 1.6.0 # add version here
+    hooks:
+      - id: poetry-check
+      - id: poetry-lock
+        args: ["--no-update"]
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.1-beta
+    hooks:
+      - id: hadolint
+        args: ["--ignore=DL3013"]
+
+  - repo: local
+    hooks:
+      - id: pylint
+        name: pylint
+        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
+        language: system
+        files: '.*\.py'
+
+      - id: trufflehog
+        name: TruffleHog
+        description: Detect secrets in your data.
+        # entry: bash -c 'trufflehog git file://. --only-verified --fail'
+        # For running trufflehog in docker, use the following entry instead:
+        entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+        language: system
+        stages: ["commit", "push"]
+
+      - id: pytest-check
+        name: pytest-check
+        entry: bash -c 'pytest tests -n auto'
+        language: system
+        files: '.*\.py'
+
+      - id: bandit
+        name: bandit
+        description: "Bandit is a tool for finding common security issues in Python code"
+        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/' -r .'
+        language: system
+        files: '.*\.py'
+
+      - id: safety
+        name: safety
+        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
+        entry: bash -c 'safety check'
+        language: system
+
+      - id: vulture
+        name: vulture
+        description: "Vulture finds unused code in Python programs."
+        entry: bash -c 'vulture --exclude "contrib" --min-confidence 100 .'
+        language: system
+        files: '.*\.py'

.readthedocs.yaml

@@ -0,0 +1,23 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.9"
+  jobs:
+    post_create_environment:
+      # Install poetry
+      # https://python-poetry.org/docs/#installing-manually
+      - pip install poetry
+      # Tell poetry to not use a virtual environment
+      - poetry config virtualenvs.create false
+    post_install:
+      - poetry install -E docs
+
+mkdocs:
+  configuration: mkdocs.yml

CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at community@prowler.cloud. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

CONTRIBUTING.md

@@ -0,0 +1,13 @@
+# Do you want to learn on how to...
+
+- Contribute with your code or fixes to Prowler
+- Create a new check for a provider
+- Create a new security compliance framework
+- Add a custom output format
+- Add a new integration
+- Contribute with documentation
+
+Want some swag as appreciation for your contribution?
+
+# Prowler Developer Guide
+https://docs.prowler.cloud/en/latest/tutorials/developer-guide/

Dockerfile

@@ -1,4 +1,34 @@
-FROM python
-MAINTAINER Steve Neuharth <steve@aethereal.io>
-RUN apt-get update && apt-get upgrade -y && pip install awscli ansi2html
-ADD prowler* /usr/local/bin/
+FROM python:3.11-alpine
+
+LABEL maintainer="https://github.com/prowler-cloud/prowler"
+
+# Update system dependencies
+#hadolint ignore=DL3018
+RUN apk --no-cache upgrade && apk --no-cache add curl
+
+# Create nonroot user
+RUN mkdir -p /home/prowler && \
+    echo 'prowler:x:1000:1000:prowler:/home/prowler:' > /etc/passwd && \
+    echo 'prowler:x:1000:' > /etc/group && \
+    chown -R prowler:prowler /home/prowler
+USER prowler
+
+# Copy necessary files
+WORKDIR /home/prowler
+COPY prowler/ /home/prowler/prowler/
+COPY pyproject.toml /home/prowler
+COPY README.md /home/prowler
+
+# Install dependencies
+ENV HOME='/home/prowler'
+ENV PATH="$HOME/.local/bin:$PATH"
+#hadolint ignore=DL3013
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir .
+
+# Remove Prowler directory and build files
+USER 0
+RUN rm -rf /home/prowler/prowler /home/prowler/pyproject.toml /home/prowler/README.md /home/prowler/build /home/prowler/prowler.egg-info
+
+USER prowler
+ENTRYPOINT ["prowler"]

LICENSE

@@ -1,360 +1,201 @@
-Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
-Public License
-
-By exercising the Licensed Rights (defined below), You accept and agree
-to be bound by the terms and conditions of this Creative Commons
-Attribution-NonCommercial-ShareAlike 4.0 International Public License
-("Public License"). To the extent this Public License may be
-interpreted as a contract, You are granted the Licensed Rights in
-consideration of Your acceptance of these terms and conditions, and the
-Licensor grants You such rights in consideration of benefits the
-Licensor receives from making the Licensed Material available under
-these terms and conditions.
-
-
-Section 1 -- Definitions.
-
-  a. Adapted Material means material subject to Copyright and Similar
-     Rights that is derived from or based upon the Licensed Material
-     and in which the Licensed Material is translated, altered,
-     arranged, transformed, or otherwise modified in a manner requiring
-     permission under the Copyright and Similar Rights held by the
-     Licensor. For purposes of this Public License, where the Licensed
-     Material is a musical work, performance, or sound recording,
-     Adapted Material is always produced where the Licensed Material is
-     synched in timed relation with a moving image.
-
-  b. Adapter's License means the license You apply to Your Copyright
-     and Similar Rights in Your contributions to Adapted Material in
-     accordance with the terms and conditions of this Public License.
-
-  c. BY-NC-SA Compatible License means a license listed at
-     creativecommons.org/compatiblelicenses, approved by Creative
-     Commons as essentially the equivalent of this Public License.
-
-  d. Copyright and Similar Rights means copyright and/or similar rights
-     closely related to copyright including, without limitation,
-     performance, broadcast, sound recording, and Sui Generis Database
-     Rights, without regard to how the rights are labeled or
-     categorized. For purposes of this Public License, the rights
-     specified in Section 2(b)(1)-(2) are not Copyright and Similar
-     Rights.
-
-  e. Effective Technological Measures means those measures that, in the
-     absence of proper authority, may not be circumvented under laws
-     fulfilling obligations under Article 11 of the WIPO Copyright
-     Treaty adopted on December 20, 1996, and/or similar international
-     agreements.
-
-  f. Exceptions and Limitations means fair use, fair dealing, and/or
-     any other exception or limitation to Copyright and Similar Rights
-     that applies to Your use of the Licensed Material.
-
-  g. License Elements means the license attributes listed in the name
-     of a Creative Commons Public License. The License Elements of this
-     Public License are Attribution, NonCommercial, and ShareAlike.
-
-  h. Licensed Material means the artistic or literary work, database,
-     or other material to which the Licensor applied this Public
-     License.
-
-  i. Licensed Rights means the rights granted to You subject to the
-     terms and conditions of this Public License, which are limited to
-     all Copyright and Similar Rights that apply to Your use of the
-     Licensed Material and that the Licensor has authority to license.
-
-  j. Licensor means the individual(s) or entity(ies) granting rights
-     under this Public License.
-
-  k. NonCommercial means not primarily intended for or directed towards
-     commercial advantage or monetary compensation. For purposes of
-     this Public License, the exchange of the Licensed Material for
-     other material subject to Copyright and Similar Rights by digital
-     file-sharing or similar means is NonCommercial provided there is
-     no payment of monetary compensation in connection with the
-     exchange.
-
-  l. Share means to provide material to the public by any means or
-     process that requires permission under the Licensed Rights, such
-     as reproduction, public display, public performance, distribution,
-     dissemination, communication, or importation, and to make material
-     available to the public including in ways that members of the
-     public may access the material from a place and at a time
-     individually chosen by them.
-
-  m. Sui Generis Database Rights means rights other than copyright
-     resulting from Directive 96/9/EC of the European Parliament and of
-     the Council of 11 March 1996 on the legal protection of databases,
-     as amended and/or succeeded, as well as other essentially
-     equivalent rights anywhere in the world.
-
-  n. You means the individual or entity exercising the Licensed Rights
-     under this Public License. Your has a corresponding meaning.
-
-
-Section 2 -- Scope.
-
-  a. License grant.
-
-       1. Subject to the terms and conditions of this Public License,
-          the Licensor hereby grants You a worldwide, royalty-free,
-          non-sublicensable, non-exclusive, irrevocable license to
-          exercise the Licensed Rights in the Licensed Material to:
-
-            a. reproduce and Share the Licensed Material, in whole or
-               in part, for NonCommercial purposes only; and
-
-            b. produce, reproduce, and Share Adapted Material for
-               NonCommercial purposes only.
-
-       2. Exceptions and Limitations. For the avoidance of doubt, where
-          Exceptions and Limitations apply to Your use, this Public
-          License does not apply, and You do not need to comply with
-          its terms and conditions.
-
-       3. Term. The term of this Public License is specified in Section
-          6(a).
-
-       4. Media and formats; technical modifications allowed. The
-          Licensor authorizes You to exercise the Licensed Rights in
-          all media and formats whether now known or hereafter created,
-          and to make technical modifications necessary to do so. The
-          Licensor waives and/or agrees not to assert any right or
-          authority to forbid You from making technical modifications
-          necessary to exercise the Licensed Rights, including
-          technical modifications necessary to circumvent Effective
-          Technological Measures. For purposes of this Public License,
-          simply making modifications authorized by this Section 2(a)
-          (4) never produces Adapted Material.
-
-       5. Downstream recipients.
-
-            a. Offer from the Licensor -- Licensed Material. Every
-               recipient of the Licensed Material automatically
-               receives an offer from the Licensor to exercise the
-               Licensed Rights under the terms and conditions of this
-               Public License.
-
-            b. Additional offer from the Licensor -- Adapted Material.
-               Every recipient of Adapted Material from You
-               automatically receives an offer from the Licensor to
-               exercise the Licensed Rights in the Adapted Material
-               under the conditions of the Adapter's License You apply.
-
-            c. No downstream restrictions. You may not offer or impose
-               any additional or different terms or conditions on, or
-               apply any Effective Technological Measures to, the
-               Licensed Material if doing so restricts exercise of the
-               Licensed Rights by any recipient of the Licensed
-               Material.
-
-       6. No endorsement. Nothing in this Public License constitutes or
-          may be construed as permission to assert or imply that You
-          are, or that Your use of the Licensed Material is, connected
-          with, or sponsored, endorsed, or granted official status by,
-          the Licensor or others designated to receive attribution as
-          provided in Section 3(a)(1)(A)(i).
-
-  b. Other rights.
-
-       1. Moral rights, such as the right of integrity, are not
-          licensed under this Public License, nor are publicity,
-          privacy, and/or other similar personality rights; however, to
-          the extent possible, the Licensor waives and/or agrees not to
-          assert any such rights held by the Licensor to the limited
-          extent necessary to allow You to exercise the Licensed
-          Rights, but not otherwise.
-
-       2. Patent and trademark rights are not licensed under this
-          Public License.
-
-       3. To the extent possible, the Licensor waives any right to
-          collect royalties from You for the exercise of the Licensed
-          Rights, whether directly or through a collecting society
-          under any voluntary or waivable statutory or compulsory
-          licensing scheme. In all other cases the Licensor expressly
-          reserves any right to collect such royalties, including when
-          the Licensed Material is used other than for NonCommercial
-          purposes.
-
-
-Section 3 -- License Conditions.
-
-Your exercise of the Licensed Rights is expressly made subject to the
-following conditions.
-
-  a. Attribution.
-
-       1. If You Share the Licensed Material (including in modified
-          form), You must:
-
-            a. retain the following if it is supplied by the Licensor
-               with the Licensed Material:
-
-                 i. identification of the creator(s) of the Licensed
-                    Material and any others designated to receive
-                    attribution, in any reasonable manner requested by
-                    the Licensor (including by pseudonym if
-                    designated);
-
-                ii. a copyright notice;
-
-               iii. a notice that refers to this Public License;
-
-                iv. a notice that refers to the disclaimer of
-                    warranties;
-
-                 v. a URI or hyperlink to the Licensed Material to the
-                    extent reasonably practicable;
-
-            b. indicate if You modified the Licensed Material and
-               retain an indication of any previous modifications; and
-
-            c. indicate the Licensed Material is licensed under this
-               Public License, and include the text of, or the URI or
-               hyperlink to, this Public License.
-
-       2. You may satisfy the conditions in Section 3(a)(1) in any
-          reasonable manner based on the medium, means, and context in
-          which You Share the Licensed Material. For example, it may be
-          reasonable to satisfy the conditions by providing a URI or
-          hyperlink to a resource that includes the required
-          information.
-       3. If requested by the Licensor, You must remove any of the
-          information required by Section 3(a)(1)(A) to the extent
-          reasonably practicable.
-
-  b. ShareAlike.
-
-     In addition to the conditions in Section 3(a), if You Share
-     Adapted Material You produce, the following conditions also apply.
-
-       1. The Adapter's License You apply must be a Creative Commons
-          license with the same License Elements, this version or
-          later, or a BY-NC-SA Compatible License.
-
-       2. You must include the text of, or the URI or hyperlink to, the
-          Adapter's License You apply. You may satisfy this condition
-          in any reasonable manner based on the medium, means, and
-          context in which You Share Adapted Material.
-
-       3. You may not offer or impose any additional or different terms
-          or conditions on, or apply any Effective Technological
-          Measures to, Adapted Material that restrict exercise of the
-          rights granted under the Adapter's License You apply.
-
-
-Section 4 -- Sui Generis Database Rights.
-
-Where the Licensed Rights include Sui Generis Database Rights that
-apply to Your use of the Licensed Material:
-
-  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
-     to extract, reuse, reproduce, and Share all or a substantial
-     portion of the contents of the database for NonCommercial purposes
-     only;
-
-  b. if You include all or a substantial portion of the database
-     contents in a database in which You have Sui Generis Database
-     Rights, then the database in which You have Sui Generis Database
-     Rights (but not its individual contents) is Adapted Material,
-     including for purposes of Section 3(b); and
-
-  c. You must comply with the conditions in Section 3(a) if You Share
-     all or a substantial portion of the contents of the database.
-
-For the avoidance of doubt, this Section 4 supplements and does not
-replace Your obligations under this Public License where the Licensed
-Rights include other Copyright and Similar Rights.
-
-
-Section 5 -- Disclaimer of Warranties and Limitation of Liability.
-
-  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
-     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
-     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
-     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
-     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
-     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
-     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
-     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
-     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
-     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
-  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
-     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
-     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
-     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
-     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
-     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
-     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
-     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
-     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
-  c. The disclaimer of warranties and limitation of liability provided
-     above shall be interpreted in a manner that, to the extent
-     possible, most closely approximates an absolute disclaimer and
-     waiver of all liability.
-
-
-Section 6 -- Term and Termination.
-
-  a. This Public License applies for the term of the Copyright and
-     Similar Rights licensed here. However, if You fail to comply with
-     this Public License, then Your rights under this Public License
-     terminate automatically.
-
-  b. Where Your right to use the Licensed Material has terminated under
-     Section 6(a), it reinstates:
-
-       1. automatically as of the date the violation is cured, provided
-          it is cured within 30 days of Your discovery of the
-          violation; or
-
-       2. upon express reinstatement by the Licensor.
-
-     For the avoidance of doubt, this Section 6(b) does not affect any
-     right the Licensor may have to seek remedies for Your violations
-     of this Public License.
-
-  c. For the avoidance of doubt, the Licensor may also offer the
-     Licensed Material under separate terms or conditions or stop
-     distributing the Licensed Material at any time; however, doing so
-     will not terminate this Public License.
-
-  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
-     License.
-
-
-Section 7 -- Other Terms and Conditions.
-
-  a. The Licensor shall not be bound by any additional or different
-     terms or conditions communicated by You unless expressly agreed.
-
-  b. Any arrangements, understandings, or agreements regarding the
-     Licensed Material not stated herein are separate from and
-     independent of the terms and conditions of this Public License.
-
-
-Section 8 -- Interpretation.
-
-  a. For the avoidance of doubt, this Public License does not, and
-     shall not be interpreted to, reduce, limit, restrict, or impose
-     conditions on any use of the Licensed Material that could lawfully
-     be made without permission under this Public License.
-
-  b. To the extent possible, if any provision of this Public License is
-     deemed unenforceable, it shall be automatically reformed to the
-     minimum extent necessary to make it enforceable. If the provision
-     cannot be reformed, it shall be severed from this Public License
-     without affecting the enforceability of the remaining terms and
-     conditions.
-
-  c. No term or condition of this Public License will be waived and no
-     failure to comply consented to unless expressly agreed to by the
-     Licensor.
-
-  d. Nothing in this Public License constitutes or may be interpreted
-     as a limitation upon, or waiver of, any privileges and immunities
-     that apply to the Licensor or You, including from the legal
-     processes of any jurisdiction or authority.
+                                Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+Copyright 2018 Netflix, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -0,0 +1,47 @@
+.DEFAULT_GOAL:=help
+
+##@ Testing
+test:   ## Test with pytest
+	rm -rf .coverage && \
+	pytest -n auto -vvv -s --cov=./prowler --cov-report=xml tests
+
+coverage: ## Show Test Coverage
+	coverage run --skip-covered -m pytest -v && \
+	coverage report -m && \
+	rm -rf .coverage && \
+	coverage report -m
+
+coverage-html: ## Show Test Coverage
+	rm -rf ./htmlcov && \
+	coverage html && \
+	open htmlcov/index.html
+
+##@ Linting
+format: ## Format Code
+	@echo "Running black..."
+	black .
+
+lint: ## Lint Code
+	@echo "Running flake8..."
+	flake8 . --ignore=E266,W503,E203,E501,W605,E128 --exclude contrib
+	@echo "Running black... "
+	black --check .
+	@echo "Running pylint..."
+	pylint --disable=W,C,R,E -j 0 providers lib util config
+
+##@ PyPI
+pypi-clean: ## Delete the distribution files
+	rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
+
+pypi-build: ## Build package
+	$(MAKE) pypi-clean && \
+	poetry build
+
+pypi-upload: ## Upload package
+	python3 -m twine upload --repository pypi dist/*
+
+
+##@ Help
+help:     ## Show this help.
+	@echo "Prowler Makefile"
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

README.md

@@ -1,615 +1,271 @@
-# Prowler: AWS CIS Benchmark Tool
+<p align="center">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-dark.png?raw=True#gh-dark-mode-only" width="150" height="36">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-light.png?raw=True#gh-light-mode-only" width="15%" height="15%">
+</p>
+<p align="center">
+  <b><i>See all the things you and your team can do with ProwlerPro at <a href="https://prowler.pro">prowler.pro</a></i></b>
+</p>
+<hr>
+<p align="center">
+  <img src="https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png" />
+</p>
+<p align="center">
+  <a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
+  <a href="https://pypi.org/project/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler.svg"></a>
+  <a href="https://pypi.python.org/pypi/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler.svg"></a>
+  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Prowler Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=prowler%20downloads"></a>
+  <a href="https://pypistats.org/packages/prowler-cloud"><img alt="PyPI Prowler-Cloud Downloads" src="https://img.shields.io/pypi/dw/prowler-cloud.svg?label=prowler-cloud%20downloads"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/cloud/build/toniblyx/prowler"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/image-size/toniblyx/prowler"></a>
+  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
+</p>
+<p align="center">
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="Repo size" src="https://img.shields.io/github/repo-size/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/issues"><img alt="Issues" src="https://img.shields.io/github/issues/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler?include_prereleases"></a>
+  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/release-date/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="Contributors" src="https://img.shields.io/github/contributors-anon/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="License" src="https://img.shields.io/github/license/prowler-cloud/prowler"></a>
+  <a href="https://twitter.com/ToniBlyx"><img alt="Twitter" src="https://img.shields.io/twitter/follow/toniblyx?style=social"></a>
+  <a href="https://twitter.com/prowlercloud"><img alt="Twitter" src="https://img.shields.io/twitter/follow/prowlercloud?style=social"></a>
+</p>
 
-## Table of Contents  
-- [Description](#description)
-- [Features](#features)  
-- [Requirements](#requirements)  
-- [Usage](#usage)
-- [Fix](#fix)
-- [Screenshots](#screenshots)
-- [Troubleshooting](#troubleshooting)
-- [Extras](#extras)
-- [Add Custom Checks](#add-custom-checks)
-- [Third Party Integrations](#third-party-integrations)
+# Description
 
-## Description
+`Prowler` is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
 
-Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the [CIS Amazon Web Services Foundations Benchmark 1.1 ](https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf)
+It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.
 
-## Features
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.cloud/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.cloud/en/latest/tutorials/misc/#categories) |
+|---|---|---|---|---|
+| AWS | 301 | 61 -> `prowler aws --list-services` | 25 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
+| GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
+| Azure | 23 | 4 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |
+| Kubernetes | Planned | - | - | - |
 
-It covers hardening and security best practices for all AWS regions related to:
+# 📖 Documentation
 
-- Identity and Access Management (24 checks)
-- Logging (8 checks)
-- Monitoring (15 checks)
-- Networking (5 checks)
-- Extra checks (5 checks) *see Extras section
+The full documentation can now be found at [https://docs.prowler.cloud](https://docs.prowler.cloud)
 
-For a comprehesive list and resolution look at the guide on the link above.
+## Looking for Prowler v2 documentation?
+For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prowler/tree/2.12.1.
 
-With Prowler you can:
-- get a colourish or monochrome report
-- a CSV format report for diff
-- run specific checks without having to run the entire report
-- check multiple AWS accounts in parallel
+# ⚙️ Install
 
-## Requirements
-This script has been written in bash using AWS-CLI and it works in Linux and OSX.
+## Pip package
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9:
 
-- Make sure your AWS-CLI is installed on your workstation, with Python pip already installed:
+```console
+pip install prowler
+prowler -v
 ```
-pip install awscli
-```
-Or install it using "brew", "apt", "yum" or manually from https://aws.amazon.com/cli/
+More details at https://docs.prowler.cloud
+
+## Containers
+
+The available versions of Prowler are the following:
+
+- `latest`: in sync with master branch (bear in mind that it is not a stable version)
+- `<x.y.z>` (release): you can find the releases [here](https://github.com/prowler-cloud/prowler/releases), those are stable releases.
+- `stable`: this tag always point to the latest release.
+
+The container images are available here:
+
+- [DockerHub](https://hub.docker.com/r/toniblyx/prowler/tags)
+- [AWS Public ECR](https://gallery.ecr.aws/prowler-cloud/prowler)
+
+## From Github
+
+Python >= 3.9 is required with pip and poetry:
 
-- Previous steps, from your workstation:
 ```
-git clone https://github.com/Alfresco/prowler
+git clone https://github.com/prowler-cloud/prowler
 cd prowler
+poetry shell
+poetry install
+python prowler.py -v
 ```
 
-- Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
-```
-aws configure
+# 📐✏️ High level architecture
+
+You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.
+
+![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/080261d9-773d-4af1-af79-217a273e3176)
+
+# 📝 Requirements
+
+Prowler has been written in Python using the [AWS SDK (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html#), [Azure SDK](https://azure.github.io/azure-sdk-for-python/) and [GCP API Python Client](https://github.com/googleapis/google-api-python-client/).
+## AWS
+
+Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence).
+Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
+
+  ```console
+  aws configure
+  ```
+
+  or
+
+  ```console
+  export AWS_ACCESS_KEY_ID="ASXXXXXXX"
+  export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
+  export AWS_SESSION_TOKEN="XXXXXXXXX"
+  ```
+
+Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
+
+  - `arn:aws:iam::aws:policy/SecurityAudit`
+  - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
+
+  > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
+
+  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
+
+  ## Azure
+
+  Prowler for Azure supports the following authentication types:
+
+- Service principal authentication by environment variables (Enterprise Application)
+- Current az cli credentials stored
+- Interactive browser authentication
+- Managed identity authentication
+
+### Service Principal authentication
+
+To allow Prowler assume the service principal identity to start the scan, it is needed to configure the following environment variables:
+
+```console
+export AZURE_CLIENT_ID="XXXXXXXXX"
+export AZURE_TENANT_ID="XXXXXXXXX"
+export AZURE_CLIENT_SECRET="XXXXXXX"
 ```
 
-- Make sure your Secret and Access Keys are associated to a user with proper permissions to do all checks. To make sure add SecurityAuditor default policy to your user. Policy ARN is
+If you try to execute Prowler with the `--sp-env-auth` flag and those variables are empty or not exported, the execution is going to fail.
+### AZ CLI / Browser / Managed Identity authentication
 
-```
-arn:aws:iam::aws:policy/SecurityAudit
-```
-> In some cases you may need more list or get permissions in some services, look at the Troubleshooting section for a more comprehensive policy if you find issues with the default SecurityAudit policy.
+The other three cases do not need additional configuration, `--az-cli-auth` and `--managed-identity-auth` are automated options, `--browser-auth` needs the user to authenticate using the default browser to start the scan. Also `--browser-auth` needs the tenant id to be specified with `--tenant-id`.
 
-## Usage
+### Permissions
 
-1 - Run the prowler.sh command without options (it will use your environment variable credentials if exist or default in ~/.aws/credentials file and run checks over all regions when needed, default region is us-east-1):
+To use each one, you need to pass the proper flag to the execution. Prowler for Azure handles two types of permission scopes, which are:
 
-```
-./prowler
+- **Azure Active Directory permissions**: Used to retrieve metadata from the identity assumed by Prowler and future AAD checks (not mandatory to have access to execute the tool)
+- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool.
+
+
+#### Azure Active Directory scope
+
+Azure Active Directory (AAD) permissions required by the tool are the following:
+
+- `Directory.Read.All`
+- `Policy.Read.All`
+
+
+#### Subscriptions scope
+
+Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription  to the entity that is going to be assumed by the tool:
+
+- `Security Reader`
+- `Reader`
+
+
+## Google Cloud Platform
+
+Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order):
+
+1. [GOOGLE_APPLICATION_CREDENTIALS environment variable](https://cloud.google.com/docs/authentication/application-default-credentials#GAC)
+2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)
+3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)
+
+Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.
+
+> By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.
+
+# 💻 Basic Usage
+
+To run prowler, you will need to specify the provider (e.g aws or azure):
+
+```console
+prowler <provider>
 ```
 
-2 - For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
+![Prowler Execution](https://github.com/prowler-cloud/prowler/blob/b91b0103ff38e66a915c8a0ed84905a07e4aae1d/docs/img/short-display.png?raw=True)
 
-```
-./prowler -p custom-profile -r us-east-1
+> Running the `prowler` command without options will use your environment variable credentials.
+
+By default, prowler will generate a CSV, a JSON and a HTML report, however you can generate JSON-ASFF (only for AWS Security Hub) report with `-M` or `--output-modes`:
+
+```console
+prowler <provider> -M csv json json-asff html
 ```
 
-3 - For a single check use option -c:
+The html report will be located in the `output` directory as the other files and it will look like:
 
-```
-./prowler -c check310
-```
-or for custom profile and region
-```
-./prowler -p custom-profile -r us-east-1 -c check11
-```
-or for a group of checks use group name:
-```
-./prowler -c check3
+![Prowler Execution](https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/html-output.png?raw=True)
+
+You can use `-l`/`--list-checks` or `--list-services` to list all available checks or services within the provider.
+
+```console
+prowler <provider> --list-checks
+prowler <provider> --list-services
 ```
 
-Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
+For executing specific checks or services you can use options `-c`/`--checks` or `-s`/`--services`:
 
-4 - If you want to save your report for later analysis:
-```
-./prowler > prowler-report.txt
-```
-or if you want a colored HTML report do:
-```
-pip install ansi2html
-./prowler | ansi2html -la > report.html
-```
-or if you want a pipe-delimited report file, do:
-```
-./prowler -M csv > output.psv
+```console
+prowler aws --checks s3_bucket_public_access
+prowler aws --services s3 ec2
 ```
 
-5 - To perform an assessment based on CIS Profile Definitions you can use level1 or level2 with `-c` flag, more information about this [here, page 8](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf):
-```
-./prowler -c level1
+Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
+
+```console
+prowler aws --excluded-checks s3_bucket_public_access
+prowler aws --excluded-services s3 ec2
 ```
 
-6 - If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`):
+You can always use `-h`/`--help` to access to the usage information and all the possible options:
 
-```
-grep -E '^\[([0-9A-Aa-z_-]+)\]'  ~/.aws/credentials | tr -d '][' | shuf |  \
-xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv  2> /dev/null  >> all-accounts.csv
+```console
+prowler -h
 ```
 
-7 - For help use:
-
+## Checks Configurations
+Several Prowler's checks have user configurable variables that can be modified in a common **configuration file**.
+This file can be found in the following path:
 ```
-./prowler -h
-
-USAGE:
-      prowler -p <profile> -r <region> [ -h ]
-  Options:
-      -p <profile>        specify your AWS profile to use (i.e.: default)
-      -r <region>         specify an AWS region to direct API requests to (i.e.: us-east-1), all regions are checked anyway
-      -c <checknum>       specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1, check3 for entire section 3 or level1 for CIS Level 1 Profile Definitions)
-      -f <filterregion>   specify an AWS region to run checks against (i.e.: us-west-1)
-      -m <maxitems>       specify the maximum number of items to return for long-running requests (default: 100)
-      -M <mode>           output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
-      -k                  keep the credential report
-      -n                  show check numbers to sort easier (i.e.: 1.01 instead of 1.1)
-      -l                  list all available checks only (does not perform any check)
-      -h                  this help
-
-```
-## Fix:
- Check your report and fix the issues following all specific guidelines per check in https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf
-
-## Screenshots
-
-- Sample screenshot of report first lines:
- <img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
-
-- Sample screnshot of single check for check 3.3:
-<img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
-
-- Sample of a full report:
-
-```
-$ ./prowler
-                          _
-  _ __  _ __ _____      _| | ___ _ __
- | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
- | |_) | | | (_) \ V  V /| |  __/ |
- | .__/|_|  \___/ \_/\_/ |_|\___|_|
- |_| CIS based AWS Account Hardening Tool
-
-
-Date: Wed Sep 14 13:30:13 EDT 2016
-
-This report is being generated using credentials below:
-
-AWS-CLI Profile: [default] AWS Region: [us-east-1]
-
---------------------------------------------------------------------------------------
-|                                  GetCallerIdentity                                 |
-+--------------+-------------------------------------------+-------------------------+
-|    Account   |                    Arn                    |         UserId          |
-+--------------+-------------------------------------------+-------------------------+
-|  XXXXXXXXXXXX|  arn:aws:iam::XXXXXXXXXXXX:user/toni      |  XXXXXXXXXXXXXXXXXXXXX  |
-+--------------+-------------------------------------------+-------------------------+
-
-Colors Code for results:  INFORMATIVE, OK (RECOMMENDED VALUE),  CRITICAL (FIX REQUIRED)
-
-
-Generating AWS IAM Credential Report....COMPLETE
-
-
- 1 Identity and Access Management *********************************
-
- 1.1 Avoid the use of the root account (Scored). Last time root account was used
-     (password last used, access_key_1_last_used, access_key_2_last_used):
-      2016-08-11T20:59:27+00:00, N/A, N/A
-
- 1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
-     List of users with Password enabled but MFA disabled:
-      toni
-
- 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)
-     User list:
-      toni
-
- 1.4 Ensure access keys are rotated every 90 days or less (Scored)
-     Users with access key 1 older than 90 days:
-      <root_account>
-     Users with access key 2 older than 90 days:
-
- 1.5 Ensure IAM password policy requires at least one uppercase letter (Scored)
-      FALSE
-
- 1.6 Ensure IAM password policy require at least one lowercase letter (Scored)
-      FALSE
-
- 1.7 Ensure IAM password policy require at least one symbol (Scored)
-      FALSE
-
- 1.8 Ensure IAM password policy require at least one number (Scored)
-      FALSE
-
- 1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
-      FALSE
-
- 1.10 Ensure IAM password policy prevents password reuse (Scored)
-      FALSE
-
- 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
-      FALSE
-
- 1.12 Ensure no root account access key exists (Scored)
-      Found access key 1
-      OK  No access key 2 found
-
- 1.13 Ensure hardware MFA is enabled for the root account (Scored)
-      OK
-
- 1.14 Ensure security questions are registered in the AWS account (Not Scored)
-      No command available for check 1.14
-      Login to the AWS Console as root, click on the Account
-      Name -> My Account -> Configure Security Challenge Questions
-
- 1.15 Ensure IAM policies are attached only to groups or roles (Scored)
-      Users with policy attached to them instead to groups: (it may take few seconds...)
-      toni
-
-
- 2 Logging ********************************************************
-
- 2.1 Ensure CloudTrail is enabled in all regions (Scored)
-      FALSE
-
- 2.2 Ensure CloudTrail log file validation is enabled (Scored)
-      FALSE
-
- 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
-      WARNING! CloudTrail bucket doesn't exist!
-
- 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
-      WARNING! No CloudTrail trails found!
-
- 2.5 Ensure AWS Config is enabled in all regions (Scored)
-      WARNING! Region ap-south-1 has AWS Config disabled or not configured
-      WARNING! Region eu-west-1 has AWS Config disabled or not configured
-      WARNING! Region ap-southeast-1 has AWS Config disabled or not configured
-      WARNING! Region ap-southeast-2 has AWS Config disabled or not configured
-      WARNING! Region eu-central-1 has AWS Config disabled or not configured
-      WARNING! Region ap-northeast-2 has AWS Config disabled or not configured
-      WARNING! Region ap-northeast-1 has AWS Config disabled or not configured
-      WARNING! Region us-east-1 has AWS Config disabled or not configured
-      WARNING! Region sa-east-1 has AWS Config disabled or not configured
-      WARNING! Region us-west-1 has AWS Config disabled or not configured
-      WARNING! Region us-west-2 has AWS Config disabled or not configured
-
- 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
-      WARNING! CloudTrail bucket doesn't exist!
-
- 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
-      WARNING! CloudTrail bucket doesn't exist!
-
- 2.8 Ensure rotation for customer created CMKs is enabled (Scored)
-      Region ap-south-1 doesn't have encryption keys
-      Region eu-west-1 doesn't have encryption keys
-      Region ap-southeast-1 doesn't have encryption keys
-      Region ap-southeast-2 doesn't have encryption keys
-      Region eu-central-1 doesn't have encryption keys
-      Region ap-northeast-2 doesn't have encryption keys
-      Region ap-northeast-1 doesn't have encryption keys
-      WARNING! Key a0e988df-bc84-423f-996c-XXXX in Region us-east-1 is not set to rotate!
-      Region sa-east-1 doesn't have encryption keys
-      Region us-west-1 doesn't have encryption keys
-      Region us-west-2 doesn't have encryption keys
-
-
- 3 Monitoring *****************************************************
-
- 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
-      WARNING! No CloudWatch group found, no metric filters or alarms associated
-
- 3.15 Ensure security contact information is registered (Scored)
-      No command available for check 3.15
-      Login to the AWS Console, click on My Account
-      Go to Alternate Contacts -> make sure Security section is filled
-
- 3.16 Ensure appropriate subscribers to each SNS topic (Not Scored)
-      Region ap-south-1 doesn't have topics
-      Region eu-west-1 doesn't have topics
-      Region ap-southeast-1 doesn't have topics
-      Region ap-southeast-2 doesn't have topics
-      Region eu-central-1 doesn't have topics
-      Region ap-northeast-2 doesn't have topics
-      Region ap-northeast-1 doesn't have topics
-      Region us-east-1 doesn't have topics
-      Region sa-east-1 doesn't have topics
-      Region us-west-1 doesn't have topics
-      Region us-west-2 doesn't have topics
-
-
- 4 Networking **************************************************
-
- 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
-      OK, No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in us-east-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0
-
- 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
-      OK, No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in us-east-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0
-      OK, No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0
-
- 4.3 Ensure VPC Flow Logging is Enabled in all Applicable Regions (Scored)
-      WARNING! no VPCFlowLog has been found in Region ap-south-1
-      WARNING! no VPCFlowLog has been found in Region eu-west-1
-      WARNING! no VPCFlowLog has been found in Region ap-southeast-1
-      WARNING! no VPCFlowLog has been found in Region ap-southeast-2
-      WARNING! no VPCFlowLog has been found in Region eu-central-1
-      WARNING! no VPCFlowLog has been found in Region ap-northeast-2
-      WARNING! no VPCFlowLog has been found in Region ap-northeast-1
-      WARNING! no VPCFlowLog has been found in Region us-east-1
-      WARNING! no VPCFlowLog has been found in Region sa-east-1
-      WARNING! no VPCFlowLog has been found in Region us-west-1
-      WARNING! no VPCFlowLog has been found in Region us-west-2
-
- 4.4 Ensure the default security group restricts all traffic (Scored)
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1
-      OK, no Default Security Groups open to 0.0.0.0 found in Region us-east-1
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1
-      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1
-      OK, no Default Security Groups open to 0.0.0.0 found in Region us-west-2
-
- - For more information and reference:
-   https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+prowler/config/config.yaml
 ```
 
-## Troubleshooting
+## AWS
 
-### STS expired token
-If you are using an STS token for AWS-CLI and your session is expired you probably get this error:
+Use a custom AWS profile with `-p`/`--profile` and/or AWS regions which you want to audit with `-f`/`--filter-region`:
 
+```console
+prowler aws --profile custom-profile -f us-east-1 eu-south-2
 ```
-A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
+> By default, `prowler` will scan all AWS regions.
+
+## Azure
+
+With Azure you need to specify which auth method is going to be used:
+
+```console
+prowler azure [--sp-env-auth, --az-cli-auth, --browser-auth, --managed-identity-auth]
 ```
-To fix it, please renew your token by authenticating again to the AWS API.
+> By default, `prowler` will scan all Azure subscriptions.
 
