Label version 2.3.0-18122020

Fix FreeBSD $OSTYPE check @ring-pete

.dockerignore

@@ -0,0 +1,5 @@
+.git/
+
+# Ignore output directories
+output/
+junit-reports/

.github/pull_request_template.md

@@ -0,0 +1 @@
+By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

.gitignore

@@ -0,0 +1,30 @@
+# Swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# MacOs DS_Store
+*.DS_Store
+
+# Prowler output
+output/
+
+# JUnit Reports
+junit-reports/
+
+# VSCode files
+.vscode/

CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at community@prowler.cloud. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

Dockerfile

@@ -1,4 +0,0 @@
-FROM python
-MAINTAINER Steve Neuharth <steve@aethereal.io>
-RUN apt-get update && apt-get upgrade -y && pip install awscli ansi2html
-ADD prowler* /usr/local/bin/

LICENSE

@@ -1,360 +1,6 @@
-Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
-Public License
+All CIS based checks in the checks folder are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License.
+The link to the license terms can be found at
+https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
 
-By exercising the Licensed Rights (defined below), You accept and agree
-to be bound by the terms and conditions of this Creative Commons
-Attribution-NonCommercial-ShareAlike 4.0 International Public License
-("Public License"). To the extent this Public License may be
-interpreted as a contract, You are granted the Licensed Rights in
-consideration of Your acceptance of these terms and conditions, and the
-Licensor grants You such rights in consideration of benefits the
-Licensor receives from making the Licensed Material available under
-these terms and conditions.
-
-
-Section 1 -- Definitions.
-
-  a. Adapted Material means material subject to Copyright and Similar
-     Rights that is derived from or based upon the Licensed Material
-     and in which the Licensed Material is translated, altered,
-     arranged, transformed, or otherwise modified in a manner requiring
-     permission under the Copyright and Similar Rights held by the
-     Licensor. For purposes of this Public License, where the Licensed
-     Material is a musical work, performance, or sound recording,
-     Adapted Material is always produced where the Licensed Material is
-     synched in timed relation with a moving image.
-
-  b. Adapter's License means the license You apply to Your Copyright
-     and Similar Rights in Your contributions to Adapted Material in
-     accordance with the terms and conditions of this Public License.
-
-  c. BY-NC-SA Compatible License means a license listed at
-     creativecommons.org/compatiblelicenses, approved by Creative
-     Commons as essentially the equivalent of this Public License.
-
-  d. Copyright and Similar Rights means copyright and/or similar rights
-     closely related to copyright including, without limitation,
-     performance, broadcast, sound recording, and Sui Generis Database
-     Rights, without regard to how the rights are labeled or
-     categorized. For purposes of this Public License, the rights
-     specified in Section 2(b)(1)-(2) are not Copyright and Similar
-     Rights.
-
-  e. Effective Technological Measures means those measures that, in the
-     absence of proper authority, may not be circumvented under laws
-     fulfilling obligations under Article 11 of the WIPO Copyright
-     Treaty adopted on December 20, 1996, and/or similar international
-     agreements.
-
-  f. Exceptions and Limitations means fair use, fair dealing, and/or
-     any other exception or limitation to Copyright and Similar Rights
-     that applies to Your use of the Licensed Material.
-
-  g. License Elements means the license attributes listed in the name
-     of a Creative Commons Public License. The License Elements of this
-     Public License are Attribution, NonCommercial, and ShareAlike.
-
-  h. Licensed Material means the artistic or literary work, database,
-     or other material to which the Licensor applied this Public
-     License.
-
-  i. Licensed Rights means the rights granted to You subject to the
-     terms and conditions of this Public License, which are limited to
-     all Copyright and Similar Rights that apply to Your use of the
-     Licensed Material and that the Licensor has authority to license.
-
-  j. Licensor means the individual(s) or entity(ies) granting rights
-     under this Public License.
-
-  k. NonCommercial means not primarily intended for or directed towards
-     commercial advantage or monetary compensation. For purposes of
-     this Public License, the exchange of the Licensed Material for
-     other material subject to Copyright and Similar Rights by digital
-     file-sharing or similar means is NonCommercial provided there is
-     no payment of monetary compensation in connection with the
-     exchange.
-
-  l. Share means to provide material to the public by any means or
-     process that requires permission under the Licensed Rights, such
-     as reproduction, public display, public performance, distribution,
-     dissemination, communication, or importation, and to make material
-     available to the public including in ways that members of the
-     public may access the material from a place and at a time
-     individually chosen by them.
-
-  m. Sui Generis Database Rights means rights other than copyright
-     resulting from Directive 96/9/EC of the European Parliament and of
-     the Council of 11 March 1996 on the legal protection of databases,
-     as amended and/or succeeded, as well as other essentially
-     equivalent rights anywhere in the world.
-
-  n. You means the individual or entity exercising the Licensed Rights
-     under this Public License. Your has a corresponding meaning.
-
-
-Section 2 -- Scope.
-
-  a. License grant.
-
-       1. Subject to the terms and conditions of this Public License,
-          the Licensor hereby grants You a worldwide, royalty-free,
-          non-sublicensable, non-exclusive, irrevocable license to
-          exercise the Licensed Rights in the Licensed Material to:
-
-            a. reproduce and Share the Licensed Material, in whole or
-               in part, for NonCommercial purposes only; and
-
-            b. produce, reproduce, and Share Adapted Material for
-               NonCommercial purposes only.
-
-       2. Exceptions and Limitations. For the avoidance of doubt, where
-          Exceptions and Limitations apply to Your use, this Public
-          License does not apply, and You do not need to comply with
-          its terms and conditions.
-
-       3. Term. The term of this Public License is specified in Section
-          6(a).
-
-       4. Media and formats; technical modifications allowed. The
-          Licensor authorizes You to exercise the Licensed Rights in
-          all media and formats whether now known or hereafter created,
-          and to make technical modifications necessary to do so. The
-          Licensor waives and/or agrees not to assert any right or
-          authority to forbid You from making technical modifications
-          necessary to exercise the Licensed Rights, including
-          technical modifications necessary to circumvent Effective
-          Technological Measures. For purposes of this Public License,
-          simply making modifications authorized by this Section 2(a)
-          (4) never produces Adapted Material.
-
-       5. Downstream recipients.
-
-            a. Offer from the Licensor -- Licensed Material. Every
-               recipient of the Licensed Material automatically
-               receives an offer from the Licensor to exercise the
-               Licensed Rights under the terms and conditions of this
-               Public License.
-
-            b. Additional offer from the Licensor -- Adapted Material.
-               Every recipient of Adapted Material from You
-               automatically receives an offer from the Licensor to
-               exercise the Licensed Rights in the Adapted Material
-               under the conditions of the Adapter's License You apply.
-
-            c. No downstream restrictions. You may not offer or impose
-               any additional or different terms or conditions on, or
-               apply any Effective Technological Measures to, the
-               Licensed Material if doing so restricts exercise of the
-               Licensed Rights by any recipient of the Licensed
-               Material.
-
-       6. No endorsement. Nothing in this Public License constitutes or
-          may be construed as permission to assert or imply that You
-          are, or that Your use of the Licensed Material is, connected
-          with, or sponsored, endorsed, or granted official status by,
-          the Licensor or others designated to receive attribution as
-          provided in Section 3(a)(1)(A)(i).
-
-  b. Other rights.
-
-       1. Moral rights, such as the right of integrity, are not
-          licensed under this Public License, nor are publicity,
-          privacy, and/or other similar personality rights; however, to
-          the extent possible, the Licensor waives and/or agrees not to
-          assert any such rights held by the Licensor to the limited
-          extent necessary to allow You to exercise the Licensed
-          Rights, but not otherwise.
-
-       2. Patent and trademark rights are not licensed under this
-          Public License.
-
-       3. To the extent possible, the Licensor waives any right to
-          collect royalties from You for the exercise of the Licensed
-          Rights, whether directly or through a collecting society
-          under any voluntary or waivable statutory or compulsory
-          licensing scheme. In all other cases the Licensor expressly
-          reserves any right to collect such royalties, including when
-          the Licensed Material is used other than for NonCommercial
-          purposes.
-
-
-Section 3 -- License Conditions.
-
-Your exercise of the Licensed Rights is expressly made subject to the
-following conditions.
-
-  a. Attribution.
-
-       1. If You Share the Licensed Material (including in modified
-          form), You must:
-
-            a. retain the following if it is supplied by the Licensor
-               with the Licensed Material:
-
-                 i. identification of the creator(s) of the Licensed
-                    Material and any others designated to receive
-                    attribution, in any reasonable manner requested by
-                    the Licensor (including by pseudonym if
-                    designated);
-
-                ii. a copyright notice;
-
-               iii. a notice that refers to this Public License;
-
-                iv. a notice that refers to the disclaimer of
-                    warranties;
-
-                 v. a URI or hyperlink to the Licensed Material to the
-                    extent reasonably practicable;
-
-            b. indicate if You modified the Licensed Material and
-               retain an indication of any previous modifications; and
-
-            c. indicate the Licensed Material is licensed under this
-               Public License, and include the text of, or the URI or
-               hyperlink to, this Public License.
-
-       2. You may satisfy the conditions in Section 3(a)(1) in any
-          reasonable manner based on the medium, means, and context in
-          which You Share the Licensed Material. For example, it may be
-          reasonable to satisfy the conditions by providing a URI or
-          hyperlink to a resource that includes the required
-          information.
-       3. If requested by the Licensor, You must remove any of the
-          information required by Section 3(a)(1)(A) to the extent
-          reasonably practicable.
-
-  b. ShareAlike.
-
-     In addition to the conditions in Section 3(a), if You Share
-     Adapted Material You produce, the following conditions also apply.
-
-       1. The Adapter's License You apply must be a Creative Commons
-          license with the same License Elements, this version or
-          later, or a BY-NC-SA Compatible License.
-
-       2. You must include the text of, or the URI or hyperlink to, the
-          Adapter's License You apply. You may satisfy this condition
-          in any reasonable manner based on the medium, means, and
-          context in which You Share Adapted Material.
-
-       3. You may not offer or impose any additional or different terms
-          or conditions on, or apply any Effective Technological
-          Measures to, Adapted Material that restrict exercise of the
-          rights granted under the Adapter's License You apply.
-
-
-Section 4 -- Sui Generis Database Rights.
-
-Where the Licensed Rights include Sui Generis Database Rights that
-apply to Your use of the Licensed Material:
-
-  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
-     to extract, reuse, reproduce, and Share all or a substantial
-     portion of the contents of the database for NonCommercial purposes
-     only;
-
-  b. if You include all or a substantial portion of the database
-     contents in a database in which You have Sui Generis Database
-     Rights, then the database in which You have Sui Generis Database
-     Rights (but not its individual contents) is Adapted Material,
-     including for purposes of Section 3(b); and
-
-  c. You must comply with the conditions in Section 3(a) if You Share
-     all or a substantial portion of the contents of the database.
-
-For the avoidance of doubt, this Section 4 supplements and does not
-replace Your obligations under this Public License where the Licensed
-Rights include other Copyright and Similar Rights.
-
-
-Section 5 -- Disclaimer of Warranties and Limitation of Liability.
-
-  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
-     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
-     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
-     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
-     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
-     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
-     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
-     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
-     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
-     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
-  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
-     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
-     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
-     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
-     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
-     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
-     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
-     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
-     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
-  c. The disclaimer of warranties and limitation of liability provided
-     above shall be interpreted in a manner that, to the extent
-     possible, most closely approximates an absolute disclaimer and
-     waiver of all liability.
-
-
-Section 6 -- Term and Termination.
-
-  a. This Public License applies for the term of the Copyright and
-     Similar Rights licensed here. However, if You fail to comply with
-     this Public License, then Your rights under this Public License
-     terminate automatically.
-
-  b. Where Your right to use the Licensed Material has terminated under
-     Section 6(a), it reinstates:
-
-       1. automatically as of the date the violation is cured, provided
-          it is cured within 30 days of Your discovery of the
-          violation; or
-
-       2. upon express reinstatement by the Licensor.
-
-     For the avoidance of doubt, this Section 6(b) does not affect any
-     right the Licensor may have to seek remedies for Your violations
-     of this Public License.
-
-  c. For the avoidance of doubt, the Licensor may also offer the
-     Licensed Material under separate terms or conditions or stop
-     distributing the Licensed Material at any time; however, doing so
-     will not terminate this Public License.
-
-  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
-     License.
-
-
-Section 7 -- Other Terms and Conditions.
-
-  a. The Licensor shall not be bound by any additional or different
-     terms or conditions communicated by You unless expressly agreed.
-
-  b. Any arrangements, understandings, or agreements regarding the
-     Licensed Material not stated herein are separate from and
-     independent of the terms and conditions of this Public License.
-
-
-Section 8 -- Interpretation.
-
-  a. For the avoidance of doubt, this Public License does not, and
-     shall not be interpreted to, reduce, limit, restrict, or impose
-     conditions on any use of the Licensed Material that could lawfully
-     be made without permission under this Public License.
-
-  b. To the extent possible, if any provision of this Public License is
-     deemed unenforceable, it shall be automatically reformed to the
-     minimum extent necessary to make it enforceable. If the provision
-     cannot be reformed, it shall be severed from this Public License
-     without affecting the enforceability of the remaining terms and
-     conditions.
-
-  c. No term or condition of this Public License will be waived and no
-     failure to comply consented to unless expressly agreed to by the
-     Licensor.
-
-  d. Nothing in this Public License constitutes or may be interpreted
-     as a limitation upon, or waiver of, any privileges and immunities
-     that apply to the Licensor or You, including from the legal
-     processes of any jurisdiction or authority.
+Any other piece of code is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0

LICENSE-APACHE-2.0

@@ -0,0 +1,201 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work
+(an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate
+as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or
+Derivative Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work,
+excluding those notices that do not pertain to any part of
+the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify
+the terms of any separate license agreement you may have executed
+with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following
+boilerplate notice, with the fields enclosed by brackets "[]"
+replaced with your own identifying information. (Don't include
+the brackets!)  The text should be enclosed in the appropriate
+comment syntax for the file format. We also recommend that a
+file or class name and description of purpose be included on the
+same "printed page" as the copyright notice for easier
+identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

LICENSE-CC-BY-SA-4.0

@@ -0,0 +1,360 @@
+Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
+Public License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-NonCommercial-ShareAlike 4.0 International Public License
+("Public License"). To the extent this Public License may be
+interpreted as a contract, You are granted the Licensed Rights in
+consideration of Your acceptance of these terms and conditions, and the
+Licensor grants You such rights in consideration of benefits the
+Licensor receives from making the Licensed Material available under
+these terms and conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-NC-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution, NonCommercial, and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. NonCommercial means not primarily intended for or directed towards
+     commercial advantage or monetary compensation. For purposes of
+     this Public License, the exchange of the Licensed Material for
+     other material subject to Copyright and Similar Rights by digital
+     file-sharing or similar means is NonCommercial provided there is
+     no payment of monetary compensation in connection with the
+     exchange.
+
+  l. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  m. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  n. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part, for NonCommercial purposes only; and
+
+            b. produce, reproduce, and Share Adapted Material for
+               NonCommercial purposes only.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties, including when
+          the Licensed Material is used other than for NonCommercial
+          purposes.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-NC-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database for NonCommercial purposes
+     only;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+     including for purposes of Section 3(b); and
+
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.

