Label version 2.3.0-18122020

Fix FreeBSD $OSTYPE check @ring-pete
2026-05-19 02:32:54 +00:00 · 2020-12-18 13:09:47 +01:00 · 2020-12-18 10:24:48 +01:00 · 2020-12-18 10:24:25 +01:00 · 2020-12-18 10:17:52 +01:00 · 2020-12-17 17:15:17 +01:00
225 changed files with 4754 additions and 282 deletions
@@ -0,0 +1,5 @@
+.git/
+
+# Ignore output directories
+output/
+junit-reports/
@@ -21,7 +21,7 @@ tags
 *.DS_Store

 # Prowler output
-prowler-output-*
+output/

 # JUnit Reports
 junit-reports/
@@ -7,7 +7,6 @@ verify_ssl = true

 [packages]
 boto3 = ">=1.9.188"
-ansi2html = ">=1.5.2"
 detect-secrets = ">=0.12.4"

 [requires]
@@ -6,16 +6,19 @@
 - [Features](#features)
 - [Requirements and Installation](#requirements-and-installation)
 - [Usage](#usage)
+- [Screenshots](#screenshots)
 - [Advanced Usage](#advanced-usage)
 - [Security Hub integration](#security-hub-integration)
- [Fix](#fix)
- [Screenshots](#screenshots)
+- [CodeBuild deployment](#codebuild-deployment)
+- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources)
+- [Fix](#how-to-fix-every-fail)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
 - [Forensics Ready Checks](#forensics-ready-checks)
 - [GDPR Checks](#gdpr-checks)
 - [HIPAA Checks](#hipaa-checks)
 - [Trust Boundaries Checks](#trust-boundaries-checks)
+- [Multi Account and Continuous Monitoring](util/org-multi-account/README.md)
 - [Add Custom Checks](#add-custom-checks)
 - [Third Party Integrations](#third-party-integrations)
 - [Full list of checks and groups](/LIST_OF_CHECKS_AND_GROUPS.md)
@@ -25,46 +28,54 @@

 Prowler is a command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.

-It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks including related to GDPR and HIPAA.
+It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.

 Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)

 ## Features

-~140 checks controls covering security best practices across all AWS regions and most of AWS services and related to the next groups:
+150 checks covering security best practices across all AWS regions and most of AWS services and related to the next groups:

 - Identity and Access Management [group1]
 - Logging  [group2]
- Monitoring (14 checks) [group3]
- Networking (4 checks) [group4]
+- Monitoring [group3]
+- Networking [group4]
 - CIS Level 1 [cislevel1]
 - CIS Level 2 [cislevel2]
- Extras (39 checks) *see Extras section* [extras]
+- Extras *see Extras section* [extras]
 - Forensics related group of checks [forensics-ready]
 - GDPR [gdpr] Read more [here](#gdpr-checks)
 - HIPAA [hipaa] Read more [here](#hipaa-checks)
 - Trust Boundaries [trustboundaries] Read more [here](#trustboundaries-checks)
+- Secrets 
+- PCI-DSS
+- ISO-27001
+- Internet exposed resources
+- EKS-CIS
+- FFIEC
+- SOC2
+- ENS (Esquema Nacional de Seguridad of Spain)

 With Prowler you can:

- get a colorful or monochrome report
- a CSV, JSON or JSON ASFF format report
+- get a direct colorful or monochrome report 
+- a HTML, CSV, JUNIT, JSON or JSON ASFF format report
 - send findings directly to Security Hub
- run specific checks
+- run specific checks and groups or create your own
 - check multiple AWS accounts in parallel or sequentially
 - and more! Read examples below

 ## Requirements and Installation

-This script has been written in bash using AWS-CLI and it works in Linux and OSX.
+Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.