-### Custom IAM Policy
-Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list, not change!) here you go a good example for a "ProwlerPolicyReadOnly":
+## Google Cloud Platform
 
+Optionally, you can provide the location of an application credential JSON file with the following argument:
+
+```console
+prowler gcp --credentials-file path
 ```
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Action": [
-            "acm:describecertificate",
-            "acm:listcertificates",
-            "autoscaling:describe*",
-            "cloudformation:describestack*",
-            "cloudformation:getstackpolicy",
-            "cloudformation:gettemplate",
-            "cloudformation:liststack*",
-            "cloudfront:get*",
-            "cloudfront:list*",
-            "cloudtrail:describetrails",
-            "cloudtrail:gettrailstatus",
-            "cloudtrail:listtags",
-            "cloudwatch:describe*",
-            "cloudwatchlogs:describeloggroups",
-            "cloudwatchlogs:describemetricfilters",
-            "codecommit:batchgetrepositories",
-            "codecommit:getbranch",
-            "codecommit:getobjectidentifier",
-            "codecommit:getrepository",
-            "codecommit:list*",
-            "codedeploy:batch*",
-            "codedeploy:get*",
-            "codedeploy:list*",
-            "config:deliver*",
-            "config:describe*",
-            "config:get*",
-            "datapipeline:describeobjects",
-            "datapipeline:describepipelines",
-            "datapipeline:evaluateexpression",
-            "datapipeline:getpipelinedefinition",
-            "datapipeline:listpipelines",
-            "datapipeline:queryobjects",
-            "datapipeline:validatepipelinedefinition",
-            "directconnect:describe*",
-            "dynamodb:listtables",
-            "ec2:describe*",
-            "ecs:describe*",
-            "ecs:list*",
-            "elasticache:describe*",
-            "elasticbeanstalk:describe*",
-            "elasticloadbalancing:describe*",
-            "elasticmapreduce:describejobflows",
-            "elasticmapreduce:listclusters",
-            "es:describeelasticsearchdomainconfig",
-            "es:listdomainnames",
-            "firehose:describe*",
-            "firehose:list*",
-            "glacier:listvaults",
-            "iam:generatecredentialreport",
-            "iam:get*",
-            "iam:list*",
-            "kms:describe*",
-            "kms:get*",
-            "kms:list*",
-            "lambda:getpolicy",
-            "lambda:listfunctions",
-            "logs:DescribeMetricFilters",
-            "rds:describe*",
-            "rds:downloaddblogfileportion",
-            "rds:listtagsforresource",
-            "redshift:describe*",
-            "route53:getchange",
-            "route53:getcheckeripranges",
-            "route53:getgeolocation",
-            "route53:gethealthcheck",
-            "route53:gethealthcheckcount",
-            "route53:gethealthchecklastfailurereason",
-            "route53:gethostedzone",
-            "route53:gethostedzonecount",
-            "route53:getreusabledelegationset",
-            "route53:listgeolocations",
-            "route53:listhealthchecks",
-            "route53:listhostedzones",
-            "route53:listhostedzonesbyname",
-            "route53:listresourcerecordsets",
-            "route53:listreusabledelegationsets",
-            "route53:listtagsforresource",
-            "route53:listtagsforresources",
-            "route53domains:getdomaindetail",
-            "route53domains:getoperationdetail",
-            "route53domains:listdomains",
-            "route53domains:listoperations",
-            "route53domains:listtagsfordomain",
-            "s3:getbucket*",
-            "s3:getlifecycleconfiguration",
-            "s3:getobjectacl",
-            "s3:getobjectversionacl",
-            "s3:listallmybuckets",
-            "sdb:domainmetadata",
-            "sdb:listdomains",
-            "ses:getidentitydkimattributes",
-            "ses:getidentityverificationattributes",
-            "ses:listidentities",
-            "ses:listverifiedemailaddresses",
-            "ses:sendemail",
-            "sns:gettopicattributes",
-            "sns:listsubscriptionsbytopic",
-            "sns:listtopics",
-            "sqs:getqueueattributes",
-            "sqs:listqueues",
-            "tag:getresources",
-            "tag:gettagkeys"
-        ],
-        "Effect": "Allow",
-        "Resource": "*"
-    }]
-}
-```
+> By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.
 
-### Incremental IAM Policy
+# 📃 License
 
-Alternatively, here is a policy which defines the permissions which are NOT present in the AWS Managed SecurityAudit policy. Attach both this policy and the AWS Managed SecurityAudit policy to the group and you're good to go.  
-
-```
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "acm:DescribeCertificate",
-        "acm:ListCertificates",
-        "cloudwatchlogs:describeLogGroups",
-        "cloudwatchlogs:DescribeMetricFilters",
-        "es:DescribeElasticsearchDomainConfig",
-        "ses:GetIdentityVerificationAttributes",
-        "sns:ListSubscriptionsByTopic"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-```
-
-### Bootstrap Script
-
-Quick bash script to set up a "prowler" IAM user and "SecurityAudit" group with the required permissions. To run the script below, you need user with administrative permissions; set the AWS_DEFAULT_PROFILE to use that account.
-
-```
-export AWS_DEFAULT_PROFILE=default
-export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
-aws iam create-group --group-name SecurityAudit
-aws iam create-policy --policy-name ProwlerAuditAdditions --policy-document file://$(pwd)/prowler-policy-additions.json
-aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
-aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerAuditAdditions
-aws iam create-user --user-name prowler
-aws iam add-user-to-group --user-name prowler --group-name SecurityAudit
-aws iam create-access-key --user-name prowler
-unset ACCOUNT_ID AWS_DEFAULT_PROFILE
-```
-
-The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown.  If you loose it, you will need to generate a replacement.
-
-## Extras
-We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
-At this momment we have 5 extra checks:
-
-- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
-- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
-- 7.3 (`extra73`) Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
-- 7.4 (`extra74`) Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)
-- 7.5 (`extra75`) Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)
-- 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
-- 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
-
-```
-./prowler -c extras
-```
-or to run just one of the checks, to see if you have S3 buckets open:
-```
-./prowler -c extraNUMBER
-```
-
-## Add Custom Checks
-
-In order to add any new check feel free to create a new extra check in the extras section. To do so, you will need to follow these steps:
-
-1. use any existing extra check as reference
-2. add `ID7N` and `TITLE7N`, where N is a new check number part of the extras section (7) around line 361 `# List of checks IDs and Titles`
-3. add your new extra check function name at `callCheck` function (around line 1817) and below in that case inside extras option (around line 1853)
-4. finally add it in `# List only check tittles` around line 1930
-5. save changes and run it as ./prowler -c extraNN
-6. send me a pull request! :)
-
-## Third Party Integrations
-
-### Telegram
-Javier Pecete has done an awesome job integrating Prowler with Telegram, you have more details here https://github.com/i4specete/ServerTelegramBot
-### Cloud Security Suite
-The guys of SecurityFTW have added Prowler in their Cloud Security Suite along with other cool security tools https://github.com/SecurityFTW/cs-suite 
+Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
+<http://www.apache.org/licenses/LICENSE-2.0>

SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Software Security
+As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (FTR)](https://aws.amazon.com/partners/foundational-technical-review/) and we use the following tools and automation to make sure our code is secure and dependencies up-to-dated:
+
+- `bandit` for code security review.
+- `safety` and `dependabot` for dependencies.
+- `hadolint` and `dockle` for our containers security.
+- `snyk` in Docker Hub.
+- `clair` in Amazon ECR.
+- `vulture`, `flake8`, `black` and `pylint` for formatting and best practices.
+
+## Reporting a Vulnerability
+
+If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to help@prowler.pro.
+
+The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+
+We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
+
+You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability.
+
+We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.

contrib/cloud9/cloud9-installation.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Install system dependencies
+sudo yum -y install openssl-devel bzip2-devel libffi-devel gcc
+# Upgrade to Python 3.9
+cd /tmp && wget https://www.python.org/ftp/python/3.9.13/Python-3.9.13.tgz
+tar zxf Python-3.9.13.tgz
+cd Python-3.9.13/ || exit
+./configure --enable-optimizations
+sudo make altinstall
+python3.9 --version
+# Install Prowler
+cd ~ || exit
+python3.9 -m pip install prowler-cloud
+prowler -v
+# Run Prowler
+prowler

contrib/cloudshell/cloudshell-installation.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Install system dependencies
+sudo yum -y install openssl-devel bzip2-devel libffi-devel gcc
+# Upgrade to Python 3.9
+cd /tmp && wget https://www.python.org/ftp/python/3.9.13/Python-3.9.13.tgz
+tar zxf Python-3.9.13.tgz
+cd Python-3.9.13/ || exit
+./configure --enable-optimizations
+sudo make altinstall
+python3.9 --version
+# Install Prowler
+cd ~ || exit
+python3.9 -m pip install prowler-cloud
+prowler -v
+# Run Prowler
+prowler

contrib/codebuild/codebuild-prowlerv2-audit-account-cfn.yaml

@@ -0,0 +1,384 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates a CodeBuild project to audit an AWS account with Prowler Version 2 and stores the html report in a S3 bucket. This will run onece at the beginning and on a schedule afterwards. Partial contribution from https://github.com/stevecjones
+Parameters:
+  ServiceName:
+    Description: 'Specifies the service name used within component naming'
+    Type: String
+    Default: 'prowler'
+
+  LogsRetentionInDays:
+    Description: 'Specifies the number of days you want to retain CodeBuild run log events in the specified log group. Junit reports are kept for 30 days, HTML reports in S3 are not deleted'
+    Type: Number
+    Default: 3
+    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 180, 365]
+
+  ProwlerOptions:
+    Description: 'Options to pass to Prowler command, make sure at least -M junit-xml is used for CodeBuild reports. Use -r for the region to send API queries, -f to filter only one region, -M output formats, -c for comma separated checks, for all checks do not use -c or -g, for more options see -h. For a complete assessment use  "-M text,junit-xml,html,csv,json", for SecurityHub integration use "-r region -f region -M text,junit-xml,html,csv,json,json-asff -S -q"'
+    Type: String
+    # Prowler command below runs a set of checks, configure it base on your needs, no options will run all regions all checks.
+    # option -M junit-xml is required in order to get the report in CodeBuild.
+    Default: -r eu-west-1 -f eu-west-1 -M text,junit-xml,html,csv,json -c check11,check12,check13,check14
+
+  ProwlerScheduler:
+    Description: The time when Prowler will run in cron format. Default is daily at 22:00h or 10PM 'cron(0 22 * * ? *)', for every 5 hours also works 'rate(5 hours)'. More info here https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html.
+    Type: String
+    Default: 'cron(0 22 * * ? *)'
+
+Resources:
+  CodeBuildStartBuild:
+    Type: 'Custom::CodeBuildStartBuild'
+    DependsOn:
+      - CodeBuildLogPolicy
+      - CodeBuildStartLogPolicy
+    Properties:
+      Build: !Ref ProwlerCodeBuild
+      ServiceToken: !GetAtt CodeBuildStartBuildLambda.Arn
+
+  CodeBuildStartBuildLambdaRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: !Sub lambda.${AWS::URLSuffix}
+            Action: 'sts:AssumeRole'
+      Description: !Sub 'DO NOT DELETE - Used by Lambda. Created by CloudFormation Stack ${AWS::StackId}'
+      Policies:
+        - PolicyName: StartBuildInline
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action: 'codebuild:StartBuild'
+                Resource: !GetAtt ProwlerCodeBuild.Arn
+
+  CodeBuildStartBuildLambda:
+    Type: 'AWS::Lambda::Function'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: 'This Lambda has permissions to write Logs'
+          - id: W89
+            reason: 'VPC is not needed'
+          - id: W92
+            reason: 'ReservedConcurrentExecutions not needed'
+    Properties:
+      Handler: index.lambda_handler
+      MemorySize: 128
+      Role: !Sub ${CodeBuildStartBuildLambdaRole.Arn}
+      Timeout: 120
+      Runtime: python3.9
+      Code:
+        ZipFile: |
+          import boto3
+          import cfnresponse
+          from botocore.exceptions import ClientError
+
+          def lambda_handler(event,context):
+            props = event['ResourceProperties']
+            codebuild_client = boto3.client('codebuild')
+
+            if (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'):
+              try:
+                  response = codebuild_client.start_build(projectName=props['Build'])
+                  print(response)
+                  print("Respond: SUCCESS")
+                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
+              except Exception as ex:
+                  print(ex.response['Error']['Message'])
+                  cfnresponse.send(event, context, cfnresponse.FAILED, ex.response)
+            else:
+              cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
+
+  CodeBuildStartLogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      LogGroupName: !Sub '/aws/lambda/${CodeBuildStartBuildLambda}'
+      RetentionInDays: !Ref LogsRetentionInDays
+
+  CodeBuildStartLogPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action:
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource: !GetAtt CodeBuildStartLogGroup.Arn
+      PolicyName: LogGroup
+      Roles:
+        - !Ref CodeBuildStartBuildLambdaRole
+
+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W35
+            reason: 'S3 Access Logging is not needed'
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Sub '${ServiceName}-${AWS::AccountId}-S3-Prowler-${AWS::StackName}'
+      BucketName: !Sub '${ServiceName}-reports-${AWS::Region}-prowler-${AWS::AccountId}'
+      AccessControl: LogDeliveryWrite
+      VersioningConfiguration:
+        Status: Enabled
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+
+  ArtifactBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref ArtifactBucket
+      PolicyDocument:
+        Id: Content
+        Version: '2012-10-17'
+        Statement:
+          - Action: '*'
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+            Effect: Deny
+            Principal: '*'
+            Resource: !Sub '${ArtifactBucket.Arn}/*'
+            Sid: S3ForceSSL
+          - Action: 's3:PutObject'
+            Condition:
+              'Null':
+                s3:x-amz-server-side-encryption: true
+            Effect: Deny
+            Principal: '*'
+            Resource: !Sub '${ArtifactBucket.Arn}/*'
+            Sid: DenyUnEncryptedObjectUploads
+
+  CodeBuildServiceRole:
+    Type: AWS::IAM::Role
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: 'Role complies with the least privilege principle.'
+    Properties:
+      Description: !Sub 'DO NOT DELETE - Used by CodeBuild. Created by CloudFormation Stack ${AWS::StackId}'
+      ManagedPolicyArns:
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/SupportUser'
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess'
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: !Sub codebuild.${AWS::URLSuffix}
+      Policies:
+        - PolicyName: S3
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - s3:PutObject
+                  - s3:GetObject
+                  - s3:GetObjectVersion
+                  - s3:GetBucketAcl
+                  - s3:GetBucketLocation
+                Effect: Allow
+                Resource: !Sub '${ArtifactBucket.Arn}/*'
+        - PolicyName: ProwlerAdditions
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - ds:ListAuthorizedApplications
+                  - ec2:GetEbsEncryptionByDefault
+                  - ecr:Describe*
+                  - elasticfilesystem:DescribeBackupPolicy
+                  - glue:GetConnections
+                  - glue:GetSecurityConfiguration
+                  - glue:SearchTables
+                  - lambda:GetFunction
+                  - s3:GetAccountPublicAccessBlock
+                  - shield:DescribeProtection
+                  - shield:GetSubscriptionState
+                  - ssm:GetDocument
+                  - support:Describe*
+                  - tag:GetTagKeys
+                Effect: Allow
+                Resource: '*'
+        - PolicyName: CodeBuild
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - codebuild:CreateReportGroup
+                  - codebuild:CreateReport
+                  - codebuild:UpdateReport
+                  - codebuild:BatchPutTestCases
+                  - codebuild:BatchPutCodeCoverages
+                Effect: Allow
+                Resource: !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*'
+        - PolicyName: SecurityHubBatchImportFindings
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action: securityhub:BatchImportFindings
+                Effect: Allow
+                Resource: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::product/prowler/prowler'
+
+  CodeBuildLogPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action:
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource: !GetAtt ProwlerLogGroup.Arn
+      PolicyName: LogGroup
+      Roles:
+        - !Ref CodeBuildServiceRole
+
+  CodeBuildAssumePolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Resource: !GetAtt CodeBuildServiceRole.Arn
+      PolicyName: AssumeRole
+      Roles:
+        - !Ref CodeBuildServiceRole
+
+  ProwlerCodeBuild:
+    Type: AWS::CodeBuild::Project
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W32
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      Artifacts:
+        Type: NO_ARTIFACTS
+      ConcurrentBuildLimit: 1
+      SourceVersion: prowler-2
+      Source:
+        GitCloneDepth: 1
+        Location: https://github.com/prowler-cloud/prowler
+        Type: GITHUB
+        ReportBuildStatus: false
+        BuildSpec: |
+          version: 0.2
+          phases:
+            install:
+              runtime-versions:
+                python: 3.9
+              commands:
+                - echo "Installing Prowler and dependencies..."
+                - pip3 install detect-secrets
+            build:
+              commands:
+                - echo "Running Prowler as ./prowler $PROWLER_OPTIONS"
+                - ./prowler $PROWLER_OPTIONS
+            post_build:
+              commands:
+                - echo "Uploading reports to S3..."
+                - aws s3 cp --sse AES256 output/ s3://$BUCKET_REPORT/ --recursive
+                - echo "Done!"
+          reports:
+            prowler:
+              files:
+                - '**/*'
+              base-directory: 'junit-reports'
+              file-format: JunitXml
+      Environment:
+        # AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
+        # BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
+        # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
+        # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
+        # BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+        Type: "LINUX_CONTAINER"
+        EnvironmentVariables:
+          - Name: BUCKET_REPORT
+            Value: !Ref ArtifactBucket
+            Type: PLAINTEXT
+          - Name: PROWLER_OPTIONS
+            Value: !Ref ProwlerOptions
+            Type: PLAINTEXT
+      Description: Run Prowler assessment
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 300
+
+  ProwlerLogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      LogGroupName: !Sub '/aws/codebuild/${ProwlerCodeBuild}'
+      RetentionInDays: !Ref LogsRetentionInDays
+
+  EventBridgeServiceRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: !Sub 'DO NOT DELETE - Used by EventBridge. Created by CloudFormation Stack ${AWS::StackId}'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: !Sub events.${AWS::URLSuffix}
+      Policies:
+        - PolicyName: CodeBuild
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action: 'codebuild:StartBuild'
+                Resource: !GetAtt ProwlerCodeBuild.Arn
+
+  ProwlerSchedule:
+    Type: 'AWS::Events::Rule'
+    Properties:
+      Description: A schedule to trigger Prowler in CodeBuild
+      ScheduleExpression: !Ref ProwlerScheduler
+      State: ENABLED
+      Targets:
+        - Arn: !GetAtt ProwlerCodeBuild.Arn
+          Id: ProwlerSchedule
+          RoleArn: !GetAtt EventBridgeServiceRole.Arn
+
+Outputs:
+  ArtifactBucketName:
+    Description: Artifact Bucket Name
+    Value: !Ref ArtifactBucket

contrib/codebuild/codebuild-prowlerv3-audit-account-cfn.yaml

@@ -0,0 +1,398 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates a CodeBuild project to audit an AWS account with Prowler Version 2 and stores the html report in a S3 bucket. This will run onece at the beginning and on a schedule afterwards. Partial contribution from https://github.com/stevecjones
+Parameters:
+  ServiceName:
+    Description: 'Specifies the service name used within component naming'
+    Type: String
+    Default: 'prowler'
+
+  LogsRetentionInDays:
+    Description: 'Specifies the number of days you want to retain CodeBuild run log events in the specified log group. Junit reports are kept for 30 days, HTML reports in S3 are not deleted'
+    Type: Number
+    Default: 3
+    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 180, 365]
+
+  ProwlerOptions:
+    Description: 'Options to pass to Prowler command, use -f to filter specific regions, -c for specific checks, -s for specific services, for SecurityHub integration use "-f shub_region -S", for more options see -h. For a complete assessment leave this empty.'
+    Type: String
+    # Prowler command below runs a set of checks, configure it base on your needs, no options will run all regions all checks.
+    Default: -f eu-west-1 -s s3 iam ec2
+
+  ProwlerScheduler:
+    Description: The time when Prowler will run in cron format. Default is daily at 22:00h or 10PM 'cron(0 22 * * ? *)', for every 5 hours also works 'rate(5 hours)'. More info here https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html.
+    Type: String
+    Default: 'cron(0 22 * * ? *)'
+
+Resources:
+  CodeBuildStartBuild:
+    Type: 'Custom::CodeBuildStartBuild'
+    DependsOn:
+      - CodeBuildLogPolicy
+      - CodeBuildStartLogPolicy
+    Properties:
+      Build: !Ref ProwlerCodeBuild
+      ServiceToken: !GetAtt CodeBuildStartBuildLambda.Arn
+
+  CodeBuildStartBuildLambdaRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: !Sub lambda.${AWS::URLSuffix}
+            Action: 'sts:AssumeRole'
+      Description: !Sub 'DO NOT DELETE - Used by Lambda. Created by CloudFormation Stack ${AWS::StackId}'
+      Policies:
+        - PolicyName: StartBuildInline
+          PolicyDocument:
+            Statement:
+              - Effect: Allow
+                Action: 'codebuild:StartBuild'
+                Resource: !GetAtt ProwlerCodeBuild.Arn
+
+  CodeBuildStartBuildLambda:
+    Type: 'AWS::Lambda::Function'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W58
+            reason: 'This Lambda has permissions to write Logs'
+          - id: W89
+            reason: 'VPC is not needed'
+          - id: W92
+            reason: 'ReservedConcurrentExecutions not needed'
+    Properties:
+      Handler: index.lambda_handler
+      MemorySize: 128
+      Role: !Sub ${CodeBuildStartBuildLambdaRole.Arn}
+      Timeout: 120
+      Runtime: python3.9
+      Code:
+        ZipFile: |
+          import boto3
+          import cfnresponse
+          from botocore.exceptions import ClientError
+
+          def lambda_handler(event,context):
+            props = event['ResourceProperties']
+            codebuild_client = boto3.client('codebuild')
+
+            if (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'):
+              try:
+                  response = codebuild_client.start_build(projectName=props['Build'])
+                  print(response)
+                  print("Respond: SUCCESS")
+                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
+              except Exception as ex:
+                  print(ex.response['Error']['Message'])
+                  cfnresponse.send(event, context, cfnresponse.FAILED, ex.response)
+            else:
+              cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
+
+  CodeBuildStartLogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      LogGroupName: !Sub '/aws/lambda/${CodeBuildStartBuildLambda}'
+      RetentionInDays: !Ref LogsRetentionInDays
+
+  CodeBuildStartLogPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action:
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource: !GetAtt CodeBuildStartLogGroup.Arn
+      PolicyName: LogGroup
+      Roles:
+        - !Ref CodeBuildStartBuildLambdaRole
+
+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W35
+            reason: 'S3 Access Logging is not needed'
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Sub '${ServiceName}-${AWS::AccountId}-S3-Prowler-${AWS::StackName}'
+      BucketName: !Sub '${ServiceName}-reports-${AWS::Region}-prowler-${AWS::AccountId}'
+      AccessControl: LogDeliveryWrite
+      VersioningConfiguration:
+        Status: Enabled
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+
+  ArtifactBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref ArtifactBucket
+      PolicyDocument:
+        Id: Content
+        Version: '2012-10-17'
+        Statement:
+          - Action: '*'
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+            Effect: Deny
+            Principal: '*'
+            Resource: !Sub '${ArtifactBucket.Arn}/*'
+            Sid: S3ForceSSL
+          - Action: 's3:PutObject'
+            Condition:
+              'Null':
+                s3:x-amz-server-side-encryption: true
+            Effect: Deny
+            Principal: '*'
+            Resource: !Sub '${ArtifactBucket.Arn}/*'
+            Sid: DenyUnEncryptedObjectUploads
+
+  CodeBuildServiceRole:
+    Type: AWS::IAM::Role
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: 'Role complies with the least privilege principle.'
+    Properties:
+      Description: !Sub 'DO NOT DELETE - Used by CodeBuild. Created by CloudFormation Stack ${AWS::StackId}'
+      ManagedPolicyArns:
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/SupportUser'
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess'
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: !Sub codebuild.${AWS::URLSuffix}
+      Policies:
+        - PolicyName: S3
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - s3:PutObject
+                  - s3:GetObject
+                  - s3:GetObjectVersion
+                  - s3:GetBucketAcl
+                  - s3:GetBucketLocation
+                Effect: Allow
+                Resource: !Sub '${ArtifactBucket.Arn}/*'
+        - PolicyName: ProwlerAdditions
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                - account:Get*
+                - appstream:Describe*
+                - codeartifact:List*
+                - codebuild:BatchGet*
+                - ds:Get*
+                - ds:Describe*
+                - ds:List*
+                - ec2:GetEbsEncryptionByDefault
+                - ecr:Describe*
+                - elasticfilesystem:DescribeBackupPolicy
+                - glue:GetConnections
+                - glue:GetSecurityConfiguration*
+                - glue:SearchTables
+                - lambda:GetFunction*
+                - macie2:GetMacieSession
+                - s3:GetAccountPublicAccessBlock
+                - s3:GetPublicAccessBlock
+                - shield:DescribeProtection
+                - shield:GetSubscriptionState
+                - securityhub:BatchImportFindings
+                - securityhub:GetFindings
+                - ssm:GetDocument
+                - support:Describe*
+                - tag:GetTagKeys
+                Effect: Allow
+                Resource: '*'
+        - PolicyName: ProwlerAdditionsApiGW
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                - apigateway:GET
+                Effect: Allow
+                Resource: 'arn:aws:apigateway:*::/restapis/*'
+        - PolicyName: CodeBuild
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - codebuild:CreateReportGroup
+                  - codebuild:CreateReport
+                  - codebuild:UpdateReport
+                  - codebuild:BatchPutTestCases
+                  - codebuild:BatchPutCodeCoverages
+                Effect: Allow
+                Resource: !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*'
+        - PolicyName: SecurityHubBatchImportFindings
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action: securityhub:BatchImportFindings
+                Effect: Allow
+                Resource: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::product/prowler/prowler'
+
+  CodeBuildLogPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action:
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource: !GetAtt ProwlerLogGroup.Arn
+      PolicyName: LogGroup
+      Roles:
+        - !Ref CodeBuildServiceRole
+
+  CodeBuildAssumePolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Resource: !GetAtt CodeBuildServiceRole.Arn
+      PolicyName: AssumeRole
+      Roles:
+        - !Ref CodeBuildServiceRole
+
+  ProwlerCodeBuild:
+    Type: AWS::CodeBuild::Project
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W32
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      Artifacts:
+        Type: NO_ARTIFACTS
+      ConcurrentBuildLimit: 1
+      Source:
+        Type: NO_SOURCE
+        BuildSpec: |
+          version: 0.2
+          phases:
+            install:
+              runtime-versions:
+                python: 3.9
+              commands:
+                - echo "Installing Prowler..."
+                - pip3 install prowler
+            build:
+              commands:
+                - echo "Running Prowler as prowler $PROWLER_OPTIONS"
+                - prowler $PROWLER_OPTIONS
+            post_build:
+              commands:
+                - echo "Uploading reports to S3..."
+                - aws s3 cp --sse AES256 output/ s3://$BUCKET_REPORT/ --recursive
+                - echo "Done!"
+          # Currently not supported in Version 3
+          # reports:
+          #   prowler:
+          #     files:
+          #       - '**/*'
+          #     base-directory: 'junit-reports'
+          #     file-format: JunitXml
+      Environment:
+        # AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
+        # BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
+        # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
+        # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
+        # BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+        Type: "LINUX_CONTAINER"
+        EnvironmentVariables:
+          - Name: BUCKET_REPORT
+            Value: !Ref ArtifactBucket
+            Type: PLAINTEXT
+          - Name: PROWLER_OPTIONS
+            Value: !Ref ProwlerOptions
+            Type: PLAINTEXT
+      Description: Run Prowler assessment
+      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
+      TimeoutInMinutes: 300
+
+  ProwlerLogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W84
+            reason: 'KMS encryption is not needed.'
+    Properties:
+      LogGroupName: !Sub '/aws/codebuild/${ProwlerCodeBuild}'
+      RetentionInDays: !Ref LogsRetentionInDays
+
+  EventBridgeServiceRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: !Sub 'DO NOT DELETE - Used by EventBridge. Created by CloudFormation Stack ${AWS::StackId}'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: !Sub events.${AWS::URLSuffix}
+      Policies:
+        - PolicyName: CodeBuild
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action: 'codebuild:StartBuild'
+                Resource: !GetAtt ProwlerCodeBuild.Arn
+
+  ProwlerSchedule:
+    Type: 'AWS::Events::Rule'
+    Properties:
+      Description: A schedule to trigger Prowler in CodeBuild
+      ScheduleExpression: !Ref ProwlerScheduler
+      State: ENABLED
+      Targets:
+        - Arn: !GetAtt ProwlerCodeBuild.Arn
+          Id: ProwlerSchedule
+          RoleArn: !GetAtt EventBridgeServiceRole.Arn
+
+Outputs:
+  ArtifactBucketName:
+    Description: Artifact Bucket Name
+    Value: !Ref ArtifactBucket

contrib/k8s/README.md

@@ -0,0 +1,11 @@
+## K8S - Cronjob
+Simple instructions to add a cronjob on K8S to execute a prowler and save the results on AWS S3.
+
+### Files:
+cronjob.yml ---> is a **cronjob** for K8S, you must set the frequency and probes from yours scans \
+secret.yml -----> is a **secret** file with AWS ID/Secret and the name of bucket
+
+### To apply:
+
+`$ kubectl -f cronjob.yml` \
+`$ kubectl -f secret.yml`

contrib/k8s/cronjob.yml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: devsecops-prowler-cronjob-secret
+  namespace: defectdojo
+spec:
+#Cron Time is set according to server time, ensure server time zone and set accordingly.
+  successfulJobsHistoryLimit: 2
+  failedJobsHistoryLimit: 1
+  schedule: "5 3 * * 0,2,4"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: prowler
+            image: toniblyx/prowler:latest
+            imagePullPolicy: Always
+            command:
+            - "./prowler.py"
+            args: [ "-B", "$(awsS3Bucket)" ]
+            env:
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name:  devsecops-prowler-cronjob-secret
+                  key: awsId
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name:  devsecops-prowler-cronjob-secret
+                  key: awsSecretKey
+            - name: awsS3Bucket
+              valueFrom:
+                secretKeyRef:
+                  name:  devsecops-prowler-cronjob-secret
+                  key: awsS3Bucket
+            imagePullPolicy: IfNotPresent
+          restartPolicy: OnFailure
+      backoffLimit: 3

contrib/k8s/secret.yml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: devsecops-prowler-cronjob-secret
+  namespace: defectdojo
+type: Opaque
+stringData:
+  awsId: myAWSSecretID
+  awsSecretKey: myAWSSecretKey
+  awsS3Bucket: myAWSS3Bucket

contrib/multi-account-securityhub/.awsvariables

@@ -0,0 +1,3 @@
+export ROLE=ProwlerXA-Role
+export PARALLEL_ACCOUNTS=1
+export REGION=us-east-1

contrib/multi-account-securityhub/Dockerfile