LIST_OF_CHECKS_AND_GROUPS.md

@@ -0,0 +1,5 @@
+```
+./prowler -l # to see all available checks and their groups.
+./prowler -L # to see all available groups only.
+./prowler -l -g groupname # to see checks in a particular group
+```

Pipfile

@@ -0,0 +1,13 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+
+[packages]
+boto3 = ">=1.9.188"
+detect-secrets = ">=0.12.4"
+
+[requires]
+python_version = "3.7"

README.md

@@ -1,412 +1,651 @@
 # Prowler: AWS CIS Benchmark Tool
 
-## Table of Contents  
+## Table of Contents
+
 - [Description](#description)
-- [Features](#features)  
-- [Requirements](#requirements)  
+- [Features](#features)
+- [Requirements and Installation](#requirements-and-installation)
 - [Usage](#usage)
-- [Fix](#fix)
 - [Screenshots](#screenshots)
+- [Advanced Usage](#advanced-usage)
+- [Security Hub integration](#security-hub-integration)
+- [CodeBuild deployment](#codebuild-deployment)
+- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources)
+- [Fix](#how-to-fix-every-fail)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
 - [Forensics Ready Checks](#forensics-ready-checks)
+- [GDPR Checks](#gdpr-checks)
+- [HIPAA Checks](#hipaa-checks)
+- [Trust Boundaries Checks](#trust-boundaries-checks)
+- [Multi Account and Continuous Monitoring](util/org-multi-account/README.md)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
+- [Full list of checks and groups](/LIST_OF_CHECKS_AND_GROUPS.md)
+- [License](#license)
 
 ## Description
 
-Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the [CIS Amazon Web Services Foundations Benchmark 1.1 ](https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf)
+Prowler is a command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
+
+It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.
+
+Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
 
 ## Features
 
-It covers hardening and security best practices for all AWS regions related to:
++150 checks covering security best practices across all AWS regions and most of AWS services and related to the next groups:
 
-- Identity and Access Management (24 checks)
-- Logging (8 checks)
-- Monitoring (15 checks)
-- Networking (5 checks)
-- Extras (22 checks) *see Extras section*
-- Forensics related group of checks
-
-For a comprehesive list and resolution look at the guide on the link above.
+- Identity and Access Management [group1]
+- Logging  [group2]
+- Monitoring [group3]
+- Networking [group4]
+- CIS Level 1 [cislevel1]
+- CIS Level 2 [cislevel2]
+- Extras *see Extras section* [extras]
+- Forensics related group of checks [forensics-ready]
+- GDPR [gdpr] Read more [here](#gdpr-checks)
+- HIPAA [hipaa] Read more [here](#hipaa-checks)
+- Trust Boundaries [trustboundaries] Read more [here](#trustboundaries-checks)
+- Secrets 
+- PCI-DSS
+- ISO-27001
+- Internet exposed resources
+- EKS-CIS
+- FFIEC
+- SOC2
+- ENS (Esquema Nacional de Seguridad of Spain)
 
 With Prowler you can:
-- get a colourish or monochrome report
-- a CSV format report for diff
-- run specific checks without having to run the entire report
-- check multiple AWS accounts in parallel
 
-## Requirements
-This script has been written in bash using AWS-CLI and it works in Linux and OSX.
+- get a direct colorful or monochrome report 
+- a HTML, CSV, JUNIT, JSON or JSON ASFF format report
+- send findings directly to Security Hub
+- run specific checks and groups or create your own
+- check multiple AWS accounts in parallel or sequentially
+- and more! Read examples below
 
-- Make sure your AWS-CLI is installed on your workstation, with Python pip already installed:
-```
-pip install awscli
-```
-Or install it using "brew", "apt", "yum" or manually from https://aws.amazon.com/cli/
+## Requirements and Installation
+
+Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
+
+- Make sure the latest version of AWS-CLI is installed on your workstation (it works with either v1 or v2), and other components needed, with Python pip already installed:
+
+    ```sh
+    pip install awscli detect-secrets
+    ```
+
+    AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from <https://aws.amazon.com/cli/>, but `detect-secrets` has to be installed using `pip`. You will need to install `jq` to get the most from Prowler.
+
+- Make sure jq is installed (example below with "apt" but use a valid package manager for your OS):
+
+    ```sh
+    sudo apt install jq
+    ```
 
 - Previous steps, from your workstation:
-```
-git clone https://github.com/Alfresco/prowler
-cd prowler
-```
 
-- Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
-```
-aws configure
-```
+    ```sh
+    git clone https://github.com/toniblyx/prowler
+    cd prowler
+    ```
 
-- Make sure your Secret and Access Keys are associated to a user with proper permissions to do all checks. To make sure add SecurityAuditor default policy to your user. Policy ARN is
+- Since Prowler users AWS CLI under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence). Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or intance profile):
 
-```
-arn:aws:iam::aws:policy/SecurityAudit
-```
-> In some cases you may need more list or get permissions in some services, look at the Troubleshooting section for a more comprehensive policy if you find issues with the default SecurityAudit policy.
+    ```sh
+    aws configure
+    ```
+
+    or
+
+    ```sh
+    export AWS_ACCESS_KEY_ID="ASXXXXXXX"
+    export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
+    export AWS_SESSION_TOKEN="XXXXXXXXX"
+    ```
+
+- Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the AWS managed policies, SecurityAudit and ViewOnlyAccess, to the user or role being used.  Policy ARNs are:
+
+    ```sh
+    arn:aws:iam::aws:policy/SecurityAudit
+    arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
+    ```
+
+    > Additional permissions needed: to make sure Prowler can scan all services included in the group *Extras*, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/toniblyx/prowler/blob/master/iam/prowler-additions-policy.json) to the role you are using. If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/toniblyx/prowler/blob/master/iam/prowler-security-hub.json).
 
 ## Usage
 
-1 - Run the prowler.sh command without options (it will use your environment variable credentials if exist or default in ~/.aws/credentials file and run checks over all regions when needed, default region is us-east-1):
+1. Run the `prowler` command without options (it will use your environment variable credentials if they exist or will default to using the `~/.aws/credentials` file and run checks over all regions when needed. The default region is us-east-1):
 
-```
-./prowler
-```
+    ```sh
+    ./prowler
+    ```
 
-2 - For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
+    Use `-l` to list all available checks and the groups (sections) that reference them. To list all groups use `-L` and to list content of a group use `-l -g <groupname>`.
 
-```
-./prowler -p custom-profile -r us-east-1
-```
+    If you want to avoid installing dependencies run it using Docker:
 
-3 - For a single check use option -c:
+    ```sh
+    docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest
+    ```
 
-```
-./prowler -c check310
-```
-or for custom profile and region
-```
-./prowler -p custom-profile -r us-east-1 -c check11
-```
-or for a group of checks use group name:
-```
-./prowler -c check3
-```
+1. For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
 
-Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
+    ```sh
+    ./prowler -p custom-profile -r us-east-1
+    ```
 
-4 - If you want to save your report for later analysis:
-```
-./prowler > prowler-report.txt
-```
-or if you want a colored HTML report do:
-```
-pip install ansi2html
-./prowler | ansi2html -la > report.html
-```
-or if you want a pipe-delimited report file, do:
-```
-./prowler -M csv > output.psv
-```
+1. For a single check use option `-c`:
 
-5 - To perform an assessment based on CIS Profile Definitions you can use level1 or level2 with `-c` flag, more information about this [here, page 8](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf):
-```
-./prowler -c level1
-```
+    ```sh
+    ./prowler -c check310
+    ```
 
-6 - If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`):
+    With Docker:
 
-```
-grep -E '^\[([0-9A-Aa-z_-]+)\]'  ~/.aws/credentials | tr -d '][' | shuf |  \
-xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv  2> /dev/null  >> all-accounts.csv
-```
+    ```sh
+    docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest "-c check310"
+    ```
 
-7 - For help use:
+    or multiple checks separated by comma:
 
-```
-./prowler -h
+    ```sh
+    ./prowler -c check310,check722
+    ```
 
-USAGE:
-      prowler -p <profile> -r <region> [ -h ]
-  Options:
-      -p <profile>        specify your AWS profile to use (i.e.: default)
-      -r <region>         specify an AWS region to direct API requests to
-                            (i.e.: us-east-1), all regions are checked anyway
-      -c <check_id>       specify a check number or group from the AWS CIS benchmark
-                            (i.e.: "check11" for check 1.1, "check3" for entire section 3, "level1" for CIS Level 1 Profile Definitions or "forensics-ready")
-      -f <filterregion>   specify an AWS region to run checks against
-                            (i.e.: us-west-1)
-      -m <maxitems>       specify the maximum number of items to return for long-running requests (default: 100)
-      -M <mode>           output mode: text (defalut), mono, csv (separator is ","; data is on stdout; progress on stderr)
-      -k                  keep the credential report
-      -n                  show check numbers to sort easier
-                            (i.e.: 1.01 instead of 1.1)
-      -l                  list all available checks only (does not perform any check)
-      -e                  exclude extras
-      -h                  this help
+    or all checks but some of them:
 
-```
-## Fix:
- Check your report and fix the issues following all specific guidelines per check in https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf
+    ```sh
+    ./prowler -E check42,check43
+    ```
+
+    or for custom profile and region:
+
+    ```sh
+    ./prowler -p custom-profile -r us-east-1 -c check11
+    ```
+
+    or for a group of checks use group name:
+
+    ```sh
+    ./prowler -g group1 # for iam related checks
+    ```
+
+    or exclude some checks in the group:
+
+    ```sh
+    ./prowler -g group4 -E check42,check43
+    ```
+
+    Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
 
 ## Screenshots
 
 - Sample screenshot of report first lines:
- <img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
 
-- Sample screnshot of single check for check 3.3:
-<img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
+    <img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
+
+- Sample screenshot of single check for check 3.3:
+
+    <img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
+
+- Sample screenshot of the html output `-M html`:
+    <img width="1006" alt="Prowler html" src="https://user-images.githubusercontent.com/3985464/82838608-0229ce80-9ecd-11ea-860c-468f66aa2790.png">
+
+### Save your reports
+
+1. If you want to save your report for later analysis thare are different ways, natively (supported text, mono, csv, json, json-asff, junit-xml and html, see note below for more info):
+
+    ```sh
+    ./prowler -M csv
+    ```
+
+    or with multiple formats at the same time:
+
+    ```sh
+    ./prowler -M csv,json,json-asff,html
+    ```
+
+    or just a group of checks in multiple formats:
+
+    ```sh
+    ./prowler -g gdpr -M csv,json,json-asff
+    ```
+
+    or if you want a sorted and dynamic HTML report do:
+
+    ```sh
+    ./prowler -M html
+    ```
+
+    Now `-M` creates a file inside the prowler `output` directory named `prowler-output-AWSACCOUNTID-YYYYMMDDHHMMSS.format`. You don't have to specify anything else, no pipes, no redirects.
+
+    or just saving the output to a file like below:
+
+    ```sh
+    ./prowler -M mono > prowler-report.txt
+    ```
+
+    To generate JUnit report files, include the junit-xml format. This can be combined with any other format. Files are written inside a prowler root directory named `junit-reports`:
+
+    ```sh
+    ./prowler -M text,junit-xml
+    ```
+
+    >Note about output formats to use with `-M`: "text" is the default one with colors, "mono" is like default one but monochrome, "csv" is comma separated values, "json" plain basic json (without comma between lines) and "json-asff" is also json with Amazon Security Finding Format that you can ship to Security Hub using `-S`.
+
+    or save your report in an S3 bucket (this only works for text or mono. For csv, json or json-asff it has to be copied afterwards):
+
+    ```sh
+    ./prowler -M mono | aws s3 cp - s3://bucket-name/prowler-report.txt
+    ```
+
+    When generating multiple formats and running using Docker, to retrieve the reports, bind a local directory to the container, e.g.:
+
+    ```sh
+    docker run -ti --rm --name prowler --volume "$(pwd)":/prowler/output --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest -M csv,json
+    ```
+
+1. To perform an assessment based on CIS Profile Definitions you can use cislevel1 or cislevel2 with `-g` flag, more information about this [here, page 8](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf):
+
+    ```sh
+    ./prowler -g cislevel1
+    ```
+
+1. If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`) but you may want to read below in Advanced Usage section to do so assuming a role:
+
+    ```sh
+    grep -E '^\[([0-9A-Aa-z_-]+)\]'  ~/.aws/credentials | tr -d '][' | shuf |  \
+    xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv  2> /dev/null  >> all-accounts.csv
+    ```
+
+1. For help about usage run:
+
+    ```
+    ./prowler -h
+    ```
+
+## Advanced Usage
+
+### Assume Role:
+
+Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account. To create a role to assume in multiple accounts easier eather as CFN Stack or StackSet, look at [this CloudFormation template](iam/create_role_to_assume_cfn.yaml) and adapt it.
+
+```sh
+./prowler -A 123456789012 -R ProwlerRole
+```
+
+```sh
+./prowler -A 123456789012 -R ProwlerRole -I 123456
+```
+
+> *NOTE 1 about Session Duration*: By default it gets credentials valid for 1 hour (3600 seconds). Depending on the mount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T <seconds>`  to allow up to 12h (43200 seconds). To allow more than 1h you need to modify *"Maximum CLI/API session duration"* for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
+
+> *NOTE 2 about Session Duration*: Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
+
+For example, if you want to get only the fails in CSV format from all checks regarding RDS without banner from the AWS Account 123456789012 assuming the role RemoteRoleToAssume and set a fixed session duration of 1h:
+
+```sh
+./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -b -M cvs -q -g rds
+```
+or with a given External ID:
+```sh
+./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -I 123456 -b -M cvs -q -g rds
+```
+
+### Assume Role and across all accounts in AWS Organizations or just a list of accounts:
+
+If you want to run Prowler or just a check or a group across all accounts of AWS Organizations you can do this:
+
+First get a list of accounts that are not suspended:
+```
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text)
+```
+Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check:
+```
+for accountId in $ACCOUNTS_IN_ORGS; do ./prowler -A $accountId -R RemoteRoleToAssume -c extra79; done
+```
+Usig the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'`
+
+### GovCloud
+
+Prowler runs in GovCloud regions as well. To make sure it points to the right API endpoint use `-r` to either `us-gov-west-1` or `us-gov-east-1`. If not filter region is used it will look for resources in both GovCloud regions by default:
+```
+./prowler -r us-gov-west-1
+```
+> For Security Hub integration see below in Security Hub section.
+
+### Custom folder for custom checks
+
+Flag `-x /my/own/checks` will include any check in that particular directory. To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
+
+### Show or log only FAILs
+
+In order to remove noise and get only FAIL findings there is a `-q` flag that makes Prowler to show and log only FAILs. It can be combined with any other option.
+
+```sh
+./prowler -q -M csv -b
+```
+
+### Set the entropy limit for detect-secrets
+
+Sets the entropy limit for high entropy base64 strings from environment variable `BASE64_LIMIT`. Value must be between 0.0 and 8.0, defaults is 4.5.
+Sets the entropy limit for high entropy hex strings from environment variable `HEX_LIMIT`. Value must be between 0.0 and 8.0, defaults is 3.0.
+
+```sh
+export BASE64_LIMIT=4.5
+export HEX_LIMIT=3.0
+```
+
+## Security Hub integration
+
+Since October 30th 2020 (version v2.3RC5), Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free. 
+
+Before sending findings to Prowler, you need to perform next steps:
+1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
+    - `aws securityhub enable-security-hub --region <region>`.
+2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
+    - `aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler` (change region also inside the ARN).
+    - Using the AWS Management Console:
+    ![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
+3. As mentioned in section "Custom IAM Policy", to allow Prowler to import its findings to AWS Security Hub you need to add the policy below to the role or user running Prowler:
+    - [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
+
+Once it is enabled, it is as simple as running the command below (for all regions):
+
+```sh
+./prowler -M json-asff -S
+```
+or for only one filtered region like eu-west-1:
+```sh
+./prowler -M json-asff -q -S -f eu-west-1
+```
+> Note 1: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command. 
+
+> Note 2: Since Prowler perform checks to all regions by defaults you may need to filter by region when runing Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs).
+
+> Note 3: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
+
+Once you run findings for first time you will be able to see Prowler findings in Findings section:
+
+![Screenshot 2020-10-29 at 10 29 05 PM](https://user-images.githubusercontent.com/3985464/97634676-66c9f600-1a36-11eb-9341-70feb06f6331.png)
+
+### Security Hub in GovCloud regions
+
+To use Prowler and Security Hub integration in GovCloud there is an additional requirement, usage of `-r` is needed to point the API queries to the right API endpoint. Here is a sample command that sends only failed findings to Security Hub in region `us-gov-west-1`:
+```
+./prowler -r us-gov-west-1 -f us-gov-west-1 -S -M csv,json-asff -q
+```
+
+### Security Hub in China regions
+
+To use Prowler and Security Hub integration in China regions there is an additional requirement, usage of `-r` is needed to point the API queries to the right API endpoint. Here is a sample command that sends only failed findings to Security Hub in region `cn-north-1`:
+```
+./prowler -r cn-north-1 -f cn-north-1 -q -S -M csv,json-asff
+```
+
+## CodeBuild deployment
+
+Either to run Prowler once or based on a schedule this template makes it pretty straight forward. This template will create a CodeBuild environment and run Prowler directly leaving all reports in a bucket and creating a report also inside CodeBuild basedon the JUnit output from Prowler. Scheduling can be cron based like `cron(0 22 * * ? *)` or rate based like `rate(5 hours)` since CloudWatch Event rules (or Eventbridge) is used here.
+
+The Cloud Formation template that helps you doing that is [here](https://github.com/toniblyx/prowler/blob/master/util/codebuild/codebuild-prowler-audit-account-cfn.yaml). 
+
+> This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md).
+
+## Whitelist or allowlist or remove a fail from resources
+
+Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command:
+
+```
+./prowler -w whitelist_sample.txt
+```
+
+Whitelist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
+
+## How to fix every FAIL
+
+Check your report and fix the issues following all specific guidelines per check in <https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf>
 