- Make sure the latest version of AWS-CLI is installed on your workstation, and other components needed, with Python pip already installed:
+- Make sure the latest version of AWS-CLI is installed on your workstation (it works with either v1 or v2), and other components needed, with Python pip already installed:

    ```sh
-    pip install awscli ansi2html detect-secrets
+    pip install awscli detect-secrets
    ```

-    AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from <https://aws.amazon.com/cli/>, but `ansi2html` and `detect-secrets` has to be installed using `pip`. You will need to install `jq` to get more accuracy in some checks.
+    AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from <https://aws.amazon.com/cli/>, but `detect-secrets` has to be installed using `pip`. You will need to install `jq` to get the most from Prowler.

 - Make sure jq is installed (example below with "apt" but use a valid package manager for your OS):

@@ -79,7 +90,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
    cd prowler
    ```

- Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or intance profile):
+- Since Prowler users AWS CLI under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence). Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or intance profile):

    ```sh
    aws configure
@@ -110,7 +121,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
    ./prowler
    ```

-    Use `-l` to list all available checks and the groups (sections) that reference them
+    Use `-l` to list all available checks and the groups (sections) that reference them. To list all groups use `-L` and to list content of a group use `-l -g <groupname>`.

    If you want to avoid installing dependencies run it using Docker:

@@ -168,9 +179,22 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX

    Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310

+## Screenshots
+
+- Sample screenshot of report first lines:
+
+    <img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
+
+- Sample screenshot of single check for check 3.3:
+
+    <img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
+
+- Sample screenshot of the html output `-M html`:
+    <img width="1006" alt="Prowler html" src="https://user-images.githubusercontent.com/3985464/82838608-0229ce80-9ecd-11ea-860c-468f66aa2790.png">
+
 ### Save your reports

-1. If you want to save your report for later analysis thare are different ways, natively (supported text, mono, csv, json, json-asff and junit-xml see note below for more info):
+1. If you want to save your report for later analysis thare are different ways, natively (supported text, mono, csv, json, json-asff, junit-xml and html, see note below for more info):

    ```sh
    ./prowler -M csv
@@ -179,7 +203,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
    or with multiple formats at the same time:

    ```sh
-    ./prowler -M csv,json,json-asff
+    ./prowler -M csv,json,json-asff,html
    ```

    or just a group of checks in multiple formats:
@@ -188,7 +212,13 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
    ./prowler -g gdpr -M csv,json,json-asff
    ```

-    Now `-M` creates a file inside the prowler root directory named `prowler-output-AWSACCOUNTID-YYYYMMDDHHMMSS.format`. You don't have to specify anything else, no pipes, no redirects.
+    or if you want a sorted and dynamic HTML report do:
+
+    ```sh
+    ./prowler -M html
+    ```
+
+    Now `-M` creates a file inside the prowler `output` directory named `prowler-output-AWSACCOUNTID-YYYYMMDDHHMMSS.format`. You don't have to specify anything else, no pipes, no redirects.

    or just saving the output to a file like below:

@@ -196,13 +226,6 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
    ./prowler -M mono > prowler-report.txt
    ```

-    or if you want a coloured HTML report do:
-
-    ```sh
-    pip install ansi2html
-    ./prowler | ansi2html -la > report.html
-    ```
-
    To generate JUnit report files, include the junit-xml format. This can be combined with any other format. Files are written inside a prowler root directory named `junit-reports`:

    ```sh
@@ -211,75 +234,42 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX

    >Note about output formats to use with `-M`: "text" is the default one with colors, "mono" is like default one but monochrome, "csv" is comma separated values, "json" plain basic json (without comma between lines) and "json-asff" is also json with Amazon Security Finding Format that you can ship to Security Hub using `-S`.