@@ -0,0 +1,24 @@
+# Build command
+# docker build --platform=linux/amd64  --no-cache -t prowler:latest .
+
+ARG PROWLER_VERSION=latest
+
+FROM toniblyx/prowler:${PROWLER_VERSION}
+
+USER 0
+# hadolint ignore=DL3018
+RUN apk --no-cache add bash aws-cli jq
+
+ARG MULTI_ACCOUNT_SECURITY_HUB_PATH=/home/prowler/multi-account-securityhub
+
+USER prowler
+
+# Move script and environment variables
+RUN mkdir "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"
+COPY --chown=prowler:prowler .awsvariables run-prowler-securityhub.sh  "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/
+RUN chmod 500 "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/run-prowler-securityhub.sh & \
+    chmod 400 "${MULTI_ACCOUNT_SECURITY_HUB_PATH}"/.awsvariables
+
+WORKDIR ${MULTI_ACCOUNT_SECURITY_HUB_PATH}
+
+ENTRYPOINT ["./run-prowler-securityhub.sh"]

contrib/multi-account-securityhub/README.md

@@ -0,0 +1,94 @@
+# Example Solution:  Serverless Organizational Prowler Deployment with SecurityHub
+
+Deploys [Prowler](https://github.com/prowler-cloud/prowler) with AWS Fargate to assess all Accounts in an AWS Organization on a schedule, and sends the results to Security Hub.
+
+## Context
+Originally based on [org-multi-account](https://github.com/prowler-cloud/prowler/tree/master/util/org-multi-account), but changed in the following ways:
+
+ - No HTML reports and no S3 buckets
+ - Findings sent directly to Security Hub using the native integration
+ - AWS Fargate Task with EventBridge Rule instead of EC2 instance with cronjob
+ - Based on amazonlinux:2022 to leverage "wait -n" for improved parallelization as new jobs are launched as one finishes
+
+## Architecture Explanation
+
+ The solution is designed to be very simple. Prowler is run via an ECS Task definition that launches a single Fargate container. This Task Definition is executed on a schedule using an EventBridge Rule.
+
+## CloudFormation Templates
+
+ ### CF-Prowler-IAM.yml
+Creates the following IAM Roles:
+
+ 1. **ECSExecutionRole**: Required for the Task Definition to be able to fetch the container image from ECR and launch the container.
+ 2. **ProwlerTaskRole**: Role that the container itself runs with. It allows it to assume the ProwlerCrossAccountRole.
+ 3. **ECSEventRoleName**: Required for the EventBridge Rule to execute the Task Definition.
+
+### CF-Prowler-ECS.yml
+Creates the following resources:
+
+ 1. **ProwlerECSCluster**: Cluster to be used to execute the Task Definition.
+ 2. **ProwlerECSCloudWatchLogsGroup**: Log group for the Prowler container logs. This is required because it's the only log driver supported by Fargate. The Prowler executable logs are suppressed to prevent unnecessary logs, but error logs are kept for debugging.
+ 3. **ProwlerECSTaskDefinition**: Task Definition for the Fargate container. CPU and memory can be increased as needed. In my experience, 1 CPU per parallel Prowler job is ideal, but further performance testing may be required to find the optimal configuration for a specific organization. Enabling container insights helps a lot with this.
+ 4. **ProwlerSecurityGroup**: Security Group for the container. It only allows TCP 443 outbound, as it is the only port needed for awscli.
+ 5. **ProwlerTaskScheduler**: EventBridge Rule that schedules the execution of the Task Definition. The cron expression is specified as a CloudFormation template parameter.
+
+### CF-Prowler-CrossAccountRole.yml
+Creates the cross account IAM Role required for Prowler to run. Deploy it as StackSet in every account in the AWS Organization.
+
+## Docker Container
+
+### Dockerfile
+The Dockerfile does the following:
+ 1. Uses amazonlinux:2022 as a base.
+ 2. Downloads required dependencies.
+ 3. Copies the .awsvariables and run-prowler-securityhub.sh files into the root.
+ 4. Downloads the specified version of Prowler as recommended in the release notes.
+ 5. Assigns permissions to a lower privileged user and then drops to it.
+ 6. Runs the script.
+
+### .awsvariables
+The .awsvariables file is used to pass required configuration to the script:
+
+ 1. **ROLE**: The cross account Role to be assumed for the Prowler assessments.
+ 2. **PARALLEL_ACCOUNTS**: The number of accounts to be scanned in parallel.
+ 3. **REGION**: Region where Prowler will run its assessments.
+
+### run-prowler-securityhub.sh
+The script gets the list of accounts in AWS Organizations, and then executes Prowler as a job for each account, up to PARALLEL_ACCOUNT accounts at the same time.
+The logs that are generated and sent to Cloudwatch are error logs, and assessment start and finish logs.
+
+## Instructions
+ 1. Create a Private ECR Repository in the account that will host the Prowler container. The Audit account is recommended, but any account can be used.
+ 2.  Configure the .awsvariables file. Note the ROLE name chosen as it will be the CrossAccountRole.
+ 3. Follow the steps from "View Push Commands" to build and upload the container image. You need to have Docker and AWS CLI installed, and use the cli to login to the account first.  After upload note the Image URI, as it is required for the CF-Prowler-ECS template.
+ 4.  Make sure SecurityHub is enabled in every account in AWS Organizations, and that the SecurityHub integration is enabled as explained in [Prowler - Security Hub Integration](https://github.com/prowler-cloud/prowler#security-hub-integration)
+ 5. Deploy **CF-Prowler-CrossAccountRole.yml** in the Master Account as a single stack. You will have to choose the CrossAccountRole name (ProwlerXA-Role by default) and the ProwlerTaskRoleName (ProwlerECSTask-Role by default)
+ 6. Deploy **CF-Prowler-CrossAccountRole.yml** in every Member Account as a StackSet. Choose the same CrossAccountName and ProwlerTaskRoleName as the previous step.
+ 7. Deploy **CF-Prowler-IAM.yml** in the account that will host the Prowler container (the same from step 1).  The following template parameters must be provided:
+    - **ProwlerCrossAccountRoleName**: Name of the from CF-Prowler-CrossAccountRole (default ProwlerXA-Role).
+    - **ECSExecutionRoleName**: Name for the ECS Task Execution Role (default ECSTaskExecution-Role).
+    - **ProwlerTaskRoleName**: Name for the ECS Prowler Task Role (default ProwlerECSTask-Role).
+    - **ECSEventRoleName**: Name for the Eventbridge Task Role (default ProwlerEvents-Role).
+ 8. Deploy **CF-Prowler-ECS.yml** in the account that will host the Prowler container (the same from step 1).  The following template parameters must be provided:
+	- **ProwlerClusterName**: Name for the ECS Cluster (default ProwlerCluster)
+	- **ProwlerContainerName**: Name for the Prowler container (default prowler)
+	- **ProwlerContainerInfo**: ECR URI from step 1.
+	- **ProwlerECSLogGroupName**: CloudWatch Log Group name (default /aws/ecs/SecurityHub-Prowler)
+	- **SecurityGroupVPCId**: VPC ID for the VPC where the container will run.
+	- **ProwlerScheduledSubnet1 and 2**: Subnets IDs from the VPC specified. Choose private subnets if possible.
+	- **ECSExecutionRole**: ECS Execution Task Role ARN from CF-Prowler-IAM outputs.
+	- **ProwlerTaskRole**: Prowler ECS Task Role ARN from CF-Prowler-IAM outputs.
+	- **ECSEventRole**: Eventbridge Task Role ARN from CF-Prowler-IAM outputs.
+	- **CronExpression**: Valid Cron Expression for the scheduling of the Task Definition.
+ 9. Verify that Prowler runs correctly by checking the CloudWatch logs after the scheduled task is executed.
+
+---
+## Troubleshooting
+
+If you permission find errors in the CloudWatch logs, the culprit might be a [Service Control Policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html). You will need to exclude the Prowler Cross Account Role from those SCPs.
+
+---
+## Upgrading Prowler
+
+Prowler version is controlled by the PROWLERVER argument in the Dockerfile, change it to the desired version and follow the ECR Push Commands to update the container image.
+Old images can be deleted from the ECR Repository after the new image is confirmed to work. They will show as "untagged" as only one image can hold the "latest" tag.

contrib/multi-account-securityhub/run-prowler-securityhub.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+# Run Prowler against All AWS Accounts in an AWS Organization
+
+# Show Prowler Version
+prowler -v
+
+# Source .awsvariables
+# shellcheck disable=SC1091
+source .awsvariables
+
+# Get Values from Environment Variables
+echo "ROLE:               ${ROLE}"
+echo "PARALLEL_ACCOUNTS:  ${PARALLEL_ACCOUNTS}"
+echo "REGION:             ${REGION}"
+
+# Function to unset AWS Profile Variables
+unset_aws() {
+    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+unset_aws
+
+# Find THIS Account AWS Number
+CALLER_ARN=$(aws sts get-caller-identity --output text --query "Arn")
+PARTITION=$(echo "${CALLER_ARN}" | cut -d: -f2)
+THISACCOUNT=$(echo "${CALLER_ARN}" | cut -d: -f5)
+echo "THISACCOUNT:    ${THISACCOUNT}"
+echo "PARTITION:      ${PARTITION}"
+
+# Function to Assume Role to THIS Account & Create Session
+this_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"${PARTITION}":iam::"${THISACCOUNT}":role/"${ROLE}" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "${role_credentials}" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "${role_credentials}" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "${role_credentials}" | jq -r .Credentials.SessionToken)
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Find AWS Master Account
+this_account_session
+AWSMASTER=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
+echo "AWSMASTER:      ${AWSMASTER}"
+
+# Function to Assume Role to Master Account & Create Session
+master_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"${PARTITION}":iam::"${AWSMASTER}":role/"${ROLE}" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "${role_credentials}" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "${role_credentials}" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "${role_credentials}" | jq -r .Credentials.SessionToken)
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Lookup All Accounts in AWS Organization
+master_account_session
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+
+# Run Prowler against Accounts in AWS Organization
+echo "AWS Accounts in Organization"
+echo "${ACCOUNTS_IN_ORGS}"
+for accountId in ${ACCOUNTS_IN_ORGS}; do
+    # shellcheck disable=SC2015
+    test "$(jobs | wc -l)" -ge "${PARALLEL_ACCOUNTS}" && wait -n || true
+    {
+        START_TIME=${SECONDS}
+        # Unset AWS Profile Variables
+        unset_aws
+        # Run Prowler
+        echo -e "Assessing AWS Account: ${accountId}, using Role: ${ROLE} on $(date)"
+        # Pipe stdout to /dev/null to reduce unnecessary Cloudwatch logs
+        prowler aws -R arn:"${PARTITION}":iam::"${accountId}":role/"${ROLE}" -q -S -f "${REGION}" > /dev/null
+        TOTAL_SEC=$((SECONDS - START_TIME))
+        printf "Completed AWS Account: ${accountId} in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
+        echo ""
+    } &
+done
+
+# Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed against All Accounts in AWS Organization"
+
+# Unset AWS Profile Variables
+unset_aws

contrib/multi-account-securityhub/templates/CF-Prowler-CrossAccountRole.yml

@@ -0,0 +1,97 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create the Cross-Account IAM Prowler Role
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: ECS Settings
+        Parameters:
+          - ProwlerEcsAccount
+          - ProwlerTaskRoleName
+      - Label:
+          default: CrossAccount Role
+        Parameters:
+          - ProwlerCrossAccountRole
+Parameters:
+  ProwlerEcsAccount:
+    Type: String
+    Description: Enter AWS Account Number where Prowler ECS Task will reside.
+    AllowedPattern: ^\d{12}$
+    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
+  ProwlerTaskRoleName:
+    Type: String
+    Description: Enter Instance Role that will be given to the Prowler ECS Instance (needed to grant sts:AssumeRole rights).
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerECSTask-Role
+  ProwlerCrossAccountRole:
+    Type: String
+    Description: Enter Name for CrossAccount Role to be created for Prowler to assess all Accounts in the AWS Organization.
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerXA-Role
+Resources:
+  ProwlerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Provides Prowler ECS tasks permissions to assess security of Accounts in AWS Organization
+      RoleName: !Ref ProwlerCrossAccountRole
+      Tags:
+        - Key: App
+          Value: Prowler
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Sub arn:${AWS::Partition}:iam::${ProwlerEcsAccount}:role/${ProwlerTaskRoleName}
+            Action:
+              - sts:AssumeRole
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess
+      Policies:
+        - PolicyName: Prowler-Additions-Policy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowMoreReadForProwler
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - ds:ListAuthorizedApplications
+                  - ec2:GetEbsEncryptionByDefault
+                  - ecr:Describe*
+                  - elasticfilesystem:DescribeBackupPolicy
+                  - glue:GetConnections
+                  - glue:GetSecurityConfiguration
+                  - glue:SearchTables
+                  - lambda:GetFunction
+                  - s3:GetAccountPublicAccessBlock
+                  - shield:DescribeProtection
+                  - shield:GetSubscriptionState
+                  - ssm:GetDocument
+                  - support:Describe*
+                  - tag:GetTagKeys
+        - PolicyName: Prowler-Security-Hub
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowProwlerSecurityHub
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - securityhub:BatchImportFindings
+                  - securityhub:GetFindings
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: "Prowler requires these rights to perform its Security Assessment."
+          - id: W28
+            reason: "Using a defined Role Name."
+Outputs:
+  ProwlerCrossAccountRole:
+    Description: CrossAccount Role to be used by Prowler to assess AWS Accounts in the AWS Organization.
+    Value: !Ref ProwlerCrossAccountRole

contrib/multi-account-securityhub/templates/CF-Prowler-ECS.yml

@@ -0,0 +1,102 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This Template will create the infrastructure for Prowler with ECS Fargate
+Parameters:
+  ProwlerClusterName:
+    Type: String
+    Description: Name of the ECS Cluster that the Prowler Fargate Task will run in
+    Default: ProwlerCluster
+  ProwlerContainerName:
+    Type: String
+    Description: Name of the Prowler Container Definition within the ECS Task
+    Default: prowler
+  ProwlerContainerInfo:
+    Type: String
+    Description: ECR URI of the Prowler container
+  ProwlerECSLogGroupName:
+    Type: String
+    Description: Name for the log group to be created
+    Default: /aws/ecs/SecurityHub-Prowler
+  SecurityGroupVPCId:
+    Type: String
+    Description: VPC Id for the Security Group to be created
+  ProwlerScheduledSubnet1:
+    Type: String
+    Description: Subnet Id in which Prowler can be scheduled to Run
+  ProwlerScheduledSubnet2:
+    Type: String
+    Description: A secondary Subnet Id in which Prowler can be scheduled to Run
+  ECSExecutionRole:
+    Type: String
+    Description: ECS Execution Task Role ARN.
+  ProwlerTaskRole:
+    Type: String
+    Description: Prowler ECS Task Role ARN.
+  ECSEventRole:
+    Type: String
+    Description: Eventbridge Task Role ARN.
+  CronExpression:
+    Type: String
+    Description: Cron schedule for the event rule.
+    Default: cron(0 23 * * ? *)
+Resources:
+  ProwlerECSCloudWatchLogsGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Ref ProwlerECSLogGroupName
+      RetentionInDays: 90
+  ProwlerECSCluster:
+    Type: AWS::ECS::Cluster
+    Properties:
+      ClusterName: !Ref ProwlerClusterName
+  ProwlerECSTaskDefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        - Image: !Ref ProwlerContainerInfo
+          Name: !Ref ProwlerContainerName
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-group: !Ref ProwlerECSCloudWatchLogsGroup
+              awslogs-region: !Ref 'AWS::Region'
+              awslogs-stream-prefix: ecs
+      Cpu: 1024
+      ExecutionRoleArn: !Ref ECSExecutionRole
+      Memory: 2048
+      NetworkMode: awsvpc
+      TaskRoleArn: !Ref ProwlerTaskRole
+      Family: SecurityHubProwlerTask
+      RequiresCompatibilities:
+        - FARGATE
+  ProwlerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+        GroupDescription: Allow HTTPS Out - Prowler
+        VpcId: !Ref SecurityGroupVPCId
+        SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: 0.0.0.0/0
+  ProwlerTaskScheduler:
+    Type: AWS::Events::Rule
+    Properties:
+      ScheduleExpression: !Ref CronExpression
+      State: ENABLED
+      Targets:
+        - Arn: !GetAtt ProwlerECSCluster.Arn
+          RoleArn: !Ref ECSEventRole
+          Id: prowlerTaskScheduler
+          EcsParameters:
+            TaskDefinitionArn: !Ref ProwlerECSTaskDefinition
+            TaskCount: 1
+            LaunchType: FARGATE
+            PlatformVersion: 'LATEST'
+            NetworkConfiguration:
+              AwsVpcConfiguration:
+                AssignPublicIp: DISABLED
+                SecurityGroups:
+                  - !Ref ProwlerSecurityGroup
+                Subnets:
+                  - !Ref ProwlerScheduledSubnet1
+                  - !Ref ProwlerScheduledSubnet2

contrib/multi-account-securityhub/templates/CF-Prowler-IAM.yml

@@ -0,0 +1,105 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This Template will create the IAM Roles needed for the Prowler infrastructure
+Parameters:
+  ProwlerCrossAccountRoleName:
+    Type: String
+    Description: Name of the cross account Prowler IAM Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerXA-Role
+  ECSExecutionRoleName:
+    Type: String
+    Description: Name for the ECS Task Execution Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ECSTaskExecution-Role
+  ProwlerTaskRoleName:
+    Type: String
+    Description: Name for the ECS Prowler Task Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerECSTask-Role
+  ECSEventRoleName:
+    Type: String
+    Description: Name for the Eventbridge Task Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerEvents-Role
+Resources:
+  ECSExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ECSExecutionRoleName
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: ECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: ecs-tasks.amazonaws.com
+          Action: sts:AssumeRole
+  ProwlerTaskRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ProwlerTaskRoleName
+      Policies:
+      - PolicyName: ProwlerAssumeRole
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Sid: AllowProwlerAssumeRole
+            Effect: Allow
+            Action: sts:AssumeRole
+            Resource:
+            - !Sub arn:aws:iam::*:role/${ProwlerCrossAccountRoleName}
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: ECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: ecs-tasks.amazonaws.com
+          Action: sts:AssumeRole
+  ECSEventRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ECSEventRoleName
+      Policies:
+      - PolicyName: AllowProwlerEventsECS
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Action:
+            - ecs:RunTask
+            Resource:
+            - "*"
+            Sid: EventRunECS
+          - Effect: Allow
+            Action: iam:PassRole
+            Resource:
+            - "*"
+            Sid: EventPassRole
+            Condition:
+              StringLike:
+                iam:PassedToService: ecs-tasks.amazonaws.com
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: EventsECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: events.amazonaws.com
+          Action: sts:AssumeRole
+Outputs:
+  ECSExecutionRoleARN:
+    Description: ARN of the ECS Task Execution Role
+    Value: !GetAtt ECSExecutionRole.Arn
+  ProwlerTaskRoleARN:
+    Description: ARN of the ECS Prowler Task Role
+    Value: !GetAtt ProwlerTaskRole.Arn
+  ECSEventRoleARN:
+    Description: ARN of the Eventbridge Task Role
+    Value: !GetAtt ECSEventRole.Arn

contrib/org-multi-account/ProwlerEC2.yaml

@@ -0,0 +1,374 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create Prowler EC2 with UserData (Shell Scripts, & AWS CLI Profiles)
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Prowler EC2 Instance Settings
+        Parameters:
+          - BuildNumber
+          - ProwlerEc2Name
+          - InstanceType
+          - KeyPair
+          - SubnetId
+          - VpcId
+          - Ec2Role
+          - LatestAmazonLinux2AmiId
+          - ProwlerCron
+      - Label:
+          default: S3 Settings
+        Parameters:
+          - ProwlerS3
+          - ProwlerS3Account
+      - Label:
+          default: CrossAccount Role
+        Parameters:
+          - AwsOrgId
+          - CrossAccountRole
+
+Parameters:
+  BuildNumber:
+    Type: String
+    Description: Enter Build Number (increment with Updates for cfn-init)
+    AllowedPattern: ^\d*$
+    ConstraintDescription: Build Number must be a numeric string.
+    Default: 1
+  ProwlerEc2Name:
+    Type: String
+    Description: Enter Name for Prowler EC2 Instance to create
+    AllowedPattern: ^[\w\s_.\/=+-]{1,128}$
+    ConstraintDescription: Max 128 alphanumeric characters. Also special characters supported [whitespace, _, ., /, =, +, -]
+    Default: Prowler-EC2
+  InstanceType:
+    Description: Enter Instance Type
+    Type: String
+    Default: t2.micro
+  KeyPair:
+    Description: Choose a KeyPair
+    Type: AWS::EC2::KeyPair::KeyName
+  SubnetId:
+    Description: Choose Subnet
+    Type: AWS::EC2::Subnet::Id
+  VpcId:
+    Description: Choose VPC
+    Type: AWS::EC2::VPC::Id
+  Ec2Role:
+    Description: Enter Name for EC2 Instance Role to create and attach to Prowler EC2 Instance
+    Type: String
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerEC2-Role
+  ProwlerCron:
+    Description: Enter cron schedule.  Default, runs everyday at 1am. See https://crontab.guru/, for syntax help.
+    Type: String
+    Default: "0 1 * * *"
+  LatestAmazonLinux2AmiId:
+    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
+    Description: Latest AMI ID for Amazon Linux 2 (via AWS Publis SSM Parameters. See https://tinyurl.com/aws-public-ssm-parameters.
+    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-ebs
+
+  ProwlerS3:
+    Type: String
+    Description: Enter S3 Bucket for Prowler Reports.  prefix-awsaccount-awsregion
+    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
+    ConstraintDescription: Max 63 characters. Can't start or end with dash.  Can use numbers and lowercase letters.
+    Default: prowler-123456789012-us-east-1
+  ProwlerS3Account:
+    Type: String
+    Description: Enter AWS Account Number where Prowler S3 Bucket resides.
+    AllowedPattern: ^\d{12}$
+    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
+    Default: 123456789012
+
+  AwsOrgId:
+    Type: String
+    Description: Enter AWS Organizations ID
+    AllowedPattern: ^o-[a-z0-9]{10,32}$
+    ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
+    Default: o-abcde12345
+  CrossAccountRole:
+    Type: String
+    Description: Enter CrossAccount Role Prowler will be using to assess AWS Accounts in the AWS Organization. (ProwlerCrossAccountRole)
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters [+, =, ., @, -]
+    Default: ProwlerXA-Role
+
+Resources:
+  ProwlerEc2:
+    Type: AWS::EC2::Instance
+    CreationPolicy:
+      ResourceSignal:
+        Timeout: PT5M
+    Properties:
+      KeyName: !Ref KeyPair
+      ImageId: !Ref LatestAmazonLinux2AmiId
+      IamInstanceProfile: !Ref ProwlerInstanceProfile
+      InstanceType: !Ref InstanceType
+      SubnetId: !Ref SubnetId
+      SecurityGroupIds:
+        - !Ref ProwlerSecurityGroup
+      BlockDeviceMappings:
+        - DeviceName: /dev/xvda
+          Ebs:
+            Encrypted: true
+            KmsKeyId: alias/aws/ebs
+            VolumeType: standard
+            DeleteOnTermination: true
+            VolumeSize: 8
+      Tags:
+        - Key: Name
+          Value: !Ref ProwlerEc2Name
+        - Key: App
+          Value: Prowler
+      UserData:
+        Fn::Base64:
+          !Sub |
+            #!/bin/bash
+            yum update -y aws-cfn-bootstrap
+            /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource ProwlerEc2 --configsets onfirstboot --region ${AWS::Region}
+            yum -y update
+            /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ProwlerEc2 --region ${AWS::Region}
+    Metadata:
+      AWS::CloudFormation::Authentication:
+        S3AccessCreds:
+          type: S3
+          buckets:
+            - !Ref ProwlerS3
+          roleName:
+            Ref: ProwlerEc2Role
+      AWS::CloudFormation::Init:
+        configSets:
+          onfirstboot:
+            - build-number
+            - configure-cfn
+            - prowler-prereqs
+            - prowler-reports
+            - prowler-schedule
+          onupdate:
+            - build-number
+            - prowler-prereqs
+            - prowler-reports
+            - prowler-schedule
+        build-number:
+          commands:
+            show-build-number:
+              command: !Sub |
+                echo "BUILDNUMBER:   ${BuildNumber}"
+        configure-cfn:
+          files:
+            /etc/cfn/hooks.d/cfn-auto-reloader.conf:
+              content: !Sub |
+                [cfn-auto-reloader-hook]
+                triggers=post.update
+                path=Resources.ProwlerEc2.Metadata.AWS::CloudFormation::Init
+                action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource ProwlerEc2 --configsets onupdate --region ${AWS::Region}
+                runas=root
+              mode: "000400"
+              owner: root
+              group: root
+            /etc/cfn/cfn-hup.conf:
+              content: !Sub |
+                [main]
+                stack=${AWS::StackId}
+                region=${AWS::Region}
+                verbose=true
+                interval=5
+              mode: "000400"
+              owner: root
+              group: root
+          services:
+            sysvinit:
+              cfn-hup:
+                enabled: true
+                ensureRunning: true
+                files:
+                  - /etc/cfn/cfn-hup.conf
+                  - /etc/cfn/hooks.d/cfn-auto-reloader.conf
+        prowler-prereqs:
+          files:
+            /home/ec2-user/.awsvariables:
+              content: !Sub |
+                export S3=s3://${ProwlerS3}
+                export S3ACCOUNT=${ProwlerS3Account}
+                export ROLE=${CrossAccountRole}
+              mode: "000600"
+              owner: ec2-user
+              group: ec2-user
+          commands:
+            01-install-prowler-prereqs-yum:
+              command: |
+                sudo yum -y install openssl-devel bzip2-devel libffi-devel gcc
+            02-upgrade-python3.9:
+              command: |
+                cd /tmp && wget https://www.python.org/ftp/python/3.9.13/Python-3.9.13.tgz
+                tar zxf Python-3.9.13.tgz
+                cd Python-3.9.13/
+                ./configure --enable-optimizations
+                sudo make altinstall
+            03-install-prowler:
+              command: |
+                cd ~
+                python3.9 -m pip install prowler-cloud
+        prowler-reports:
+          files:
+            /home/ec2-user/run-prowler-reports.sh:
+              source: !Sub https://${ProwlerS3}.s3.${AWS::Region}.amazonaws.com/run-prowler-reports.sh
+              mode: "000700"
+              owner: ec2-user
+              group: ec2-user
+        prowler-schedule:
+          files:
+            /home/ec2-user/mycron-prowler:
+              content: !Sub |
+                ${ProwlerCron} bash -lc ./run-prowler-reports.sh > mycron-prowler.log
+              mode: "000600"
+              owner: ec2-user
+              group: ec2-user
+          commands:
+            01-create-prowler-cron-job:
+              command: |
+                sudo -u ec2-user crontab /home/ec2-user/mycron-prowler
+
+  ProwlerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupName: Prowler-EC2-RemoteAdministration
+      GroupDescription: Allow Remote Administration
+      Tags:
+        - Key: App
+          Value: Prowler
+      VpcId: !Ref VpcId
+      SecurityGroupEgress:
+        - Description: Allow HTTP Outbound
+          IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+          CidrIp: 0.0.0.0/0
+        - Description: Allow HTTPS Outbound
+          IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: 0.0.0.0/0
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W5
+            reason: "Using http/https to Internet for updates."
+          - id: W28
+            reason: "Using a defined Security Group Name."
+
+  ProwlerInstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Roles:
+        - !Ref ProwlerEc2Role
+
+  ProwlerEc2Role:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Prowler EC2 Instance Role
+      RoleName: !Ref Ec2Role
+      Tags:
+        - Key: App
+          Value: Prowler
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Policies:
+        - PolicyName: SSM-Agent
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowSsmAgent
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - ssm:UpdateInstanceInformation
+                  - ssm:ListInstanceAssociations
+                  - ssm:UpdateInstanceAssociationStatus
+                  - ssm:PutConfigurePackageResult
+                  - ssm:GetManifest
+                  - ssm:PutComplianceItems
+                  - ec2messages:AcknowledgeMessage
+                  - ec2messages:DeleteMessage
+                  - ec2messages:FailMessage
+                  - ec2messages:GetEndpoint
+                  - ec2messages:GetMessages
+                  - ec2messages:SendReply
+        - PolicyName: SSM-Inventory
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowPutInventory
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - ssm:PutInventory
+              - Sid: AllowGatherInventory
+                Effect: Allow
+                Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}::document/AWS-GatherSoftwareInventory
+                Action:
+                  - ssm:GetDocument
+                  - ssm:DescribeDocument
+        - PolicyName: SSM-SessionManager
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowSessionManager
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - ssmmessages:CreateControlChannel
+                  - ssmmessages:CreateDataChannel
+                  - ssmmessages:OpenControlChannel
+                  - ssmmessages:OpenDataChannel
+        - PolicyName: Prowler-S3-Reports
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowGetPutListObject
+                Effect: Allow
+                Resource:
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+                Action:
+                  - s3:GetObject
+                  - s3:PutObject
+                  - s3:ListBucket
+                  - s3:PutObjectAcl
+        - PolicyName: Prowler-CrossAccount-AssumeRole
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowStsAssumeRole
+                Effect: Allow
+                Resource: !Sub arn:${AWS::Partition}:iam::*:role/${CrossAccountRole}
+                Action: sts:AssumeRole
+                Condition:
+                  StringEquals:
+                    aws:PrincipalOrgId: !Ref AwsOrgId
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: "Using a defined Role Name."
+          - id: W11
+            reason: "Needed for SSM features."
+
+Outputs:
+  ProwlerEc2Account:
+    Description: AWS Account Number where Prowler EC2 Instance resides.
+    Value: !Ref AWS::AccountId
+  ProwlerEc2Role:
+    Description: Instance Role given to the Prowler EC2 Instance (needed to grant sts:AssumeRole rights).
+    Value: !Ref ProwlerEc2Role
+  ProwlerS3:
+    Description: S3 Bucket for Prowler Reports
+    Value: !Ref ProwlerS3

contrib/org-multi-account/ProwlerRole.yaml

@@ -0,0 +1,116 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create the Cross-Account IAM Prowler Role
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: EC2 Settings
+        Parameters:
+          - ProwlerEc2Account
+          - ProwlerEc2Role
+      - Label:
+          default: S3 Settings
+        Parameters:
+          - ProwlerS3
+      - Label:
+          default: CrossAccount Role
+        Parameters:
+          - ProwlerCrossAccountRole
+
+Parameters:
+  ProwlerS3:
+    Type: String
+    Description: Enter S3 Bucket for Prowler Reports.  prefix-awsaccount-awsregion
+    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
+    Default: prowler-123456789012-us-east-1
+  ProwlerEc2Account:
+    Type: String
+    Description: Enter AWS Account Number where Prowler EC2 Instance will reside.
+    AllowedPattern: ^\d{12}$
+    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
+  ProwlerEc2Role:
+    Type: String
+    Description: Enter Instance Role that will be given to the Prowler EC2 Instance (needed to grant sts:AssumeRole rights).
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerEC2-Role
+  ProwlerCrossAccountRole:
+    Type: String
+    Description: Enter Name for CrossAccount Role to be created for Prowler to assess all Accounts in the AWS Organization.
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerXA-Role
+
+Resources:
+  ProwlerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Provides Prowler EC2 instance permissions to assess security of Accounts in AWS Organization
+      RoleName: !Ref ProwlerCrossAccountRole
+      Tags:
+        - Key: App
+          Value: Prowler
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Sub arn:${AWS::Partition}:iam::${ProwlerEc2Account}:root
+            Action:
+              - sts:AssumeRole
+            Condition:
+              StringLike:
+                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::${ProwlerEc2Account}:role/${ProwlerEc2Role}
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess
+      Policies:
+        - PolicyName: Prowler-Additions-Policy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowMoreReadForProwler
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - ds:ListAuthorizedApplications
+                  - ec2:GetEbsEncryptionByDefault
+                  - ecr:Describe*
+                  - elasticfilesystem:DescribeBackupPolicy
+                  - glue:GetConnections
+                  - glue:GetSecurityConfiguration
+                  - glue:SearchTables
+                  - lambda:GetFunction
+                  - s3:GetAccountPublicAccessBlock
+                  - shield:DescribeProtection
+                  - shield:GetSubscriptionState
+                  - ssm:GetDocument
+                  - support:Describe*
+                  - tag:GetTagKeys
+        - PolicyName: Prowler-S3-Reports
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowGetPutListObject
+                Effect: Allow
+                Resource:
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+                Action:
+                  - s3:GetObject
+                  - s3:PutObject