 ## Troubleshooting
 
 ### STS expired token
+
 If you are using an STS token for AWS-CLI and your session is expired you probably get this error:
 
-```
+```sh
 A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
 ```
-To fix it, please renew your token by authenticating again to the AWS API.
+
+To fix it, please renew your token by authenticating again to the AWS API, see next section below if you use MFA.
+
+### Run Prowler with MFA protected credentials
+
+To run Prowler using a profile that requires MFA you just need to get the session token before hand. Just make sure you use this command:
+
+```sh
+aws --profile <YOUR_AWS_PROFILE> sts get-session-token --duration 129600 --serial-number <ARN_OF_MFA> --token-code <MFA_TOKEN_CODE> --output text
+```
+
+Once you get your token you can export it as environment variable:
+
+```sh
+export AWS_PROFILE=YOUR_AWS_PROFILE
+export AWS_SESSION_TOKEN=YOUR_NEW_TOKEN
+AWS_SECRET_ACCESS_KEY=YOUR_SECRET
+export AWS_ACCESS_KEY_ID=YOUR_KEY
+```
+
+or set manually up your `~/.aws/credentials` file properly.
+
+There are some helpfull tools to save time in this process like [aws-mfa-script](https://github.com/asagage/aws-mfa-script) or [aws-cli-mfa](https://github.com/sweharris/aws-cli-mfa).
+
+### AWS Managed IAM Policies
+
+[ViewOnlyAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_view-only-user)
+- Use case: This user can view a list of AWS resources and basic metadata in the account across all services. The user cannot read resource content or metadata that goes beyond the quota and list information for resources.
+- Policy description: This policy grants List*, Describe*, Get*, View*, and Lookup* access to resources for most AWS services. To see what actions this policy includes for each service, see [ViewOnlyAccess Permissions](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/ViewOnlyAccess)
+
+[SecurityAudit](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor)
+- Use case: This user monitors accounts for compliance with security requirements. This user can access logs and events to investigate potential security breaches or potential malicious activity.
+- Policy description: This policy grants permissions to view configuration data for many AWS services and to review their logs. To see what actions this policy includes for each service, see [SecurityAudit Permissions](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/SecurityAudit)
 
 ### Custom IAM Policy
-Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list, not change!) here you go a good example for a "ProwlerPolicyReadOnly":
 
-```
-{
-    "Version": "2012-10-17",
-    "Statement": [{
-        "Action": [
-            "acm:describecertificate",
-            "acm:listcertificates",
-            "autoscaling:describe*",
-            "cloudformation:describestack*",
-            "cloudformation:getstackpolicy",
-            "cloudformation:gettemplate",
-            "cloudformation:liststack*",
-            "cloudfront:get*",
-            "cloudfront:list*",
-            "cloudtrail:describetrails",
-            "cloudtrail:gettrailstatus",
-            "cloudtrail:listtags",
-            "cloudwatch:describe*",
-            "cloudwatchlogs:describeloggroups",
-            "cloudwatchlogs:describemetricfilters",
-            "codecommit:batchgetrepositories",
-            "codecommit:getbranch",
-            "codecommit:getobjectidentifier",
-            "codecommit:getrepository",
-            "codecommit:list*",
-            "codedeploy:batch*",
-            "codedeploy:get*",
-            "codedeploy:list*",
-            "config:deliver*",
-            "config:describe*",
-            "config:get*",
-            "datapipeline:describeobjects",
-            "datapipeline:describepipelines",
-            "datapipeline:evaluateexpression",
-            "datapipeline:getpipelinedefinition",
-            "datapipeline:listpipelines",
-            "datapipeline:queryobjects",
-            "datapipeline:validatepipelinedefinition",
-            "directconnect:describe*",
-            "dynamodb:listtables",
-            "ec2:describe*",
-            "ecs:describe*",
-            "ecs:list*",
-            "elasticache:describe*",
-            "elasticbeanstalk:describe*",
-            "elasticloadbalancing:describe*",
-            "elasticmapreduce:describejobflows",
-            "elasticmapreduce:listclusters",
-            "es:describeelasticsearchdomainconfig",
-            "es:listdomainnames",
-            "firehose:describe*",
-            "firehose:list*",
-            "glacier:listvaults",
-            "iam:generatecredentialreport",
-            "iam:get*",
-            "iam:list*",
-            "kms:describe*",
-            "kms:get*",
-            "kms:list*",
-            "lambda:getpolicy",
-            "lambda:listfunctions",
-            "logs:DescribeMetricFilters",
-            "rds:describe*",
-            "rds:downloaddblogfileportion",
-            "rds:listtagsforresource",
-            "redshift:describe*",
-            "route53:getchange",
-            "route53:getcheckeripranges",
-            "route53:getgeolocation",
-            "route53:gethealthcheck",
-            "route53:gethealthcheckcount",
-            "route53:gethealthchecklastfailurereason",
-            "route53:gethostedzone",
-            "route53:gethostedzonecount",
-            "route53:getreusabledelegationset",
-            "route53:listgeolocations",
-            "route53:listhealthchecks",
-            "route53:listhostedzones",
-            "route53:listhostedzonesbyname",
-            "route53:listresourcerecordsets",
-            "route53:listreusabledelegationsets",
-            "route53:listtagsforresource",
-            "route53:listtagsforresources",
-            "route53domains:getdomaindetail",
-            "route53domains:getoperationdetail",
-            "route53domains:listdomains",
-            "route53domains:listoperations",
-            "route53domains:listtagsfordomain",
-            "s3:getbucket*",
-            "s3:getlifecycleconfiguration",
-            "s3:getobjectacl",
-            "s3:getobjectversionacl",
-            "s3:listallmybuckets",
-            "sdb:domainmetadata",
-            "sdb:listdomains",
-            "ses:getidentitydkimattributes",
-            "ses:getidentityverificationattributes",
-            "ses:listidentities",
-            "ses:listverifiedemailaddresses",
-            "ses:sendemail",
-            "sns:gettopicattributes",
-            "sns:listsubscriptionsbytopic",
-            "sns:listtopics",
-            "sqs:getqueueattributes",
-            "sqs:listqueues",
-            "tag:getresources",
-            "tag:gettagkeys"
-        ],
-        "Effect": "Allow",
-        "Resource": "*"
-    }]
-}
-```
+[Prowler-Additions-Policy](iam/prowler-additions-policy.json)
 
-### Incremental IAM Policy
+Some new and specific checks require Prowler to inherit more permissions than SecurityAudit and ViewOnlyAccess to work properly. In addition to the AWS managed policies, "SecurityAudit" and "ViewOnlyAccess", the user/role you use for checks may need to be granted a custom policy with a few more read-only permissions (to support additional services mostly). Here is an example policy with the additional rights, "Prowler-Additions-Policy" (see below bootstrap script for set it up):
 
-Alternatively, here is a policy which defines the permissions which are NOT present in the AWS Managed SecurityAudit policy. Attach both this policy and the AWS Managed SecurityAudit policy to the group and you're good to go.  
+- [iam/prowler-additions-policy.json](iam/prowler-additions-policy.json)
 
-```
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "acm:DescribeCertificate",
-        "acm:ListCertificates",
-        "cloudwatchlogs:describeLogGroups",
-        "cloudwatchlogs:DescribeMetricFilters",
-        "es:DescribeElasticsearchDomainConfig",
-        "ses:GetIdentityVerificationAttributes",
-        "sns:ListSubscriptionsByTopic"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-```
+[Prowler-Security-Hub Policy](iam/prowler-security-hub.json)
+
+Allows Prowler to import its findings to [AWS Security Hub](https://aws.amazon.com/security-hub). More information in [Security Hub integration](#security-hub-integration):
+
+- [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
 
 ### Bootstrap Script
 
-Quick bash script to set up a "prowler" IAM user and "SecurityAudit" group with the required permissions. To run the script below, you need user with administrative permissions; set the AWS_DEFAULT_PROFILE to use that account.
+Quick bash script to set up a "prowler" IAM user with "SecurityAudit" and "ViewOnlyAccess" group with the required permissions (including "Prowler-Additions-Policy"). To run the script below, you need user with administrative permissions; set the `AWS_DEFAULT_PROFILE` to use that account:
 
-```
+```sh
 export AWS_DEFAULT_PROFILE=default
 export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
-aws iam create-group --group-name SecurityAudit
-aws iam create-policy --policy-name ProwlerAuditAdditions --policy-document file://$(pwd)/prowler-policy-additions.json
-aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
-aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerAuditAdditions
+aws iam create-group --group-name Prowler
+aws iam create-policy --policy-name Prowler-Additions-Policy --policy-document file://$(pwd)/iam/prowler-additions-policy.json
+aws iam attach-group-policy --group-name Prowler --policy-arn arn:aws:iam::aws:policy/SecurityAudit
+aws iam attach-group-policy --group-name Prowler --policy-arn arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
+aws iam attach-group-policy --group-name Prowler --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/Prowler-Additions-Policy
 aws iam create-user --user-name prowler
-aws iam add-user-to-group --user-name prowler --group-name SecurityAudit
+aws iam add-user-to-group --user-name prowler --group-name Prowler
 aws iam create-access-key --user-name prowler
 unset ACCOUNT_ID AWS_DEFAULT_PROFILE
 ```
 
-The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown.  If you loose it, you will need to generate a replacement.
+The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with Prowler. This is the only time they secret key will be shown.  If you lose it, you will need to generate a replacement.
+
+> [This CloudFormation template](iam/create_role_to_assume_cfn.yaml) may also help you on that task.
 
 ## Extras
+
 We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
 
-Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
+Some of these checks look for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
 
-At this moment we have 22 extra checks:
+To list all existing checks in the extras group run the command below:
 
-- 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
-- 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
-- 7.3 (`extra73`) Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
-- 7.4 (`extra74`) Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)
-- 7.5 (`extra75`) Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)
-- 7.6 (`extra76`) Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
-- 7.7 (`extra77`) Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
-- 7.8 (`extra78`) Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
-- 7.9 (`extra79`) Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
-- 7.10 (`extra710`) Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
-- 7.11 (`extra711`) Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
-- 7.12 (`extra712`) Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
-- 7.13 (`extra713`) Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
-- 7.14 (`extra714`) Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.15 (`extra715`) Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.16 (`extra716`) Check if Elasticsearch Service domains allow open access (Not Scored) (Not part of CIS benchmark)
-- 7.17 (`extra717`) Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.18 (`extra718`) Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.19 (`extra719`) Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
-- 7.20 (`extra720`) Check if Lambda functions are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
-- 7.21 (`extra721`) Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.22 (`extra722`) Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
+```sh
+./prowler -l -g extras
+```
 
+>There are some checks not included in that list, they are experimental or checks that takes long to run like `extra759` and `extra760` (search for secrets in Lambda function variables and code).
 
 To check all extras in one command:
+
+```sh
+./prowler -g extras
 ```
-./prowler -c extras
-```
+
 or to run just one of the checks:
-```
+
+```sh
 ./prowler -c extraNUMBER
 ```
 
+or to run multiple extras in one go:
+
+```sh
+./prowler -c extraNumber,extraNumber
+```
+
+
 ## Forensics Ready Checks
 
-With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded and collected for an eventual digital forensic investigation in case of incident. List of checks part of this group:
-- 2.1  Ensure CloudTrail is enabled in all regions (Scored)
-- 2.2  Ensure CloudTrail log file validation is enabled (Scored)
-- 2.3  Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
-- 2.4  Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
-- 2.5  Ensure AWS Config is enabled in all regions (Scored)
-- 2.6  Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
-- 2.7  Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
-- 4.3  Ensure VPC Flow Logging is Enabled in all VPCs (Scored)
-- 7.12  Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
-- 7.13  Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
-- 7.14  Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.15  Check if Elasticsearch Service domains have logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.17  Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.18  Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.19  Check if Route53 hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
-- 7.20  Check if Lambda functions are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
-- 7.21  Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
-- 7.22  Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
+With this group of checks, Prowler looks if each service with logging or audit capabilities has them enabled to ensure all needed evidences are recorded and collected for an eventual digital forensic investigation in case of incident. List of checks part of this group (you can also see all groups with `./prowler -L`). The list of checks can be seen in the group file at:
+
+[groups/group8_forensics](groups/group8_forensics)
 
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
+
+```sh
+./prowler -g forensics-ready
 ```
-./prowler -c forensics-ready
+
+## GDPR Checks
+
+With this group of checks, Prowler shows result of checks related to GDPR, more information [here](https://github.com/toniblyx/prowler/issues/189). The list of checks can be seen in the group file at:
+
+[groups/group9_gdpr](groups/group9_gdpr)
+
+The `gdpr` group of checks uses existing and extra checks. To get a GDPR report, run this command:
+
+```sh
+./prowler -g gdpr
 ```
 
+## HIPAA Checks
+
+With this group of checks, Prowler shows results of controls related to the "Security Rule" of the Health Insurance Portability and Accountability Act aka [HIPAA](https://www.hhs.gov/hipaa/for-professionals/security/index.html) as defined in [45 CFR Subpart C - Security Standards for the Protection of Electronic Protected Health Information](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) within [PART 160 - GENERAL ADMINISTRATIVE REQUIREMENTS](https://www.law.cornell.edu/cfr/text/45/part-160) and [Subpart A](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-A) and [Subpart C](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) of PART 164 - SECURITY AND PRIVACY
+
+More information on the original PR is [here](https://github.com/toniblyx/prowler/issues/227).
+
+### Note on Business Associate Addendum's (BAA)
+
+Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates. The Business Associate Addendum (BAA) is an AWS contract that is required under HIPAA rules to ensure that AWS appropriately safeguards protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by AWS, based on the relationship between AWS and our customers, and the activities or services being performed by AWS. Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services defined in the Business Associate Addendum (BAA). For the latest list of HIPAA-eligible AWS services, see [HIPAA Eligible Services Reference](https://aws.amazon.com/compliance/hipaa-eligible-services-reference/).
+
+More information on AWS & HIPAA can be found [here](https://aws.amazon.com/compliance/hipaa-compliance/)
+
+The list of checks showed by this group is as follows, they will be mostly relevant for Subsections [164.306 Security standards: General rules](https://www.law.cornell.edu/cfr/text/45/164.306) and [164.312 Technical safeguards](https://www.law.cornell.edu/cfr/text/45/164.312). Prowler is only able to make checks in the spirit of the technical requirements outlined in these Subsections, and cannot cover all procedural controls required. They be found in the group file at:
+
+[groups/group10_hipaa](groups/group10_hipaa)
+
+The `hipaa` group of checks uses existing and extra checks. To get a HIPAA report, run this command:
+
+```sh
+./prowler -g hipaa
+```
+
+## Trust Boundaries Checks
+
+### Definition and Terms
+
+The term "trust boundary" is originating from the threat modelling process and the most popular contributor Adam Shostack and author of "Threat Modeling: Designing for Security" defines it as following ([reference](https://adam.shostack.org/uncover.html)):
+
+> Trust boundaries are perhaps the most subjective of all: these represent the border between trusted and untrusted elements. Trust is complex. You might trust your mechanic with your car, your dentist with your teeth, and your banker with your money, but you probably don't trust your dentist to change your spark plugs.
+
+AWS is made to be flexible for service links within and between different AWS accounts, we all know that.
+
+This group of checks helps to analyse a particular AWS account (subject) on existing links to other AWS accounts across various AWS services, in order to identify untrusted links.
+
+### Run
+To give it a quick shot just call:
+
+```sh
+./prowler -g trustboundaries
+```
+
+### Scenarios
+
+Currently this check group supports two different scenarios:
+
+1. Single account environment: no action required, the configuration is happening automatically for you.
+2. Multi account environment: in case you environment has multiple trusted and known AWS accounts you maybe want to append them manually to [groups/group16_trustboundaries](groups/group16_trustboundaries) as a space separated list into `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable, then just run prowler.
+
+### Coverage
+
+Current coverage of Amazon Web Service (AWS) taken from [here](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html):
+| Topic                           | Service    | Trust Boundary                                                            |
+|---------------------------------|------------|---------------------------------------------------------------------------|
+| Networking and Content Delivery | Amazon VPC | VPC endpoints connections ([extra786](checks/check_extra786))             |
+|                                 |            | VPC endpoints whitelisted principals ([extra787](checks/check_extra787))  |
+
+All ideas or recommendations to extend this group are very welcome [here](https://github.com/toniblyx/prowler/issues/new/choose).
+
+### Detailed Explanation of the Concept
+
+The diagrams depict two common scenarios, single account and multi account environments.
+Every circle represents one AWS account.
+The dashed line represents the trust boundary, that separates trust and untrusted AWS accounts.
+The arrow simply describes the direction of the trust, however the data can potentially flow in both directions.
+
+Single Account environment assumes that only the AWS account subject to this analysis is trusted. However there is a chance that two VPCs are existing within that one AWS account which are still trusted as a self reference.
+![single-account-environment](/docs/images/prowler-single-account-environment.png)
+
+Multi Account environments assumes a minimum of two trusted or known accounts. For this particular example all trusted and known accounts will be tested. Therefore `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable in [groups/group16_trustboundaries](groups/group16_trustboundaries) should include all trusted accounts Account #A, Account #B, Account #C, and Account #D in order to finally raise Account #E and Account #F for being untrusted or unknown.
+![multi-account-environment](/docs/images/prowler-multi-account-environment.png)
+
 ## Add Custom Checks
 
-In order to add any new check feel free to create a new extra check in the extras section. To do so, you will need to follow these steps:
+In order to add any new check feel free to create a new extra check in the extras group or other group. To do so, you will need to follow these steps:
 
-1. use any existing extra check as reference
-2. add `ID7N` and `TITLE7N`, where N is a new check number part of the extras section (7) around line 361 `# List of checks IDs and Titles`
-3. add your new extra check function name at `callCheck` function (around line 1817) and below in that case inside extras option (around line 1853)
-4. finally add it in `# List only check tittles` around line 1930
-5. save changes and run it as ./prowler -c extraNN
-6. send me a pull request! :)
+1. Follow structure in file `checks/check_sample`
+2. Name your check with a number part of an existing group or a new one
+3. Save changes and run it as `./prowler -c extraNN`
+4. Send me a pull request! :)
+
+## Add Custom Groups
+
+1. Follow structure in file `groups/groupN_sample`
+1. Name your group with a non existing number
+1. Save changes and run it as `./prowler -g extraNN`
+1. Send me a pull request! :)
+
+- You can also create a group with only the checks that you want to perform in your company, for instance a group named `group9_mycompany` with only the list of checks that you care or your particular compliance applies.
 