-    or save your report in a S3 bucket (this only works for text or mono, for csv, json or json-asff it has to be copied afterwards):
+    or save your report in an S3 bucket (this only works for text or mono. For csv, json or json-asff it has to be copied afterwards):

    ```sh
    ./prowler -M mono | aws s3 cp - s3://bucket-name/prowler-report.txt
    ```

+    When generating multiple formats and running using Docker, to retrieve the reports, bind a local directory to the container, e.g.:
+
+    ```sh
+    docker run -ti --rm --name prowler --volume "$(pwd)":/prowler/output --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest -M csv,json
+    ```
+
 1. To perform an assessment based on CIS Profile Definitions you can use cislevel1 or cislevel2 with `-g` flag, more information about this [here, page 8](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf):

    ```sh
    ./prowler -g cislevel1
    ```

-1. If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`):
+1. If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously `-P 4`) but you may want to read below in Advanced Usage section to do so assuming a role:

    ```sh
    grep -E '^\[([0-9A-Aa-z_-]+)\]'  ~/.aws/credentials | tr -d '][' | shuf |  \
    xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv  2> /dev/null  >> all-accounts.csv
    ```

-1. For help use:
+1. For help about usage run:

    ```
    ./prowler -h
-
-    USAGE:
-      prowler [ -p <profile> -r <region>  -h ]
-
-      -p <profile>        specify your AWS profile to use (i.e.: default)
-      -r <region>         specify an AWS region to direct API requests to
-                            (i.e.: us-east-1), all regions are checked anyway if the check requires it
-      -c <check_id>       specify one or multiple check ids separated by commas, to see all available checks use -l option
-                            (i.e.: check11 for check 1.1 or extra71,extra72 for extra check 71 and extra check 72)
-      -g <group_id>       specify a group of checks by id, to see all available group of checks use -L
-                            (i.e.: check3 for entire section 3, level1 for CIS Level 1 Profile Definitions or forensics-ready)
-      -f <filterregion>   specify an AWS region to run checks against
-                            (i.e.: us-west-1)
-      -m <maxitems>       specify the maximum number of items to return for long-running requests (default: 100)
-      -M <mode>           output mode: text (default), mono, json, json-asff, junit-xml, csv. They can be used combined comma separated.
-                            (separator is ,; data is on stdout; progress on stderr).
-      -k                  keep the credential report
-      -n                  show check numbers to sort easier
-                            (i.e.: 1.01 instead of 1.1)
-      -l                  list all available checks only (does not perform any check). Add -g <group_id> to only list checks within the specified group
-      -L                  list all groups (does not perform any check)
-      -e                  exclude group extras
-      -E                  execute all tests except a list of specified checks separated by comma (i.e. check21,check31)
-      -b                  do not print Prowler banner
-      -s                  show scoring report
-      -S                  send check output to AWS Security Hub - only valid when the output mode is json-asff (i.e. -M json-asff -S)
-      -x                  specify external directory with custom checks (i.e. /my/own/checks, files must start by check)
-      -q                  suppress info messages and passing test output
-      -A                  account id for the account where to assume a role, requires -R and -T
-                            (i.e.: 123456789012)
-      -R                  role name to assume in the account, requires -A and -T
-                            (i.e.: ProwlerRole)
-      -T                  session duration given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
-                            (i.e.: 43200)
-      -I                  External ID to be used when assuming roles (not mandatory), requires -A and -R
-      -w                  whitelist file. See whitelist_sample.txt for reference and format
-                            (i.e.: whitelist_sample.txt)
-      -V                  show version number & exit
-      -h                  this help
    ```