+                  - s3:ListBucket
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: "Prowler requires these rights to perform its Security Assessment."
+          - id: W28
+            reason: "Using a defined Role Name."
+
+Outputs:
+  ProwlerCrossAccountRole:
+    Description: CrossAccount Role to be used by Prowler to assess AWS Accounts in the AWS Organization.
+    Value: !Ref ProwlerCrossAccountRole

contrib/org-multi-account/ProwlerS3.yaml

@@ -0,0 +1,106 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create Prowler S3 Bucket for Prowler Reports
+
+Parameters:
+  AwsOrgId:
+    Type: String
+    Description: >
+      Enter AWS Organizations ID.
+      This is used to restrict permissions to least privilege.
+    AllowedPattern: ^o-[a-z0-9]{10,32}$
+    ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
+    Default: o-abcde12345
+  S3Prefix:
+    Type: String
+    Description: >
+      Enter S3 Bucket Name Prefix (in lowercase).
+      Bucket will be named: prefix-awsaccount-awsregion (i.e., prowler-123456789012-us-east-1)
+    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,33}[a-z0-9]$
+    ConstraintDescription: >
+      Max 35 characters, as "-awsaccount-awsregion" will be added, and max name is 63 characters.
+      Can't start or end with dash.  Can use numbers and lowercase letters.
+    Default: prowler
+
+Resources:
+  ProwlerS3:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub ${S3Prefix}-${AWS::AccountId}-${AWS::Region}
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "AES256"
+      AccessControl: Private
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: True
+        BlockPublicPolicy: True
+        IgnorePublicAcls: True
+        RestrictPublicBuckets: True
+      VersioningConfiguration:
+        Status: Enabled
+      Tags:
+        - Key: App
+          Value: Prowler
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W35
+            reason: "This S3 Bucket is only being used by the AWS Organization to download/upload prowler reports."
+
+  ProwlerS3BucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref ProwlerS3
+      PolicyDocument:
+        Statement:
+          - Sid: AllowGetPutListObject
+            Effect: Allow
+            Principal: "*"
+            Action:
+              - s3:GetObject
+              - s3:PutObject
+              - s3:ListBucket
+              - s3:PutObjectAcl
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            Condition:
+              StringEquals:
+                aws:PrincipalOrgId: !Ref AwsOrgId
+          - Sid: DenyNonSSLRequests
+            Effect: Deny
+            Action: s3:*
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            Principal: "*"
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+          - Sid: DenyIncorrectEncryptionHeader
+            Effect: Deny
+            Principal: "*"
+            Action: s3:PutObject
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            # Allow uploads with No Encryption, as S3 Default Encryption still applies.
+            # If Encryption is set, only allow uploads with AES256.
+            Condition:
+              "Null":
+                s3:x-amz-server-side-encryption: false
+              StringNotEquals:
+                s3:x-amz-server-side-encryption: AES256
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F16
+            reason: "This S3 Bucket Policy has a condition that only allows access to the AWS Organization."
+
+
+Outputs:
+  ProwlerS3:
+    Description: S3 Bucket for Prowler Reports
+    Value: !Ref ProwlerS3
+  ProwlerS3Account:
+    Description: AWS Account Number where Prowler S3 Bucket resides.
+    Value: !Ref AWS::AccountId

contrib/org-multi-account/README.md

@@ -0,0 +1,151 @@
+# Example Solution:  Organizational Prowler Deployment
+
+Deploys [Prowler](https://github.com/prowler-cloud/prowler) to assess all Accounts in an AWS Organization on a schedule, creates assessment reports in HTML, and stores them in an S3 bucket.
+
+---
+
+## Example Solution Goals
+
+- Using minimal technologies, so solution can be more easily adopted, and further enhanced as needed.
+  - [Amazon EC2](https://aws.amazon.com/ec2/), to run Prowler
+  - [Amazon S3](https://aws.amazon.com/s3/), to store Prowler script & reports.
+  - [AWS CloudFormation](https://aws.amazon.com/cloudformation/), to provision the AWS resources.
+  - [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html), Optional, but recommended, to manage the Prowler EC2 instance, without having to allow inbound ssh.
+- Staying cohesive with Prowler, for scripting, only leveraging:
+  - Bash Shell
+  - AWS CLI
+- Adhering to the principle of least privilege.
+- Supporting an AWS Multi-Account approach
+  - Runs Prowler against All accounts in the AWS Organization
+- ***NOTE: If using this solution, you are responsible for making your own independent assessment of the solution and ensuring it complies with your company security and operational standards.***
+
+---
+
+## Components
+
+1. [ProwlerS3.yaml](ProwlerS3.yaml)
+    - Creates Private S3 Bucket for Prowler script and reports.
+    - Enables [Amazon S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html)
+    - Enables SSE-S3 with [Amazon S3 Default Encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html)
+    - Versioning Enabled
+    - Bucket Policy limits API actions to Principals from the same AWS Organization.
+1. [ProwlerRole.yaml](ProwlerRole.yaml)
+    - Creates Cross-Account Role for Prowler to assess accounts in AWS Organization
+    - Allows Role to be assumed by the Prowler EC2 instance role in the AWS account where Prowler EC2 resides (preferably the Audit/Security account).
+    - Role has [permissions](https://github.com/prowler-cloud/prowler#custom-iam-policy) needed for Prowler to assess accounts.
+    - Role has rights to Prowler S3 from Component #1.
+1. [ProwlerEC2.yaml](ProwlerEC2.yaml)
+    - Creates Prowler EC2 instance
+      - Uses the Latest Amazon Linux 2 AMI
+      - Uses ```t2.micro``` Instance Type
+      - Encrypts Root Volume with AWS Managed Key "aws/ebs"
+    - Uses [cfn-init](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-init.html) for prepping the Prowler EC2
+      - Installs necessary [packages](https://github.com/prowler-cloud/prowler#requirements-and-installation) for Prowler
+      - Downloads [run-prowler-reports.sh](src/run-prowler-reports.sh) script from Prowler S3 from Component #1.
+      - Creates ```/home/ec2-user/.awsvariables```, to store CloudFormation data as variables to be used in script.
+      - Creates cron job for Prowler to run on a schedule.
+    - Creates Prowler Security Group
+      - Denies inbound access.  If using ssh to manage Prowler, then update Security Group with pertinent rule.
+      - Allows outbound 80/443 for updates, and Amazon S3 communications      -
+    - Creates Instance Role that is used for Prowler EC2
+      - Role has permissions for [Systems Manager Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) communications, and [Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html)
+      - Role has rights to Prowler S3 from Component #1.
+      - Role has rights to Assume Cross-Account Role from Component #2.
+1. [run-prowler-reports.sh](src/run-prowler-reports.sh)
+    - Script is documented accordingly.
+    - Script loops through all AWS Accounts in AWS Organization, and by default, Runs Prowler as follows:
+      - -R: used to specify Cross-Account role for Prowler to assume to run its assessment.
+      - -A: used to specify AWS Account number for Prowler to run assessment against.
+      - -g cislevel1: used to specify cislevel1 checks for Prowler to assess
+
+        ```bash
+        ./prowler/prowler -R "$ROLE" -A "$accountId" -g cislevel1 -M html
+        ```
+
+      - NOTE: Script can be modified to run Prowler as desired.
+    - Script runs Prowler against 1 AWS Account at a time.
+      - Update PARALLEL_ACCOUNTS variable in script, to specify how many Accounts to assess with Prowler in parallel.
+      - If running against multiple AWS Accounts in parallel, monitor performance, and upgrade Instance Type as necessary.
+
+        ```bash
+        PARALLEL_ACCOUNTS="1"
+        ```
+
+    - In summary:
+      - Download latest version of [Prowler](https://github.com/prowler-cloud/prowler)
+      - Find AWS Master Account
+      - Lookup All Accounts in AWS Organization
+      - Run Prowler against All Accounts in AWS Organization
+      - Save Reports to reports prefix in S3 from Component #1
+      - Report Names: date+time-accountid-report.html
+
+---
+
+## Instructions
+
+1. Deploy [ProwlerS3.yaml](ProwlerS3.yaml) in the Logging Account.
+    - Could be deployed to any account in the AWS Organizations, if desired.
+    - See [How to get AWS Organization ID](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_org)
+    - Take Note of CloudFormation Outputs, that will be needed in deploying the below CloudFormation templates.
+1. Upload [run-prowler-reports.sh](src/run-prowler-reports.sh) to the root of the S3 Bucket created in Step #1.
+1. Deploy [ProwlerRole.yaml](ProwlerRole.yaml) in the Master Account
+    - Use CloudFormation Stacks, to deploy to Master Account, as organizational StackSets don't apply to the Master Account.
+    - Use CloudFormation StackSet, to deploy to all Member Accounts. See [Create Stack Set with Service-Managed Permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org)
+    - Take Note of CloudFormation Outputs, that will be needed in deploying the below CloudFormation templates.
+1. Deploy [ProwlerEC2.yaml](ProwlerEC2.yaml) in the Audit/Security Account
+    - Could be deployed to any account in the AWS Organizations, if desired.
+1. Prowler will run against all Accounts in AWS Organization, per the schedule you provided, and set in a cron job for ```ec2-user```
+
+---
+
+## Post-Setup
+
+### Run Prowler on a Schedule against all Accounts in AWS Organization
+
+1. Prowler will run on the Schedule you provided.
+1. Cron job for ```ec2-user``` is managing the schedule.
+1. This solution implemented this automatically. Nothing for you to do.
+
+### Ad hoc Run Prowler against all Accounts in AWS Organization
+
+1. Connect to Prowler EC2 Instance
+    - If using Session Manager, then after login, switch to ```ec2-user```, via: ```sudo bash``` and ```su - ec2-user```
+    - If using SSH, then login as ```ec2-user```
+1. Run Prowler Script
+
+    ```bash
+    cd /home/ec2-user
+    ./run-prowler-reports.sh
+    ```
+
+### Ad hoc Run Prowler Interactively
+
+1. Connect to Prowler EC2 Instance
+    - If using Session Manager, then after login, switch to ```ec2-user```, via: ```sudo bash``` and ```su - ec2-user```
+    - If using SSH, then login as ```ec2-user```
+1. See Cross-Account Role and S3 Bucket being used for Prowler
+
+      ```bash
+      cd /home/ec2-user
+      cat .awsvariables
+      ```
+
+1. Run Prowler interactively. See [Usage Examples](https://github.com/prowler-cloud/prowler#usage)
+
+      ```bash
+      cd /home/ec2-user
+      ./prowler/prowler
+      ```
+
+### Upgrading Prowler to Latest Version
+
+1. Connect to Prowler EC2 Instance
+    - If using Session Manager, then after login, switch to ```ec2-user```, via: ```sudo bash``` and ```su - ec2-user```
+    - If using SSH, then login as ```ec2-user```
+1. Delete the existing version of Prowler, and download the latest version of Prowler
+
+    ```bash
+    cd /home/ec2-user
+    rm -rf prowler
+    git clone https://github.com/prowler-cloud/prowler.git
+    ```

contrib/org-multi-account/serverless_codebuild/README.md

@@ -0,0 +1,48 @@
+# Organizational Prowler with Serverless
+
+Language: [Korean](README_kr.md)
+
+This project is created to apply prowler in a multi-account environment within AWS Organizations.
+CloudWatch triggers CodeBuild every fixed time.
+CodeBuild executes the script which clones the latest prowler from [here](https://github.com/prowler-cloud/prowler) and performs security assessment on all the accounts in AWS Organizations. The assessment reports are sent to S3 bucket in Log Archive Account.
+
+For more information on how to use prowler, see [here](https://github.com/prowler-cloud/prowler#usage).
+
+![Untitled](docs/images/prowler_org_architecture.png)
+
+1. **Log Archive Account**
+   1. Deploy [ProwlerS3.yaml](templates/ProwlerS3.yaml) in CloudFormation console.
+      The template creates S3 bucket for reports and bucket policy that limits API actions to principals from its AWS Organizations.
+      - AwsOrgId : AWS Organizations' Organization ID
+      - S3Prefix : The prefix included in the bucket name
+2. **Master Account**
+   1. Deploy [ProwlerRole.yaml](templates/ProwlerRole.yaml) stack to CloudFormation in a bid to create resources to master account itself.
+      (The template will be also deployed for other member accounts as a StackSet)
+      - ProwlerCodeBuildAccount :  Audit Account ID where CodeBuild resides. (preferably Audit/Security account)
+      - ProwlerCodeBuildRole : Role name to use in CodeBuild service
+      - ProwlerCrossAccountRole : Role name to assume for Cross account
+      - ProwlerS3 : The S3 bucket name where reports will be put
+   1. Create **StackSet** with [ProwlerRole.yaml](templates/ProwlerRole.yaml) to deploy Role into member accounts in AWS Organizations.
+      - ProwlerCodeBuildAccount :  Audit Account ID where CodeBuild resides. (preferably Audit/Security account)
+      - ProwlerCodeBuildRole : Role name to use in CodeBuild service
+      - ProwlerCrossAccountRole : Role name to assume for Cross account
+      - ProwlerS3 : The S3 bucket name where reports will be put
+      - Permission : Service-managed permissions
+      - Deploy target : Deploy to organization 선택, Enable, Delete stacks 선택
+      - Specify regions : Region to deploy
+3. **Audit Account**
+   1. Go to S3 console, create a bucket, upload [run-prowler-reports.sh.zip](src/run-prowler-reports.sh.zip)
+      - bucket name : prowler-util-*[Account ID]*-*[region]*
+     ![Untitled](docs/images/s3_screenshot.png)
+
+   1. Deploy  [ProwlerCodeBuildStack.yaml](templates/ProwlerCodeBuildStack.yaml) which creates CloudWatch Rule to trigger CodeBuild every fixed time, allowing prowler to audit multi-accounts.
+      - AwsOrgId : AWS Organizations' Organization ID
+      - CodeBuildRole : Role name to use in CodeBuild service
+      - CodeBuildSourceS3 : Object location uploaded from i
+         - prowler-util-*[Account ID]*-*[region]/**run-prowler-reports.sh.zip**
+      - CrossAccountRole : Role name for cross account created in the process **2** above.
+      - ProwlerReportS3 : The S3 bucket name where reports will be put
+      - ProwlerReportS3Account : The account where the report S3 bucket resides.
+   1. If you'd like to change the scheduled time,
+      1. You can change the cron expression of ScheduleExpression within [ProwlerCodeBuildStack.yaml](templates/ProwlerCodeBuildStack.yaml).
+      2. Alternatively, you can make changes directly from Events > Rules > ProwlerExecuteRule > Actions > Edit in CloudWatch console.

contrib/org-multi-account/serverless_codebuild/README_kr.md

@@ -0,0 +1,62 @@
+# Organizational Prowler with Serverless
+
+Language: [English](README.md)
+
+이 문서는 AWS Organization 내의 multi account 환경에서 prowler 를 적용하기 위해 작성된 문서입니다.
+일정 시간마다 CloudWatch는 CodeBuild 를 트리거합니다.
+CodeBuild 는 최신의 [prowler](https://github.com/prowler-cloud/prowler) 소스를 클론받고,
+Organization 내의 모든 Account 에 대해 security assessment 를 수행합니다.
+prowler 의 자세한 사용방법은 [이 곳](https://github.com/prowler-cloud/prowler#usagee) 을 참고합니다.
+
+![Untitled](docs/images/prowler_org_architecture.png)
+
+1. **Log Archive Account**에 접속합니다.
+   1. 아래 템플릿을 CloudFormation console 에서 배포합니다. 이를 통해 prowler 의 security assessment report 가 저장되는 bucket 과 bucket policy 를 생성합니다.
+
+      [ProwlerS3.yaml](templates/ProwlerS3.yaml)
+
+      - AwsOrgId : AWS Organizations의 Organization ID
+      - S3Prefix : 생성될 버킷의 이름에 포함되는 prefix
+2. **Master Account** 에 접속합니다.
+   1. 아래 템플릿을 이용하여 CloudFormation **Stack**을 생성합니다. StackSet은 Master account 에 적용되지 않으므로 Stack 으로도 배포가 필요합니다.
+
+      [ProwlerRole.yaml](templates/ProwlerRole.yaml)
+
+      - ProwlerCodeBuildAccount : CodeBuild 가 있는 Audit Account ID
+      - ProwlerCodeBuildRole : CodeBuild의 생성될 Role 이름
+      - ProwlerCrossAccountRole : Cross account 용 Assume할 Role 이름
+      - ProwlerS3 : report 가 저장될 S3 bucket 명
+   2. 아래 템플릿을 이용하여 CloudFormation **StackSet**을 생성하여, Organazation에 포함된 account 대상으로도 아래 템플릿을 배포합니다.
+
+      [ProwlerRole.yaml](templates/ProwlerRole.yaml)
+
+      - ProwlerCodeBuildAccount : CodeBuild 가 있는 Audit Account
+      - ProwlerCodeBuildRole : CodeBuild에서 사용할 Role 이름
+      - ProwlerCrossAccountRole : Cross account 용 Assume할 Role 이름
+      - ProwlerS3 : report 가 저장될 S3 bucket 명
+      - Permission : Service-managed permissions
+      - Deploy target : Deploy to organization 선택, Enable, Delete stacks 선택
+      - Specify regions : 배포할 대상 리전을 선택
+3. **Audit Account**에 접속합니다.
+   1. **S3 console** 로 이동하여 버킷을 생성하고 아래 항목을 **업로드**한 후, 버킷명을 복사해둡니다.
+
+      [run-prowler-reports.sh.zip](src/run-prowler-reports.sh.zip)
+
+      - bucket name : prowler-util-*<Account ID>*-*<region>*
+
+        ![Untitled](docs/images/s3_screenshot.png)
+
+   2. 아래 템플릿으로 **CloudFormation stack** 을 생성합니다. 이 템플릿은 CloudWatch Rule 을 생성하여 일정 시간마다 CodeBuild 를 실행하여 prowler 가 multi accounts 를 audit 할 수 있도록 합니다.
+
+      [ProwlerCodeBuildStack.yaml](templates/ProwlerCodeBuildStack.yaml)
+
+      - AwsOrgId : AWS Organizations의 Organization ID
+      - CodeBuildRole : CodeBuild의 서비스 Role 이름
+      - CodeBuildSourceS3 : a 에서 업로드한 object 위치
+         - prowler-util-*<Account ID>*-*<region>/***run-prowler-reports.sh.zip**
+      - CrossAccountRole : 2번에서 생성한 Cross Account 용 Role 이름
+      - ProwlerReportS3 : report 가 저장될 S3 bucket 명
+      - ProwlerReportS3Account : report 가 저장될 S3 bucket이 위치한 Account
+   3. 스케줄 된 시간을 변경하고 싶은 경우
+      1. [ProwlerCodeBuildStack.yaml](templates/ProwlerCodeBuildStack.yaml) 내에서 ScheduleExpression의 크론 표현식을 변경할 수 있습니다.
+      2. 또는 CloudWatch console 에서 Events > Rules > ProwlerExecuteRule > Actions > Edit 에서 직접 변경할 수 있습니다.

contrib/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh

@@ -0,0 +1,119 @@
+#!/bin/bash -e
+#
+# Run Prowler against All AWS Accounts in an AWS Organization
+
+# Change Directory (rest of the script, assumes your in the ec2-user home directory)
+# cd /home/ec2-user || exit
+
+# Show Prowler Version, and Download Prowler, if it doesn't already exist
+if ! ./prowler/prowler -V 2>/dev/null; then
+    git clone https://github.com/prowler-cloud/prowler.git
+    ./prowler/prowler -V
+fi
+
+# Source .awsvariables (to read in Environment Variables from CloudFormation Data)
+# shellcheck disable=SC1091
+# source .awsvariables
+
+# Get Values from Environment Variables Created on EC2 Instance from CloudFormation Data
+echo "S3:             $S3"
+echo "S3ACCOUNT:      $S3ACCOUNT"
+echo "ROLE:           $ROLE"
+echo "FORMAT:         $FORMAT"
+
+# CleanUp Last Ran Prowler Reports, as they are already stored in S3.
+rm -rf prowler/output/*.html
+
+# Function to unset AWS Profile Variables
+unset_aws() {
+    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+unset_aws
+
+# Find THIS Account AWS Number
+CALLER_ARN=$(aws sts get-caller-identity --output text --query "Arn")
+PARTITION=$(echo "$CALLER_ARN" | cut -d: -f2)
+THISACCOUNT=$(echo "$CALLER_ARN" | cut -d: -f5)
+echo "THISACCOUNT:    $THISACCOUNT"
+echo "PARTITION:      $PARTITION"
+
+# Function to Assume Role to THIS Account & Create Session
+this_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$THISACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+    echo "this_account_session done..."
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Find AWS Master Account
+this_account_session
+AWSMASTER=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
+echo "AWSMASTER:      $AWSMASTER"
+
+# Function to Assume Role to Master Account & Create Session
+master_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$AWSMASTER":role/"$ROLE" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+    echo "master_account_session done..."
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Lookup All Accounts in AWS Organization
+master_account_session
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+
+# Function to Assume Role to S3 Account & Create Session
+s3_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$S3ACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+    echo "s3_account_session done..."
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Run Prowler against Accounts in AWS Organization
+echo "AWS Accounts in Organization"
+echo "$ACCOUNTS_IN_ORGS"
+PARALLEL_ACCOUNTS="1"
+for accountId in $ACCOUNTS_IN_ORGS; do
+    # shellcheck disable=SC2015
+    test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait || true
+    {
+        START_TIME=$SECONDS
+        # Unset AWS Profile Variables
+        unset_aws
+        # Run Prowler
+        echo -e "Assessing AWS Account: $accountId, using Role: $ROLE on $(date)"
+        # remove -g cislevel for a full report and add other formats if needed
+        ./prowler/prowler -R "$ROLE" -A "$accountId" -g cislevel1 -M $FORMAT -z
+        echo "Report stored locally at: prowler/output/ directory"
+        TOTAL_SEC=$((SECONDS - START_TIME))
+        echo -e "Completed AWS Account: $accountId, using Role: $ROLE on $(date)"
+        printf "Completed AWS Account: $accountId in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
+        echo ""
+    } &
+done
+
+# Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed against All Accounts in the AWS Organization. Starting S3 copy operations..."
+
+# Upload Prowler Report to S3
+s3_account_session
+aws s3 cp prowler/output/ "$S3/reports/" --recursive --include "*.html" --acl bucket-owner-full-control
+echo "Assessment reports successfully copied to S3 bucket"
+
+# Final Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed"
+
+# Unset AWS Profile Variables
+unset_aws

contrib/org-multi-account/serverless_codebuild/templates/ProwlerCodeBuildStack.yaml

@@ -0,0 +1,214 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates a CodeBuild project to audit an AWS account with Prowler and stores the html report in a S3 bucket.
+Parameters:
+  AwsOrgId:
+    Type: String
+    Description: Enter AWS Organizations ID
+    AllowedPattern: ^o-[a-z0-9]{10,32}$
+    ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
+    Default: o-itdezkbz6h
+  CodeBuildRole:
+    Description: Enter Name for CodeBuild Role to create
+    Type: String
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerCodeBuild-Role
+  CodeBuildSourceS3:
+    Type: String
+    Description: Enter like <bucket-name>/<path>/<object-name>.zip
+    ConstraintDescription: Max 63 characters. Can't start or end with dash.  Can use numbers and lowercase letters.
+    Default: prowler-util-411267690458-ap-northeast-2/run-prowler-reports.sh.zip
+  ProwlerReportS3:
+    Type: String
+    Description: Enter S3 Bucket for Prowler Reports.  prefix-awsaccount-awsregion
+    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
+    ConstraintDescription: Max 63 characters. Can't start or end with dash.  Can use numbers and lowercase letters.
+    Default: prowler-954896828174-ap-northeast-2
+  ProwlerReportS3Account:
+    Type: String
+    Description: Enter AWS Account Number where Prowler S3 Bucket resides.
+    AllowedPattern: ^\d{12}$
+    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
+    Default: 954896828174
+  CrossAccountRole:
+    Type: String
+    Description: Enter CrossAccount Role Prowler will be using to assess AWS Accounts in the AWS Organization. (ProwlerCrossAccountRole)
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters [+, =, ., @, -]
+    Default: ProwlerXA-CBRole
+  ProwlerReportFormat:
+    Type: String
+    Description: Enter Prowler Option like html, csv, json
+    Default: html
+
+Resources:
+  ProwlerCodeBuildRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Prowler CodeBuild Role
+      RoleName: !Ref CodeBuildRole
+      Tags:
+        - Key: App
+          Value: Prowler
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - codebuild.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Policies:
+        - PolicyName: Prowler-S3
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowGetPutListObject
+                Effect: Allow
+                Resource:
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}/*
+                Action:
+                  - s3:GetObject
+                  - s3:PutObject
+                  - s3:ListBucket
+                  - s3:PutObjectAcl
+              - Sid: AllowReadOnlyS3Access
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - "s3:Get*"
+                  - "s3:List*"
+        - PolicyName: Prowler-CrossAccount-AssumeRole
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowStsAssumeRole
+                Effect: Allow
+                Resource: !Sub arn:${AWS::Partition}:iam::*:role/${CrossAccountRole}
+                Action: sts:AssumeRole
+                Condition:
+                  StringEquals:
+                    aws:PrincipalOrgId: !Ref AwsOrgId
+        - PolicyName: Prowler-CloudWatch
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowCreateLogs
+                Effect: Allow
+                Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*
+                Action:
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+              - Sid: AllowPutevent
+                Effect: Allow
+                Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*:log-stream:*
+                Action:
+                  - logs:PutLogEvents
+
+  ProwlerCodeBuild:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      Artifacts:
+        Type: NO_ARTIFACTS
+      Source:
+        Type: S3
+        Location: !Ref CodeBuildSourceS3
+        BuildSpec: |
+          version: 0.2
+          phases:
+            install:
+              runtime-versions:
+                python: 3.8
+              commands:
+                - echo "Updating yum ..."
+                - yum -y update --skip-broken
+                - echo "Updating pip ..."
+                - python -m pip install --upgrade pip
+                - echo "Installing requirements ..."
+                - pip install "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
+            build:
+              commands:
+                - echo "Running Prowler with script"
+                - chmod +x run-prowler-reports.sh
+                - ./run-prowler-reports.sh
+            post_build:
+              commands:
+                - echo "Done!"
+      Environment:
+        # AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
+        # BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
+        # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
+        # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
+        # BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
+        ComputeType: "BUILD_GENERAL1_SMALL"
+        Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+        Type: "LINUX_CONTAINER"
+        EnvironmentVariables:
+          - Name: "S3"
+            Value: !Sub s3://${ProwlerReportS3}
+            Type: PLAINTEXT
+          - Name: "S3ACCOUNT"
+            Value: !Ref ProwlerReportS3Account
+            Type: PLAINTEXT
+          - Name: "ROLE"
+            Value: !Ref CrossAccountRole
+            Type: PLAINTEXT
+          - Name: "FORMAT"
+            Value: !Ref ProwlerReportFormat
+            Type: PLAINTEXT
+      Description: Run Prowler assessment
+      ServiceRole: !GetAtt ProwlerCodeBuildRole.Arn
+      TimeoutInMinutes: 300
+
+  ProwlerCWRuleRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - events.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Description: ProwlerCWRuleRole
+      RoleName: ProwlerCWRule-Role
+      Policies:
+        - PolicyName: Rule-Events
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AWSEventInvokeCodeBuild
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - codebuild:StartBuild
+
+  ProwlerRule:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: This rule will trigger CodeBuild to audit AWS Accounts in my Organization with Prowler
+      ScheduleExpression: cron(0 21 * * ? *)
+      RoleArn: !GetAtt ProwlerCWRuleRole.Arn
+      Name: ProwlerExecuteRule
+      State: ENABLED
+      Targets:
+        - Arn: !Sub ${ProwlerCodeBuild.Arn}
+          Id: Prowler-CodeBuild-Target
+          RoleArn: !GetAtt ProwlerCWRuleRole.Arn
+
+
+Outputs:
+  ProwlerEc2Account:
+    Description: AWS Account Number where Prowler EC2 Instance resides.
+    Value: !Ref AWS::AccountId
+  ProwlerCodeBuildRole:
+    Description: Instance Role given to the Prowler EC2 Instance (needed to grant sts:AssumeRole rights).
+    Value: !Ref ProwlerCodeBuildRole
+  ProwlerReportS3:
+    Description: S3 Bucket for Prowler Reports
+    Value: !Ref ProwlerReportS3

contrib/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml

@@ -0,0 +1,127 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create the Cross-Account IAM Prowler Role
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: CodeBuild Settings
+        Parameters:
+          - ProwlerCodeBuildAccount
+          - ProwlerCodeBuildRole
+      - Label:
+          default: S3 Settings
+        Parameters:
+          - ProwlerS3
+      - Label:
+          default: CrossAccount Role
+        Parameters:
+          - ProwlerCrossAccountRole
+
+Parameters:
+  ProwlerS3:
+    Type: String
+    Description: Enter S3 Bucket for Prowler Reports.  prefix-awsaccount-awsregion
+    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
+    Default: prowler-954896828174-ap-northeast-2
+  ProwlerCodeBuildAccount:
+    Type: String
+    Description: Enter AWS Account Number where Prowler CodeBuild Instance will reside.
+    AllowedPattern: ^\d{12}$
+    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
+    Default: 411267690458
+  ProwlerCodeBuildRole:
+    Type: String
+    Description: Enter Instance Role that will be given to the Prowler CodeBuild (needed to grant sts:AssumeRole rights).
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerCodeBuild-Role
+  ProwlerCrossAccountRole:
+    Type: String
+    Description: Enter Name for CrossAccount Role to be created for Prowler to assess all Accounts in the AWS Organization.
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerXA-CBRole
+
+Resources:
+  ProwlerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: Provides Prowler CodeBuild permissions to assess security of Accounts in AWS Organization
+      RoleName: !Ref ProwlerCrossAccountRole
+      Tags:
+        - Key: App
+          Value: Prowler
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !Sub arn:${AWS::Partition}:iam::${ProwlerCodeBuildAccount}:root
+            Action:
+              - sts:AssumeRole
+            Condition:
+              StringLike:
+                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::${ProwlerCodeBuildAccount}:role/${ProwlerCodeBuildRole}
+      ManagedPolicyArns:
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess
+      Policies:
+        - PolicyName: Prowler-Additions-Policy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowMoreReadForProwler
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  - access-analyzer:List*
+                  - apigateway:Get*
+                  - apigatewayv2:Get*
+                  - aws-marketplace:ViewSubscriptions
+                  - dax:ListTables
+                  - ds:ListAuthorizedApplications
+                  - ds:DescribeRoles
+                  - ec2:GetEbsEncryptionByDefault
+                  - ecr:Describe*
+                  - lambda:GetAccountSettings
+                  - lambda:GetFunctionConfiguration
+                  - lambda:GetLayerVersionPolicy
+                  - lambda:GetPolicy
+                  - opsworks-cm:Describe*
+                  - opsworks:Describe*
+                  - secretsmanager:ListSecretVersionIds
+                  - sns:List*
+                  - sqs:ListQueueTags
+                  - states:ListActivities
+                  - support:Describe*
+                  - tag:GetTagKeys
+                  - shield:GetSubscriptionState
+                  - shield:DescribeProtection
+                  - elasticfilesystem:DescribeBackupPolicy
+        - PolicyName: Prowler-S3-Reports
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Sid: AllowGetPutListObject
+                Effect: Allow
+                Resource:
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+                Action:
+                  - s3:GetObject
+                  - s3:PutObject
+                  - s3:ListBucket
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W11
+            reason: "Prowler requires these rights to perform its Security Assessment."
+          - id: W28
+            reason: "Using a defined Role Name."
+
+Outputs:
+  ProwlerCrossAccountRole:
+    Description: CrossAccount Role to be used by Prowler to assess AWS Accounts in the AWS Organization.
+    Value: !Ref ProwlerCrossAccountRole

contrib/org-multi-account/serverless_codebuild/templates/ProwlerS3.yaml

@@ -0,0 +1,106 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create Prowler S3 Bucket for Prowler Reports
+
+Parameters:
+  AwsOrgId:
+    Type: String
+    Description: >
+      Enter AWS Organizations ID.
+      This is used to restrict permissions to least privilege.
+    AllowedPattern: ^o-[a-z0-9]{10,32}$
+    ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
+    Default: o-abcde12345
+  S3Prefix:
+    Type: String
+    Description: >
+      Enter S3 Bucket Name Prefix (in lowercase).
+      Bucket will be named: prefix-awsaccount-awsregion (i.e., prowler-123456789012-us-east-1)
+    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,33}[a-z0-9]$
+    ConstraintDescription: >
+      Max 35 characters, as "-awsaccount-awsregion" will be added, and max name is 63 characters.
+      Can't start or end with dash.  Can use numbers and lowercase letters.
+    Default: prowler
+
+Resources:
+  ProwlerS3:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub ${S3Prefix}-${AWS::AccountId}-${AWS::Region}
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "AES256"
+      AccessControl: Private
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: True
+        BlockPublicPolicy: True
+        IgnorePublicAcls: True
+        RestrictPublicBuckets: True
+      VersioningConfiguration:
+        Status: Enabled
+      Tags:
+        - Key: App
+          Value: Prowler
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W35
+            reason: "This S3 Bucket is only being used by the AWS Organization to download/upload prowler reports."
+
+  ProwlerS3BucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref ProwlerS3
+      PolicyDocument:
+        Statement:
+          - Sid: AllowGetPutListObject
+            Effect: Allow
+            Principal: "*"
+            Action:
+              - s3:GetObject
+              - s3:PutObject
+              - s3:ListBucket
+              - s3:PutObjectAcl
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            Condition:
+              StringEquals:
+                aws:PrincipalOrgId: !Ref AwsOrgId