 ## Third Party Integrations
 
 ### Telegram
-Javier Pecete has done an awesome job integrating Prowler with Telegram, you have more details here https://github.com/i4specete/ServerTelegramBot
+
+Javier Pecete has done an awesome job integrating Prowler with Telegram, you have more details here <https://github.com/i4specete/ServerTelegramBot>
+
 ### Cloud Security Suite
-The guys of SecurityFTW have added Prowler in their Cloud Security Suite along with other cool security tools https://github.com/SecurityFTW/cs-suite
+
+The guys of SecurityFTW have added Prowler in their Cloud Security Suite along with other cool security tools <https://github.com/SecurityFTW/cs-suite>
+
+## License
+
+Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
+<http://www.apache.org/licenses/LICENSE-2.0>
+
+**I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
+
+If you want to contact me visit <https://blyx.com/contact> or follow me on Twitter <https://twitter.com/toniblyx> my DMs are open.

checks/check11

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check11="1.1"
+CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)"
+CHECK_SCORED_check11="SCORED"
+CHECK_TYPE_check11="LEVEL1"
+CHECK_SEVERITY_check11="High"
+CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check101="check11"
+
+check11(){
+  # "Avoid the use of the root account (Scored)."
+  MAX_DAYS=-1
+  last_login_dates=$(cat $TEMP_REPORT_FILE | awk -F, '{ print $1,$5,$11,$16 }' | grep '<root_account>' | cut -d' ' -f2,3,4)
+
+  failures=0
+  for date in $last_login_dates; do
+    if [[ ${date%T*} =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]];then
+      days_not_in_use=$(how_many_days_from_today ${date%T*})
+      if [ "$days_not_in_use" -gt "$MAX_DAYS" ];then
+          failures=1
+          textFail "Root user in the account was last accessed ${MAX_DAYS#-} day ago"
+          break
+      fi
+    fi
+  done
+
+  if [[ $failures == 0 ]]; then
+      textPass "Root user in the account wasn't accessed in the last ${MAX_DAYS#-} days"
+  fi
+}

checks/check110

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check110="1.10"
+CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
+CHECK_SCORED_check110="SCORED"
+CHECK_TYPE_check110="LEVEL1"
+CHECK_SEVERITY_check110="Medium"
+CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check110="check110"
+
+check110(){
+  # "Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
+  COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
+  if [[ $COMMAND110 ]];then
+    if [[ $COMMAND110 -gt "23" ]];then
+      textPass "Password Policy limits reuse"
+    else
+      textFail "Password Policy has weak reuse requirement (lower than 24)"
+    fi
+  else
+    textFail "Password Policy missing reuse requirement"
+  fi
+}

checks/check111

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check111="1.11"
+CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
+CHECK_SCORED_check111="SCORED"
+CHECK_TYPE_check111="LEVEL1"
+CHECK_SEVERITY_check111="Medium"
+CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check111="check111"
+
+check111(){
+  # "Ensure IAM password policy expires passwords within 90 days or less (Scored)"
+  COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query PasswordPolicy.MaxPasswordAge --output text 2> /dev/null)
+  if [[ $COMMAND111 == [0-9]* ]];then
+    if [[ "$COMMAND111" -le "90" ]];then
+      textPass "Password Policy includes expiration (Value: $COMMAND111)"
+    else
+      textFail "Password expiration is set greater than 90 days"
+    fi
+  else
+    textFail "Password expiration is not set"
+  fi
+}

checks/check112

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check112="1.12"
+CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
+CHECK_SCORED_check112="SCORED"
+CHECK_TYPE_check112="LEVEL1"
+CHECK_SEVERITY_check112="Critical"
+CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check112="check112"
+
+check112(){
+  # "Ensure no root account access key exists (Scored)"
+  # ensure the access_key_1_active and access_key_2_active fields are set to FALSE.
+  ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
+  ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
+  if [ "$ROOTKEY1" == "false" ];then
+    textPass "No access key 1 found for root"
+  else
+    textFail "Found access key 1 for root"
+  fi
+  if [ "$ROOTKEY2" == "false" ];then
+    textPass "No access key 2 found for root"
+  else
+    textFail "Found access key 2 for root"
+  fi
+}

checks/check113

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check113="1.13"
+CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
+CHECK_SCORED_check113="SCORED"
+CHECK_TYPE_check113="LEVEL1"
+CHECK_SEVERITY_check113="Critical"
+CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check113="check113"
+
+check113(){
+  # "Ensure MFA is enabled for the root account (Scored)"
+  COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
+  if [ "$COMMAND113" == "1" ]; then
+    textPass "Virtual MFA is enabled for root"
+  else
+    textFail "MFA is not ENABLED for root account"
+  fi
+}

checks/check114

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check114="1.14"
+CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
+CHECK_SCORED_check114="SCORED"
+CHECK_TYPE_check114="LEVEL2"
+CHECK_SEVERITY_check114="Critical"
+CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check114="check114"
+
+check114(){
+  # "Ensure hardware MFA is enabled for the root account (Scored)"
+  COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
+  if [ "$COMMAND113" == "1" ]; then
+    COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep "^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$")
+    if [[ "$COMMAND114" ]]; then
+      textFail "Only Virtual MFA is enabled for root"
+    else
+      textPass "Hardware MFA is enabled for root"
+    fi
+  else
+    textFail "MFA is not ENABLED for root account"
+  fi
+}

checks/check115

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check115="1.15"
+CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
+CHECK_SCORED_check115="NOT_SCORED"
+CHECK_TYPE_check115="LEVEL1"
+CHECK_SEVERITY_check115="Medium"
+CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check115="check115"
+
+check115(){
+  # "Ensure security questions are registered in the AWS account (Not Scored)"
+  textInfo "No command available for check 1.15 "
+  textInfo "Login to the AWS Console as root & click on the Account "
+  textInfo "Name -> My Account -> Configure Security Challenge Questions "
+}

checks/check116

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check116="1.16"
+CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
+CHECK_SCORED_check116="SCORED"
+CHECK_TYPE_check116="LEVEL1"
+CHECK_SEVERITY_check116="Low"
+CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
+CHECK_ALTERNATE_check116="check116"
+CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"
+
+check116(){
+  # "Ensure IAM policies are attached only to groups or roles (Scored)"
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  C116_NUM_USERS=0
+  for user in $LIST_USERS;do
+    USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
+    if [[ $USER_POLICY ]]; then
+      textFail "$user has managed policy directly attached"
+      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
+    fi
+    USER_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
+    if [[ $USER_POLICY ]]; then
+      textFail "$user has inline policy directly attached"
+      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
+    fi
+  done
+  if [[ $C116_NUM_USERS -eq 0 ]]; then
+    textPass "No policies attached to users"
+  fi
+}

checks/check117

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check117="1.17"
+CHECK_TITLE_check117="[check117] Maintain current contact details (Not Scored)"
+CHECK_SCORED_check117="NOT_SCORED"
+CHECK_TYPE_check117="LEVEL1"
+CHECK_SEVERITY_check117="Medium"
+CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check117="check117"
+
+check117(){
+  # "Maintain current contact details (Scored)"
+  # No command available
+  textInfo "No command available for check 1.17 "
+  textInfo "See section 1.17 on the CIS Benchmark guide for details "
+}

checks/check118

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check118="1.18"
+CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Not Scored)"
+CHECK_SCORED_check118="NOT_SCORED"
+CHECK_TYPE_check118="LEVEL1"
+CHECK_SEVERITY_check118="Medium"
+CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check118="check118"
+
+check118(){
+  # "Ensure security contact information is registered (Scored)"
+  # No command available
+  textInfo "No command available for check 1.18 "
+  textInfo "See section 1.18 on the CIS Benchmark guide for details "
+}

checks/check119

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check119="1.19"
+CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
+CHECK_SCORED_check119="NOT_SCORED"
+CHECK_TYPE_check119="LEVEL2"
+CHECK_SEVERITY_check119="Medium"
+CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
+CHECK_ALTERNATE_check119="check119"
+
+check119(){
+  for regx in $REGIONS; do
+    EC2_DATA=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn, State.Name]' --output json)
+    EC2_DATA=$(echo $EC2_DATA | jq '.[]|{InstanceId: .[0], ProfileArn: .[1], StateName: .[2]}')
+    INSTANCE_LIST=$(echo $EC2_DATA | jq -r '.InstanceId')
+    if [[ $INSTANCE_LIST ]]; then
+      for instance in $INSTANCE_LIST; do
+        STATE_NAME=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.StateName')
+        if [[ $STATE_NAME != "terminated" && $STATE_NAME != "shutting-down" ]]; then
+          PROFILEARN=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.ProfileArn')
+          if [[ $PROFILEARN == "null" ]]; then
+            textFail "$regx: Instance $instance not associated with an instance role" $regx
+          else
+            textPass "$regx: Instance $instance associated with role ${PROFILEARN##*/}" $regx
+          fi
+        fi
+      done
+    else
+      textInfo "$regx: No EC2 instances found" $regx
+    fi
+  done
+}

checks/check12

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check12="1.2"
+CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
+CHECK_SCORED_check12="SCORED"
+CHECK_TYPE_check12="LEVEL1"
+CHECK_SEVERITY_check12="High"
+CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
+CHECK_ALTERNATE_check102="check12"
+CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
+
+check12(){
+  # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
+  # List users with password enabled
+  COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }')
+  COMMAND12=$(
+    for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
+      cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
+    done)
+    if [[ $COMMAND12 ]]; then
+      for u in $COMMAND12; do
+        textFail "User $u has Password enabled but MFA disabled"
+      done
+    else
+      textPass "No users found with Password enabled and MFA disabled"
+    fi
+}

checks/check120

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check120="1.20"
+CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+CHECK_SCORED_check120="SCORED"
+CHECK_TYPE_check120="LEVEL1"
+CHECK_SEVERITY_check120="Medium"
+CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
+CHECK_ALTERNATE_check120="check120"
+CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
+
+check120(){
+  # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+  SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
+  if [[ $SUPPORTPOLICYARN ]];then
+    for policyarn in $SUPPORTPOLICYARN;do
+      POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output text | awk -F$'\t' '{ print $3 }')
+      if [[ $POLICYROLES ]];then
+        for name in $POLICYROLES; do
+          textPass "Support Policy attached to $name"
+        done
+        # for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
+        #   textInfo "User $user has support access via $policyarn"
+        # done
+      else
+        textFail "Support Policy not applied to any Role"
+      fi
+    done
+  else
+    textFail "No Support Policy found"
+  fi
+}

checks/check121

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check121="1.21"
+CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
+CHECK_SCORED_check121="NOT_SCORED"
+CHECK_TYPE_check121="LEVEL1"
+CHECK_SEVERITY_check121="Medium"
+CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
+CHECK_ALTERNATE_check121="check121"
+CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
+
+check121(){
+  # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  # List of USERS with KEY1 last_used_date as N/A
+  LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
+  # List of USERS with KEY1 active, last_used_date as N/A and have a console password
+  LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$9 }'|grep "true true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
+  if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
+    for user in $LIST_USERS_KEY1_ACTIVE; do
+      textFail "User $user has never used access key 1"
+    done
+  else
+    textPass "No users found with access key 1 never used"
+  fi
+  # List of USERS with KEY2 last_used_date as N/A
+  LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
+  # List of USERS with KEY2 active, last_used_date as N/A and have a console password
+  LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$14 }'|grep "true true$" |awk '{ print $1 }' ; done)
+  if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
+    for user in $LIST_USERS_KEY2_ACTIVE; do
+      textFail "User $user has never used access key 2"
+    done
+  else
+    textPass "No users found with access key 2 never used"
+  fi
+}

checks/check122

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check122="1.22"
+CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
+CHECK_SCORED_check122="SCORED"
+CHECK_TYPE_check122="LEVEL1"
+CHECK_SEVERITY_check122="Medium"
+CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
+CHECK_ALTERNATE_check122="check122"
+
+check122(){
+  # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
+  LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
+  if [[ $LIST_CUSTOM_POLICIES ]]; then
+    textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
+    for policy in $LIST_CUSTOM_POLICIES; do
+      POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
+      POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
+      POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
+      if [[ $POLICY_WITH_FULL ]]; then
+        POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
+      fi
+    done
+    if [[ $POLICIES_ALLOW_LIST ]]; then
+      textInfo "List of custom policies: "
+      for policy in $POLICIES_ALLOW_LIST; do
+        textFail "Policy $policy allows \"*:*\""
+      done
+    else
+        textPass "No custom policy found that allow full \"*:*\" administrative privileges"
+    fi
+  else
+    textPass "No custom policies found"
+  fi
+}

checks/check13

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check13="1.3"
+CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
+CHECK_SCORED_check13="SCORED"
+CHECK_TYPE_check13="LEVEL1"
+CHECK_SEVERITY_check13="Medium"
+CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
+CHECK_ALTERNATE_check103="check13"
+CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4"
+
+check13(){
+  check_creds_used_in_last_days 90
+}

checks/check14

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check14="1.4"
+CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
+CHECK_SCORED_check14="SCORED"
+CHECK_TYPE_check14="LEVEL1"
+CHECK_SEVERITY_check14="Medium"
+CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
+CHECK_ALTERNATE_check104="check14"
+CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3"
+
+check14(){
+  # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
+  LIST_OF_USERS_WITH_ACCESS_KEY1=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9 }' |grep "\ true" | awk '{ print $1 }')
+  LIST_OF_USERS_WITH_ACCESS_KEY2=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $14 }' |grep "\ true" | awk '{ print $1 }')
+  C14_NUM_USERS1=0
+  C14_NUM_USERS2=0
+    if [[ $LIST_OF_USERS_WITH_ACCESS_KEY1 ]]; then
+      # textFail "Users with access key 1 older than 90 days:"
+      for user in $LIST_OF_USERS_WITH_ACCESS_KEY1; do
+        # check access key 1
+        DATEROTATED1=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $10 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
+        HOWOLDER=$(how_older_from_today $DATEROTATED1)
+
+        if [ $HOWOLDER -gt "90" ];then
+          textFail "$user has not rotated access key 1 in over 90 days"
+          C14_NUM_USERS1=$(expr $C14_NUM_USERS1 + 1)
+        fi
+      done
+      if [[ $C14_NUM_USERS1 -eq 0 ]]; then
+        textPass "No users with access key 1 older than 90 days"
+      fi
+    else
+      textPass "No users with access key 1"
+    fi
+
+    if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
+      # textFail "Users with access key 2 older than 90 days:"
+      for user in $LIST_OF_USERS_WITH_ACCESS_KEY2; do
+        # check access key 2
+        DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $15 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
+        HOWOLDER=$(how_older_from_today $DATEROTATED2)
+        if [ $HOWOLDER -gt "90" ];then
+          textFail "$user has not rotated access key 2 in over 90 days"
+          C14_NUM_USERS2=$(expr $C14_NUM_USERS2 + 1)
+        fi
+      done
+      if [[ $C14_NUM_USERS2 -eq 0 ]]; then
+        textPass "No users with access key 2 older than 90 days"
+      fi
+    else
+      textPass "No users with access key 2"
+    fi
+}