 ## Advanced Usage

 ### Assume Role:

-Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account.
+Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account. To create a role to assume in multiple accounts easier eather as CFN Stack or StackSet, look at [this CloudFormation template](iam/create_role_to_assume_cfn.yaml) and adapt it.

 ```sh
 ./prowler -A 123456789012 -R ProwlerRole
@@ -298,23 +288,32 @@ For example, if you want to get only the fails in CSV format from all checks reg
 ```sh
 ./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -b -M cvs -q -g rds
 ```
-
+or with a given External ID:
 ```sh
 ./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -I 123456 -b -M cvs -q -g rds
 ```

-### Assume Role and across all accounts in AWS Organizations:
+### Assume Role and across all accounts in AWS Organizations or just a list of accounts:

 If you want to run Prowler or just a check or a group across all accounts of AWS Organizations you can do this:

-First get a list of accounts:
+First get a list of accounts that are not suspended:
 ```
-ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text)
 ```
 Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check:
 ```
 for accountId in $ACCOUNTS_IN_ORGS; do ./prowler -A $accountId -R RemoteRoleToAssume -c extra79; done
 ```
+Usig the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'`
+
+### GovCloud
+
+Prowler runs in GovCloud regions as well. To make sure it points to the right API endpoint use `-r` to either `us-gov-west-1` or `us-gov-east-1`. If not filter region is used it will look for resources in both GovCloud regions by default:
+```
+./prowler -r us-gov-west-1
+```
+> For Security Hub integration see below in Security Hub section.

 ### Custom folder for custom checks

@@ -340,21 +339,60 @@ export HEX_LIMIT=3.0

 ## Security Hub integration

-Since version v2.3, Prowler supports natively sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and now from Prowler. It is as simple as running the command below:
+Since October 30th 2020 (version v2.3RC5), Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free. 
+
+Before sending findings to Prowler, you need to perform next steps:
+1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
+    - `aws securityhub enable-security-hub --region <region>`.
+2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
+    - `aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler` (change region also inside the ARN).
+    - Using the AWS Management Console:
+    ![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
+3. As mentioned in section "Custom IAM Policy", to allow Prowler to import its findings to AWS Security Hub you need to add the policy below to the role or user running Prowler:
+    - [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
+
+Once it is enabled, it is as simple as running the command below (for all regions):

 ```sh
 ./prowler -M json-asff -S
 ```
+or for only one filtered region like eu-west-1:
+```sh
+./prowler -M json-asff -q -S -f eu-west-1
+```
+> Note 1: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command. 

-There are two requirements:
+> Note 2: Since Prowler perform checks to all regions by defaults you may need to filter by region when runing Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs).

-1. Security Hub must be enabled for the active region from where you are calling Prowler (if no region is used with `-r` then `us-east-1` is used). It can be enabled by calling `aws securityhub enable-security-hub`
-2. As mentioned in section "Custom IAM Policy", to allow Prowler to import its findings to AWS Security Hub you need to add the policy below to the role or user running Prowler:
-    - [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
+> Note 3: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.

->Note: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
+Once you run findings for first time you will be able to see Prowler findings in Findings section:

-## Whitelist or remove FAIL from resources
+![Screenshot 2020-10-29 at 10 29 05 PM](https://user-images.githubusercontent.com/3985464/97634676-66c9f600-1a36-11eb-9341-70feb06f6331.png)
+
+### Security Hub in GovCloud regions
+
+To use Prowler and Security Hub integration in GovCloud there is an additional requirement, usage of `-r` is needed to point the API queries to the right API endpoint. Here is a sample command that sends only failed findings to Security Hub in region `us-gov-west-1`:
+```
+./prowler -r us-gov-west-1 -f us-gov-west-1 -S -M csv,json-asff -q
+```
+
+### Security Hub in China regions
+
+To use Prowler and Security Hub integration in China regions there is an additional requirement, usage of `-r` is needed to point the API queries to the right API endpoint. Here is a sample command that sends only failed findings to Security Hub in region `cn-north-1`:
+```
+./prowler -r cn-north-1 -f cn-north-1 -q -S -M csv,json-asff
+```
+
+## CodeBuild deployment
+
+Either to run Prowler once or based on a schedule this template makes it pretty straight forward. This template will create a CodeBuild environment and run Prowler directly leaving all reports in a bucket and creating a report also inside CodeBuild basedon the JUnit output from Prowler. Scheduling can be cron based like `cron(0 22 * * ? *)` or rate based like `rate(5 hours)` since CloudWatch Event rules (or Eventbridge) is used here.
+
+The Cloud Formation template that helps you doing that is [here](https://github.com/toniblyx/prowler/blob/master/util/codebuild/codebuild-prowler-audit-account-cfn.yaml). 
+
+> This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md).
+
+## Whitelist or allowlist or remove a fail from resources

 Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command:

@@ -368,16 +406,6 @@ Whitelist option works along with other options and adds a `WARNING` instead of

 Check your report and fix the issues following all specific guidelines per check in <https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf>

-## Screenshots
-
- Sample screenshot of report first lines:
-
-    <img width="1125" alt="screenshot 2016-09-13 16 05 42" src="https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png">
-
- Sample screenshot of single check for check 3.3:
-
-    <img width="1006" alt="screenshot 2016-09-14 13 20 46" src="https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png">
-
 ## Troubleshooting

 ### STS expired token
@@ -453,7 +481,9 @@ aws iam create-access-key --user-name prowler
 unset ACCOUNT_ID AWS_DEFAULT_PROFILE
 ```