+          - Sid: DenyNonSSLRequests
+            Effect: Deny
+            Action: s3:*
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            Principal: "*"
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+          - Sid: DenyIncorrectEncryptionHeader
+            Effect: Deny
+            Principal: "*"
+            Action: s3:PutObject
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/*
+            # Allow uploads with No Encryption, as S3 Default Encryption still applies.
+            # If Encryption is set, only allow uploads with AES256.
+            Condition:
+              "Null":
+                s3:x-amz-server-side-encryption: false
+              StringNotEquals:
+                s3:x-amz-server-side-encryption: AES256
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F16
+            reason: "This S3 Bucket Policy has a condition that only allows access to the AWS Organization."
+
+
+Outputs:
+  ProwlerS3:
+    Description: S3 Bucket for Prowler Reports
+    Value: !Ref ProwlerS3
+  ProwlerS3Account:
+    Description: AWS Account Number where Prowler S3 Bucket resides.
+    Value: !Ref AWS::AccountId

contrib/org-multi-account/src/run-prowler-reports.sh

@@ -0,0 +1,115 @@
+#!/bin/bash -e
+#
+# Run Prowler against All AWS Accounts in an AWS Organization
+
+# Change Directory (rest of the script, assumes your in the ec2-user home directory)
+cd /home/ec2-user || exit
+
+# Show Prowler Version, and Download Prowler, if it doesn't already exist
+if ! ./prowler/prowler -V 2>/dev/null; then
+    git clone https://github.com/prowler-cloud/prowler.git
+    ./prowler/prowler -V
+fi
+
+# Source .awsvariables (to read in Environment Variables from CloudFormation Data)
+# shellcheck disable=SC1091
+source .awsvariables
+
+# Get Values from Environment Variables Created on EC2 Instance from CloudFormation Data
+echo "S3:             $S3"
+echo "S3ACCOUNT:      $S3ACCOUNT"
+echo "ROLE:           $ROLE"
+
+# CleanUp Last Ran Prowler Reports, as they are already stored in S3.
+rm -rf prowler/output/*.html
+
+# Function to unset AWS Profile Variables
+unset_aws() {
+    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+unset_aws
+
+# Find THIS Account AWS Number
+CALLER_ARN=$(aws sts get-caller-identity --output text --query "Arn")
+PARTITION=$(echo "$CALLER_ARN" | cut -d: -f2)
+THISACCOUNT=$(echo "$CALLER_ARN" | cut -d: -f5)
+echo "THISACCOUNT:    $THISACCOUNT"
+echo "PARTITION:      $PARTITION"
+
+# Function to Assume Role to THIS Account & Create Session
+this_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$THISACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Find AWS Master Account
+this_account_session
+AWSMASTER=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
+echo "AWSMASTER:      $AWSMASTER"
+
+# Function to Assume Role to Master Account & Create Session
+master_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$AWSMASTER":role/"$ROLE" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Lookup All Accounts in AWS Organization
+master_account_session
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+
+# Function to Assume Role to S3 Account & Create Session
+s3_account_session() {
+    unset_aws
+    role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$S3ACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json)
+    AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+    AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+    AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Run Prowler against Accounts in AWS Organization
+echo "AWS Accounts in Organization"
+echo "$ACCOUNTS_IN_ORGS"
+PARALLEL_ACCOUNTS="1"
+for accountId in $ACCOUNTS_IN_ORGS; do
+    # shellcheck disable=SC2015
+    test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait || true
+    {
+        START_TIME=$SECONDS
+        # Unset AWS Profile Variables
+        unset_aws
+        # Run Prowler
+        echo -e "Assessing AWS Account: $accountId, using Role: $ROLE on $(date)"
+        # remove -g cislevel for a full report and add other formats if needed
+        ./prowler/prowler.py --role arn:"$PARTITION":iam::"$accountId":role/"$ROLE" --compliance cis_1.5_aws -M html
+        echo "Report stored locally at: prowler/output/ directory"
+        TOTAL_SEC=$((SECONDS - START_TIME))
+        echo -e "Completed AWS Account: $accountId, using Role: $ROLE on $(date)"
+        printf "Completed AWS Account: $accountId in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
+        echo ""
+    } &
+done
+
+# Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed against All Accounts in the AWS Organization. Starting S3 copy operations..."
+
+# Upload Prowler Report to S3
+s3_account_session
+aws s3 cp prowler/output/ "$S3/reports/" --recursive --include "*.html" --acl bucket-owner-full-control
+echo "Assessment reports successfully copied to S3 bucket"
+
+# Final Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed"
+
+# Unset AWS Profile Variables
+unset_aws

contrib/other-contrib/multi-account/Audit_Exec_Role.yaml

@@ -0,0 +1,75 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Prowler Auditing Role - in Control Tower pick AWSControlTowerStackSetRole for IAM role and AWSControlTowerExecution for execution
+
+Parameters:
+
+  AuditorAccountId:
+    Default: 987600001234
+    Description: AWS Account ID where the audit tooling executes
+    Type: Number
+  AuditRolePathName:
+    Default: '/audit/prowler/XA_AuditRole_Prowler'
+    Description: Path for role name in audit tooling account
+    Type: String
+
+Resources:
+  XAAuditRole:
+    Type: "AWS::IAM::Role"
+    Properties: # /audit/prowler/XA_AuditRole_Prowler
+      RoleName: XA_AuditRole_Prowler
+      Path: "/audit/prowler/"
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/SecurityAudit
+        - arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
+        - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: # TODO: review permissions to see if this can be narrowed down - code build only perhaps
+                - !Sub "arn:aws:iam::${AuditorAccountId}:root"
+            Action:
+              - "sts:AssumeRole"
+          - Effect: "Allow"
+            Principal:
+              Service:
+                - "codebuild.amazonaws.com"
+            Action:
+              - "sts:AssumeRole"
+            # TODO: restrict to only AuditorAccount only
+      Policies:
+        - PolicyName: "ProwlerPolicyAdditions"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: "ProwlerPolicyAdditions"
+                Effect: "Allow"
+                Resource: "*"
+                Action:
+                  - "acm:describecertificate"
+                  - "acm:listcertificates"
+                  - "apigateway:GET"
+                  - "cloudtrail:GetEventSelectors"
+                  - "ec2:GetEbsEncryptionByDefault"
+                  - "es:describeelasticsearchdomainconfig"
+                  - "guardduty:ListDetectors"
+                  - "guardduty:GetDetector"
+                  - "logs:DescribeLogGroups"
+                  - "logs:DescribeMetricFilters"
+                  - "s3:GetEncryptionConfiguration"
+                  - "ses:getidentityverificationattributes"
+                  - "sns:listsubscriptionsbytopic"
+                  - "support:*"
+                  - "trustedadvisor:Describe*"
+
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: "the role name is intentionally static"
+          - id: W11
+            reason: "the policy grants read/view/audit access only, to all resources, by design"
+          - id: F3
+            reason: "Support does not allow or deny access to individual actions"

contrib/other-contrib/multi-account/Audit_Pipeline.yaml

@@ -0,0 +1,411 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Prowler Auditing Tools Stack
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "Organizations and Accounts"
+        Parameters:
+          - pOrgMasterAccounts
+          - pOrgExcludedAccounts
+          - pStandAloneAccounts
+      - Label:
+          default: "Check Group and Execution"
+        Parameters:
+          - pProwlerCheckGroup
+          - pAuditEveryXHours
+      - Label:
+          default: "Advanced"
+        Parameters:
+          - pTimeoutMinutes
+          - pAuditRolePathName
+          - pCustomProwlerRepo
+          - pCustomProwlerCloneArgs
+    ParameterLabels:
+      pOrgMasterAccounts:
+        default: "Organization Master Accounts"
+      pOrgExcludedAccounts:
+        default: "Excluded Organiztion Members"
+      pStandAloneAccounts:
+        default: "Stand-alone Accounts"
+      pProwlerCheckGroup:
+        default: "Prowler Check Group"
+      pAuditEveryXHours:
+        default: "Perform Audit every X hours"
+      pTimeoutMinutes:
+        default: "Permit Audit to run for X minutes"
+      pAuditRolePathName:
+        default: "Custom audit role path"
+      pCustomProwlerRepo:
+        default: "Custom git repo location for prowler"
+      pCustomProwlerCloneArgs:
+        default: "Custom arguments to git clone --depth 1"
+
+Parameters:
+  pAuditEveryXHours:
+    Default: 24
+    Type: Number
+    Description: Number of hours between prowler audit runs.
+    MinValue: 2
+    MaxValue: 168
+  pTimeoutMinutes:
+    Default: 30
+    Type: Number
+    Description: Timeout for running prowler across the fleet
+    MinValue: 5
+    MaxValue: 480
+  pAuditRolePathName:
+    Default: '/audit/prowler/XA_AuditRole_Prowler'
+    Type: String
+    Description: Role path and name which prowler will assume in the target accounts (Audit_Exec_Role.yaml)
+    # TODO: Validation: begins with "/" and does NOT end with "/"
+  pOrgMasterAccounts:
+    Description: Comma Separated list of Organization Master Accounts, or 'none'
+    Default: 'none'
+    Type: String
+    MinLength: 4
+    AllowedPattern: ^(none|([0-9]{12}(,[0-9]{12})*))$
+    ConstraintDescription: comma separated list 12-digit account numbers, or 'none'
+  pOrgExcludedAccounts: # Comma Separated list of Org Member Accounts to EXCLUDE
+    Description: Comma Separated list of Skipped Organization Member Accounts, or 'none'
+    Default: 'none'
+    Type: String
+    MinLength: 4
+    AllowedPattern: ^(none|([0-9]{12}(,[0-9]{12})*))$
+    ConstraintDescription: comma separated list 12-digit account numbers, or 'none'
+  pStandAloneAccounts: # Comma Separated list of Stand-Alone Accounts
+    Description: Comma Separated list of Stand-alone Accounts, or 'none'
+    Default: 'none'
+    Type: String
+    MinLength: 4
+    AllowedPattern: ^(none|([0-9]{12}(,[0-9]{12})*))$
+    ConstraintDescription: comma separated list 12-digit account numbers, or 'none'
+  pProwlerCheckGroup:
+    Default: 'cislevel1'
+    Type: String
+    Description: Which group of checks should prowler run
+    AllowedValues:
+     - 'group1'
+     - 'group2'
+     - 'group3'
+     - 'group4'
+     - 'cislevel1'
+     - 'cislevel2'
+     - 'extras'
+     - 'forensics-ready'
+     - 'gdpr'
+     - 'hipaa'
+     - 'secrets'
+     - 'apigateway'
+     - 'rds'
+  pCustomProwlerRepo:
+    Type: String
+    Default: 'https://github.com/prowler-cloud/prowler.git'
+    MinLength: 10
+  pCustomProwlerCloneArgs:
+    Type: String
+    Default: '--branch master'
+    MinLength: 0
+  ##### TODO
+  # pResultsBucket: # if specified, use an existing bucket for the data
+  # pEnableAthena:
+  #   Default: false
+  #   Type: Boolean
+  #   Description: Set to true to enable creation of Athena/QuickSight resources
+
+#### TODO
+# Conditions:
+#   cUseAthena: False
+
+Resources:
+
+  # S3 Bucket for Results, Config
+  ProwlerResults:
+    Type: "AWS::S3::Bucket"
+    Properties:
+      # BucketName: !Sub "audit-results-${AWS::AccountId}"
+      Tags:
+        - Key: "data-type"
+          Value: "it-audit:sensitive"
+        - Key: "data-public"
+          Value: "NO"
+      AccessControl: Private
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+            - ServerSideEncryptionByDefault:
+                SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: True
+        BlockPublicPolicy: True
+        IgnorePublicAcls: True
+        RestrictPublicBuckets: True
+      # LoggingConfiguration:
+      # TODO: Enable BucketLogging - requires more parameters
+    DeletionPolicy: "Retain"
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W35
+            reason: "Bucket logging requires additional configuration not yet supported by this template"
+
+  # Policy to allow assuming the XA_AuditRole_Prowler in target accounts
+  ProwlerAuditManagerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: AuditManagerRole_Prowler
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: codebuild.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Path: /
+      Policies:
+        - PolicyName: AssumeRole-XA_AuditRole_Prowler
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - sts:AssumeRole
+                Resource:
+                  - !Sub "arn:aws:iam::*:role${pAuditRolePathName}"
+              - Effect: Allow
+                Action:
+                  - s3:PutObject
+                  - s3:GetObject
+                  - s3:GetObjectVersion
+                Resource:
+                  - !Sub "${ProwlerResults.Arn}/*"
+              - Effect: Allow
+                Action:
+                  - s3:ListBucket
+                  - s3:HeadBucket
+                  - s3:GetBucketLocation
+                  - s3:GetBucketAcl
+                Resource:
+                  - !Sub "${ProwlerResults.Arn}"
+              - Effect: Allow
+                Action:
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+                Resource:
+                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
+                  - !Sub "${ProwlerResults.Arn}"
+              - Effect: Allow
+                Action:
+                  - ssm:GetParameters
+                Resource:
+                  - !Sub "arn:aws:ssm:us-east-1:${AWS::AccountId}:parameter/audit/prowler/config/*"
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W28
+            reason: "the role name is intentionally static"
+          - id: W11
+            reason: "not sure where the violation of w11 is"
+
+  ## Code Build Job
+  ProwlerBuildProject:
+    Type: "AWS::CodeBuild::Project"
+    Properties:
+      Name: PerformProwlerAudit
+      Description: "Run Prowler audit on accounts in targeted organizations"
+      QueuedTimeoutInMinutes: 480
+      TimeoutInMinutes: !Ref pTimeoutMinutes
+      ServiceRole: !Ref ProwlerAuditManagerRole
+      EncryptionKey: !Sub "arn:aws:kms:us-east-1:${AWS::AccountId}:alias/aws/s3"
+      Environment:
+        Type: "LINUX_CONTAINER"
+        ComputeType: "BUILD_GENERAL1_MEDIUM"
+        PrivilegedMode: False
+        Image: "aws/codebuild/standard:2.0-1.12.0"
+        ImagePullCredentialsType: "CODEBUILD"
+      Artifacts: # s3://stack-prowlerresults-randomness/prowler/results/...
+        Name: "results"
+        Type: "S3"
+        Location: !Ref ProwlerResults
+        Path: "prowler"
+        NamespaceType: NONE
+        Packaging: NONE
+        OverrideArtifactName: False
+        EncryptionDisabled: False
+      LogsConfig: # S3/logs/pipeline/
+        CloudWatchLogs:
+          Status: ENABLED
+          GroupName: "audit/prowler"
+          StreamName: "codebuild_runs"
+        S3Logs:
+          Status: DISABLED
+          # Location: !Sub "${ProwlerResults.Arn}/codebuild_run_logs"
+          EncryptionDisabled: False
+      BadgeEnabled: False
+      Tags:
+        - Key: "data-type"
+          Value: "it-audit:sensitive"
+        - Key: "data-public"
+          Value: "NO"
+      Cache:
+        Type: "NO_CACHE"
+      Source:
+        Type: NO_SOURCE
+        BuildSpec: |
+          version: 0.2
+          env:
+            parameter-store:
+              PROWL_CHECK_GROUP:         /audit/prowler/config/check_group
+              PROWL_MASTER_ACCOUNTS:     /audit/prowler/config/orgmaster_accounts
+              PROWL_STANDALONE_ACCOUNTS: /audit/prowler/config/standalone_accounts
+              PROWL_SKIP_ACCOUNTS:       /audit/prowler/config/skip_accounts
+              PROWL_AUDIT_ROLE:          /audit/prowler/config/audit_role
+              PROWLER_REPO:              /audit/prowler/config/gitrepo
+              PROWLER_CLONE_ARGS:        /audit/prowler/config/gitcloneargs
+          phases:
+            install:
+              runtime-versions:
+                python: 3.7
+              commands:
+                - aws --version
+                - git clone --depth 1 $PROWLER_REPO $PROWLER_CLONE_ARGS
+            pre_build:
+              commands:
+                - env | grep PROWL_
+                - export OUTBASE=$(date -u +"out/diagnostics/%Y/%m/%d")
+                - export STAMP=$(date -u +"%Y%m%dT%H%M%SZ")
+                - mkdir -p $OUTBASE || true
+                - prowler/prowler -V
+                - aws sts get-caller-identity > ${OUTBASE}/${STAMP}-caller-id.json
+            build:
+              commands:
+                #### Run Prowler against this account, but don't fail the build
+                # - export PROWLER_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+                # - /bin/bash prowler/prowler -g cislevel1 -M csv -n -k > ${OUTBASE}/${STAMP}.${PROWLER_ACCOUNT_ID}.prowler.cislevel1.csv || /bin/true
+                # - /bin/bash prowler/prowler -g forensics-ready -M csv -n -k > ${OUTBASE}/${STAMP}.${PROWLER_ACCOUNT_ID}.prowler.forensics-ready.csv || /bin/true
+                #### Run Prowler targeting all accounts in the configured organizations
+                - test -f prowler/util/multi-account/config
+                - /bin/bash prowler/util/multi-account/megaprowler.sh out
+              finally:
+                - ps axuwww | grep -E 'parallel|sem|prowler'
+            post_build:
+              commands:
+                - echo "attempting to collect any prowler credential reports ..."
+                - find /tmp/ -name prowler\* | xargs -I % cp % ${OUTDIAG} || true
+          artifacts:
+            files:
+              - '**/*'
+            discard-paths: no
+            base-directory: out
+
+  ProwlerAuditTriggerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      # RoleName: Let cloudformation create this
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Path: /
+      Policies:
+        - PolicyName: AssumeRole-XA_AuditRole_Prowler
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - codebuild:StartBuild
+                Resource:
+                  - !GetAtt ProwlerBuildProject.Arn
+
+  ProwlerAuditTrigger:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: !Sub "Execute Prowler audit every ${pAuditEveryXHours} hours"
+      Name: "ScheduledProwler"
+      RoleArn: !GetAtt ProwlerAuditTriggerRole.Arn
+      ## Other ways to define scheduling
+      # ScheduleExpression: "cron(MM HH ? * * *)"
+      # ScheduleExpression: "cron(45 15 ? * * *)"
+      # ScheduleExpression: !Sub "rate( ${pAuditEveryXHours} hours)"
+      ScheduleExpression: !Sub "rate(${pAuditEveryXHours} hours)"
+      State: ENABLED
+      Targets:
+        - Arn: !GetAtt ProwlerBuildProject.Arn
+          Id: 'ScheduledProwler'
+          RoleArn: !GetAtt ProwlerAuditTriggerRole.Arn
+
+  ProwlerConfigCheckGroup:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: "Name of the prowler check group to use"
+      Name: "/audit/prowler/config/check_group"
+      Type: "String"
+      Value: !Ref pProwlerCheckGroup
+
+  ProwlerConfigMasterAccounts:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: "List of organization master accounts"
+      Name: "/audit/prowler/config/orgmaster_accounts"
+      Type: "String"
+      Value: !Ref pOrgMasterAccounts
+
+  ProwlerConfigStandAloneAccounts:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: "List of stand-alone accounts"
+      Name: "/audit/prowler/config/standalone_accounts"
+      Type: "String"
+      Value: !Ref pStandAloneAccounts
+
+  ProwlerConfigSkipAccounts:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: "List of skipped organization member accounts"
+      Name: "/audit/prowler/config/skip_accounts"
+      Type: "String"
+      Value: !Ref pOrgExcludedAccounts
+
+  ProwlerConfigAuditRole:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: "Role used to audit target accounts"
+      Name: "/audit/prowler/config/audit_role"
+      Type: "String"
+      Value: !Ref pAuditRolePathName
+
+  ProwlerConfigGitRepo:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: "Git repository where prowler is gathered"
+      Name: "/audit/prowler/config/gitrepo"
+      Type: "String"
+      Value: !Ref pCustomProwlerRepo
+
+  ProwlerConfigGitCloneArgs:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: "Git clone arguments"
+      Name: "/audit/prowler/config/gitcloneargs"
+      Type: "String"
+      Value: !Ref pCustomProwlerCloneArgs
+
+
+  # -- Conditional "cUseAthena"
+  # Athena
+  # QuickSight
+  # ???
+
+
+Outputs:
+  ResultsBucket:
+    Description: S3 Bucket with Prowler Results, Logs, Configs
+    Value: !Ref ProwlerResults

contrib/other-contrib/multi-account/config

@@ -0,0 +1,33 @@
+#!/bin/bash
+########### CODEBUILD CONFIGURATION ##################
+# shellcheck disable=SC2034
+## Collect environment parameters set by buildspec
+CHECKGROUP=${PROWL_CHECK_GROUP}
+
+if [ "none" == "${PROWL_MASTER_ACCOUNTS}" ]; then
+  ORG_MASTERS=""
+else
+  ORG_MASTERS=$(echo "${PROWL_MASTER_ACCOUNTS}" | tr "," " ")
+fi
+
+if [ "none" == "${PROWL_STANDALONE_ACCOUNTS}" ]; then
+  STANDALONE_ACCOUNTS=""
+else
+  STANDALONE_ACCOUNTS=$(echo "${PROWL_STANDALONE_ACCOUNTS}" | tr "," " ")
+fi
+
+if [ "none" == "${PROWL_SKIP_ACCOUNTS}" ]; then
+  SKIP_ACCOUNTS_REGEX='^$'
+else
+  skip_inside=$(echo "${PROWL_SKIP_ACCOUNTS}" | tr "," "|")
+  # shellcheck disable=SC2116
+  SKIP_ACCOUNTS_REGEX=$(echo "(${skip_inside})" )
+fi
+
+AUDIT_ROLE=${PROWL_AUDIT_ROLE}
+
+# Adjust if you clone prowler from somewhere other than the default location
+PROWLER='prowler/prowler'
+
+# Change this if you want to ensure it breaks in code build
+CREDSOURCE='EcsContainer'

contrib/other-contrib/multi-account/megaprowler.sh

@@ -0,0 +1,202 @@
+#!/bin/bash
+
+BASEDIR=$(dirname "${0}")
+# source the configuration data from "config" in this directory
+if [[ -f "${BASEDIR}/config" ]]; then
+  # shellcheck disable=SC1090
+  . "${BASEDIR}/config"
+
+else
+  echo "CONFIG file missing - ${BASEDIR}/config"
+  exit 255
+fi
+
+## Check Environment variables which are set by config
+if [[ "${ORG_MASTERS}X" == "X" && "${STANDALONE_ACCOUNTS}X" == "X" ]]; then
+  echo "No audit targets specified. Failing."
+  exit 15
+fi
+if [[ -z $SKIP_ACCOUNTS_REGEX ]]; then
+  SKIP_ACCOUNTS_REGEX=""
+fi
+
+if [[ -z $CHECKGROUP ]]; then
+  echo "Missing check group from config file"
+  exit 255
+fi
+if [[ -z $AUDIT_ROLE ]]; then
+  echo "Missing audit role from config file"
+  exit 255
+fi
+
+## ========================================================================================
+
+## Check Arguments
+if [ $# -lt 1 ]; then
+  echo "NEED AN OUTPUT DIRECTORY"
+  exit 2
+else
+  if [[ -d $1 && -w $1 ]]; then
+    OUTBASE=$1
+  else
+    echo "Output directory missing or write-protected"
+    exit 1
+  fi
+fi
+
+
+## Check Requirements
+if [[ -x $(command -v aws) ]]; then
+  aws --version
+else
+  echo "AWS CLI is not in PATH ... giving up"
+  exit 4
+fi
+
+if [[ -x $(command -v jq) ]]; then
+  jq --version
+else
+  echo "JQ is not in PATH ... giving up"
+  exit 4
+fi
+
+# Ensure AWS Credentials are present in environment
+if [[ -z $CREDSOURCE ]]; then
+  echo "No source for base credentials ... giving up"
+  exit 5
+fi
+
+if [[ -f ${PROWLER} && -x ${PROWLER} ]]; then
+  ${PROWLER} -V
+else
+  echo "Unable to execute prowler from ${PROWLER}"
+  exit 3
+fi
+
+
+## Preflight checks complete
+
+DAYPATH=$(date -u +%Y/%m/%d)
+STAMP=$(date -u +%Y%m%dT%H%M%SZ)
+## Create output subdirs
+OUTDATA="${OUTBASE}/data/${DAYPATH}"
+OUTLOGS="${OUTBASE}/logs/${DAYPATH}"
+mkdir -p "${OUTDATA}" "${OUTLOGS}"
+
+
+if [[ -x $(command -v parallel) ]]; then
+  # Note: the "standard" codebuild container includes parallel
+  echo "Using GNU sem/parallel, with NCPU+4 jobs"
+  parallel --citation > /dev/null 2> /dev/null
+  PARALLEL_START="parallel --semaphore --fg --id p_${STAMP} --jobs +4 --env AWS_SHARED_CREDENTIALS_FILE"
+  PARALLEL_START_SUFFIX=''
+  PARALLEL_END="parallel --semaphore --wait --id p_${STAMP}"
+else
+  echo "Consider installing GNU Parallel to avoid punishing your system"
+  PARALLEL_START=''
+  PARALLEL_START_SUFFIX=' &'
+  # shellcheck disable=SC2089
+  PARALLEL_END="echo 'WAITING BLINDLY FOR PROCESSES TO COMPLETE'; wait ; sleep 30 ; wait"
+fi
+
+echo "Execution Timestamp: ${STAMP}"
+
+ALL_ACCOUNTS=""
+
+
+# Create a temporary credential file
+AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX)
+echo "Preparing Credentials ${AWS_MASTERS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
+echo "# Master Credentials ${STAMP}"   >> "${AWS_MASTERS_CREDENTIALS_FILE}"
+echo ""                                >> "${AWS_MASTERS_CREDENTIALS_FILE}"
+
+AWS_TARGETS_CREDENTIALS_FILE=$(mktemp -t prowler.targets-XXXXXX)
+echo "Preparing Credentials ${AWS_TARGETS_CREDENTIALS_FILE} ( ${CREDSOURCE} )"
+echo "# Target Credentials ${STAMP}" >> "${AWS_TARGETS_CREDENTIALS_FILE}"
+echo ""                              >> "${AWS_TARGETS_CREDENTIALS_FILE}"
+
+
+## Visit the Organization Master accounts & build a list of all member accounts
+export AWS_SHARED_CREDENTIALS_FILE=$AWS_MASTERS_CREDENTIALS_FILE
+for org in $ORG_MASTERS ; do
+  echo -n "Preparing organization $org "
+  # create credential profile
+  {
+  echo "[audit_${org}]"
+  echo "role_arn = arn:aws:iam::${org}:role${AUDIT_ROLE}"
+  echo "credential_source = ${CREDSOURCE}"
+  echo ""
+  } >> "${AWS_MASTERS_CREDENTIALS_FILE}"
+
+  # Get the Organization ID to use for output paths, collecting info, etc
+  org_id=$(aws --output json --profile "audit_${org}" organizations describe-organization | jq -r '.Organization.Id' )
+
+  echo "( $org_id )"
+  ORG_ID_LIST="${ORG_ID_LIST} ${org_id}"
+
+
+  # Build the list of all accounts in the organizations
+  aws --output json --profile "audit_${org}" organizations list-accounts > "${OUTLOGS}/${STAMP}-${org_id}-account-list.json"
+  # shellcheck disable=SC2002
+  ORG_ACCOUNTS=$( cat "${OUTLOGS}/${STAMP}-${org_id}-account-list.json" | jq -r '.Accounts[].Id' | tr "\n" " ")
+  ALL_ACCOUNTS="${ALL_ACCOUNTS} ${ORG_ACCOUNTS}"
+
+  # Add the Org's Accounts (including master) to the TARGETS_CREDENTIALS file
+  for target in $ORG_ACCOUNTS ; do
+    if echo "$target" | grep -qE "${SKIP_ACCOUNTS_REGEX}"; then
+      echo " skipping account      ${target} ( ${org_id} )"
+      continue
+    fi
+    # echo "  ${org_id}_${target}"
+    {
+    echo "[${org_id}_${target}]"
+    echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}"
+    echo "credential_source = ${CREDSOURCE}"
+    echo ""
+    } >> "${AWS_TARGETS_CREDENTIALS_FILE}"
+  done
+
+done
+
+# Prepare credentials for standalone accounts
+if [[ "" != "${STANDALONE_ACCOUNTS}" ]] ; then
+  # mkdir -p ${OUTBASE}/data/standalone/${DAYPATH} ${OUTBASE}/logs/standalone/${DAYPATH}
+  for target in $STANDALONE_ACCOUNTS ; do
+    echo "Preparing account      ${target} ( standalone )"
+    {
+    echo "[standalone_${target}]"
+    echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}"
+    echo "credential_source = ${CREDSOURCE}"
+    echo ""
+    } >> "${AWS_TARGETS_CREDENTIALS_FILE}"
+  done
+  ALL_ACCOUNTS="${ALL_ACCOUNTS} ${STANDALONE_ACCOUNTS}"
+fi
+
+# grep -E '^\[' $AWS_MASTERS_CREDENTIALS_FILE $AWS_TARGETS_CREDENTIALS_FILE
+
+
+# Switch to Target Credential Set
+export AWS_SHARED_CREDENTIALS_FILE=${AWS_TARGETS_CREDENTIALS_FILE}
+
+## visit each target account
+NUM_ACCOUNTS=$(grep -cE '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}")
+echo "Launching ${CHECKGROUP} audit of ${NUM_ACCOUNTS} accounts"
+for member in $(grep -E '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}" | tr -d '][') ; do
+  ORG_ID=$(echo "$member" | cut -d'_' -f1)
+  ACCOUNT_NUM=$(echo "$member" | cut -d'_' -f2)
+
+  # shellcheck disable=SC2086
+  ${PARALLEL_START} "${PROWLER} -p ${member} -n -M csv -g ${CHECKGROUP} 2> ${OUTLOGS}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.log  > ${OUTDATA}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.csv ; echo \"${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP} finished\" " ${PARALLEL_START_SUFFIX}
+done
+
+echo -n "waiting for parallel threads to complete - " ; date
+# shellcheck disable=SC2090
+${PARALLEL_END}
+
+echo "Completed ${CHECKGROUP} audit with stamp ${STAMP}"
+
+# mkdir -p ${OUTBASE}/logs/debug/${DAYPATH}
+# cp "$AWS_MASTERS_CREDENTIALS_FILE" "${OUTLOGS}/${STAMP}-master_creds.txt"
+# cp "$AWS_TARGETS_CREDENTIALS_FILE" "${OUTLOGS}/${STAMP}-target_creds.txt"
+rm "$AWS_MASTERS_CREDENTIALS_FILE" "$AWS_TARGETS_CREDENTIALS_FILE"

contrib/terraform-kickstarter/data.tf

@@ -0,0 +1,212 @@
+/*
+© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross_claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third_party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON_INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third_party archives.
+
+   Copyright [2020] [© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE_2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+data "aws_iam_policy" "SecurityAudit" {
+  arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+data "aws_caller_identity" "current" {
+}
+data "aws_region" "current" {
+}

contrib/terraform-kickstarter/docs/tf.md

@@ -0,0 +1,53 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.54 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.55.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_rule.prowler_check_scheduler_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.run_prowler_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_codebuild_project.prowler_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_iam_policy.prowler_event_trigger_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.prowler_kickstarter_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_attachment.prowler_event_trigger_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_policy_attachment.prowler_kickstarter_iam_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_role.prowler_event_trigger_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.prowler_kick_start_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_s3_bucket.prowler_report_storage_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.prowler_report_storage_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.prowler_report_storage_bucket_block_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_securityhub_account.securityhub_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource |
+| [aws_securityhub_product_subscription.security_hub_enable_prowler_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_product_subscription) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.SecurityAudit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_codebuild_timeout"></a> [codebuild\_timeout](#input\_codebuild\_timeout) | Codebuild timeout setting | `number` | `300` | no |
+| <a name="input_enable_security_hub"></a> [enable\_security\_hub](#input\_enable\_security\_hub) | Enable AWS SecurityHub. | `bool` | `true` | no |
+| <a name="input_enable_security_hub_prowler_subscription"></a> [enable\_security\_hub\_prowler\_subscription](#input\_enable\_security\_hub\_prowler\_subscription) | Enable a Prowler Subscription. | `bool` | `true` | no |
+| <a name="input_prowler_cli_options"></a> [prowler\_cli\_options](#input\_prowler\_cli\_options) | Run Prowler With The Following Command | `string` | `"_q _M json_asff _S _f us_east_1"` | no |
+| <a name="input_prowler_schedule"></a> [prowler\_schedule](#input\_prowler\_schedule) | Run Prowler based on cron schedule | `string` | `"cron(0 0 ? * * *)"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | TODO Move these to outputs file |

contrib/terraform-kickstarter/main.tf

@@ -0,0 +1,499 @@
+/*
+© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross_claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third_party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON_INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third_party archives.
+
+   Copyright [2020] [© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE_2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+/*
+Security Hub Import Commands
+
+Run this to get state of SecurityHub
+
+terraform import aws_securityhub_account.securityhubresource 123456789012
+
+*/
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.54"
+    }
+  }
+}
+provider "aws" {
+  region = var.select_region
+}
+
+resource "aws_iam_role" "prowler_kick_start_role" {
+  name                = "security_baseline_kickstarter_iam_role"
+  managed_policy_arns = ["${data.aws_iam_policy.SecurityAudit.arn}",
+                         "arn:aws:iam::aws:policy/job-function/SupportUser",
+                         "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action="sts:AssumeRole"
+        Effect="Allow"
+        Sid = "CodeBuildProwler"
+        Principal = {Service="codebuild.amazonaws.com"}
+      }
+    ]
+  })
+  force_detach_policies=true
+}
+resource "aws_iam_role" "prowler_event_trigger_role" {
+    name = "security_baseline_kickstarter_event_trigger_iam_role"
+    assume_role_policy = jsonencode({
+                              Version = "2012-10-17"
+                              Statement = [
+                                {
+                                  Action="sts:AssumeRole"
+                                  Effect="Allow"
+                                  Sid = "TriggerCodeBuild"
+                                  Principal = {Service="events.amazonaws.com"}
+                                }
+                              ]
+                            })
+
+}
+resource "aws_iam_policy" "prowler_event_trigger_policy" {
+  depends_on        = [aws_codebuild_project.prowler_codebuild]
+  name        = "security_baseline_kickstarter_trigger_iam_policy"
+  path        = "/"
+  description = "IAM Policy used to trigger the Prowler in AWS Codebuild"
+  policy = jsonencode({
+     Version = "2012-10-17"
+    Statement = [
+      {
+        Action =  ["codebuild:StartBuild"],
+        Effect   = "Allow"
+        Resource =  aws_codebuild_project.prowler_codebuild.arn
+      }]
+  })
+}
+resource "aws_iam_policy_attachment" "prowler_event_trigger_policy_attach" {
+  depends_on = [aws_iam_policy.prowler_event_trigger_policy]
+  name       = "prowler_event_trigger_policy_attach"
+  roles      = toset([aws_iam_role.prowler_event_trigger_role.id])
+  policy_arn = aws_iam_policy.prowler_event_trigger_policy.arn
+}
+resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
+  name        = "security_baseline_kickstarter_iam_policy"
+  path        = "/"
+  description = "IAM Policy used to run prowler from codebuild"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action =  [
+            "logs:PutLogEvents"
+            ],
+        Effect   = "Allow"
+        Resource =  "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*"
+      },
+       {
+        Action =  [
+            "logs:CreateLogStream",
+            "logs:CreateLogGroup"
+            ],
+        Effect   = "Allow"
+        Resource =  "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*"