checks/check15

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check15="1.5"
+CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
+CHECK_SCORED_check15="SCORED"
+CHECK_TYPE_check15="LEVEL1"
+CHECK_SEVERITY_check15="Medium"
+CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check105="check15"
+
+check15(){
+  # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
+  COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
+  if [[ "$COMMAND15" == "true" ]];then
+    textPass "Password Policy requires upper case"
+  else
+    textFail "Password Policy missing upper-case requirement"
+  fi
+}

checks/check16

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check16="1.6"
+CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
+CHECK_SCORED_check16="SCORED"
+CHECK_TYPE_check16="LEVEL1"
+CHECK_SEVERITY_check16="medium"
+CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check106="check16"
+
+check16(){
+  # "Ensure IAM password policy require at least one lowercase letter (Scored)"
+  COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
+  if [[ "$COMMAND16" == "true" ]];then
+    textPass "Password Policy requires lower case"
+  else
+    textFail "Password Policy missing lower-case requirement"
+  fi
+}

checks/check17

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check17="1.7"
+CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
+CHECK_SCORED_check17="SCORED"
+CHECK_TYPE_check17="LEVEL1"
+CHECK_SEVERITY_check17="Medium"
+CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check107="check17"
+
+check17(){
+  # "Ensure IAM password policy require at least one symbol (Scored)"
+  COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
+  if [[ "$COMMAND17" == "true" ]];then
+    textPass "Password Policy requires symbol"
+  else
+    textFail "Password Policy missing symbol requirement"
+  fi
+}

checks/check18

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check18="1.8"
+CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
+CHECK_SCORED_check18="SCORED"
+CHECK_TYPE_check18="LEVEL1"
+CHECK_SEVERITY_check18="Medium"
+CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check108="check18"
+
+check18(){
+  # "Ensure IAM password policy require at least one number (Scored)"
+  COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
+  if [[ "$COMMAND18" == "true" ]];then
+    textPass "Password Policy requires number"
+  else
+    textFail "Password Policy missing number requirement"
+  fi
+}

checks/check19

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check19="1.9"
+CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
+CHECK_SCORED_check19="SCORED"
+CHECK_TYPE_check19="LEVEL1"
+CHECK_SEVERITY_check19="Medium"
+CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check109="check19"
+
+check19(){
+  # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
+  COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
+  if [[ $COMMAND19 -gt "13" ]];then
+    textPass "Password Policy requires more than 13 characters"
+  else
+    textFail "Password Policy missing or weak length requirement"
+  fi
+}

checks/check21

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check21="2.1"
+CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
+CHECK_SCORED_check21="SCORED"
+CHECK_TYPE_check21="LEVEL1"
+CHECK_SEVERITY_check21="High"
+CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check201="check21"
+CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1"
+
+check21(){
+  trail_count=0
+  # "Ensure CloudTrail is enabled in all regions (Scored)"
+	for regx in $REGIONS; do
+		LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].Name' --output text --no-include-shadow-trails)
+		if [[ $LIST_OF_TRAILS ]];then
+			for trail in $LIST_OF_TRAILS;do
+				trail_count=$((trail_count + 1))
+				MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
+				if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then
+					textFail "$trail trail in $regx is not enabled in multi region mode"
+				else
+					textPass "$trail trail in $regx is enabled for all regions"
+				fi
+			done
+		fi
+	done
+
+	if [[ $trail_count == 0 ]]; then
+	  ORG_TRAIL=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region us-east-1 | jq '.trailList[] | select(.IsMultiRegionTrail and .IsOrganizationTrail) | .Name' | sed 's/"//g')
+	  if [[ $ORG_TRAIL != "" ]]; then
+      textPass "$ORG_TRAIL trail in $regx is enabled for all regions"
+    else
+      textFail "No CloudTrail trails were found in the account"
+    fi
+  fi
+}

checks/check22

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check22="2.2"
+CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
+CHECK_SCORED_check22="SCORED"
+CHECK_TYPE_check22="LEVEL2"
+CHECK_SEVERITY_check22="Medium"
+CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check202="check22"
+CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"
+
+check22(){
+  # "Ensure CloudTrail log file validation is enabled (Scored)"
+
+	for regx in $REGIONS; do
+	LIST_OF_TRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].Name' --output text --no-include-shadow-trails)
+	if [[ $LIST_OF_TRAILS ]];then
+		for trail in $LIST_OF_TRAILS;do
+		LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
+		if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then
+			textFail "$trail trail in $regx has not log file validation enabled"
+		else
+			textPass "$trail trail in $regx has log file validation enabled"
+		fi
+		done
+	fi
+	done
+}

checks/check23

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check23="2.3"
+CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
+CHECK_SCORED_check23="SCORED"
+CHECK_TYPE_check23="LEVEL1"
+CHECK_SEVERITY_check23="Critical"
+CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
+CHECK_ALTERNATE_check203="check23"
+CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4"
+
+check23(){
+  # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
+  CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails --query 'trailList[*].S3BucketName' --output text $PROFILE_OPT --region $REGION)
+  if [[ $CLOUDTRAILBUCKET ]]; then
+    for bucket in $CLOUDTRAILBUCKET;do
+      CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' $PROFILE_OPT --region $REGION --output text 2>&1)
+      if [[ $(echo "$CLOUDTRAILBUCKET_HASALLPERMISIONS" | grep AccessDenied) ]]; then
+        textInfo "Access Denied Trying to Get Bucket Acl for $bucket"
+        continue
+      fi
+      if [[ $CLOUDTRAILBUCKET_HASALLPERMISIONS ]]; then
+        textFail "check your $bucket CloudTrail bucket ACL and Policy!"
+      else
+        textPass "Bucket $bucket is set correctly"
+      fi
+    done
+  else
+    textFail "No CloudTrail bucket found!"
+  fi
+}

checks/check24

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check24="2.4"
+CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
+CHECK_SCORED_check24="SCORED"
+CHECK_TYPE_check24="LEVEL1"
+CHECK_SEVERITY_check24="Low"
+CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check204="check24"
+CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"
+
+check24(){
+  # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
+  TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].{Name:Name, HomeRegion:HomeRegion}' --output text | tr "	" ',')
+  if [[ $TRAILS_AND_REGIONS ]];then
+    for reg_trail in $TRAILS_AND_REGIONS;do
+      trail=$(echo $reg_trail | cut -d',' -f2)
+      TRAIL_REGION=$(echo $reg_trail | cut -d',' -f1)
+      LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
+      if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
+        textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+      else
+        LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
+        HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
+        if [ $HOWOLDER -gt "1" ];then
+          textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+        else
+          textPass "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
+        fi
+      fi
+    done
+  else
+    textFail "No CloudTrail trails found!"
+  fi
+}

checks/check25

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check25="2.5"
+CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
+CHECK_SCORED_check25="SCORED"
+CHECK_TYPE_check25="LEVEL1"
+CHECK_SEVERITY_check25="Medium"
+CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ALTERNATE_check205="check25"
+CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"
+
+check25(){
+  # "Ensure AWS Config is enabled in all regions (Scored)"
+  for regx in $REGIONS; do
+    CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice get-status $PROFILE_OPT --region $regx --output json| grep "recorder: ON")
+    if [[ $CHECK_AWSCONFIG_STATUS ]];then
+      textPass "Region $regx has AWS Config recorder: ON" "$regx"
+    else
+      textFail "Region $regx has AWS Config disabled or not configured" "$regx"
+    fi
+  done
+}

checks/check26

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check26="2.6"
+CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
+CHECK_SCORED_check26="SCORED"
+CHECK_TYPE_check26="LEVEL1"
+CHECK_SEVERITY_check26="Medium"
+CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
+CHECK_ALTERNATE_check206="check26"
+
+check26(){
+  # "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
+
+  CLOUDTRAILS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].Name' --output text| tr '\011' '\012' | awk -F: '{print $1}')
+
+  if [[ $CLOUDTRAILS ]]; then
+    for trail in $CLOUDTRAILS; do
+      CLOUDTRAIL_ACCOUNT_ID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].TrailARN' --output text | tr '\011' '\012' | grep "$trail" | awk -F: '{ print $5 }'  | head -n 1)
+      CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].[Name, S3BucketName]' --output text  | tr '\011' ':' |  grep "$trail" | awk -F: '{ print $2 }' )
+
+      if [[ $CLOUDTRAILBUCKET ]]; then
+        bucket=$CLOUDTRAILBUCKET
+        if [ "$CLOUDTRAIL_ACCOUNT_ID" == "$ACCOUNT_NUM" ]; then
+          CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --region $REGION --query 'LoggingEnabled.TargetBucket' 2>&1)
+          if [[ $(echo "$CLOUDTRAILBUCKET_LOGENABLED" | grep AccessDenied) ]]; then
+            textInfo "Access Denied Trying to Get Bucket Logging for $bucket"
+            continue
+          fi
+          if [[ $CLOUDTRAILBUCKET_LOGENABLED != "null" ]]; then
+            textPass "Bucket access logging enabled in CloudTrail S3 bucket $bucket for $trail"
+          else
+            textFail "Bucket access logging is not enabled in CloudTrail S3 bucket $bucket for $trail"
+          fi
+        else
+          textInfo "CloudTrail S3 bucket $bucket for trail $trail is not in current account"
+        fi
+      else
+        textFail "CloudTrail bucket not found!"
+      fi
+    done
+
+  else
+    textFail "No CloudWatch group found and no CloudTrail bucket"
+  fi
+}

checks/check27

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check27="2.7"
+CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
+CHECK_SCORED_check27="SCORED"
+CHECK_TYPE_check27="LEVEL2"
+CHECK_SEVERITY_check27="Medium"
+CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check207="check27"
+CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"
+
+check27(){
+  # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
+  $AWSCLI cloudtrail describe-trails --query 'trailList[].[Name,KmsKeyId]' --output text $PROFILE_OPT --region $REGION | while read trail key; do
+    if [[ "$trail" ]] ; then
+        if [[ "$key" != "None" ]] ; then
+            textPass "KMS key found for $trail"
+        else
+            textFail "Encryption is not enabled in your CloudTrail trail $trail (KMS key not found)!"
+        fi
+    else
+        textFail "CloudTrail bucket doesn't exist!"
+    fi
+  done
+}

checks/check28

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check28="2.8"
+CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)"
+CHECK_SCORED_check28="SCORED"
+CHECK_TYPE_check28="LEVEL2"
+CHECK_SEVERITY_check28="Medium"
+CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
+CHECK_ALTERNATE_check208="check28"
+
+check28(){
+  # "Ensure rotation for customer created CMKs is enabled (Scored)"
+  for regx in $REGIONS; do
+  CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId')
+    if [[ $CHECK_KMS_KEYLIST ]];then
+      CHECK_KMS_KEYLIST_NO_DEFAULT=$(
+        for key in $CHECK_KMS_KEYLIST; do
+          $AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,state:KeyState,man:KeyManager}' --output text|grep Enabled$|grep -v AWS| awk '{ print $1 }'
+        done )
+      if [[ $CHECK_KMS_KEYLIST_NO_DEFAULT ]]; then
+        for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do
+          CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
+            if [[ "$CHECK_KMS_KEY_TYPE" == "EXTERNAL" ]];then
+              textPass "$regx: Key $key in Region $regx Customer Uploaded Key Material" "$regx"
+            else
+              CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text)
+              if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
+                textPass "$regx: Key $key is set correctly" "$regx"
+              else
+                textFail "$regx: Key $key is not set to rotate!" "$regx"
+              fi
+            fi
+        done
+      else
+        textInfo "$regx: This region doesn't have CUSTOM encryption keys" "$regx"
+      fi
+    else
+      textInfo "$regx: This region doesn't have ANY encryption keys" "$regx"
+    fi
+  done
+}

checks/check29

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check29="2.9"
+CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+CHECK_SCORED_check29="SCORED"
+CHECK_TYPE_check29="LEVEL2"
+CHECK_SEVERITY_check29="Medium"
+CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
+CHECK_ALTERNATE_check209="check29"
+CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
+
+check29(){
+  # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+  for regx in $REGIONS; do
+    AVAILABLE_VPC=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[?State==`available`].VpcId' --output text)
+    for vpcx in $AVAILABLE_VPC; do
+      CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --filter Name="resource-id",Values="${vpcx}" --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].FlowLogId' --output text)
+      if [[ $CHECK_FL ]];then
+        for FL in $CHECK_FL;do
+          textPass "VPC $vpcx: VPCFlowLog is enabled for LogGroupName: $FL in Region $regx" "$regx"
+        done
+      else
+        textFail "VPC $vpcx: No VPCFlowLog has been found in Region $regx" "$regx"
+      fi
+    done
+  done
+}

checks/check31

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/MyCloudTrailLG \
+#     --filter-name AWSAuthorizationFailures \
+#     --filter-pattern '{ $.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*" }' \
+#     --metric-transformations metricName=AuthorizationFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name "Authorization Failures" \
+#     --alarm-description "Alarm triggered when unauthorized API calls are made" \
+#     --metric-name AuthorizationFailureCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check31="3.1"
+CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
+CHECK_SCORED_check31="SCORED"
+CHECK_TYPE_check31="LEVEL1"
+CHECK_SEVERITY_check31="Medium"
+CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check301="check31"
+CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
+
+check31(){
+  check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
+}

checks/check310

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name SecurityGroupConfigChanges \
+#     --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }' \
+#     --metric-transformations metricName=SecurityGroupEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name SecurityGroupConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS security group(s) config changes." \
+#     --metric-name SecurityGroupEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check310="3.10"
+CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
+CHECK_SCORED_check310="SCORED"
+CHECK_TYPE_check310="LEVEL2"
+CHECK_SEVERITY_check310="Medium"
+CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check310="check310"
+
+check310(){
+  check3x '\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
+}

checks/check311

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name NetworkACLConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }' \
+#     --metric-transformations metricName=NetworkAclEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name NetworkACLConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS Network ACL(s) config changes." \
+#     --metric-name NetworkAclEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check311="3.11"
+CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
+CHECK_SCORED_check311="SCORED"
+CHECK_TYPE_check311="LEVEL2"
+CHECK_SEVERITY_check311="Medium"
+CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check311="check311"
+
+check311(){
+  check3x '\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
+}

checks/check312

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name VPCGatewayConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' \
+#     --metric-transformations metricName=GatewayEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name VPCGatewayConfigChangesAlarm \
+#     --alarm-description "Triggered by VPC Customer/Internet Gateway changes." \
+#     --metric-name GatewayEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check312="3.12"
+CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
+CHECK_SCORED_check312="SCORED"
+CHECK_TYPE_check312="LEVEL1"
+CHECK_SEVERITY_check312="Medium"
+CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check312="check312"
+
+check312(){
+  check3x '\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
+}

checks/check313

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name RouteTableConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' \
+#     --metric-transformations metricName=RouteTableEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name RouteTableConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS Route Table config changes." \
+#     --metric-name RouteTableEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check313="3.13"
+CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
+CHECK_SCORED_check313="SCORED"
+CHECK_TYPE_check313="LEVEL1"
+CHECK_SEVERITY_check313="Medium"
+CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check313="check313"
+
+check313(){
+  check3x '\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
+}

checks/check314

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name VPCNetworkConfigChanges \
+#     --filter-pattern '{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }' \
+#     --metric-transformations metricName=VpcEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name VPCNetworkConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS VPC(s) environment config changes." \
+#     --metric-name VpcEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check314="3.14"
+CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
+CHECK_SCORED_check314="SCORED"
+CHECK_TYPE_check314="LEVEL1"
+CHECK_SEVERITY_check314="Medium"
+CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check314="check314"
+
+check314(){
+  check3x '\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink'
+}

checks/check32

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name ConsoleSignInWithoutMfaCount \
+#     --filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }' \
+#     --metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name ConsoleSignInWithoutMfaAlarm \
+#     --alarm-description "Triggered by sign-in requests made without MFA." \
+#     --metric-name ConsoleSignInWithoutMfaCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check32="3.2"
+CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
+CHECK_SCORED_check32="SCORED"
+CHECK_TYPE_check32="LEVEL1"
+CHECK_SEVERITY_check32="Medium"
+CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check302="check32"
+CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
+
+check32(){
+  check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
+}