-The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown.  If you lose it, you will need to generate a replacement.
+The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with Prowler. This is the only time they secret key will be shown.  If you lose it, you will need to generate a replacement.
+
+> [This CloudFormation template](iam/create_role_to_assume_cfn.yaml) may also help you on that task.

 ## Extras

@@ -461,10 +491,10 @@ We are adding additional checks to improve the information gather from each acco

 Some of these checks look for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.

-To list all existing checks please run the command below:
+To list all existing checks in the extras group run the command below:

 ```sh
-./prowler -l
+./prowler -l -g extras
 ```

 >There are some checks not included in that list, they are experimental or checks that takes long to run like `extra759` and `extra760` (search for secrets in Lambda function variables and code).
@@ -603,10 +633,6 @@ In order to add any new check feel free to create a new extra check in the extra

 ## Third Party Integrations

-### AWS Security Hub
-
-There is a blog post about that integration in the AWS Security blog here <https://aws.amazon.com/blogs/security/use-aws-fargate-prowler-send-security-configuration-findings-about-aws-services-security-hub/>
-
 ### Telegram

 Javier Pecete has done an awesome job integrating Prowler with Telegram, you have more details here <https://github.com/i4specete/ServerTelegramBot>
@@ -617,15 +643,9 @@ The guys of SecurityFTW have added Prowler in their Cloud Security Suite along w

 ## License

-All CIS based checks in the checks folder are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License.
-The link to the license terms can be found at
-<https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode>
-Any other piece of code is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
+Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
 <http://www.apache.org/licenses/LICENSE-2.0>

-NOTE: If you are interested in using Prowler for commercial purposes remember that due to the CC4.0 license “The distributors or partners that are interested and using Prowler would need to enroll as CIS SecureSuite Members to incorporate this product, which includes references to CIS resources, in their offering.". Information about CIS pricing for vendors here: <https://www.cisecurity.org/cis-securesuite/pricing-and-categories/product-vendor/>
-
 **I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**

-If you want to contact me visit <https://blyx.com/contact>
-
+If you want to contact me visit <https://blyx.com/contact> or follow me on Twitter <https://twitter.com/toniblyx> my DMs are open.
@@ -12,6 +12,7 @@ CHECK_ID_check11="1.1"
 CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)"
 CHECK_SCORED_check11="SCORED"
 CHECK_TYPE_check11="LEVEL1"
+CHECK_SEVERITY_check11="High"
 CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check101="check11"

@@ -12,6 +12,7 @@ CHECK_ID_check110="1.10"
 CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
 CHECK_SCORED_check110="SCORED"
 CHECK_TYPE_check110="LEVEL1"
+CHECK_SEVERITY_check110="Medium"
 CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check110="check110"