+      },
+       {
+        Action =  ["sts:AssumeRole"],
+        Effect   = "Allow"
+        Resource =  "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.prowler_kick_start_role.name}"
+      },
+      {
+        Action =  [
+                  "ds:ListAuthorizedApplications",
+                  "ec2:GetEbsEncryptionByDefault",
+                  "ecr:Describe*",
+                  "elasticfilesystem:DescribeBackupPolicy",
+                  "glue:GetConnections",
+                  "glue:GetSecurityConfiguration",
+                  "glue:SearchTables",
+                  "lambda:GetFunction",
+                  "s3:GetAccountPublicAccessBlock",
+                  "shield:DescribeProtection",
+                  "shield:GetSubscriptionState",
+                  "ssm:GetDocument",
+                  "support:Describe*",
+                  "tag:GetTagKeys"
+                  ]
+        Effect   = "Allow"
+        Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"
+
+      },
+      {
+        Action =  [
+                "codebuild:CreateReportGroup",
+                "codebuild:CreateReport",
+                "codebuild:UpdateReport",
+                "codebuild:BatchPutTestCases",
+                "codebuild:BatchPutCodeCoverages"
+                                    ]
+        Effect   = "Allow"
+        Resource = "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:report-group/*"
+
+      },
+       {
+        Action =  [ "securityhub:BatchImportFindings"]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+             {
+        Action =  [ "securityhub:GetFindings"]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+            "Action": "codebuild:StartBuild",
+            "Resource": "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:project/*",
+            "Effect": "Allow"
+      },
+      {
+            "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketAcl", "s3:GetBucketLocation"],
+            "Resource": "arn:aws:s3:::prowler-kickstart-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}-reports/*",
+            "Effect": "Allow"
+      },
+    ]
+  })
+}
+resource "aws_iam_policy_attachment" "prowler_kickstarter_iam_policy_attach" {
+  depends_on = [aws_iam_policy.prowler_kickstarter_iam_policy]
+  name       = "security_baseline_kickstarter_policy_attach"
+  roles      = toset([aws_iam_role.prowler_kick_start_role.id])
+  policy_arn = aws_iam_policy.prowler_kickstarter_iam_policy.arn
+}
+resource "aws_s3_bucket" "prowler_report_storage_bucket" {
+    bucket = "prowler-kickstart-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}-reports"
+    acl = "log-delivery-write"
+    versioning {
+        enabled = true
+    }
+    server_side_encryption_configuration {
+        rule {
+            apply_server_side_encryption_by_default {
+                sse_algorithm     = "AES256"
+            }
+        }
+    }
+    }
+
+resource "aws_s3_bucket_policy" "prowler_report_storage_bucket_policy" {
+    depends_on = [aws_s3_bucket.prowler_report_storage_bucket]
+    bucket = aws_s3_bucket.prowler_report_storage_bucket.id
+    policy = jsonencode({Version = "2012-10-17"
+                            Id      = "ProwlerBucketReportPolicy"
+                            Statement = [
+                            {
+                                Sid       = "S3ForceSSL"
+                                Effect    = "Deny"
+                                Principal = "*"
+                                Action    = "s3:*"
+                                Resource = ["${aws_s3_bucket.prowler_report_storage_bucket.arn}/*"]
+                                Condition = {
+                                Bool = {
+                                    "aws:SecureTransport" = "false"
+                                    }
+                                }
+                            },
+                            {
+                                Sid       = "DenyUnEncryptedObjectUploads"
+                                Effect    = "Deny"
+                                Principal = "*"
+                                Action    = "s3:*"
+                                Resource = ["${aws_s3_bucket.prowler_report_storage_bucket.arn}/*"]
+                                Condition = {
+                                Null = {
+                                    "s3:x-amz-server-side-encryption" = "true"
+                                    }
+                                }
+                            }
+
+                            ]
+                        })
+                        }
+
+
+
+resource "aws_s3_bucket_public_access_block" "prowler_report_storage_bucket_block_public" {
+    depends_on = [aws_s3_bucket.prowler_report_storage_bucket, aws_s3_bucket_policy.prowler_report_storage_bucket_policy]
+    bucket = aws_s3_bucket.prowler_report_storage_bucket.id
+    block_public_acls   = true
+    block_public_policy = true
+    ignore_public_acls = true
+    restrict_public_buckets = true
+    }
+
+resource "aws_codebuild_project" "prowler_codebuild" {
+  name          = "security_baseline_kickstarter_codebuild"
+  description   = "Run a Prowler Assessment with Prowler"
+  build_timeout = var.codebuild_timeout
+  service_role  = aws_iam_role.prowler_kick_start_role.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+    type                        = "LINUX_CONTAINER"
+
+    environment_variable {
+      name  = "BUCKET_REPORT"
+      value = "${aws_s3_bucket.prowler_report_storage_bucket.id}"
+    }
+
+    environment_variable {
+      name  = "PROWLER_OPTIONS"
+      type  = "PLAINTEXT"
+      value = var.prowler_cli_options
+        }
+    }
+
+
+  source {
+    type            = "NO_SOURCE"
+    buildspec       =  "${file("prowler_build_spec.yml")}"
+    }
+
+  tags = {
+    Environment = "Prowler KickStarter"
+        }
+    }
+
+
+
+
+
+resource "aws_securityhub_account" "securityhub_resource" {
+    }
+
+resource "aws_securityhub_product_subscription" "security_hub_enable_prowler_findings" {
+  depends_on  = [aws_securityhub_account.securityhub_resource]
+  //arn:aws:securityhub:<REGION>::product/prowler/prowler
+  product_arn = "arn:aws:securityhub:${data.aws_region.current.name}::product/prowler/prowler"
+    }
+
+resource "aws_cloudwatch_event_rule" "prowler_check_scheduler_event" {
+
+    name = "security_baseline_kickstarter_event_cron"
+    description = "Run Prowler every night"
+    schedule_expression = var.prowler_schedule
+    }
+
+resource "aws_cloudwatch_event_target" "run_prowler_scan" {
+
+  arn       = aws_codebuild_project.prowler_codebuild.arn
+  rule      = aws_cloudwatch_event_rule.prowler_check_scheduler_event.name
+  role_arn  = aws_iam_role.prowler_event_trigger_role.arn
+
+    }

contrib/terraform-kickstarter/outputs.tf

@@ -0,0 +1,209 @@
+/*
+© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross_claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third_party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON_INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third_party archives.
+
+   Copyright [2020] [© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE_2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+output "account_id" {
+  value = data.aws_caller_identity.current.account_id
+}

contrib/terraform-kickstarter/prowler_build_spec.yml

@@ -0,0 +1,24 @@
+version: 0.2
+phases:
+  install:
+    runtime-versions:
+      python: 3.8
+    commands:
+      - echo "Installing Prowler and dependencies..."
+      - pip3 install detect-secrets
+      - yum -y install jq
+      - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+      - unzip awscliv2.zip
+      - ./aws/install
+      - git clone https://github.com/prowler-cloud/prowler
+      - cd prowler
+
+  build:
+    commands:
+      - echo "Running Prowler as ./prowler $PROWLER_OPTIONS"
+      - ./prowler $PROWLER_OPTIONS || true
+  post_build:
+    commands:
+      - echo "Scan Complete"
+      - aws s3 cp --sse AES256 output/ s3://$BUCKET_REPORT/ --recursive
+      - echo "Done!"

contrib/terraform-kickstarter/readme.md

@@ -0,0 +1,93 @@
+# Install Security Baseline Kickstarter with Prowler
+
+## Introduction
+
+The following demonstrates how to quickly install the resources necessary to perform a security baseline using Prowler.  The speed is based on the prebuilt terraform module that can configure all the resources necessary to run Prowler with the findings being sent to AWS Security Hub.
+
+## Install
+
+Installing Prowler with Terraform is simple and can be completed in under 1 minute.
+
+- Start AWS CloudShell
+- Run the following commands to install Terraform and clone the Prowler git repo
+  ```
+  git clone https://github.com/prowler-cloud/prowler.git
+  cd prowler
+  sudo yum install -y yum-utils
+  sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
+  sudo yum -y install terraform
+  cd util/terraform-kickstarter
+  ```
+- Issue a `terraform init`
+
+- Issue a `terraform apply`
+
+  ![Prowler Install](https://prowler-docs.s3.amazonaws.com/Prowler-Terraform-Install.gif)
+
+   - It is likely an error will return related to the SecurityHub subscription.  This appears to be Terraform related and you can validate the configuration by navigating to the SecurityHub console.  Click Integrations and search for Prowler. Take note of the green check where it says *Accepting findings*
+
+  ![Prowler Subscription](https://prowler-docs.s3.amazonaws.com/Validate-Prowler-Subscription.gif)
+
+
+Thats it!  Install is now complete.  The resources include a Cloudwatch event that will trigger the AWS Codebuild to run daily at 00:00 GMT.  If you'd like to run an assessment after the deployment then simply navigate to the Codebuild console and start the job manually.
+
+## Terraform Resources
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.54 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.56.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_rule.prowler_check_scheduler_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.run_prowler_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_codebuild_project.prowler_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_iam_policy.prowler_event_trigger_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.prowler_kickstarter_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_attachment.prowler_event_trigger_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_policy_attachment.prowler_kickstarter_iam_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_role.prowler_event_trigger_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.prowler_kick_start_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_s3_bucket.prowler_report_storage_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.prowler_report_storage_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.prowler_report_storage_bucket_block_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_securityhub_account.securityhub_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource |
+| [aws_securityhub_product_subscription.security_hub_enable_prowler_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_product_subscription) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.SecurityAudit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_codebuild_timeout"></a> [codebuild\_timeout](#input\_codebuild\_timeout) | Codebuild timeout setting | `number` | `300` | no |
+| <a name="input_enable_security_hub"></a> [enable\_security\_hub](#input\_enable\_security\_hub) | Enable AWS SecurityHub. | `bool` | `true` | no |
+| <a name="input_enable_security_hub_prowler_subscription"></a> [enable\_security\_hub\_prowler\_subscription](#input\_enable\_security\_hub\_prowler\_subscription) | Enable a Prowler Subscription. | `bool` | `true` | no |
+| <a name="input_prowler_cli_options"></a> [prowler\_cli\_options](#input\_prowler\_cli\_options) | Run Prowler With The Following Command | `string` | `"-q -M json-asff -S -f us-east-1"` | no |
+| <a name="input_prowler_schedule"></a> [prowler\_schedule](#input\_prowler\_schedule) | Run Prowler based on cron schedule | `string` | `"cron(0 0 ? * * *)"` | no |
+| <a name="input_select_region"></a> [select\_region](#input\_select\_region) | Uses the following AWS Region. | `string` | `"us-east-1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | n/a |
+
+## Kickoff Prowler Assessment From Install to Assessment Demo (Link to YouTube)
+
+  [![Prowler Install](https://img.youtube.com/vi/ShhzIArO8X0/0.jpg)](https://www.youtube.com/watch?v=ShhzIArO8X0 "Prowler Install")

contrib/terraform-kickstarter/tf_install.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+#AMZN-Linux Terraform Install Script
+git clone https://github.com/singergs/prowler.git
+git fetch
+cd prowler
+git checkout -t origin/terraform-kickstart
+sudo yum install -y yum-utils
+sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
+sudo yum -y install terraform

contrib/terraform-kickstarter/variables.tf

@@ -0,0 +1,251 @@
+/*
+© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non_exclusive, no_charge, royalty_free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross_claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third_party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON_INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third_party archives.
+
+   Copyright [2020] [© 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE_2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+/*
+Security Hub Import Commands
+
+Run this to get state of SecurityHub
+
+terraform import aws_securityhub_account.securityhubresource 123456789012
+
+*/
+
+variable "select_region" {
+  description = "Uses the following AWS Region."
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "enable_security_hub" {
+  description = "Enable AWS SecurityHub."
+  type        = bool
+  default     = true
+}
+
+variable "enable_security_hub_prowler_subscription" {
+  description = "Enable a Prowler Subscription."
+  type        = bool
+  default     = true
+}
+
+variable "prowler_cli_options" {
+  description = "Run Prowler With The Following Command"
+  type        = string
+  default     =  "-q -M json-asff -S -f us-east-1"
+}
+
+variable "prowler_schedule"{
+  description = "Run Prowler based on cron schedule"
+  default="cron(0 0 ? * * *)"
+  type=string
+
+}
+
+variable "codebuild_timeout" {
+  description = "Codebuild timeout setting"
+  default = 300
+  type=number
+}

contrib/wazuh/README.md

@@ -0,0 +1,115 @@
+# Prowler integration with Wazuh (DRAFT)
+
+## Table of Contents
+
+- [Description](#description)
+- [Features](#features)
+- [Requirements](#requirements)
+- [Integration steps](#integration-steps)
+- [Troubleshooting](#troubleshooting)
+- [Thanks](#thanks)
+- [License](#license)
+
+## Description
+
+Prowler integration with WAZUH using a python wrapper. Due to the wrapper limitations, this integration can be considered as a proof of concept at this time.
+
+## Features
+
+Wazuh, using a wodle, runs Prowler every certain time and stores alerts (failed checks) using JSON output which Wazuh processes and sends to Elastic Search to be queried from Kibana.
+
+## Requirements
+
+1. Latest AWS-CLI client (`pip install awscli`). If you have it already installed, make sure you are using the latest version, upgrade it: `pip install awscli --upgrade`.
+2. Also `jq` is needed (`pip install jq`).
+
+Remember, you must have AWS-CLI credentials already configured in the same instance running Wazuh (run `aws configure` if needed). In this DRAFT I'm using `/root/.aws/credentials` file with [default] as AWS-CLI profile and access keys but you can use assume role configuration as well. For the moment instance profile is not supported in this wrapper.
+
+It may work in previous versions of Wazuh, but this document and integration was tested on Wazuh 3.7.1. So to have a Wazuh running installation is obviously required.
+
+## Integration steps
+
+Add Prowler to Wazuh's integrations:
+```
+cd /var/ossec/integrations/
+git clone https://github.com/toniblyx/prowler
+```
+Copy `prowler-wrapper.py` to integrations folder:
+
+```
+cp /var/ossec/integrations/prowler/integrations/prowler-wrapper.py /var/ossec/integrations/prowler-wrapper.py
+```
+Then make sure it is executable:
+```
+chmod +x /var/ossec/integrations/prowler-wrapper.py
+```
+Run Prowler wrapper manually to make sure it works fine, use `--debug 1` or `--debug 2`):
+```
+/var/ossec/integrations/prowler-wrapper.py --aws_profile default --aws_account_alias default --debug 2
+```
+
+Copy rules file to its location:
+
+```
+cp /var/ossec/integrations/prowler/integrations/prowler_rules.xml /var/ossec/etc/rules/prowler_rules.xml
+```
+
+Edit `/var/ossec/etc/ossec.conf` and add the following wodle configuration. Remember that here `timeout 21600 seconds` is 6 hours, just to allow Prowler runs completely in case of a large account. The interval recommended is 1d:
+```xml
+  <wodle name="command">
+    <disabled>no</disabled>
+    <tag>aws-prowler: account1</tag>
+    <command>/var/ossec/integrations/prowler-wrapper.py --aws_profile default --aws_account_alias default</command>
+    <interval>1d</interval>
+    <ignore_output>no</ignore_output>
+    <run_on_start>no</run_on_start>
+    <timeout>21600</timeout>
+  </wodle>
+```
+To check multiple AWS accounts, add a wodle per account.
+
+Now restart `wazuh-manager` and look at `/var/ossec/logs/alerts/alerts.json`, eventually you should see FAIL checks detected by Prowler, then you will find them using Kibana. Some Kibana search examples are:
+```
+data.integration:"prowler" and data.prowler.status:"Fail"
+data.integration:"prowler" AND rule.level >= 5
+data.integration:"prowler" AND rule.level : 7 or 9
+```
+
+Adjust the level range to what alerts you want to include, as alerts, Elastic Search only gets fail messages (7 and 9).
+
+1 - pass
+3 - info
+5 - error
+7 - fail: not scored
+9 - fail: scored
+
+## Troubleshooting
+
+To make sure rules are working fine, run `/var/ossec/bin/ossec-logtest` and copy/paste this sample JSON:
+
+```json
+{"prowler":{"Timestamp":"2018-11-29T03:15:50Z","Region":"us-east-1","Profile":"default","Account Number”:”1234567890”,”Control":"[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)","Message":"No CloudWatch group found for CloudTrail events","Status":"Fail","Scored":"Scored","Level":"Level 1","Control ID":"3.4"}, "integration": "prowler"}
+```
+You must see 3 phases goin on.
+
+To check if there is any error you can enable the debug mode of `modulesd` setting the `wazuh_modules.debug=0` variable to 2 in `/var/ossec/etc/internal_options.conf` file. Restart wazuh-manager and errors should appear in the `/var/ossec/logs/ossec.log` file.
+
+## Thanks
+
+To Jeremy Phillips <jeremy@uranusbytes.com>, who wrote the initial rules file and wrapper and helped me to understand how it works and debug it.
+
+To [Marta Gomez](https://github.com/mgmacias95) and the [Wazuh](https://www.wazuh.com) team for their support to debug this integration and make it work properly. Their job on Wazuh and willingness to help is invaluable.
+
+## License
+
+All CIS based checks in the checks folder are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License.
+The link to the license terms can be found at
+<https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode>
+Any other piece of code is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
+<http://www.apache.org/licenses/LICENSE-2.0>
+
+NOTE: If you are interested in using Prowler for commercial purposes remember that due to the CC4.0 license “The distributors or partners that are interested and using Prowler would need to enroll as CIS SecureSuite Members to incorporate this product, which includes references to CIS resources, in their offering.". Information about CIS pricing for vendors here: <https://www.cisecurity.org/cis-securesuite/pricing-and-categories/product-vendor/>
+
+**I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
+
+If you want to contact me visit <https://blyx.com/contact>

contrib/wazuh/prowler-wrapper.py

@@ -0,0 +1,274 @@
+#!/usr/bin/env python
+#
+# Authored by Jeremy Phillips <jeremy@uranusbytes.com>
+# Copyright: Apache License 2.0
+#
+# Wrapper around prowler script to parse results and forward to Wazuh
+# Prowler - https://github.com/toniblyx/prowler
+#
+# TODO: Add ability to disable different groups (EXTRA, etc...
+# TODO: Allow to disable individual checks
+# TODO: Remove all the commented out stuff
+#
+# Error Codes:
+#   1 - Unknown
+#   2 - SIGINT
+#   3 - Error output from execution of Prowler
+#   4 - Output row is invalid json
+#   5 - Wazuh must be running
+#   6 - Error sending to socket
+
+
+import argparse
+import json
+import os
+import re
+import signal
+import socket
+import subprocess
+import sys
+from datetime import datetime
+
+################################################################################
+# Constants
+################################################################################
+WAZUH_PATH = open("/etc/ossec-init.conf").readline().split('"')[1]
+DEBUG_LEVEL = 0  # Enable/disable debug mode
+PATH_TO_PROWLER = "{0}/integrations/prowler".format(WAZUH_PATH)  # No trailing slash
+TEMPLATE_CHECK = """
+{{
+  "integration": "prowler",
+  "prowler": {0}
+}}
+"""
+TEMPLATE_MSG = "1:Wazuh-Prowler:{0}"
+TEMPLATE_ERROR = """{{
+  "aws_account_id": {aws_account_id},
+  "aws_profile": "{aws_profile}",
+  "prowler_error": "{prowler_error}",
+  "prowler_version": "{prowler_version}",
+  "timestamp": "{timestamp}",
+  "status": "Error"
+}}
+"""
+WAZUH_QUEUE = "{0}/queue/ossec/queue".format(WAZUH_PATH)
+FIELD_REMAP = {
+    "Profile": "aws_profile",
+    "Control": "control",
+    "Account Number": "aws_account_id",
+    "Level": "level",
+    "Account Alias": "aws_account_alias",
+    "Timestamp": "timestamp",
+    "Region": "region",
+    "Control ID": "control_id",
+    "Status": "status",
+    "Scored": "scored",
+    "Message": "message",
+}
+CHECKS_FILES_TO_IGNORE = ["check_sample"]
+
+
+################################################################################
+# Functions
+################################################################################
+def _send_msg(msg):
+    try:
+        _json_msg = json.dumps(_reformat_msg(msg))
+        _debug("Sending Msg: {0}".format(_json_msg), 3)
+        _socket = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+        _socket.connect(WAZUH_QUEUE)
+        _socket.send(TEMPLATE_MSG.format(_json_msg).encode())
+        _socket.close()
+    except socket.error as e:
+        if e.errno == 111:
+            print("ERROR: Wazuh must be running.")
+            sys.exit(5)
+        else:
+            print("ERROR: Error sending message to wazuh: {}".format(e))
+            sys.exit(6)
+    except Exception as e:
+        print("ERROR: Error sending message to wazuh: {}".format(e))
+        sys.exit(6)
+    return
+
+
+def _handler(signal, frame):
+    print("ERROR: SIGINT received.")
+    sys.exit(12)
+
+
+def _debug(msg, msg_level):
+    if DEBUG_LEVEL >= msg_level:
+        print("DEBUG-{level}: {debug_msg}".format(level=msg_level, debug_msg=msg))
+
+
+def _get_script_arguments():
+    _parser = argparse.ArgumentParser(
+        usage="usage: %(prog)s [options]",
+        description="Wazuh wodle for evaluating AWS security configuration",
+        formatter_class=argparse.RawTextHelpFormatter,
+    )
+    _parser.add_argument(
+        "-c",
+        "--aws_account_id",
+        dest="aws_account_id",
+        help="AWS Account ID for logs",
+        required=False,
+    )
+    _parser.add_argument(
+        "-d", "--debug", action="store", dest="debug", default=0, help="Enable debug"
+    )
+    _parser.add_argument(
+        "-p",
+        "--aws_profile",
+        dest="aws_profile",
+        help="The name of credential profile to use",
+        default=None,
+    )
+    _parser.add_argument(
+        "-n",
+        "--aws_account_alias",
+        dest="aws_account_alias",
+        help="AWS Account ID Alias",
+        default="",
+    )
+    _parser.add_argument(
+        "-e",
+        "--skip_on_error",
+        action="store_false",
+        dest="skip_on_error",
+        help="If check output is invalid json, error out instead of skipping the check",
+        default=True,
+    )
+    return _parser.parse_args()
+
+
+def _run_prowler(prowler_args):
+    _debug("Running prowler with args: {0}".format(prowler_args), 1)
+    _prowler_command = "{prowler}/prowler {args}".format(
+        prowler=PATH_TO_PROWLER, args=prowler_args
+    )
+    _debug("Running command: {0}".format(_prowler_command), 2)
+    _process = subprocess.Popen(_prowler_command, stdout=subprocess.PIPE, shell=True)
+    _output, _error = _process.communicate()
+    _debug("Raw prowler output: {0}".format(_output), 3)
+    _debug("Raw prowler error: {0}".format(_error), 3)
+    if _error is not None:
+        _debug("PROWLER ERROR: {0}".format(_error), 1)
+        exit(3)
+    return _output
+
+
+def _get_prowler_version(options):
+    _debug("+++ Get Prowler Version", 1)
+    # Execute prowler, but only display the version and immediately exit
+    return _run_prowler("-p {0} -V".format(options.aws_profile)).rstrip()
+
+
+def _get_prowler_results(options, prowler_check):
+    _debug("+++ Get Prowler Results - {check}".format(check=prowler_check), 1)
+    # Execute prowler with all checks
+    # -b = disable banner
+    # -p = credential profile
+    # -M = output json
+
+    return _run_prowler(
+        "-b -c {check} -p {aws_profile} -M json".format(
+            check=prowler_check, aws_profile=options.aws_profile
+        )
+    )
+
+
+def _get_prowler_checks():
+    _prowler_checks = []
+    for _directory_path, _directories, _files in os.walk(
+        "{path}/checks".format(path=PATH_TO_PROWLER)
+    ):
+        _debug("Checking in : {}".format(_directory_path), 3)
+        for _file in _files:
+            if _file in CHECKS_FILES_TO_IGNORE:
+                _debug("Ignoring check - {}".format(_directory_path, _file), 3)
+            elif re.match("check\d+", _file):
+                _prowler_checks.append(_file)
+            elif re.match("check_extra(\d+)", _file):
+                _prowler_checks.append(_file[6:])
+            else:
+                _debug("Unknown check file type- {}".format(_directory_path, _file), 3)
+    return _prowler_checks
+
+
+def _send_prowler_results(prowler_results, _prowler_version, options):
+    _debug("+++ Send Prowler Results", 1)
+    for _check_result in prowler_results.splitlines():
+        # Empty row
+        if len(_check_result) < 1:
+            continue
+        # Something failed during prowler check
+        elif _check_result[:17] == "An error occurred":
+            _debug("ERROR MSG --- {0}".format(_check_result), 2)
+            _temp_msg = TEMPLATE_ERROR.format(
+                aws_account_id=options.aws_account_id,
+                aws_profile=options.aws_profile,
+                prowler_error=_check_result.replace('"', '"'),
+                prowler_version=_prowler_version,
+                timestamp=datetime.now().isoformat(),
+            )
+            _error_msg = json.loads(TEMPLATE_CHECK.format(_temp_msg))
+            _send_msg(_error_msg)
+            continue
+        try:
+            _debug("RESULT MSG --- {0}".format(_check_result), 2)
+            _check_result = json.loads(TEMPLATE_CHECK.format(_check_result))
+        except:
+            _debug(
+                "INVALID JSON --- {0}".format(TEMPLATE_CHECK.format(_check_result)), 1
+            )
+            if not options.skip_on_error:
+                exit(4)
+        _check_result["prowler"]["prowler_version"] = _prowler_version
+        _check_result["prowler"]["aws_account_alias"] = options.aws_account_alias
+        _send_msg(_check_result)
+
+    return True
+
+
+def _reformat_msg(msg):
+    for field in FIELD_REMAP:
+        if field in msg["prowler"]:
+            msg["prowler"][FIELD_REMAP[field]] = msg["prowler"][field]
+            del msg["prowler"][field]
+    return msg
+
+
+# Main
+###############################################################################
+def main(argv):
+    _debug("+++ Begin script", 1)
+    # Parse arguments
+    _options = _get_script_arguments()
+
+    if int(_options.debug) > 0:
+        global DEBUG_LEVEL
+        DEBUG_LEVEL = int(_options.debug)
+        _debug("+++ Debug mode on - Level: {debug}".format(debug=_options.debug), 1)
+
+    _prowler_version = _get_prowler_version(_options)
+    _prowler_checks = _get_prowler_checks()
+    for _check in _prowler_checks:
+        _prowler_results = _get_prowler_results(_options, _check)
+        _send_prowler_results(_prowler_results, _prowler_version, _options)
+    _debug("+++ Finished script", 1)
+    return
+
+
+if __name__ == "__main__":
+    try:
+        _debug("Args: {args}".format(args=str(sys.argv)), 2)
+        signal.signal(signal.SIGINT, _handler)
+        main(sys.argv[1:])
+        sys.exit(0)
+    except Exception as e:
+        print("Unknown error: {}".format(e))
+        if DEBUG_LEVEL > 0:
+            raise
+        sys.exit(1)

contrib/wazuh/prowler_rules.xml

@@ -0,0 +1,45 @@
+<!--
+  Rules for parsing Prowler output
+  Authored by Jeremy Phillips <jeremy@uranusbytes.com>
+  Copyright: Apache License 2.0
+  ID: 110000-110009
+  Prowler - https://github.com/toniblyx/prowler
+-->
+
+<group name="local,amazon,prowler,">
+    <!-- Filter 1: Only prowler events -->
+    <rule id="110001" level="0">
+        <field name="integration">prowler</field>
+        <description>Prowler Check Result: $(prowler.status) - Control $(prowler.control_id)</description>
+    </rule>
+    <!-- Check Result: Pass -->
+    <rule id="110002" level="1">
+        <if_sid>110001</if_sid>
+        <field name="prowler.status">Pass</field>
+        <description>Prowler Check Result: $(prowler.status) - Control $(prowler.control_id)</description>
+    </rule>
+    <!-- Check Result: Info -->
+    <rule id="110003" level="3">
+        <if_sid>110001</if_sid>
+        <field name="prowler.status">Info</field>
+        <description>Prowler Check Result: $(prowler.status) - Control $(prowler.control_id)</description>
+    </rule>
+    <!-- Check Result: Error -->
+    <rule id="110004" level="5">
+        <if_sid>110001</if_sid>
+        <field name="prowler.status">Error</field>
+        <description>Prowler Check Result: $(prowler.status) - Control $(prowler.control_id)</description>
+    </rule>
+    <!-- Check Result: Fail, Scored -->
+    <rule id="110005" level="9">
+        <if_sid>110001</if_sid>
+        <field name="prowler.status">Fail</field>
+        <description>Prowler Check Result: $(prowler.status) - Control $(prowler.control_id)</description>
+    </rule>
+    <!-- Check Result: Fail, Not Scored -->
+    <rule id="110006" level="7">
+        <if_sid>110005</if_sid>
+        <field name="prowler.scored">Not Scored</field>
+        <description>Prowler Check Result: $(prowler.status) - Control $(prowler.control_id)</description>
+    </rule>
+</group>

docs/about.md

@@ -0,0 +1,24 @@
+---
+hide:
+- toc
+---
+# About
+
+## Author
+Prowler was created by **Toni de la Fuente** in 2016.
+
+| ![](img/toni.png)<br>[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/toniblyx.svg?style=social&label=Follow%20%40toniblyx)](https://twitter.com/toniblyx) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/prowlercloud.svg?style=social&label=Follow%20%40prowlercloud)](https://twitter.com/prowlercloud)|
+|:--:|
+| <b>Toni de la Fuente </b>|
+
+## Maintainers
+Prowler is maintained by the Engineers of the **Prowler Team** :
+
+| ![](img/nacho.png)[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/NachoRivCor.svg?style=social&label=Follow%20%40NachoRivCor)](https://twitter.com/NachoRivCor) | ![](img/sergio.png)[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/sergargar1.svg?style=social&label=Follow%20%40sergargar1)](https://twitter.com/sergargar1) |![](img/pepe.png)[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/jfagoagas.svg?style=social&label=Follow%20%40jfagoagas)](https://twitter.com/jfagoagas) |
+|:--:|:--:|:--:
+| <b>Nacho Rivera</b>| <b>Sergio Garcia</b>| <b>Pepe Fagoaga</b>|
+
+## License
+
+Prowler is licensed as **Apache License 2.0** as specified in each file. You may obtain a copy of the License at
+<http://www.apache.org/licenses/LICENSE-2.0>

docs/contact.md

@@ -0,0 +1,9 @@
+# Contact Us
+
+For technical support or any type of inquiries, you are very welcome to:
+
+- Reach out to community members on the [**Prowler Slack channel**](https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog)
+
+- Open an Issue or a Pull Request in our [**GitHub repository**](https://github.com/prowler-cloud/prowler).
+
+We will appreciate all types of feedback and contribution, Prowler would not be the same without our vibrant community! 😃

docs/developer-guide/audit-info.md

@@ -0,0 +1,9 @@
+# Audit Info
+
+In each Prowler provider we have a Python object called `audit_info` which is in charge of keeping the credentials, the configuration and the state of each audit, and it's passed to each service during the `__init__`.
+
+- AWS: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/lib/audit_info/models.py#L34-L54
+- GCP: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/lib/audit_info/models.py#L7-L30
+- Azure: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/azure/lib/audit_info/models.py#L17-L31
+
+This `audit_info` object is shared during the Prowler execution and for that reason is important to mock it in each test to isolate them. See the [testing guide](./unit-testing.md) for more information.

docs/developer-guide/checks.md

@@ -0,0 +1,316 @@
+# Create a new Check for a Provider
+
+Here you can find how to create new checks for Prowler.
+
+**To create a check is required to have a Prowler provider service already created, so if the service is not present or the attribute you want to audit is not retrieved by the service, please refer to the [Service](./services.md) documentation.**
+
+## Introduction
+To create a new check for a supported Prowler provider, you will need to create a folder with the check name inside the specific service for the selected provider.
+
+We are going to use the `ec2_ami_public` check form the `AWS` provider as an example. So the folder name will `prowler/providers/aws/services/ec2/ec2_ami_public` (following the format `prowler/providers/<provider>/services/<service>/<check_name>`), with the name of check following the pattern: `service_subservice/resource_action`.
+
+Inside that folder, we need to create three files:
+
+- An empty `__init__.py`: to make Python treat this check folder as a package.
+- A `check_name.py` with the above format containing the check's logic. Refer to the [check](./checks.md#check)
+- A `check_name.metadata.json` containing the check's metadata. Refer to the [check metadata](./checks.md#check-metadata)
+
+## Check
+
+The Prowler's check structure is very simple and following it there is nothing more to do to include a check in a provider's service because the load is done dynamically based on the paths.
+
+The following is the code for the `ec2_ami_public` check:
+```python title="Check Class"
+# At the top of the file we need to import the following:
+# - Check class which is in charge of the following:
+#   - Retrieve the check metadata and expose the `metadata()`
+#       to return a JSON representation of the metadata,
+#       read more at Check Metadata Model down below.
+#   - Enforce that each check requires to have the `execute()` function
+from prowler.lib.check.models import Check, Check_Report_AWS
+
+# Then you have to import the provider service client
+# read more at the Service documentation.
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
+
+# For each check we need to create a python class called the same as the
+# file which inherits from the Check class.
+class ec2_ami_public(Check):
+    """ec2_ami_public verifies if an EC2 AMI is publicly shared"""
+
+    # Then, within the check's class we need to create the "execute(self)"
+    # function, which is enforce by the "Check" class to implement
+    # the Check's interface and let Prowler to run this check.
+    def execute(self):
+
+        # Inside the execute(self) function we need to create
+        # the list of findings initialised to an empty list []
+        findings = []
+
+        # Then, using the service client we need to iterate by the resource we
+        # want to check, in this case EC2 AMIs stored in the
+        # "ec2_client.images" object.
+        for image in ec2_client.images:
+
+            # Once iterating for the images, we have to intialise
+            # the Check_Report_AWS class passing the check's metadata
+            # using the "metadata" function explained above.
+            report = Check_Report_AWS(self.metadata())
+
+            # For each Prowler check we MUST fill the following
+            # Check_Report_AWS fields:
+            # - region
+            # - resource_id
+            # - resource_arn
+            # - resource_tags
+            # - status
+            # - status_extended
+            report.region = image.region
+            report.resource_id = image.id
+            report.resource_arn = image.arn
+            # The resource_tags should be filled if the resource has the ability
+            # of having tags, please check the service first.
+            report.resource_tags = image.tags
+
+            # Then we need to create the business logic for the check
+            # which always should be simple because the Prowler service
+            # must do the heavy lifting and the check should be in charge
+            # of parsing the data provided
+            report.status = "PASS"
+            report.status_extended = f"EC2 AMI {image.id} is not public."
+
+            # In this example each "image" object has a boolean attribute
+            # called "public" to set if the AMI is publicly shared
+            if image.public:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"EC2 AMI {image.id} is currently public."
+                )
+
+            # Then at the same level as the "report"
+            # object we need to append it to the findings list.
+            findings.append(report)
+
+        # Last thing to do is to return the findings list to Prowler
+        return findings
+```
+
+### Check Status
+
+All the checks MUST fill the `report.status` and `report.status_extended` with the following criteria:
+
+- Status -- `report.status`
+    - `PASS` --> If the check is passing against the configured value.
+    - `FAIL` --> If the check is passing against the configured value.
+    - `INFO` --> This value cannot be used unless a manual operation is required in order to determine if the `report.status` is whether `PASS` or `FAIL`.
+- Status Extended -- `report.status_extended`
+    - MUST end in a dot `.`
+    - MUST include the service audited with the resource and a brief explanation of the result generated, e.g.: `EC2 AMI ami-0123456789 is not public.`
+
+### Check Region
+
+All the checks MUST fill the `report.region` with the following criteria:
+
+- If the audited resource is regional use the `region` attribute within the resource object.
+- If the audited resource is global use the `service_client.region` within the service client object.
+
+### Resource ID, Name and ARN
+All the checks MUST fill the `report.resource_id` and `report.resource_arn` with the following criteria:
+
+- AWS
+    - Resource ID -- `report.resource_id`
+        - AWS Account --> Account Number `123456789012`
+        - AWS Resource --> Resource ID / Name
+        - Root resource --> `<root_account>`
+    - Resource ARN -- `report.resource_arn`
+        - AWS Account --> Root ARN `arn:aws:iam::123456789012:root`
+        - AWS Resource --> Resource ARN
+        - Root resource --> Root ARN `arn:aws:iam::123456789012:root`
+- GCP
+    - Resource ID -- `report.resource_id`
+        - GCP Resource --> Resource ID
+    - Resource Name -- `report.resource_name`
+        - GCP Resource --> Resource Name
+- Azure
+    - Resource ID -- `report.resource_id`
+        - Azure Resource --> Resource ID
+    - Resource Name -- `report.resource_name`
+        - Azure Resource --> Resource Name
+
+### Python Model
+The following is the Python model for the check's class.
+
+As per August 5th 2023 the `Check_Metadata_Model` can be found [here](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py#L59-L80).
+
+```python
+class Check(ABC, Check_Metadata_Model):
+    """Prowler Check"""
+
+    def __init__(self, **data):
+        """Check's init function. Calls the CheckMetadataModel init."""
+        # Parse the Check's metadata file
+        metadata_file = (
+            os.path.abspath(sys.modules[self.__module__].__file__)[:-3]
+            + ".metadata.json"
+        )
+        # Store it to validate them with Pydantic
+        data = Check_Metadata_Model.parse_file(metadata_file).dict()
+        # Calls parents init function
+        super().__init__(**data)
+
+    def metadata(self) -> dict:
+        """Return the JSON representation of the check's metadata"""
+        return self.json()
+
+    @abstractmethod
+    def execute(self):
+        """Execute the check's logic"""
+```
+
+### Using the audit config
+
+Prowler has a [configuration file](../tutorials/configuration_file.md) which is used to pass certain configuration values to the checks, like the following:
+
+```python title="ec2_securitygroup_with_many_ingress_egress_rules.py"
+class ec2_securitygroup_with_many_ingress_egress_rules(Check):
+    def execute(self):
+        findings = []
+
+        # max_security_group_rules, default: 50
+        max_security_group_rules = ec2_client.audit_config.get(
+            "max_security_group_rules", 50
+        )
+        for security_group in ec2_client.security_groups:
+```
+
+```yaml title="config.yaml"
+# AWS Configuration
+aws:
+  # AWS EC2 Configuration
+
+  # aws.ec2_securitygroup_with_many_ingress_egress_rules
+  # The default value is 50 rules
+  max_security_group_rules: 50
+```
+
+As you can see in the above code, within the service client, in this case the `ec2_client`, there is an object called `audit_config` which is a Python dictionary containing the values read from the configuration file.
+
+In order to use it, you have to check first if the value is present in the configuration file. If the value is not present, you can create it in the `config.yaml` file and then, read it from the check.
+> It is mandatory to always use the `dictionary.get(value, default)` syntax to set a default value in the case the configuration value is not present.
+
+
+## Check Metadata
+
+Each Prowler check has metadata associated which is stored at the same level of the check's folder in a file called A `check_name.metadata.json` containing the check's metadata.
+
+> We are going to include comments in this example metadata JSON but they cannot be included because the JSON format does not allow comments.
+
+```json
+{
+  # Provider holds the Prowler provider which the checks belongs to
+  "Provider": "aws",
+  # CheckID holds check name
+  "CheckID": "ec2_ami_public",
+  # CheckTitle holds the title of the check
+  "CheckTitle": "Ensure there are no EC2 AMIs set as Public.",
+  # CheckType holds Software and Configuration Checks, check more here
+  # https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html#Types
+  "CheckType": [
+    "Infrastructure Security"
+  ],
+  # ServiceName holds the provider service name
+  "ServiceName": "ec2",
+  # SubServiceName holds the service's subservice or resource used by the check
+  "SubServiceName": "ami",
+  # ResourceIdTemplate holds the unique ID for the resource used by the check
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  # Severity holds the check's severity, always in lowercase (critical, high, medium, low or informational)
+  "Severity": "critical",
+  # ResourceType only for AWS, holds the type from here
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
+  "ResourceType": "Other",
+  # Description holds the title of the check, for now is the same as CheckTitle
+  "Description": "Ensure there are no EC2 AMIs set as Public.",
+  # Risk holds the check risk if the result is FAIL
+  "Risk": "When your AMIs are publicly accessible, they are available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances. Your AMIs could contain snapshots of your applications (including their data), therefore exposing your snapshots in this manner is not advised.",
+  # RelatedUrl holds an URL with more information about the check purpose
+  "RelatedUrl": "",
+  # Remediation holds the information to help the practitioner to fix the issue in the case of the check raise a FAIL
+  "Remediation": {
+    # Code holds different methods to remediate the FAIL finding
+    "Code": {
+      # CLI holds the command in the provider native CLI to remediate it
+      "CLI": "https://docs.bridgecrew.io/docs/public_8#cli-command",
+      # NativeIaC holds the native IaC code to remediate it, use "https://docs.bridgecrew.io/docs"
+      "NativeIaC": "",
+      # Other holds the other commands, scripts or code to remediate it, use "https://www.trendmicro.com/cloudoneconformity"
+      "Other": "https://docs.bridgecrew.io/docs/public_8#aws-console",
+      # Terraform holds the Terraform code to remediate it, use "https://docs.bridgecrew.io/docs"
+      "Terraform": ""
+    },
+    # Recommendation holds the recommendation for this check with a description and a related URL
+    "Recommendation": {
+      "Text": "We recommend your EC2 AMIs are not publicly accessible, or generally available in the Community AMIs.",
+      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html"
+    }
+  },
+  # Categories holds the category or categories where the check can be included, if applied
+  "Categories": [
+    "internet-exposed"
+  ],
+  # DependsOn is not actively used for the moment but it will hold other
+  # checks wich this check is dependant to
+  "DependsOn": [],
+  # RelatedTo is not actively used for the moment but it will hold other
+  # checks wich this check is related to
+  "RelatedTo": [],
+  # Notes holds additional information not covered in this file
+  "Notes": ""
+}
+```
+
+### Remediation Code
+
+For the Remediation Code we use the following knowledge base to fill it:
+
+- Official documentation for the provider
+- https://docs.bridgecrew.io
+- https://www.trendmicro.com/cloudoneconformity
+- https://github.com/cloudmatos/matos/tree/master/remediations
+
+### RelatedURL and Recommendation
+
+The RelatedURL field must be filled with an URL from the provider's official documentation like https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
+
+Also, if not present you can use the Risk and Recommendation texts from the TrendMicro [CloudConformity](https://www.trendmicro.com/cloudoneconformity) guide.
+
+
+### Python Model
+The following is the Python model for the check's metadata model. We use the Pydantic's [BaseModel](https://docs.pydantic.dev/latest/api/base_model/#pydantic.BaseModel) as the parent class.
+
+As per August 5th 2023 the `Check_Metadata_Model` can be found [here](https://github.com/prowler-cloud/prowler/blob/master/prowler/lib/check/models.py#L34-L56).
+```python
+class Check_Metadata_Model(BaseModel):
+    """Check Metadata Model"""
+
+    Provider: str
+    CheckID: str
+    CheckTitle: str
+    CheckType: list[str]
+    ServiceName: str
+    SubServiceName: str
+    ResourceIdTemplate: str
+    Severity: str
+    ResourceType: str
+    Description: str
+    Risk: str
+    RelatedUrl: str
+    Remediation: Remediation
+    Categories: list[str]
+    DependsOn: list[str]
+    RelatedTo: list[str]
+    Notes: str
+    # We set the compliance to None to
+    # store the compliance later if supplied
+    Compliance: list = None
+```

docs/developer-guide/documentation.md

@@ -0,0 +1,8 @@
+## Contribute with documentation
+
+We use `mkdocs` to build this Prowler documentation site so you can easily contribute back with new docs or improving them.
+
+1. Install `mkdocs` with your favorite package manager.
+2. Inside the `prowler` repository folder run `mkdocs serve` and point your browser to `http://localhost:8000` and you will see live changes to your local copy of this documentation site.
+3. Make all needed changes to docs or add new documents. To do so just edit existing md files inside `prowler/docs` and if you are adding a new section or file please make sure you add it to `mkdocs.yaml` file in the root folder of the Prowler repo.
+4. Once you are done with changes, please send a pull request to us for review and merge. Thank you in advance!

docs/developer-guide/integration-testing.md

@@ -0,0 +1,3 @@
+# Integration Tests
+
+Coming soon ...

docs/developer-guide/integrations.md

@@ -0,0 +1,3 @@
+# Create a new integration
+
+Coming soon ...

docs/developer-guide/introduction.md

@@ -0,0 +1,59 @@
+# Developer Guide
+
+You can extend Prowler in many different ways, in most cases you will want to create your own checks and compliance security frameworks, here is where you can learn about how to get started with it. We also include how to create custom outputs, integrations and more.
+
+## Get the code and install all dependencies
+
+First of all, you need a version of Python 3.9 or higher and also pip installed to be able to install all dependencies required. Once that is satisfied go a head and clone the repo:
+
+```
+git clone https://github.com/prowler-cloud/prowler
+cd prowler
+```
+For isolation and avoid conflicts with other environments, we recommend usage of `poetry`:
+```
+pip install poetry
+```
+Then install all dependencies including the ones for developers:
+```
+poetry install
+poetry shell
+```
+
+## Contributing with your code or fixes to Prowler
+
+This repo has git pre-commit hooks managed via the [pre-commit](https://pre-commit.com/) tool. [Install](https://pre-commit.com/#install) it how ever you like, then in the root of this repo run:
+```shell
+pre-commit install
+```
+You should get an output like the following:
+```shell
+pre-commit installed at .git/hooks/pre-commit
+```
+
+Before we merge any of your pull requests we pass checks to the code, we use the following tools and automation to make sure the code is secure and dependencies up-to-dated (these should have been already installed if you ran `pipenv install -d`):
+
+- [`bandit`](https://pypi.org/project/bandit/) for code security review.
+- [`safety`](https://pypi.org/project/safety/) and [`dependabot`](https://github.com/features/security) for dependencies.
+- [`hadolint`](https://github.com/hadolint/hadolint) and [`dockle`](https://github.com/goodwithtech/dockle) for our containers security.
+- [`Snyk`](https://docs.snyk.io/integrations/snyk-container-integrations/container-security-with-docker-hub-integration) in Docker Hub.
+- [`clair`](https://github.com/quay/clair) in Amazon ECR.
+- [`vulture`](https://pypi.org/project/vulture/), [`flake8`](https://pypi.org/project/flake8/), [`black`](https://pypi.org/project/black/) and [`pylint`](https://pypi.org/project/pylint/) for formatting and best practices.
+
+You can see all dependencies in file `pyproject.toml`.
+
+## Pull Request Checklist
+
+If you create or review a PR in https://github.com/prowler-cloud/prowler please follow this checklist:
+
+- [ ] Make sure you've read the Prowler Developer Guide at https://docs.prowler.cloud/en/latest/developer-guide/introduction/
+- [ ] Are we following the style guide, hence installed all the linters and formatters? Please check https://docs.prowler.cloud/en/latest/developer-guide/introduction/#contributing-with-your-code-or-fixes-to-prowler
+- [ ] Are we increasing/decreasing the test coverage? Please, review if we need to include/modify tests for the new code.
+- [ ] Are we modifying outputs? Please review it carefully.
+- [ ] Do we need to modify the Prowler documentation to reflect the changes introduced?
+- [ ] Are we introducing possible breaking changes? Are we modifying a core feature?
+
+
+## Want some swag as appreciation for your contribution?
+
+If you are like us and you love swag, we are happy to thank you for your contribution with some laptop stickers or whatever other swag we may have at that time. Please, tell us more details and your pull request link in our [Slack workspace here](https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog). You can also reach out to Toni de la Fuente on Twitter [here](https://twitter.com/ToniBlyx), his DMs are open.

docs/developer-guide/outputs.md

@@ -0,0 +1,3 @@
+# Create a custom output format
+
+Coming soon ...

docs/developer-guide/security-compliance-framework.md

@@ -0,0 +1,41 @@
+# Create a new security compliance framework
+
+
+## Introduction
+If you want to create or contribute with your own security frameworks or add public ones to Prowler you need to make sure the checks are available if not you have to create your own. Then create a compliance file per provider like in `prowler/compliance/<provider>/` and name it as `<framework>_<version>_<provider>.json` then follow the following format to create yours.
+
+## Compliance Framework
+Each file version of a framework will have the following structure at high level with the case that each framework needs to be generally identified, one requirement can be also called one control but one requirement can be linked to multiple prowler checks.:
+
+- `Framework`: string. Distinguish name of the framework, like CIS
+- `Provider`: string. Provider where the framework applies, such as AWS, Azure, OCI,...
+- `Version`: string. Version of the framework itself, like 1.4 for CIS.
+- `Requirements`: array of objects. Include all requirements or controls with the mapping to Prowler.
+- `Requirements_Id`: string. Unique identifier per each requirement in the specific framework
+- `Requirements_Description`: string. Description as in the framework.
+- `Requirements_Attributes`: array of objects. Includes all needed attributes per each requirement, like levels, sections, etc. Whatever helps to create a dedicated report with the result of the findings. Attributes would be taken as closely as possible from the framework's own terminology directly.
+- `Requirements_Checks`: array. Prowler checks that are needed to prove this requirement. It can be one or multiple checks. In case of no automation possible this can be empty.
+
+```
+{
+  "Framework": "<framework>-<provider>",
+  "Version": "<version>",
+  "Requirements": [
+    {
+      "Id": "<unique-id>",
+      "Description": "Requiemente full description",
+      "Checks": [
+        "Here is the prowler check or checks that is going to be executed"
+      ],
+      "Attributes": [
+        {
+         <Add here your custom attributes.>
+        }
+      ]
+    },
+    ...
+  ]
+}
+```
+
+Finally, to have a proper output file for your reports, your framework data model has to be created in `prowler/lib/outputs/models.py` and also the CLI table output in `prowler/lib/outputs/compliance.py`.

docs/developer-guide/services.md

@@ -0,0 +1,235 @@
+# Create a new Provider Service
+
+Here you can find how to create a new service, or to complement an existing one, for a Prowler Provider.
+
+## Introduction
+
+To create a new service, you will need to create a folder inside the specific provider, i.e. `prowler/providers/<provider>/services/<service>/`.
+
+Inside that folder, you MUST create the following files:
+
+- An empty `__init__.py`: to make Python treat this service folder as a package.
+- A `<service>_service.py`, containing all the service's logic and API calls.
+- A `<service>_client_.py`, containing the initialization of the service's class we have just created so the checks's checks can use it.
+
+## Service
+
+The Prowler's service structure is the following and the way to initialise it is just by importing the service client in a check.
+
+## Service Base Class
+
+All the Prowler provider's services inherits from a base class depending on the provider used.
+
+- [AWS Service Base Class](https://github.com/prowler-cloud/prowler/blob/22f8855ad7dad2e976dabff78611b643e234beaf/prowler/providers/aws/lib/service/service.py)
+- [GCP Service Base Class](https://github.com/prowler-cloud/prowler/blob/22f8855ad7dad2e976dabff78611b643e234beaf/prowler/providers/gcp/lib/service/service.py)
+- [Azure Service Base Class](https://github.com/prowler-cloud/prowler/blob/22f8855ad7dad2e976dabff78611b643e234beaf/prowler/providers/azure/lib/service/service.py)
+
+Each class is used to initialize the credentials and the API's clients to be used in the service. If some threading is used it must be coded there.
+
+## Service Class
+
+Due to the complexity and differencies of each provider API we are going to use an example service to guide you in how can it be created.
+
+The following is the `<service>_service.py` file:
+
+```python title="Service Class"
+from datetime import datetime
+from typing import Optional
+
+# The following is just for the AWS provider
+from botocore.client import ClientError
+
+# To use the Pydantic's BaseModel
+from pydantic import BaseModel
+
+# Prowler logging library
+from prowler.lib.logger import logger
+
+# Prowler resource filter, only for the AWS provider
+from prowler.lib.scan_filters.scan_filters import is_resource_filtered
+
+# Provider parent class
+from prowler.providers.<provider>.lib.service.service import ServiceParentClass
+
+
+# Create a class for the Service
+################## <Service>
+class <Service>(ServiceParentClass):
+    def __init__(self, audit_info):
+        # Call Service Parent Class __init__
+        # We use the __class__.__name__ to get it automatically
+        # from the Service Class name but you can pass a custom
+        # string if the provider's API service name is different
+        super().__init__(__class__.__name__, audit_info)
+
+        # Create an empty dictionary of items to be gathered,
+        # using the unique ID as the dictionary key
+        # e.g., instances
+        self.<items> = {}
+
+        # If you can parallelize by regions or locations
+        # you can use the __threading_call__ function
+        # available in the Service Parent Class
+        self.__threading_call__(self.__describe_<items>__)
+
+        # Optionally you can create another function to retrieve
+        # more data about each item without parallel
+        self.__describe_<item>__()
+
+    def __describe_<items>__(self, regional_client):
+        """Get ALL <Service> <Items>"""
+        logger.info("<Service> - Describing <Items>...")
+
+        # We MUST include a try/except block in each function
+        try:
+
+            # Call to the provider API to retrieve the data we want
+            describe_<items>_paginator = regional_client.get_paginator("describe_<items>")
+
+            # Paginator to get every item
+            for page in describe_<items>_paginator.paginate():
+
+                # Another try/except within the loop for to continue looping
+                # if something unexpected happens
+                try:
+
+                    for <item> in page["<Items>"]:
+
+                        # For the AWS provider we MUST include the following lines to retrieve
+                        # or not data for the resource passed as argument using the --resource-arn
+                        if not self.audit_resources or (
+                            is_resource_filtered(<item>["<item_arn>"], self.audit_resources)
+                        ):
+                            # Then we have to include the retrieved resource in the object
+                            # previously created
+                            self.<items>[<item_unique_id>] =
+                                <Item>(
+                                    arn=stack["<item_arn>"],
+                                    name=stack["<item_name>"],
+                                    tags=stack.get("Tags", []),
+                                    region=regional_client.region,
+                                )
+
+                except Exception as error:
+                    logger.error(
+                        f"{<provider_specific_field>} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
+
+        # In the except part we have to use the following code to log the errors
+        except Exception as error:
+            # Depending on each provider we can use the following fields in the logger:
+            # - AWS: regional_client.region or self.region
+            # - GCP: project_id and location
+            # - Azure: subscription
+
+            logger.error(
+                f"{<provider_specific_field>} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def __describe_<item>__(self):
+        """Get Details for a <Service> <Item>"""
+        logger.info("<Service> - Describing <Item> to get specific details...")
+
+        # We MUST include a try/except block in each function
+        try:
+
+            # Loop over the items retrieved in the previous function
+            for <item> in self.<items>:
+
+                # When we perform calls to the Provider API within a for loop we have
+                # to include another try/except block because in the cloud there are
+                # ephemeral resources that can be deleted at the time we are checking them
+                try:
+                    <item>_details = self.regional_clients[<item>.region].describe_<item>(
+                        <Attribute>=<item>.name
+                    )
+
+                    # For example, check if item is Public. Here is important if we are
+                    # getting values from a dictionary we have to use the "dict.get()"
+                    # function with a default value in the case this value is not present
+                    <item>.public = <item>_details.get("Public", False)
+
+
+                # In this except block, for example for the AWS Provider we can use
+                # the botocore.ClientError exception and check for a specific error code
+                # to raise a WARNING instead of an ERROR if some resource is not present.
+                except ClientError as error:
+                    if error.response["Error"]["Code"] == "InvalidInstanceID.NotFound":
+                        logger.warning(
+                            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+                    else:
+                        logger.error(
+                            f"{<provider_specific_field>} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+                    continue
+
+         # In the except part we have to use the following code to log the errors
+        except Exception as error:
+            # Depending on each provider we can use the following fields in the logger:
+            # - AWS: regional_client.region or self.region
+            # - GCP: project_id and location
+            # - Azure: subscription
+
+            logger.error(
+                f"{<item>.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+```
+
+### Service Models
+
+For each class object we need to model we use the Pydantic's [BaseModel](https://docs.pydantic.dev/latest/api/base_model/#pydantic.BaseModel) to take advantage of the data validation.
+
+```python title="Service Model"
+# In each service class we have to create some classes using
+# the Pydantic's Basemodel for the resources we want to audit.
+class <Item>(BaseModel):
+    """<Item> holds a <Service> <Item>"""
+
+    arn: str
+    """<Items>[].arn"""
+
+    name: str
+    """<Items>[].name"""
+
+    region: str
+    """<Items>[].region"""
+
+    public: bool
+    """<Items>[].public"""
+
+    # We can create Optional attributes set to None by default
+    tags: Optional[list]
+     """<Items>[].tags"""
+```
+### Service Objects
+In the service each group of resources should be created as a Python [dictionary](https://docs.python.org/3/tutorial/datastructures.html#dictionaries). This is because we are performing lookups all the time and the Python dictionary lookup has [O(1) complexity](https://en.wikipedia.org/wiki/Big_O_notation#Orders_of_common_functions).
+
+We MUST set as the dictionary key a unique ID, like the resource Unique ID or ARN.
+
+Example:
+```python
+self.vpcs = {}
+self.vpcs["vpc-01234567890abcdef"] = VPC_Object_Class()
+```
+
+## Service Client
+
+Each Prowler service requires a service client to use the service in the checks.
+
+The following is the `<service>_client.py` containing the initialization of the service's class we have just created so the service's checks can use them:
+
+```python
+from prowler.providers.<provider>.lib.audit_info.audit_info import audit_info
+from prowler.providers.<provider>.services.<service>.<service>_service import <Service>
+
+<service>_client = <Service>(audit_info)
+```
+
+## Permissions
+
+It is really important to check if the current Prowler's permissions for each provider are enough to implement a new service. If we need to include more please refer to the following documentaion and update it:
+
+- AWS: https://docs.prowler.cloud/en/latest/getting-started/requirements/#aws-authentication
+- Azure: https://docs.prowler.cloud/en/latest/getting-started/requirements/#permissions
+- GCP: https://docs.prowler.cloud/en/latest/getting-started/requirements/#gcp-authentication

docs/developer-guide/unit-testing.md

@@ -0,0 +1,592 @@
+# Unit Tests
+
+The unit tests for the Prowler checks varies between each provider supported.
+
+Here we left some good reads about unit testing and things we've learnt through all the process.
+
+**Python Testing**
+
+- https://docs.python-guide.org/writing/tests/
+
+**Where to patch**
+
+- https://docs.python.org/3/library/unittest.mock.html#where-to-patch
+- https://stackoverflow.com/questions/893333/multiple-variables-in-a-with-statement
+- ​https://docs.python.org/3/reference/compound_stmts.html#the-with-statement
+
+**Utils to trace mocking and test execution**
+
+- https://news.ycombinator.com/item?id=36054868
+- https://docs.python.org/3/library/sys.html#sys.settrace
+- https://github.com/kunalb/panopticon
+
+## General Recommendations
+
+When creating tests for some provider's checks we follow these guidelines trying to cover as much test scenarios as possible:
+
+1. Create a test without resource to generate 0 findings, because Prowler will generate 0 findings if a service does not contain the resources the check is looking for audit.
+2. Create test to generate both a `PASS` and a `FAIL` result.
+3. Create tests with more than 1 resource to evaluate how the check behaves and if the number of findings is right.
+
+## How to run Prowler tests
+
+To run the Prowler test suite you need to install the testing dependencies already included in the `pyproject.toml` file. If you didn't install it yet please read the developer guide introduction [here](./introduction.md#get-the-code-and-install-all-dependencies).
+
+Then in the project's root path execute `pytest -n auto -vvv -s -x` or use the `Makefile` with `make test`.
+
+Other commands to run tests:
+
+- Run tests for a provider: `pytest -n auto -vvv -s -x tests/providers/<provider>/services`
+- Run tests for a provider service: `pytest -n auto -vvv -s -x tests/providers/<provider>/services/<service>`
+- Run tests for a provider check: `pytest -n auto -vvv -s -x tests/providers/<provider>/services/<service>/<check>`
+
+> Refer to the [pytest documentation](https://docs.pytest.org/en/7.1.x/getting-started.html) documentation for more information.
+
+## AWS
+
+For the AWS provider we have ways to test a Prowler check based on the following criteria:
+
+> Note: We use and contribute to the [Moto](https://github.com/getmoto/moto) library which allows us to easily mock out tests based on AWS infrastructure. **It's awesome!**
+
+- AWS API calls covered by [Moto](https://github.com/getmoto/moto):
+    - Service tests with `@mock_<service>`
+    - Checks tests with `@mock_<service>`
+- AWS API calls not covered by Moto:
+    - Service test with `mock_make_api_call`
+    - Checks tests with [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock)
+- AWS API calls partially covered by Moto:
+    - Service test with `@mock_<service>` and `mock_make_api_call`
+    - Checks tests with `@mock_<service>` and `mock_make_api_call`
+
+In the following section we are going to explain all of the above scenarios with examples. The main difference between those scenarios comes from if the [Moto](https://github.com/getmoto/moto) library covers the AWS API calls made by the service. You can check the covered API calls [here](https://github.com/getmoto/moto/blob/master/IMPLEMENTATION_COVERAGE.md).
+
+An important point for the AWS testing is that in each check we MUST have a unique `audit_info` which is the key object during the AWS execution to isolate the test execution.
+
+Check the [Audit Info](./audit-info.md) section to get more details.
+
+```python
+# We need to import the AWS_Audit_Info and the Audit_Metadata
+# to set the audit_info to call AWS APIs
+from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
+
+AWS_ACCOUNT_NUMBER = "123456789012"
+
+def set_mocked_audit_info(self):
+  audit_info = AWS_Audit_Info(
+      session_config=None,
+      original_session=None,
+      audit_session=session.Session(
+          profile_name=None,
+          botocore_session=None,
+      ),
+      audit_config=None,
+      audited_account=AWS_ACCOUNT_NUMBER,
+      audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
+      audited_user_id=None,
+      audited_partition="aws",
+      audited_identity_arn=None,
+      profile=None,
+      profile_region=None,
+      credentials=None,
+      assumed_role_info=None,
+      audited_regions=["us-east-1", "eu-west-1"],
+      organizations_metadata=None,
+      audit_resources=None,
+      mfa_enabled=False,
+      audit_metadata=Audit_Metadata(
+          services_scanned=0,
+          expected_checks=[],
+          completed_checks=0,
+          audit_progress=0,
+      ),
+  )
+
+  return audit_info
+```
+### Checks
+
+For the AWS tests examples we are going to use the tests for the `iam_password_policy_uppercase` check.
+
+This section is going to be divided based on the API coverage of the [Moto](https://github.com/getmoto/moto) library.
+
+#### API calls covered
+
+If the [Moto](https://github.com/getmoto/moto) library covers the API calls we want to test, we can use the `@mock_<service>` decorator. This will mocked out all the API calls made to AWS keeping the state within the code decorated, in this case the test function.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+# Boto3 client and session to call the AWS APIs