checks/check33

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name RootAccountUsage \
+#     --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' \
+#     --metric-transformations metricName=RootAccountUsageEventCount,metricNamespace=CloudTrailMetrics,metricValue=1 \
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name RootAccountUsageAlarm \
+#     --alarm-description "Triggered by AWS Root Account usage." \
+#     --metric-name RootAccountUsageEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check33="3.3"
+CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
+CHECK_SCORED_check33="SCORED"
+CHECK_TYPE_check33="LEVEL1"
+CHECK_SEVERITY_check33="Medium"
+CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check303="check33"
+CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
+
+check33(){
+  check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
+}

checks/check34

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name IAMAuthConfigChanges \
+#     --filter-pattern '{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }' \
+#     --metric-transformations metricName=IAMPolicyEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name IAMAuthorizationActivityAlarm \
+#     --alarm-description "Triggered by AWS IAM authorization config changes." \
+#     --metric-name IAMPolicyEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check34="3.4"
+CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
+CHECK_SCORED_check34="SCORED"
+CHECK_TYPE_check34="LEVEL1"
+CHECK_SEVERITY_check34="Medium"
+CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check304="check34"
+CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
+
+check34(){
+  check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
+}

checks/check35

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/MyCloudTrailLG \
+#     --filter-name AWSCloudTrailChanges \
+#     --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' \
+#     --metric-transformations metricName=CloudTrailEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name "CloudTrail Changes" \
+#     --alarm-description "Triggered by AWS CloudTrail configuration changes." \
+#     --metric-name CloudTrailEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check35="3.5"
+CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
+CHECK_SCORED_check35="SCORED"
+CHECK_TYPE_check35="LEVEL1"
+CHECK_SEVERITY_check35="Medium"
+CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check305="check35"
+CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"
+
+check35(){
+  check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
+}

checks/check36

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/MyCloudTrailLG \
+#     --filter-name AWSConsoleSignInFailures \
+#     --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }' \
+#     --metric-transformations metricName=ConsoleSigninFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name "Console Sign-in Failures" \
+#     --alarm-description "AWS Management Console Sign-in Failure Alarm." \
+#     --metric-name ConsoleSigninFailureCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 3 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check36="3.6"
+CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
+CHECK_SCORED_check36="SCORED"
+CHECK_TYPE_check36="LEVEL2"
+CHECK_SEVERITY_check36="Medium"
+CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check306="check36"
+CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
+
+check36(){
+  check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
+}

checks/check37

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name AWSCMKChanges \
+#     --filter-pattern '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }' \
+#     --metric-transformations metricName=CMKEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name AWSCMKChangesAlarm \
+#     --alarm-description "Triggered by AWS CMK changes." \
+#     --metric-name CMKEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check37="3.7"
+CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
+CHECK_SCORED_check37="SCORED"
+CHECK_TYPE_check37="LEVEL2"
+CHECK_SEVERITY_check37="Medium"
+CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check307="check37"
+CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"
+
+check37(){
+  check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
+}

checks/check38

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name S3BucketConfigChanges \
+#     --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' \
+#     --metric-transformations metricName=S3BucketEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name S3BucketConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS S3 Bucket config changes." \
+#     --metric-name S3BucketEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check38="3.8"
+CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
+CHECK_SCORED_check38="SCORED"
+CHECK_TYPE_check38="LEVEL1"
+CHECK_SEVERITY_check38="Medium"
+CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check308="check38"
+
+check38(){
+  check3x '\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication'
+}

checks/check39

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+#
+# Remediation:
+#
+#   https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
+#
+#   aws logs put-metric-filter \
+#     --region us-east-1 \
+#     --log-group-name CloudTrail/CloudWatchLogGroup \
+#     --filter-name AWSConfigChanges \
+#     --filter-pattern '{ ($.eventSource = config.amazonaws.com) && (($.eventName = StopConfigurationRecorder)||($.eventName = DeleteDeliveryChannel)||($.eventName = PutDeliveryChannel)||($.eventName = PutConfigurationRecorder)) }' \
+#     --metric-transformations metricName=ConfigEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
+#
+#   aws cloudwatch put-metric-alarm \
+#     --region us-east-1 \
+#     --alarm-name AWSConfigChangesAlarm \
+#     --alarm-description "Triggered by AWS Config changes." \
+#     --metric-name ConfigEventCount \
+#     --namespace CloudTrailMetrics \
+#     --statistic Sum \
+#     --comparison-operator GreaterThanOrEqualToThreshold \
+#     --evaluation-periods 1 \
+#     --period 300 \
+#     --threshold 1 \
+#     --actions-enabled \
+#     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
+
+CHECK_ID_check39="3.9"
+CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
+CHECK_SCORED_check39="SCORED"
+CHECK_TYPE_check39="LEVEL2"
+CHECK_SEVERITY_check39="Medium"
+CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
+CHECK_ALTERNATE_check309="check39"
+
+check39(){
+  check3x '\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder'
+}

checks/check41

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check41="4.1"
+CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
+CHECK_SCORED_check41="SCORED"
+CHECK_TYPE_check41="LEVEL2"
+CHECK_SEVERITY_check41="High"
+CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
+CHECK_ALTERNATE_check401="check41"
+CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"
+
+check41(){
+  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
+  for regx in $REGIONS; do
+    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    if [[ $SG_LIST ]];then
+      for SG in $SG_LIST;do
+        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
+      done
+    else
+      textPass "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0" "$regx"
+    fi
+  done
+}

checks/check42

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check42="4.2"
+CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
+CHECK_SCORED_check42="SCORED"
+CHECK_TYPE_check42="LEVEL2"
+CHECK_SEVERITY_check42="High"
+CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
+CHECK_ALTERNATE_check402="check42"
+CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"
+
+check42(){
+  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
+  for regx in $REGIONS; do
+    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    if [[ $SG_LIST ]];then
+      for SG in $SG_LIST;do
+        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
+      done
+    else
+      textPass "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0" "$regx"
+    fi
+  done
+}

checks/check43

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check43="4.3"
+CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
+CHECK_SCORED_check43="SCORED"
+CHECK_TYPE_check43="LEVEL2"
+CHECK_SEVERITY_check43="Medium"
+CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
+CHECK_ALTERNATE_check403="check43"
+CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"
+
+check43(){
+  # "Ensure the default security group of every VPC restricts all traffic (Scored)"
+  for regx in $REGIONS; do
+    CHECK_SGDEFAULT_IDS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].GroupId[]' --output text)
+    for CHECK_SGDEFAULT_ID in $CHECK_SGDEFAULT_IDS; do
+      CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '0.0.0.0|\:\:\/0')
+      if [[ $CHECK_SGDEFAULT_ID_OPEN ]];then
+        textFail "Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
+      else
+        textPass "No Default Security Groups ($CHECK_SGDEFAULT_ID) open to 0.0.0.0 found in Region $regx" "$regx"
+      fi
+    done
+  done
+}

checks/check44

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+#
+# This Prowler check is licensed under a
+# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+#
+# You should have received a copy of the license along with this
+# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+
+CHECK_ID_check44="4.4"
+CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+CHECK_SCORED_check44="NOT_SCORED"
+CHECK_TYPE_check44="LEVEL2"
+CHECK_SEVERITY_check44="Medium"
+CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
+CHECK_ALTERNATE_check404="check44"
+
+check44(){
+  # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+  textInfo "Looking for VPC peering in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId'| sort | paste -s -d" " -)
+    if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
+      textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
+      #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
+      #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
+      # for vpc in $LIST_OF_VPCS; do
+      #   VPCS_WITH_PEERING=$($AWSCLI ec2 describe-route-tables --filter "Name=vpc-id,Values=$vpc" $PROFILE_OPT --region $regx --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" |grep GatewayId|grep pcx-)
+      # done
+      #echo $VPCS_WITH_PEERING
+    else
+      textPass "$regx: No VPC peering found" "$regx"
+    fi
+  done
+}

checks/check_extra71

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra71="7.1"
+CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra71="NOT_SCORED"
+CHECK_TYPE_extra71="EXTRA"
+CHECK_SEVERITY_extra71="High"
+CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
+CHECK_ALTERNATE_extra701="extra71"
+CHECK_ALTERNATE_check71="extra71"
+CHECK_ALTERNATE_check701="extra71"
+CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"
+
+extra71(){
+  # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+  ADMIN_GROUPS=''
+  AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --region $REGION --query 'Groups[].GroupName')
+  for grp in $AWS_GROUPS; do
+    # aws --profile onlinetraining iam list-attached-group-policies --group-name Administrators --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess'
+    # list-attached-group-policies
+    CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep  "arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess")
+    if [[ $CHECK_ADMIN_GROUP ]]; then
+      ADMIN_GROUPS="$ADMIN_GROUPS $grp"
+      textInfo "$grp group provides administrative access"
+      ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --region $REGION --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
+      for auser in $ADMIN_USERS; do
+        # users in group are Administrators
+        # users
+        # check for user MFA device in credential report
+        USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8)
+        if [[ "true" == $USER_MFA_ENABLED ]]; then
+          textPass "$auser / MFA Enabled / admin via group $grp"
+        else
+          textFail "$auser / MFA DISABLED / admin via group $grp"
+        fi
+      done
+    else
+      textInfo "$grp group provides non-administrative access"
+    fi
+  done
+}

checks/check_extra710

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra710="7.10"
+CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra710="NOT_SCORED"
+CHECK_TYPE_extra710="EXTRA"
+CHECK_SEVERITY_extra710="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
+CHECK_ALTERNATE_check710="extra710"
+CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"
+
+extra710(){
+  # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+  textInfo "Looking for instances in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
+    if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
+      while read -r instance;do
+        INSTANCE_ID=$(echo $instance | awk '{ print $1; }')
+        PUBLIC_IP=$(echo $instance | awk '{ print $2; }')
+        textFail "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx"
+      done <<< "$LIST_OF_PUBLIC_INSTANCES"
+      else
+        textPass "$regx: no Internet Facing EC2 Instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7100

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building
+# on the hard work of others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7100="7.100"
+CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
+CHECK_SCORED_extra7100="NOT_SCORED"
+CHECK_TYPE_extra7100="EXTRA"
+CHECK_SEVERITY_extra7100="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
+CHECK_ALTERNATE_check7100="extra7100"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
+
+extra7100(){
+  # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
+  #
+  # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
+  # This is most often seen as sts:assumeRole on *, but can take other forms.
+  #
+  # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
+  LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
+  if [[ $LIST_CUSTOM_POLICIES ]]; then
+    textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
+    for policy in $LIST_CUSTOM_POLICIES; do
+      POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
+      POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
+
+      POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \
+        --output json \
+        --policy-arn $POLICY_ARN \
+        --version-id $POLICY_VERSION \
+        --query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \
+        $PROFILE_OPT \
+        --region $REGION
+      )
+
+      # Identify permissive policies by:
+      #   1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string)
+      #   3) Iterate over the policy statements
+      #   4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity)
+      #   5) Narrow the scope to Resources (IAM Roles) which include a wildcard
+      POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \
+        | jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \
+        | jq 'map( .Action |= (if type=="array" then . else [.] end) )' \
+        | jq '.[]' \
+        | jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \
+        | jq 'select(.Resource[] | contains("*"))')
+
+      if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then
+        PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN"
+      fi
+
+    done
+    if [[ $PERMISSIVE_POLICIES_LIST ]]; then
+      textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
+      textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
+      for policy in $PERMISSIVE_POLICIES_LIST; do
+        textFail "Policy $policy allows permissive STS Role assumption"
+      done
+    else
+      textPass "No custom policies found that allow permissive STS Role assumption"
+    fi
+  else
+    textPass "No custom policies found"
+  fi
+}

checks/check_extra7101

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7101="7.101"
+CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
+CHECK_SCORED_extra7101="NOT_SCORED"
+CHECK_TYPE_extra7101="EXTRA"
+CHECK_SEVERITY_extra7101="Low"
+CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
+CHECK_ALTERNATE_check7101="extra7101"
+
+# More info 
+# Works for  Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled 
+# https://aws.amazon.com/about-aws/whats-new/2020/09/audit-logs-launch/
+# https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html
+
+# Remediation
+# aws es update-elasticsearch-domain-config --domain-name test1 --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-log-group,Enabled=true}" --region eu-west-1
+
+extra7101(){
+  for regx in $REGIONS; do
+    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+    if [[ $LIST_OF_DOMAINS ]]; then
+      for domain in $LIST_OF_DOMAINS;do
+        AUDIT_LOGS_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.AUDIT_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $AUDIT_LOGS_ENABLED ]];then
+          textPass "$regx: Amazon ES domain $domain AUDIT_LOGS enabled" "$regx"
+        else
+          textFail "$regx: Amazon ES domain $domain AUDIT_LOGS disabled!" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Amazon ES domain found" "$regx"
+    fi
+  done
+}

checks/check_extra7102

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7102="7.102"
+CHECK_TITLE_extra7102="[extra7102] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY)"
+CHECK_SCORED_extra7102="NOT_SCORED"
+CHECK_TYPE_extra7102="EXTRA"
+CHECK_SEVERITY_extra7102="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
+CHECK_ALTERNATE_check7102="extra7102"
+
+# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively 
+# your IP will be banned by Shodan
+
+# This is the right way to do so
+# curl -ks https://api.shodan.io/shodan/host/{ip}?key={YOUR_API_KEY}
+
+
+# Each finding will be saved in prowler/output folder for further review.
+
+extra7102(){
+  if [[ ! $SHODAN_API_KEY ]]; then
+    textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>"
+  else 
+    for regx in $REGIONS; do
+      LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-addresses --query 'Addresses[*].PublicIp' --output text)
+      if [[ $LIST_OF_EIP ]]; then
+        for ip in $LIST_OF_EIP;do
+          SHODAN_QUERY=$(curl -ks https://api.shodan.io/shodan/host/$ip?key=$SHODAN_API_KEY)
+	  # Shodan has a request rate limit of 1 request/second.
+          sleep 1
+          if [[ $SHODAN_QUERY == *"No information available for that IP"* ]]; then
+            textPass "$regx: IP $ip is not listed in Shodan" "$regx"
+          else
+            echo $SHODAN_QUERY > $OUTPUT_DIR/shodan-output-$ip.json
+            IP_SHODAN_INFO=$(cat $OUTPUT_DIR/shodan-output-$ip.json | jq -r '. | { ports: .ports, org: .org, country: .country_name }| @text' | tr -d \"\{\}\}\]\[ | tr , '\ ' )
+            textFail "$regx: IP $ip is listed in Shodan with data $IP_SHODAN_INFO. More info https://www.shodan.io/host/$ip and $OUTPUT_DIR/shodan-output-$ip.json" "$regx"
+          fi
+        done
+      else
+        textInfo "$regx: No Public or Elastic IPs found" "$regx"
+      fi
+    done
+  fi
+}

checks/check_extra7103

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+    
+CHECK_ID_extra7103="7.103"
+CHECK_TITLE_extra7103="[extra7103] Check if Amazon SageMaker Notebook instances have root access disabled"
+CHECK_SCORED_extra7103="NOT_SCORED"
+CHECK_TYPE_extra7103="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7103="extra7103"
+CHECK_SEVERITY_extra7103="Medium"
+
+extra7103(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_ROOTACCESS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'RootAccess' --output text)
+                if [[ "${SM_NB_ROOTACCESS}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has root access enabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has root access disabled" "${regx}"                    
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7104

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7104="7.104"
+CHECK_TITLE_extra7104="[extra7104] Check if Amazon SageMaker Notebook instances have VPC settings configured"
+CHECK_SCORED_extra7104="NOT_SCORED"
+CHECK_TYPE_extra7104="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7104="extra7104"
+CHECK_SEVERITY_extra7104="Medium"
+
+extra7104(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_SUBNETID=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'SubnetId' --output text)
+                if [[ "${SM_NB_SUBNETID}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has VPC settings disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance is in a VPC" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7105

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+	
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7105="7.105"
+CHECK_TITLE_extra7105="[extra7105] Check if Amazon SageMaker Models have network isolation enabled"
+CHECK_SCORED_extra7105="NOT_SCORED"
+CHECK_TYPE_extra7105="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
+CHECK_ALTERNATE_check7105="extra7105"
+CHECK_SEVERITY_extra7105="Medium"
+	
+extra7105(){
+	for regx in ${REGIONS}; do
+		LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+		if [[ $LIST_SM_NB_MODELS ]];then 
+			for nb_model_name in $LIST_SM_NB_MODELS; do
+				SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'EnableNetworkIsolation' --output text)
+				if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+					textFail "${regx}: SageMaker Model $nb_model_name has network isolation disabled" "${regx}"
+				else
+					textPass "${regx}: SageMaker Model $nb_model_name has network isolation enabled" "${regx}"
+				fi 
+			done
+		else 
+			textInfo "${regx}: No Sagemaker Models found" "${regx}"
+		fi 
+	done
+}
+		

checks/check_extra7106

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7106="7.106"
+CHECK_TITLE_extra7106="[extra7106] Check if Amazon SageMaker Models have VPC settings configured"
+CHECK_SCORED_extra7106="NOT_SCORED"
+CHECK_TYPE_extra7106="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
+CHECK_ALTERNATE_check7106="extra7106"
+CHECK_SEVERITY_extra7106="Medium"
+    
+extra7106(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+        if [[ $LIST_SM_NB_MODELS ]];then 
+            for nb_model_name in $LIST_SM_NB_MODELS; do
+                SM_NB_VPCCONFIG=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_VPCCONFIG == "None" ]]; then
+                    textFail "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings disabled" "${regx}"
+                else
+                    textPass "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Models found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7107

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7107="7.107"
+CHECK_TITLE_extra7107="[extra7107] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled"
+CHECK_SCORED_extra7107="NOT_SCORED"
+CHECK_TYPE_extra7107="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7107="extra7107"
+CHECK_SEVERITY_extra7107="Medium"
+    
+extra7107(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_INTERCONTAINERENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableInterContainerTrafficEncryption' --output text)
+                if [[ $SM_NB_INTERCONTAINERENCRYPTION == "False" ]]; then
+                    textFail "${regx}: SageMaker Training job $nb_job_name has intercontainer encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: SageMaker Training jobs $nb_job_name has intercontainer encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Training found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7108

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7108="7.108"
+CHECK_TITLE_extra7108="[extra7108] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled"
+CHECK_SCORED_extra7108="NOT_SCORED"
+CHECK_TYPE_extra7108="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7108="extra7108"
+CHECK_SEVERITY_extra7108="Medium"
+    
+extra7108(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_JOB_KMSENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'ResourceConfig.VolumeKmsKeyId' --output text)
+                if [[ "${SM_JOB_KMSENCRYPTION}" == "None" ]];then
+                    textFail "${regx}: Sagemaker Trainings job $nb_job_name has KMS encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Trainings job $nb_job_name has KSM encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7109

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7109="7.109"
+CHECK_TITLE_extra7109="[extra7109] Check if Amazon SageMaker Training jobs have network isolation enabled"
+CHECK_SCORED_extra7109="NOT_SCORED"
+CHECK_TYPE_extra7109="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7109="extra7109"
+CHECK_SEVERITY_extra7109="Medium"
+    
+extra7109(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableNetworkIsolation' --output text)
+                if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has network isolation disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has network isolation enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra711

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra711="7.11"
+CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra711="NOT_SCORED"
+CHECK_TYPE_extra711="EXTRA"
+CHECK_SEVERITY_extra711="High"
+CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
+CHECK_ALTERNATE_check711="extra711"
+
+extra711(){
+  # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
+  textInfo "Looking for Redshift clusters in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
+    if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then
+      while read -r cluster;do
+        CLUSTER_ID=$(echo $cluster | awk '{ print $1; }')
+        CLUSTER_ENDPOINT=$(echo $cluster | awk '{ print $2; }')
+        textFail "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx"
+      done <<< "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS"
+      else
+        textPass "$regx: no Publicly Accessible Redshift Clusters found" "$regx"
+    fi
+  done
+}

checks/check_extra7110

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7110="7.110"
+CHECK_TITLE_extra7110="[extra7110] Check if Amazon SageMaker Training job have VPC settings configured."
+CHECK_SCORED_extra7110="NOT_SCORED"
+CHECK_TYPE_extra7110="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7110="extra7110"
+CHECK_SEVERITY_extra7110="Medium"
+    
+extra7110(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_SUBNETS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_SUBNETS == "None" ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}
+	

checks/check_extra7111

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7111="7.111"
+CHECK_TITLE_extra7111="[extra7111] Check if Amazon SageMaker Notebook instances have direct internet access"
+CHECK_SCORED_extra7111="NOT_SCORED"
+CHECK_TYPE_extra7111="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7111="extra7111"
+CHECK_SEVERITY_extra7111="Medium"
+
+extra7111(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_DIRECTINET=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'DirectInternetAccess' --output text)
+                if [[ "${SM_NB_DIRECTINET}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access enabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access disabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7112

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7112="7.112"
+CHECK_TITLE_extra7112="[extra7112] Check if Amazon SageMaker Notebook instances have data encryption enabled"
+CHECK_SCORED_extra7112="NOT_SCORED"
+CHECK_TYPE_extra7112="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7112="extra7112"
+CHECK_SEVERITY_extra7112="Medium"
+
+extra7112(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_KMSKEY=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'KmsKeyId' --output text)
+                if [[ "${SM_NB_KMSKEY}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has data encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has data encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}

checks/check_extra7113

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7113="7.113"
+CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7113="NOT_SCORED"
+CHECK_TYPE_extra7113="EXTRA"
+CHECK_SEVERITY_extra7113="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
+CHECK_ALTERNATE_check7113="extra7113"
+
+extra7113(){
+  textInfo "Looking for RDS Volumes in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
+    if [[ $LIST_OF_RDS_INSTANCES ]];then
+      for rdsinstance in $LIST_OF_RDS_INSTANCES; do
+        IS_DELETIONPROTECTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].DeletionProtection' --output text)
+        if [[ $IS_DELETIONPROTECTION == "False" ]]; then
+          textFail "$regx: RDS instance $rdsinstance deletion protection is not enabled!" "$regx"
+        else
+          textPass "$regx: RDS instance $rdsinstance deletion protection is enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No RDS instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7114

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7114="7.114"
+CHECK_TITLE_extra7114="[extra7114] Check if Glue development endpoints have S3 encryption enabled."
+CHECK_SCORED_extra7114="NOT_SCORED"
+CHECK_TYPE_extra7114="EXTRA"
+CHECK_SEVERITY_extra7114="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
+CHECK_ALTERNATE_check7114="extra7114"
+
+extra7114(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
+          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}
+
+

checks/check_extra7115

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7115="7.115"
+CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection has SSL connection enabled."
+CHECK_SCORED_extra7115="NOT_SCORED"
+CHECK_TYPE_extra7115="EXTRA"
+CHECK_SEVERITY_extra7115="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
+CHECK_ALTERNATE_check7115="extra7115"
+
+extra7115(){
+  for regx in $REGIONS; do
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
+    if [[ $CONNECTION_LIST != '[]' ]]; then
+      for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
+          CONNECTION_NAME=$(echo $connection | base64 --decode   | jq -r '.Name' )
+          CONNECTION_SSL_STATE=$(echo $connection | base64 --decode  | jq -r '.SSL')
+          if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
+              textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled"  "$regx"
+          else 
+              textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled"  "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue connections" "$regx"
+    fi 
+  done     
+}

checks/check_extra7116

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7116="7.116"
+CHECK_TITLE_extra7116="[extra7116] Check if Glue data catalog settings have metadata encryption enabled."
+CHECK_SCORED_extra7116="NOT_SCORED"
+CHECK_TYPE_extra7116="EXTRA"
+CHECK_SEVERITY_extra7116="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
+CHECK_ALTERNATE_check7116="extra7116"
+
+extra7116(){
+  for regx in $REGIONS; do
+    TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx  --output text --query 'TableList[*]' )
+    if [[ ! -z $TABLE_LIST ]]; then
+      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
+      if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
+        textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
+      else
+        textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
+      fi
+    else
+      textInfo "$regx: Glue data catalog settings metadata encryption does not apply since there are no tables" "$regx"
+    fi
+  done
+}

checks/check_extra7117

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7117="7.117"
+CHECK_TITLE_extra7117="[extra7117] Check if Glue data catalog settings have encrypt connection password enabled."
+CHECK_SCORED_extra7117="NOT_SCORED"
+CHECK_TYPE_extra7117="EXTRA"
+CHECK_SEVERITY_extra7117="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
+CHECK_ALTERNATE_check7117="extra7117"
+
+extra7117(){
+  for regx in $REGIONS; do
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output text --query 'ConnectionList[*]')
+    if [[ ! -z $CONNECTION_LIST ]]; then
+      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
+      if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
+        textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
+      else
+        textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
+      fi
+    else
+      textInfo "$regx: Glue data catalog connection password encryption does not apply since there are no connections" "$regx"
+    fi
+  done
+}

checks/check_extra7118

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7118="7.118"
+CHECK_TITLE_extra7118="[extra7118] Check if Glue ETL Jobs have S3 encryption enabled."
+CHECK_SCORED_extra7118="NOT_SCORED"
+CHECK_TYPE_extra7118="EXTRA"
+CHECK_SEVERITY_extra7118="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
+CHECK_ALTERNATE_check7118="extra7118"
+
+extra7118(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
+            if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
+              if [[ ! -z "$JOB_ENCRYPTION" ]]; then
+                textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+              else 
+                textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+              fi 
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx"
+            fi
+          elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
+            textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+          else 
+            textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}

checks/check_extra7119

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7119="7.119"
+CHECK_TITLE_extra7119="[extra7119] Check if Glue development endpoints have CloudWatch logs encryption enabled."
+CHECK_SCORED_extra7119="NOT_SCORED"
+CHECK_TYPE_extra7119="EXTRA"
+CHECK_SEVERITY_extra7119="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
+CHECK_ALTERNATE_check7119="extra7119"
+
+extra7119(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
+          if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}

checks/check_extra712

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra712="7.12"
+CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra712="NOT_SCORED"
+CHECK_TYPE_extra712="EXTRA"
+CHECK_SEVERITY_extra712="Low"
+CHECK_ALTERNATE_check712="extra712"
+
+ extra712(){ 
+   textInfo "No API commands available to check if Macie is enabled," 
+   textInfo "just looking if IAM Macie related permissions exist.  " 
+   MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l) 
+   if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then 
+     textPass "Macie related IAM roles exist so it might be enabled. Check it out manually" 
+else
+     textFail "No Macie related IAM roles found. It is most likely not to be enabled" 
+fi
+}

checks/check_extra7120

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7120="7.120"
+CHECK_TITLE_extra7120="[extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled."
+CHECK_SCORED_extra7120="NOT_SCORED"
+CHECK_TYPE_extra7120="EXTRA"
+CHECK_SEVERITY_extra7120="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
+CHECK_ALTERNATE_check7120="extra7120"
+
+extra7120(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration  // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
+            if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}

checks/check_extra7121

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7121="7.121"
+CHECK_TITLE_extra7121="[extra7121] Check if Glue development endpoints have Job bookmark encryption enabled."
+CHECK_SCORED_extra7121="NOT_SCORED"
+CHECK_TYPE_extra7121="EXTRA"
+CHECK_SEVERITY_extra7121="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
+CHECK_ALTERNATE_check7121="extra7121"
+
+extra7121(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}
+
+

checks/check_extra7122

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7122="7.122"
+CHECK_TITLE_extra7122="[extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled."
+CHECK_SCORED_extra7122="NOT_SCORED"
+CHECK_TYPE_extra7122="EXTRA"
+CHECK_SEVERITY_extra7122="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
+CHECK_ALTERNATE_check7122="extra7122"
+
+extra7122(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode')
+            if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}

checks/check_extra7123

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7123="7.123"
+CHECK_TITLE_extra7123="[extra7123] Check if IAM users have two active access keys"
+CHECK_SCORED_extra7123="NOT_SCORED"
+CHECK_TYPE_extra7123="EXTRA"
+CHECK_SEVERITY_extra7123="Medium"
+CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
+CHECK_ALTERNATE_check7123="extra7123"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
+
+extra7123(){
+  LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
+  if [[ $LIST_OF_USERS_WITH_2ACCESS_KEYS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_OF_USERS_WITH_2ACCESS_KEYS; do
+      textFail "User $user has 2 active access keys" 
+    done
+  else
+    textPass "No users with 2 active access keys"
+  fi
+}

checks/check_extra7124

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7124="7.124"
+CHECK_TITLE_extra7124="[extra7124] Check if EC2 instances are managed by Systems Manager."
+CHECK_SCORED_extra7124="NOT_SCORED"
+CHECK_TYPE_extra7124="EXTRA"
+CHECK_SEVERITY_extra7124="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
+CHECK_ALTERNATE_check7124="extra7124"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1,ens-op.acc.4.aws.sys.1"
+
+extra7124(){
+  for regx in $REGIONS; do
+    # Filters running instances only 
+    LIST_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --query 'Reservations[*].Instances[*].[InstanceId]' --filters Name=instance-state-name,Values=running --region $regx --output text)
+    if [[ $LIST_EC2_INSTANCES ]]; then
+      LIST_SSM_MANAGED_INSTANCES=$($AWSCLI ssm describe-instance-information $PROFILE_OPT --query "InstanceInformationList[].InstanceId"  --region $regx | jq -r '.[]')
+      LIST_EC2_UNMANAGED=$(echo ${LIST_SSM_MANAGED_INSTANCES[@]} ${LIST_EC2_INSTANCES[@]} | tr ' ' '\n' | sort | uniq -u)
+      if [[ $LIST_EC2_UNMANAGED ]]; then
+        for instance in $LIST_EC2_UNMANAGED; do
+          textFail "$regx: EC2 instance $instance is not managed by Systems Manager" "$regx"
+        done
+      fi 
+      if [[ $LIST_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $LIST_SSM_MANAGED_INSTANCES; do 
+          textPass "$regx: EC2 instance $instance is managed by Systems Manager" "$regx"
+        done 
+      fi 
+    else 
+      textInfo "$regx: No EC2 instances running found" "$regx"
+    fi
+  done
+}

checks/check_extra7125

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7125="7.125"
+CHECK_TITLE_extra7125="[extra7125] Check if IAM users have Hardware MFA enabled."
+CHECK_SCORED_extra7125="NOT_SCORED"
+CHECK_TYPE_extra7125="EXTRA"
+CHECK_SEVERITY_extra7125="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
+CHECK_ALTERNATE_check7125="extra7125"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
+
+extra7125(){
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  if [[ $LIST_USERS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_USERS; do
+      # Would be virtual if sms-mfa or mfa, hardware is u2f or different.
+      MFA_TYPE=$($AWSCLI iam list-mfa-devices --user-name $user $PROFILE_OPT --region $REGION --query MFADevices[].SerialNumber --output text | awk -F':' '{ print $6 }'| awk -F'/' '{ print $1 }')
+      if [[ $MFA_TYPE == "mfa" || $MFA_TYPE == "sms-mfa" ]]; then 
+        textInfo "User $user has virtual MFA enabled" 
+      elif [[ $MFA_TYPE == "" ]]; then 
+        textFail "User $user has not hardware MFA enabled"
+      else 
+        textPass "User $user has hardware MFA enabled"
+      fi
+    done
+  else
+    textPass "No users found"
+  fi
+}

checks/check_extra7126

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7126="7.126"
+CHECK_TITLE_extra7126="[extra7126] Check if there are CMK KMS keys not used"
+CHECK_SCORED_extra7126="NOT_SCORED"
+CHECK_TYPE_extra7126="EXTRA"
+CHECK_SEVERITY_extra7126="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
+CHECK_ALTERNATE_check7126="extra7126"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
+
+extra7126(){
+  for regx in $REGIONS; do
+    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --output text |grep -v :alias/aws/ |awk '{ print $4 }')
+    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
+      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
+        CHECK_STATUS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output json | jq -r '.KeyMetadata.KeyState')
+        if [[ $CHECK_STATUS == "PendingDeletion" ]]; then
+          textInfo "$regx: KMS key $key is pending deletion" "$regx"
+        elif [[ $CHECK_STATUS == "Disabled"  ]]; then
+          textInfo "$regx: KMS key $key is disabled" "$regx"
+        else
+          textPass "$regx: KMS key $key is not disabled or pending deletion" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No KMS keys found" "$regx"
+    fi
+  done
+}

checks/check_extra7127

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7127="7.127"
+CHECK_TITLE_extra7127="[extra7127] Check if EC2 instances managed by Systems Manager are compliant with patching requirements"
+CHECK_SCORED_extra7127="NOT_SCORED"
+CHECK_TYPE_extra7127="EXTRA"
+CHECK_SEVERITY_extra7127="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7127="AwsEc2Instance"
+CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sys.1"
+CHECK_ALTERNATE_check7127="extra7127"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1,ens-op.exp.4.aws.sys.1"
+
+
+extra7127(){
+  for regx in $REGIONS; do
+    NON_COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=NON_COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES || $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+      if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $NON_COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textFail "$regx: EC2 managed instance $instance is non-compliant" "$regx"
+        done
+      fi
+      if [[ $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textPass "$regx: EC2 managed instance $instance is compliant" "$regx"
+        done
+      fi 
+    else 
+      textInfo "$regx: No EC2 managed instances found" "$regx"
+    fi
+  done
+}