+from boto3 import client, session
+
+# Moto decorator for the IAM service we want to mock
+from moto import mock_iam
+
+# Constants used
+AWS_ACCOUNT_NUMBER = "123456789012"
+AWS_REGION = "us-east-1"
+
+
+# We always name the test classes like Test_<check_name>
+class Test_iam_password_policy_uppercase:
+
+  # We include the Moto decorator for the service we want to use
+  # You can include more than one if two or more services are
+  # involved in test
+  @mock_iam
+  # We name the tests with test_<service>_<check_name>_<test_action>
+  def test_iam_password_policy_no_uppercase_flag(self):
+    # First, we have to create an IAM client
+    iam_client = client("iam", region_name=AWS_REGION)
+
+    # Then, since all the AWS accounts have a password
+    # policy we want to set to False the RequireUppercaseCharacters
+    iam_client.update_account_password_policy(RequireUppercaseCharacters=False)
+
+    # We set a mocked audit_info for AWS not to share the same audit state
+    # between checks
+    current_audit_info = self.set_mocked_audit_info()
+
+    # The Prowler service import MUST be made within the decorated
+    # code not to make real API calls to the AWS service.
+    from prowler.providers.aws.services.iam.iam_service import IAM
+
+    # Prowler for AWS uses a shared object called `current_audit_info` where it stores
+    # the audit's state, credentials and configuration.
+    with mock.patch(
+        "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+        new=current_audit_info,
+    ),
+    # We have to mock also the iam_client from the check to enforce that the iam_client used is the one
+    # created within this check because patch != import, and if you execute tests in parallel some objects
+    # can be already initialised hence the check won't be isolated
+      mock.patch(
+        "prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase.iam_client",
+        new=IAM(current_audit_info),
+    ):
+        # We import the check within the two mocks not to initialise the iam_client with some shared information from
+        # the current_audit_info or the IAM service.
+        from prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase import (
+            iam_password_policy_uppercase,
+        )
+
+        # Once imported, we only need to instantiate the check's class
+        check = iam_password_policy_uppercase()
+
+        # And then, call the execute() function to run the check
+        # against the IAM client we've set up.
+        result = check.execute()
+
+        # Last but not least, we need to assert all the fields
+        # from the check's results
+        assert len(results) == 1
+        assert result[0].status == "FAIL"
+        assert result[0].status_extended == "IAM password policy does not require at least one uppercase letter."
+        assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+        assert result[0].resource_tags == []
+        assert result[0].region == AWS_REGION
+```
+
+#### API calls not covered
+
+If the IAM service for the check's we want to test is not covered by Moto, we have to inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock). As we have pointed above, we cannot instantiate the service since it will make real calls to the AWS APIs.
+
+> The following example uses the IAM GetAccountPasswordPolicy which is covered by Moto but this is only for demonstration purposes.
+
+The following code shows how to use MagicMock to create the service objects.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+# Constants used
+AWS_ACCOUNT_NUMBER = "123456789012"
+AWS_REGION = "us-east-1"
+
+
+# We always name the test classes like Test_<check_name>
+class Test_iam_password_policy_uppercase:
+
+  # We name the tests with test_<service>_<check_name>_<test_action>
+  def test_iam_password_policy_no_uppercase_flag(self):
+    # Mocked client with MagicMock
+    mocked_iam_client = mock.MagicMock
+
+    # Since the IAM Password Policy has their own model we have to import it
+    from prowler.providers.aws.services.iam.iam_service import PasswordPolicy
+
+    # Create the mock PasswordPolicy object
+    mocked_iam_client.password_policy = PasswordPolicy(
+        length=5,
+        symbols=True,
+        numbers=True,
+        # We set the value to False to test the check
+        uppercase=False,
+        lowercase=True,
+        allow_change=False,
+        expiration=True,
+    )
+
+    # We set a mocked audit_info for AWS not to share the same audit state
+    # between checks
+    current_audit_info = self.set_mocked_audit_info()
+
+    # In this scenario we have to mock also the IAM service and the iam_client from the check to enforce    # that the iam_client used is the one created within this check because patch != import, and if you     # execute tests in parallel some objects can be already initialised hence the check won't be isolated.
+    # In this case we don't use the Moto decorator, we use the mocked IAM client for both objects
+    with mock.patch(
+        "prowler.providers.aws.services.iam.iam_service.IAM",
+        new=mocked_iam_client,
+    ), mock.patch(
+        "prowler.providers.aws.services.iam.iam_client.iam_client",
+        new=mocked_iam_client,
+    ):
+        # We import the check within the two mocks not to initialise the iam_client with some shared information from
+        # the current_audit_info or the IAM service.
+        from prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase import (
+            iam_password_policy_uppercase,
+        )
+
+        # Once imported, we only need to instantiate the check's class
+        check = iam_password_policy_uppercase()
+
+        # And then, call the execute() function to run the check
+        # against the IAM client we've set up.
+        result = check.execute()
+
+        # Last but not least, we need to assert all the fields
+        # from the check's results
+        assert len(results) == 1
+        assert result[0].status == "FAIL"
+        assert result[0].status_extended == "IAM password policy does not require at least one uppercase letter."
+        assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+        assert result[0].resource_tags == []
+        assert result[0].region == AWS_REGION
+```
+
+As it can be seen in the above scenarios, the check execution should always be into the context of mocked/patched objects. This way we ensure it reviews only the objects created under the scope the test.
+
+#### API calls partially covered
+
+If the API calls we want to use in the service are partially covered by the Moto decorator we have to create our own mocked API calls to use it in combination.
+
+To do so, you need to mock the `botocore.client.BaseClient._make_api_call` function, which is the Boto3 function in charge of making the real API call to the AWS APIs, using `mock.patch <https://docs.python.org/3/library/unittest.mock.html#patch>`:
+
+
+```python
+
+import boto3
+import botocore
+from unittest.mock import patch
+from moto import mock_iam
+
+# Original botocore _make_api_call function
+orig = botocore.client.BaseClient._make_api_call
+
+# Mocked botocore _make_api_call function
+def mock_make_api_call(self, operation_name, kwarg):
+    # As you can see the operation_name has the get_account_password_policy snake_case form but
+    # we are using the GetAccountPasswordPolicy form.
+    # Rationale -> https://github.com/boto/botocore/blob/develop/botocore/client.py#L810:L816
+    if operation_name == 'GetAccountPasswordPolicy':
+        return {
+            'PasswordPolicy': {
+                'MinimumPasswordLength': 123,
+                'RequireSymbols': True|False,
+                'RequireNumbers': True|False,
+                'RequireUppercaseCharacters': True|False,
+                'RequireLowercaseCharacters': True|False,
+                'AllowUsersToChangePassword': True|False,
+                'ExpirePasswords': True|False,
+                'MaxPasswordAge': 123,
+                'PasswordReusePrevention': 123,
+                'HardExpiry': True|False
+            }
+        }
+    # If we don't want to patch the API call
+    return orig(self, operation_name, kwarg)
+
+# We always name the test classes like Test_<check_name>
+class Test_iam_password_policy_uppercase:
+
+  # We include the custom API call mock decorator for the service we want to use
+  @patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
+  # We include also the IAM Moto decorator for the API calls supported
+  @mock_iam
+  # We name the tests with test_<service>_<check_name>_<test_action>
+  def test_iam_password_policy_no_uppercase_flag(self):
+    # Check the previous section to see the check test since is the same
+```
+
+Note that this does not use Moto, to keep it simple, but if you use any `moto`-decorators in addition to the patch, the call to `orig(self, operation_name, kwarg)` will be intercepted by Moto.
+
+> The above code comes from here https://docs.getmoto.org/en/latest/docs/services/patching_other_services.html
+
+#### Mocking more than one service
+
+If the test your are creating belongs to a check that uses more than one provider service, you should mock each of the services used. For example, the check `cloudtrail_logs_s3_bucket_access_logging_enabled` requires the CloudTrail and the S3 client, hence the service's mock part of the test will be as follows:
+
+
+```python
+with mock.patch(
+    "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+    new=mock_audit_info,
+), mock.patch(
+    "prowler.providers.aws.services.cloudtrail.cloudtrail_logs_s3_bucket_access_logging_enabled.cloudtrail_logs_s3_bucket_access_logging_enabled.cloudtrail_client",
+    new=Cloudtrail(mock_audit_info),
+), mock.patch(
+    "prowler.providers.aws.services.cloudtrail.cloudtrail_logs_s3_bucket_access_logging_enabled.cloudtrail_logs_s3_bucket_access_logging_enabled.s3_client",
+    new=S3(mock_audit_info),
+):
+```
+
+
+As you can see in the above code, it is required to mock the AWS audit info and both services used.
+
+
+#### Patching vs. Importing
+
+This is an important topic within the Prowler check's unit testing. Due to the dynamic nature of the check's load, the process of importing the service client from a check is the following:
+
+1. `<check>.py`:
+```python
+from prowler.providers.<provider>.services.<service>.<service>_client import <service>_client
+```
+2. `<service>_client.py`:
+```python
+from prowler.providers.<provider>.lib.audit_info.audit_info import audit_info
+from prowler.providers.<provider>.services.<service>.<service>_service import <SERVICE>
+
+<service>_client = <SERVICE>(audit_info)
+```
+
+Due to the above import path it's not the same to patch the following objects because if you run a bunch of tests, either in parallel or not, some clients can be already instantiated by another check, hence your test execution will be using another test's service instance:
+
+- `<service>_client` imported at `<check>.py`
+- `<service>_client` initialised at `<service>_client.py`
+- `<SERVICE>` imported at `<service>_client.py`
+
+A useful read about this topic can be found in the following article: https://stackoverflow.com/questions/8658043/how-to-mock-an-import
+
+
+#### Different ways to mock the service client
+
+##### Mocking the service client at the service client level
+
+Mocking a service client using the following code ...
+
+```python title="Mocking the service_client"
+with mock.patch(
+    "prowler.providers.<provider>.lib.audit_info.audit_info.audit_info",
+    new=audit_info,
+), mock.patch(
+    "prowler.providers.aws.services.<service>.<check>.<check>.<service>_client",
+    new=<SERVICE>(audit_info),
+):
+```
+will cause that the service will be initialised twice:
+
+1. When the `<SERVICE>(audit_info)` is mocked out using `mock.patch` to have the object ready for the patching.
+2. At the `<service>_client.py` when we are patching it since the `mock.patch` needs to go to that object an initialise it, hence the `<SERVICE>(audit_info)` will be called again.
+
+Then, when we import the `<service>_client.py` at `<check>.py`, since we are mocking where the object is used, Python will use the mocked one.
+
+In the [next section](./unit-testing.md#mocking-the-service-and-the-service-client-at-the-service-client-level) you will see an improved version to mock objects.
+
+
+##### Mocking the service and the service client at the service client level
+Mocking a service client using the following code ...
+
+```python title="Mocking the service and the service_client"
+with mock.patch(
+    "prowler.providers.<provider>.lib.audit_info.audit_info.audit_info",
+    new=audit_info,
+), mock.patch(
+    "prowler.providers.aws.services.<service>.<SERVICE>",
+    new=<SERVICE>(audit_info),
+) as service_client, mock.patch(
+    "prowler.providers.aws.services.<service>.<service>_client.<service>_client",
+    new=service_client,
+):
+```
+will cause that the service will be initialised once, just when the `<SERVICE>(audit_info)` is mocked out using `mock.patch`.
+
+Then, at the check_level when Python tries to import the client with `from prowler.providers.<provider>.services.<service>.<service>_client`, since it is already mocked out, the execution will continue using the `service_client` without getting into the `<service>_client.py`.
+
+
+### Services
+
+For testing the AWS services we have to follow the same logic as with the AWS checks, we have to check if the AWS API calls made by the service are covered by Moto and we have to test the service `__init__` to verifiy that the information is being correctly retrieved.
+
+The service tests could act as *Integration Tests* since we test how the service retrieves the information from the provider, but since Moto or the custom mock objects mocks that calls this test will fall into *Unit Tests*.
+
+Please refer to the [AWS checks tests](./unit-testing.md#checks) for more information on how to create tests and check the existing services tests [here](https://github.com/prowler-cloud/prowler/tree/master/tests/providers/aws/services).
+
+## GCP
+
+### Checks
+
+For the GCP Provider we don't have any library to mock out the API calls we use. So in this scenario we inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock).
+
+The following code shows how to use MagicMock to create the service objects for a GCP check test.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+# GCP Constants
+GCP_PROJECT_ID = "123456789012"
+
+# We are going to create a test for the compute_firewall_rdp_access_from_the_internet_allowed check
+class Test_compute_firewall_rdp_access_from_the_internet_allowed:
+
+    # We name the tests with test_<service>_<check_name>_<test_action>
+    def test_compute_compute_firewall_rdp_access_from_the_internet_allowed_one_compliant_rule_with_valid_port(self):
+        # Mocked client with MagicMock
+        compute_client = mock.MagicMock
+
+        # Assign GCP client configuration
+        compute_client.project_ids = [GCP_PROJECT_ID]
+        compute_client.region = "global"
+
+        # Import the service resource model to create the mocked object
+        from prowler.providers.gcp.services.compute.compute_service import Firewall
+
+        # Create the custom Firewall object to be tested
+        firewall = Firewall(
+            name="test",
+            id="1234567890",
+            source_ranges=["0.0.0.0/0"],
+            direction="INGRESS",
+            allowed_rules=[{"IPProtocol": "tcp", "ports": ["443"]}],
+            project_id=GCP_PROJECT_ID,
+        )
+        compute_client.firewalls = [firewall]
+
+        # In this scenario we have to mock also the Compute service and the compute_client from the check to enforce that the compute_client used is the one created within this check because patch != import, and if you execute tests in parallel some objects can be already initialised hence the check won't be isolated.
+        # In this case we don't use the Moto decorator, we use the mocked Compute client for both objects
+        with mock.patch(
+            "prowler.providers.gcp.services.compute.compute_service.Compute",
+            new=defender_client,
+        ), mock.patch(
+            "prowler.providers.gcp.services.compute.compute_client.compute_client",
+            new=defender_client,
+        ):
+
+            # We import the check within the two mocks not to initialise the iam_client with some shared information from
+            # the current_audit_info or the Compute service.
+            from prowler.providers.gcp.services.compute.compute_firewall_rdp_access_from_the_internet_allowed.compute_firewall_rdp_access_from_the_internet_allowed import (
+                compute_firewall_rdp_access_from_the_internet_allowed,
+            )
+
+            # Once imported, we only need to instantiate the check's class
+            check = compute_firewall_rdp_access_from_the_internet_allowed()
+
+            # And then, call the execute() function to run the check
+            # against the IAM client we've set up.
+            result = check.execute()
+
+            # Last but not least, we need to assert all the fields
+            # from the check's results
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].status_extended == f"Firewall {firewall.name} does not expose port 3389 (RDP) to the internet."
+            assert result[0].resource_name = firewall.name
+            assert result[0].resource_id == firewall.id
+            assert result[0].project_id = GCP_PROJECT_ID
+            assert result[0].location = compute_client.region
+```
+
+### Services
+
+Coming soon ...
+
+## Azure
+
+### Checks
+
+For the Azure Provider we don't have any library to mock out the API calls we use. So in this scenario we inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock).
+
+The following code shows how to use MagicMock to create the service objects for a Azure check test.
+
+```python
+# We need to import the unittest.mock to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest import mock
+
+from uuid import uuid4
+
+# Azure Constants
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+
+# We are going to create a test for the Test_defender_ensure_defender_for_arm_is_on check
+class Test_defender_ensure_defender_for_arm_is_on:
+
+    # We name the tests with test_<service>_<check_name>_<test_action>
+    def test_defender_defender_ensure_defender_for_arm_is_on_arm_pricing_tier_not_standard(self):
+        resource_id = str(uuid4())
+
+        # Mocked client with MagicMock
+        defender_client = mock.MagicMock
+
+        # Import the service resource model to create the mocked object
+        from prowler.providers.azure.services.defender.defender_service import Defender_Pricing
+
+        # Create the custom Defender object to be tested
+        defender_client.pricings = {
+            AZURE_SUSCRIPTION: {
+                "Arm": Defender_Pricing(
+                    resource_id=resource_id,
+                    pricing_tier="Not Standard",
+                    free_trial_remaining_time=0,
+                )
+            }
+        }
+
+        # In this scenario we have to mock also the Defender service and the defender_client from the check to enforce that the defender_client used is the one created within this check because patch != import, and if you execute tests in parallel some objects can be already initialised hence the check won't be isolated.
+        # In this case we don't use the Moto decorator, we use the mocked Defender client for both objects
+        with mock.patch(
+            "prowler.providers.azure.services.defender.defender_service.Defender",
+            new=defender_client,
+        ), mock.patch(
+            "prowler.providers.azure.services.defender.defender_client.defender_client",
+            new=defender_client,
+        ):
+
+            # We import the check within the two mocks not to initialise the iam_client with some shared information from
+            # the current_audit_info or the Defender service.
+            from prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on import (
+                defender_ensure_defender_for_arm_is_on,
+            )
+
+            # Once imported, we only need to instantiate the check's class
+            check = defender_ensure_defender_for_arm_is_on()
+
+            # And then, call the execute() function to run the check
+            # against the IAM client we've set up.
+            result = check.execute()
+
+            # Last but not least, we need to assert all the fields
+            # from the check's results
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Defender plan Defender for ARM from subscription {AZURE_SUSCRIPTION} is set to OFF (pricing tier not standard)"
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == "Defender plan ARM"
+            assert result[0].resource_id == resource_id
+```
+
+### Services
+
+Coming soon ...

docs/getting-started/requirements.md

@@ -0,0 +1,102 @@
+# Requirements
+
+Prowler has been written in Python using the [AWS SDK (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html#), [Azure SDK](https://azure.github.io/azure-sdk-for-python/) and [GCP API Python Client](https://github.com/googleapis/google-api-python-client/).
+## AWS
+
+Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence).
+
+### AWS Authentication
+
+Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
+
+```console
+aws configure
+```
+
+or
+
+```console
+export AWS_ACCESS_KEY_ID="ASXXXXXXX"
+export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
+export AWS_SESSION_TOKEN="XXXXXXXXX"
+```
+
+Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
+
+  - `arn:aws:iam::aws:policy/SecurityAudit`
+  - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
+
+  > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
+
+  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
+
+### Multi-Factor Authentication
+
+If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
+
+- ARN of your MFA device
+- TOTP (Time-Based One-Time Password)
+
+## Azure
+
+Prowler for azure supports the following authentication types:
+
+- Service principal authentication by environment variables (Enterprise Application)
+- Current az cli credentials stored
+- Interactive browser authentication
+- Managed identity authentication
+
+### Service Principal authentication
+
+To allow Prowler assume the service principal identity to start the scan it is needed to configure the following environment variables:
+
+```console
+export AZURE_CLIENT_ID="XXXXXXXXX"
+export AZURE_TENANT_ID="XXXXXXXXX"
+export AZURE_CLIENT_SECRET="XXXXXXX"
+```
+
+If you try to execute Prowler with the `--sp-env-auth` flag and those variables are empty or not exported, the execution is going to fail.
+### AZ CLI / Browser / Managed Identity authentication
+
+The other three cases does not need additional configuration, `--az-cli-auth` and `--managed-identity-auth` are automated options. To use `--browser-auth`  the user needs to authenticate against Azure using the default browser to start the scan, also `tenant-id` is required.
+
+### Permissions
+
+To use each one you need to pass the proper flag to the execution. Prowler fro Azure handles two types of permission scopes, which are:
+
+- **Azure Active Directory permissions**: Used to retrieve metadata from the identity assumed by Prowler and future AAD checks (not mandatory to have access to execute the tool)
+- **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool.
+
+
+#### Azure Active Directory scope
+
+Azure Active Directory (AAD) permissions required by the tool are the following:
+
+- `Directory.Read.All`
+- `Policy.Read.All`
+
+The best way to assign it is through the azure web console:
+
+![AAD Permissions](../img/AAD-permissions.png)
+
+#### Subscriptions scope
+
+Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription  to the entity that is going to be assumed by the tool:
+
+- `Security Reader`
+- `Reader`
+
+## Google Cloud
+
+### GCP Authentication
+
+Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order):
+
+1. [GOOGLE_APPLICATION_CREDENTIALS environment variable](https://cloud.google.com/docs/authentication/application-default-credentials#GAC)
+2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal)
+3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa)
+
+Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.
+
+> By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.

docs/img/ProwlerPro-icon.svg

@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 240.29 285.79"><defs><style>.cls-1{fill:url(#linear-gradient);}.cls-2{fill:#71be44;}</style><linearGradient id="linear-gradient" x1="157.45" y1="97.85" x2="211.7" y2="97.85" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#5a9b37"/><stop offset="1" stop-color="#71be44"/></linearGradient></defs><circle class="cls-1" cx="148.2" cy="97.85" r="67.45"/><path class="cls-2" d="M66.28,30.4H148.2a0,0,0,0,1,0,0V185.35a81.93,81.93,0,0,1-81.93,81.93h0a0,0,0,0,1,0,0V30.4A0,0,0,0,1,66.28,30.4Z"/></svg>

docs/index.md

@@ -0,0 +1,304 @@
+<p href="https://github.com/prowler-cloud/prowler">
+<img align="right" src="./img/prowler-logo.png" height="100">
+</p>
+<br>
+
+# Prowler Documentation
+
+**Welcome to [Prowler Open Source v3](https://github.com/prowler-cloud/prowler/) Documentation!** 📄
+
+For **Prowler v2 Documentation**, please go [here](https://github.com/prowler-cloud/prowler/tree/2.12.0) to the branch and its README.md.
+
+- You are currently in the **Getting Started** section where you can find general information and requirements to help you start with the tool.
+- In the [Tutorials](./tutorials/misc.md) section you will see how to take advantage of all the features in Prowler.
+- In the [Contact Us](./contact.md) section you can find how to reach us out in case of technical issues.
+- In the [About](./about.md) section you will find more information about the Prowler team and license.
+
+## About Prowler
+
+**Prowler** is an Open Source security tool to perform AWS, Azure and Google Cloud security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
+
+It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
+
+[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/prowlercloud.svg?style=social&label=Follow%20%40prowlercloud)](https://twitter.com/prowlercloud)
+
+## About ProwlerPro
+
+<a href="https://prowler.pro"><img align="right" src="./img/prowler-pro-light.png" width="350"></a> **ProwlerPro** gives you the benefits of Prowler Open Source plus continuous monitoring, faster execution, personalized support, visualization of your data with dashboards, alerts and much more.
+Visit <a href="https://prowler.pro">prowler.pro</a> for more info.
+
+
+## Quick Start
+### Installation
+
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with `Python >= 3.9`:
+
+
+=== "Generic"
+
+    _Requirements_:
+
+    * `Python >= 3.9`
+    * `Python pip >= 3.9`
+    * AWS, GCP and/or Azure credentials
+
+    _Commands_:
+
+    ``` bash
+    pip install prowler
+    prowler -v
+    ```
+
+=== "Docker"
+
+    _Requirements_:
+
+    * Have `docker` installed: https://docs.docker.com/get-docker/.
+    * AWS, GCP and/or Azure credentials
+    * In the command below, change `-v` to your local directory path in order to access the reports.
+
+    _Commands_:
+
+    ``` bash
+    docker run -ti --rm -v /your/local/dir/prowler-output:/home/prowler/output \
+    --name prowler \
+    --env AWS_ACCESS_KEY_ID \
+    --env AWS_SECRET_ACCESS_KEY \
+    --env AWS_SESSION_TOKEN toniblyx/prowler:latest
+    ```
+
+=== "Ubuntu"
+
+    _Requirements for Ubuntu 20.04.3 LTS_:
+
+    * AWS, GCP and/or Azure credentials
+    * Install python 3.9 with: `sudo apt-get install python3.9`
+    * Remove python 3.8 to avoid conflicts if you can: `sudo apt-get remove python3.8`
+    * Make sure you have the python3 distutils package installed: `sudo apt-get install python3-distutils`
+    * To make sure you use pip for 3.9 get the get-pip script with: `curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py`
+    * Execute it with the proper python version: `sudo python3.9 get-pip.py`
+    * Now you should have pip for 3.9 ready: `pip3.9 --version`
+
+    _Commands_:
+
+    ```
+    pip3.9 install prowler
+    export PATH=$PATH:/home/$HOME/.local/bin/
+    prowler -v
+    ```
+
+=== "GitHub"
+
+    _Requirements for Developers_:
+
+    * AWS, GCP and/or Azure credentials
+    * `git`, `Python >= 3.9`, `pip` and `poetry` installed (`pip install poetry`)
+
+    _Commands_:
+
+    ```
+    git clone https://github.com/prowler-cloud/prowler
+    cd prowler
+    poetry shell
+    poetry install
+    python prowler.py -v
+    ```
+
+=== "Amazon Linux 2"
+
+    _Requirements_:
+
+    * AWS, GCP and/or Azure credentials
+    * Latest Amazon Linux 2 should come with Python 3.9 already installed however it may need pip. Install Python pip 3.9 with: `sudo yum install -y python3-pip`.
+    * Make sure setuptools for python is already installed with: `pip3 install setuptools`
+
+    _Commands_:
+
+    ```
+    pip3.9 install prowler
+    export PATH=$PATH:/home/$HOME/.local/bin/
+    prowler -v
+    ```
+
+=== "Brew"
+
+    _Requirements_:
+
+    * `Brew` installed in your Mac or Linux
+    * AWS, GCP and/or Azure credentials
+
+    _Commands_:
+
+    ``` bash
+    brew install prowler
+    prowler -v
+    ```
+
+=== "AWS CloudShell"
+
+    Prowler can be easely executed in AWS CloudShell but it has some prerequsites to be able to to so. AWS CloudShell is a container running with `Amazon Linux release 2 (Karoo)` that comes with Python 3.7, since Prowler requires Python >= 3.9 we need to first install a newer version of Python. Follow the steps below to successfully execute Prowler v3 in AWS CloudShell:
+
+    _Requirements_:
+
+    * First install all dependences and then Python, in this case we need to compile it because there is not a package available at the time this document is written:
+    ```
+    sudo yum -y install gcc openssl-devel bzip2-devel libffi-devel
+    wget https://www.python.org/ftp/python/3.9.16/Python-3.9.16.tgz
+    tar zxf Python-3.9.16.tgz
+    cd Python-3.9.16/
+    ./configure --enable-optimizations
+    sudo make altinstall
+    python3.9 --version
+    cd
+    ```
+    _Commands_:
+
+    * Once Python 3.9 is available we can install Prowler from pip:
+    ```
+    pip3.9 install prowler
+    prowler -v
+    ```
+
+    > To download the results from AWS CloudShell, select Actions -> Download File and add the full path of each file. For the CSV file it will be something like `/home/cloudshell-user/output/prowler-output-123456789012-20221220191331.csv`
+
+=== "Azure CloudShell"
+
+    _Requirements_:
+
+    * Open Azure CloudShell `bash`.
+
+    _Commands_:
+
+    ```
+    pip install prowler
+    prowler -v
+    ```
+
+## Prowler container versions
+
+The available versions of Prowler are the following:
+
+- `latest`: in sync with master branch (bear in mind that it is not a stable version)
+- `<x.y.z>` (release): you can find the releases [here](https://github.com/prowler-cloud/prowler/releases), those are stable releases.
+- `stable`: this tag always point to the latest release.
+
+The container images are available here:
+
+- [DockerHub](https://hub.docker.com/r/toniblyx/prowler/tags)
+- [AWS Public ECR](https://gallery.ecr.aws/prowler-cloud/prowler)
+
+## High level architecture
+
+You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell, Cloud9 and many more.
+
+![Architecture](img/architecture.png)
+## Basic Usage
+
+To run Prowler, you will need to specify the provider (e.g aws, gcp or azure):
+> If no provider specified, AWS will be used for backward compatibility with most of v2 options.
+
+```console
+prowler <provider>
+```
+![Prowler Execution](img/short-display.png)
+> Running the `prowler` command without options will use your environment variable credentials, see [Requirements](./getting-started/requirements.md) section to review the credentials settings.
+
+If you miss the former output you can use `--verbose` but Prowler v3 is smoking fast, so you won't see much ;)
+
+By default, Prowler will generate a CSV, JSON and HTML reports, however you can generate a JSON-ASFF (used by AWS Security Hub) report with `-M` or `--output-modes`:
+
+```console
+prowler <provider> -M csv json json-asff html
+```
+The html report will be located in the output directory as the other files and it will look like:
+
+![Prowler Execution](img/html-output.png)
+
+You can use `-l`/`--list-checks` or `--list-services` to list all available checks or services within the provider.
+
+```console
+prowler <provider> --list-checks
+prowler <provider> --list-services
+```
+
+For executing specific checks or services you can use options `-c`/`checks` or `-s`/`services`:
+
+```console
+prowler azure --checks storage_blob_public_access_level_is_disabled
+prowler aws --services s3 ec2
+prowler gcp --services iam compute
+```
+
+Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
+
+```console
+prowler aws --excluded-checks s3_bucket_public_access
+prowler azure --excluded-services defender iam
+prowler gcp --excluded-services kms
+```
+
+More options and executions methods that will save your time in [Miscellaneous](tutorials/misc.md).
+
+You can always use `-h`/`--help` to access to the usage information and all the possible options:
+
+```console
+prowler --help
+```
+
+### AWS
+
+Use a custom AWS profile with `-p`/`--profile` and/or AWS regions which you want to audit with `-f`/`--filter-region`:
+
+```console
+prowler aws --profile custom-profile -f us-east-1 eu-south-2
+```
+> By default, `prowler` will scan all AWS regions.
+
+See more details about AWS Authentication in [Requirements](getting-started/requirements.md)
+
+### Azure
+
+With Azure you need to specify which auth method is going to be used:
+
+```console
+# To use service principal authentication
+prowler azure --sp-env-auth
+
+# To use az cli authentication
+prowler azure --az-cli-auth
+
+# To use browser authentication
+prowler azure --browser-auth --tenant-id "XXXXXXXX"
+
+# To use managed identity auth
+prowler azure --managed-identity-auth
+```
+
+See more details about Azure Authentication in [Requirements](getting-started/requirements.md)
+
+Prowler by default scans all the subscriptions that is allowed to scan, if you want to scan a single subscription or various specific subscriptions you can use the following flag (using az cli auth as example):
+```console
+prowler azure --az-cli-auth --subscription-ids <subscription ID 1> <subscription ID 2> ... <subscription ID N>
+```
+
+### Google Cloud
+
+Prowler will use by default your User Account credentials, you can configure it using:
+
+- `gcloud init` to use a new account
+- `gcloud config set account <account>` to use an existing account
+
+Then, obtain your access credentials using: `gcloud auth application-default login`
+
+Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument:
+
+```console
+prowler gcp --credentials-file path
+```
+
+Prowler by default scans all the GCP Projects that is allowed to scan, if you want to scan a single project or various specific projects you can use the following flag:
+```console
+prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
+```
+
+See more details about GCP Authentication in [Requirements](getting-started/requirements.md)