checks/check_extra7128

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7128="7.128"
+CHECK_TITLE_extra7128="[extra7128] Check if DynamoDB table has encryption at rest enabled using CMK KMS"
+CHECK_SCORED_extra7128="NOT_SCORED"
+CHECK_TYPE_extra7128="EXTRA"
+CHECK_SEVERITY_extra7128="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
+CHECK_ALTERNATE_check7128="extra7128"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
+
+extra7128(){
+  for regx in $REGIONS; do
+    DDB_TABLES_LIST=$($AWSCLI dynamodb list-tables $PROFILE_OPT --region $regx --output text --query TableNames)
+    if [[ $DDB_TABLES_LIST ]]; then
+      for table in $DDB_TABLES_LIST; do
+          DDB_TABLE_WITH_KMS=$($AWSCLI dynamodb describe-table --table-name $table $PROFILE_OPT --region $regx --query Table.SSEDescription.SSEType --output text)
+          if [[ $DDB_TABLE_WITH_KMS == "KMS" ]]; then
+            textPass "$regx: DynamoDB table $table does have KMS encryption enabled" "$regx"
+          else
+            textInfo "$regx: DynamoDB table $table does have DEFAULT encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no DynamoDB tables" "$regx"
+    fi 
+  done
+}

checks/check_extra7129

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7129="7.129"
+CHECK_TITLE_extra7129="[extra7129] Check if Application Load Balancer has a WAF ACL attached"
+CHECK_SCORED_extra7129="NOT_SCORED"
+CHECK_TYPE_extra7129="EXTRA"
+CHECK_SEVERITY_extra7129="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
+CHECK_ALTERNATE_check7129="extra7129"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
+
+extra7129(){
+  for regx in $REGIONS; do
+    LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing` && Type == `application`].[LoadBalancerName]' --output text)
+    LIST_OF_WAFV2_WEBACL_ARN=$($AWSCLI wafv2 list-web-acls $PROFILE_OPT --region=$regx --scope=REGIONAL --query WebACLs[*].ARN --output text)
+    if [[ $LIST_OF_ELBSV2 ]]; then
+      for alb in $LIST_OF_ELBSV2; do
+        if [[ $LIST_OF_WAFV2_WEBACL_ARN ]]; then 
+          WAF_PROTECTED_ALBS=()
+          for wafaclarn in $LIST_OF_WAFV2_WEBACL_ARN; do
+            ALB_RESOURCES_IN_WEBACL=$($AWSCLI wafv2 list-resources-for-web-acl $PROFILE_OPT --web-acl-arn $wafaclarn --region=$regx --resource-type APPLICATION_LOAD_BALANCER --query ResourceArns --output text | xargs -n1 | awk -F'/' '{ print $3 }'| grep $alb)
+            if [[ $ALB_RESOURCES_IN_WEBACL ]]; then 
+              WAF_PROTECTED_ALBS+=($wafaclarn)
+            fi
+          done
+          if [[ ${#WAF_PROTECTED_ALBS[@]} -gt 0 ]]; then
+            for wafaclarn in "${WAF_PROTECTED_ALBS[@]}"; do
+              WAFV2_WEBACL_ARN_SHORT=$(echo $wafaclarn |  awk -F'/' '{ print $3 }')
+              textPass "$regx: Application Load Balancer $alb is protected by WAFv2 ACL $WAFV2_WEBACL_ARN_SHORT" "$regx"
+            done
+          else
+            textFail "$regx: Application Load Balancer $alb is not protected by WAFv2 ACL" "$regx"
+          fi
+        else 
+          textFail "$regx: Application Load Balancer $alb is not protected no WAFv2 ACL found" "$regx"
+        fi
+      done         
+    else
+      textInfo "$regx: No Application Load Balancers found" "$regx"
+    fi    
+  done
+}

checks/check_extra713

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra713="7.13"
+CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra713="NOT_SCORED"
+CHECK_TYPE_extra713="EXTRA"
+CHECK_SEVERITY_extra713="High"
+CHECK_ALTERNATE_check713="extra713"
+CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"
+
+extra713(){
+  # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
+  for regx in $REGIONS; do
+    LIST_OF_GUARDDUTY_DETECTORS=$($AWSCLI guardduty list-detectors $PROFILE_OPT --region $regx --output text --query DetectorIds[*] 2> /dev/null)
+    RESULT=$?
+    if [ $RESULT -eq 0 ];then
+      if [[ $LIST_OF_GUARDDUTY_DETECTORS ]];then
+        while read -r detector;do
+          DETECTOR_ENABLED=$($AWSCLI guardduty get-detector --detector-id $detector $PROFILE_OPT --region $regx --query "Status" --output text|grep ENABLED)
+          if [[ $DETECTOR_ENABLED ]]; then
+            textPass "$regx: GuardDuty detector $detector enabled" "$regx"
+          else
+            textFail "$regx: GuardDuty detector $detector configured but suspended" "$regx"
+          fi
+        done <<< "$LIST_OF_GUARDDUTY_DETECTORS"
+        else
+          textFail "$regx: GuardDuty detector not configured!" "$regx"
+      fi
+      else 
+      # if list-detectors return any error 
+      textInfo "$regx: GuardDuty not checked" "$regx"
+    fi 
+  done
+}

checks/check_extra714

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra714="7.14"
+CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra714="NOT_SCORED"
+CHECK_TYPE_extra714="EXTRA"
+CHECK_SEVERITY_extra714="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
+CHECK_ALTERNATE_check714="extra714"
+
+extra714(){
+  # "Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
+  LIST_OF_DISTRIBUTIONS=$($AWSCLI cloudfront list-distributions $PROFILE_OPT --query 'DistributionList.Items[].Id' --output text | grep -v "^None")
+  if [[ $LIST_OF_DISTRIBUTIONS ]]; then
+    for dist in $LIST_OF_DISTRIBUTIONS; do
+      LOG_ENABLED=$($AWSCLI cloudfront get-distribution $PROFILE_OPT --id "$dist" --query 'Distribution.DistributionConfig.Logging.Enabled' | grep true)
+      if [[ $LOG_ENABLED ]]; then
+        textPass "CloudFront distribution $dist has logging enabled"
+      else
+        textFail "CloudFront distribution $dist has logging disabled"
+      fi
+    done
+  else
+    textInfo "No CloudFront distributions found"
+  fi
+}

checks/check_extra715

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra715="7.15"
+CHECK_TITLE_extra715="[extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled"
+CHECK_SCORED_extra715="NOT_SCORED"
+CHECK_TYPE_extra715="EXTRA"
+CHECK_SEVERITY_extra715="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
+CHECK_ALTERNATE_check715="extra715"
+
+extra715(){
+  for regx in $REGIONS; do
+    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+    if [[ $LIST_OF_DOMAINS ]]; then
+      for domain in $LIST_OF_DOMAINS;do
+        SEARCH_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.SEARCH_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $SEARCH_SLOWLOG_ENABLED ]];then
+          textPass "$regx: Amazon ES domain $domain SEARCH_SLOW_LOGS enabled" "$regx"
+        else
+          textFail "$regx: Amazon ES domain $domain SEARCH_SLOW_LOGS disabled!" "$regx"
+        fi
+        INDEX_SLOWLOG_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.INDEX_SLOW_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $INDEX_SLOWLOG_ENABLED ]];then
+          textPass "$regx: Amazon ES domain $domain INDEX_SLOW_LOGS enabled" "$regx"
+        else
+          textFail "$regx: Amazon ES domain $domain INDEX_SLOW_LOGS disabled!" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Amazon ES domain found" "$regx"
+    fi
+  done
+}

checks/check_extra716

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra716="7.16"
+CHECK_TITLE_extra716="[extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or if it has open policy access"
+CHECK_SCORED_extra716="NOT_SCORED"
+CHECK_TYPE_extra716="EXTRA"
+CHECK_SEVERITY_extra716="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
+CHECK_ALTERNATE_check716="extra716"
+
+extra716(){
+  for regx in $REGIONS; do
+    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+    if [[ $LIST_OF_DOMAINS ]]; then
+      for domain in $LIST_OF_DOMAINS;do
+        TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-es-domain.policy.XXXXXXXXXX)
+        # get endpoint or vpc endpoints
+        ES_DOMAIN_ENDPOINT=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.[Endpoint || Endpoints]' --output text)
+        # If the endpoint starts with "vpc-" it is in a VPC then it is fine.
+        if [[ "$ES_DOMAIN_ENDPOINT" =~ ^vpc-* ]];then
+          ES_DOMAIN_VPC=$($AWSCLI es describe-elasticsearch-domain --domain-name $domain $PROFILE_OPT --region $regx --query 'DomainStatus.VPCOptions.VPCId' --output text)
+          textInfo "$regx: Amazon ES domain $domain is in VPC $ES_DOMAIN_VPC run extra779 to make sure it is not exposed using custom proxy" "$regx"
+        else
+          $AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.AccessPolicies.Options --output text > $TEMP_POLICY_FILE 2> /dev/null
+          # check if the policy has a principal set up
+          CHECK_ES_POLICY_PRINCIPAL=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS != "*") or ((.Principal|type == "string") and .Principal != "*")) and select(has("Condition") | not))')
+          if [[ $CHECK_ES_POLICY_PRINCIPAL ]]; then 
+            textPass "$regx: Amazon ES domain $domain does have a Principal set up" "$regx"
+          fi 
+          CHECK_ES_DOMAIN_POLICY_OPEN=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and select(has("Condition") | not))')
+          CHECK_ES_DOMAIN_POLICY_HAS_CONDITION=$(cat $TEMP_POLICY_FILE | jq -r '. | .Statement[] | select(.Effect == "Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and select(has("Condition")))' )
+          if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION ]]; then
+            # get content of IpAddress."aws:SourceIp" and get a clean list
+            LIST_CONDITION_IPS=$(cat $TEMP_POLICY_FILE | jq '.Statement[0] .Condition.IpAddress."aws:SourceIp"'| awk -F'"' '{print $2}' | tr -d '",^$' | sed '/^$/d')
+            unset CONDITION_HAS_PUBLIC_IP_ARRAY
+            for condition_ip in "${LIST_CONDITION_IPS}";do
+              CONDITION_HAS_PRIVATE_IP=$(echo "${condition_ip}" | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)')
+              if [[ $CONDITION_HAS_PRIVATE_IP ]];then
+                CONDITION_HAS_PRIVATE_IP_ARRAY+=($condition_ip)
+              fi
+              CONDITION_HAS_PUBLIC_IP=$(echo "${condition_ip}" | grep -vE '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|0\.0\.0\.0|\*)')
+              if [[ $CONDITION_HAS_PUBLIC_IP ]];then
+                CONDITION_HAS_PUBLIC_IP_ARRAY+=($condition_ip)
+              fi
+              CONDITION_HAS_ZERO_NET=$(echo "${condition_ip}" | grep -E '^(0\.0\.0\.0)')
+              CONDITION_HAS_STAR=$(echo "${condition_ip}" | grep -E '^\*')
+            done
+            CHECK_ES_DOMAIN_POLICY_CONDITION_PRIVATE_IP=${CONDITION_HAS_PRIVATE_IP_ARRAY[@]}
+            CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP=${CONDITION_HAS_PUBLIC_IP_ARRAY[@]}
+            CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO=$CONDITION_HAS_ZERO_NET
+            CHECK_ES_DOMAIN_POLICY_CONDITION_STAR=$CONDITION_HAS_STAR
+          fi
+          if [[ $CHECK_ES_DOMAIN_POLICY_OPEN || $CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO || $CHECK_ES_DOMAIN_POLICY_CONDITION_STAR || ${CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP[@]} ]];then
+            if [[ $CHECK_ES_DOMAIN_POLICY_OPEN ]];then
+              textFail "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\") - use extra788 to test AUTH" "$regx"
+            fi
+            if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION && $CHECK_ES_DOMAIN_POLICY_CONDITION_ZERO ]];then
+              textFail "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and network 0.0.0.0) - use extra788 to test AUTH" "$regx"
+            fi
+            if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION && $CHECK_ES_DOMAIN_POLICY_CONDITION_STAR ]];then
+              textFail "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and network \"*\") - use extra788 to test AUTH" "$regx"
+            fi
+            if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION && ${CHECK_ES_DOMAIN_POLICY_CONDITION_PUBLIC_IP[@]} ]];then
+              textInfo "$regx: Amazon ES domain $domain policy allows access (Principal: \"*\" and Public IP or Network $(echo ${CONDITION_HAS_PUBLIC_IP_ARRAY[@]})) - use extra788 to test AUTH" "$regx"
+            fi
+          else
+            if [[ $CHECK_ES_DOMAIN_POLICY_HAS_CONDITION && ${CHECK_ES_DOMAIN_POLICY_CONDITION_PRIVATE_IP[@]} ]];then
+              textInfo "$regx: Amazon ES domain $domain policy allows access from a Private IP or CIDR RFC1918 $(echo ${CONDITION_HAS_PRIVATE_IP_ARRAY[@]})" "$regx"
+            else
+              textPass "$regx: Amazon ES domain $domain does not allow anonymous access" "$regx"
+            fi
+          fi
+          rm -f $TEMP_POLICY_FILE
+        fi
+      done
+    else
+      textInfo "$regx: No Amazon ES domain found" "$regx"
+    fi
+  done
+}

checks/check_extra717

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra717="7.17"
+CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra717="NOT_SCORED"
+CHECK_TYPE_extra717="EXTRA"
+CHECK_SEVERITY_extra717="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
+CHECK_ALTERNATE_check717="extra717"
+
+extra717(){
+  # "Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
+  for regx in $REGIONS; do
+    LIST_OF_ELBS=$($AWSCLI elb describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text|xargs -n1)
+    LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[*].LoadBalancerArn' --output text|xargs -n1)
+    if [[ $LIST_OF_ELBS || $LIST_OF_ELBSV2 ]]; then
+      if [[ $LIST_OF_ELBS ]]; then
+        for elb in $LIST_OF_ELBS; do
+          CHECK_ELBS_LOG_ENABLED=$($AWSCLI elb describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-name $elb --query 'LoadBalancerAttributes.AccessLog.Enabled'|grep "^true")
+          if [[ $CHECK_ELBS_LOG_ENABLED ]]; then
+            textPass "$regx: $elb has access logs to S3 configured" "$regx"
+          else
+            textFail "$regx: $elb has not configured access logs" "$regx"
+          fi
+        done
+      fi
+      if [[ $LIST_OF_ELBSV2 ]]; then
+        for elbarn in $LIST_OF_ELBSV2; do
+          CHECK_ELBSV2_LOG_ENABLED=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $elbarn --query Attributes[*] --output text|grep "^access_logs.s3.enabled"|cut -f2|grep true)
+          ELBV2_NAME=$(echo $elbarn|cut -d\/ -f3)
+          if [[ $CHECK_ELBSV2_LOG_ENABLED ]]; then
+            textPass "$regx: $ELBV2_NAME has access logs to S3 configured" "$regx"
+          else
+            textFail "$regx: $ELBV2_NAME has not configured access logs" "$regx"
+          fi
+        done
+      fi
+    else
+      textInfo "$regx: No ELBs found" "$regx"
+    fi
+  done
+}

checks/check_extra718

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra718="7.18"
+CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra718="NOT_SCORED"
+CHECK_TYPE_extra718="EXTRA"
+CHECK_SEVERITY_extra718="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
+CHECK_ALTERNATE_check718="extra718"
+
+extra718(){
+  # "Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
+  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+  if [[ $LIST_OF_BUCKETS ]]; then
+    for bucket in $LIST_OF_BUCKETS;do
+      BUCKET_SERVER_LOG_ENABLED=$($AWSCLI s3api get-bucket-logging --bucket $bucket $PROFILE_OPT --query [LoggingEnabled] --output text 2>&1)
+      if [[ $(echo "$BUCKET_SERVER_LOG_ENABLED" | grep AccessDenied) ]]; then
+        textFail "Access Denied Trying to Get Bucket Logging for $bucket"
+        continue
+      fi
+      if [[ $(echo "$BUCKET_SERVER_LOG_ENABLED" | grep "^None$") ]]; then
+        textFail "Bucket $bucket has server access logging disabled!"
+      else
+        textPass "Bucket $bucket has server access logging enabled"
+      fi
+    done
+  else
+    textInfo "No S3 Buckets found"
+  fi
+}