@@ -12,6 +12,7 @@ CHECK_ID_check111="1.11"
 CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
 CHECK_SCORED_check111="SCORED"
 CHECK_TYPE_check111="LEVEL1"
+CHECK_SEVERITY_check111="Medium"
 CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check111="check111"

@@ -12,6 +12,7 @@ CHECK_ID_check112="1.12"
 CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
 CHECK_SCORED_check112="SCORED"
 CHECK_TYPE_check112="LEVEL1"
+CHECK_SEVERITY_check112="Critical"
 CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check112="check112"

@@ -12,6 +12,7 @@ CHECK_ID_check113="1.13"
 CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
 CHECK_SCORED_check113="SCORED"
 CHECK_TYPE_check113="LEVEL1"
+CHECK_SEVERITY_check113="Critical"
 CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check113="check113"

@@ -12,6 +12,7 @@ CHECK_ID_check114="1.14"
 CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
 CHECK_SCORED_check114="SCORED"
 CHECK_TYPE_check114="LEVEL2"
+CHECK_SEVERITY_check114="Critical"
 CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check114="check114"

@@ -19,7 +20,7 @@ check114(){
  # "Ensure hardware MFA is enabled for the root account (Scored)"
  COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
  if [ "$COMMAND113" == "1" ]; then
-    COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep '^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$')
+    COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep "^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$")
    if [[ "$COMMAND114" ]]; then
      textFail "Only Virtual MFA is enabled for root"
    else
@@ -12,6 +12,7 @@ CHECK_ID_check115="1.15"
 CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
 CHECK_SCORED_check115="NOT_SCORED"
 CHECK_TYPE_check115="LEVEL1"
+CHECK_SEVERITY_check115="Medium"
 CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check115="check115"

@@ -12,9 +12,11 @@ CHECK_ID_check116="1.16"
 CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
 CHECK_SCORED_check116="SCORED"
 CHECK_TYPE_check116="LEVEL1"
+CHECK_SEVERITY_check116="Low"
 CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
 CHECK_ALTERNATE_check116="check116"
+CHECK_ASFF_COMPLIANCE_TYPE_check116="ens-op.acc.3.aws.iam.1"

 check116(){
  # "Ensure IAM policies are attached only to groups or roles (Scored)"
@@ -12,6 +12,7 @@ CHECK_ID_check117="1.17"
 CHECK_TITLE_check117="[check117] Maintain current contact details (Not Scored)"
 CHECK_SCORED_check117="NOT_SCORED"
 CHECK_TYPE_check117="LEVEL1"
+CHECK_SEVERITY_check117="Medium"
 CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check117="check117"

@@ -12,6 +12,7 @@ CHECK_ID_check118="1.18"
 CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Not Scored)"
 CHECK_SCORED_check118="NOT_SCORED"
 CHECK_TYPE_check118="LEVEL1"
+CHECK_SEVERITY_check118="Medium"
 CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check118="check118"

@@ -12,19 +12,20 @@ CHECK_ID_check119="1.19"
 CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
 CHECK_SCORED_check119="NOT_SCORED"
 CHECK_TYPE_check119="LEVEL2"
+CHECK_SEVERITY_check119="Medium"
 CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
 CHECK_ALTERNATE_check119="check119"

 check119(){
  for regx in $REGIONS; do
-    EC2_DATA=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn, State.Name]')
+    EC2_DATA=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn, State.Name]' --output json)
    EC2_DATA=$(echo $EC2_DATA | jq '.[]|{InstanceId: .[0], ProfileArn: .[1], StateName: .[2]}')
    INSTANCE_LIST=$(echo $EC2_DATA | jq -r '.InstanceId')
    if [[ $INSTANCE_LIST ]]; then
      for instance in $INSTANCE_LIST; do
        STATE_NAME=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.StateName')
-        if [[ $STATE_NAME != "terminated" ]]; then
+        if [[ $STATE_NAME != "terminated" && $STATE_NAME != "shutting-down" ]]; then
          PROFILEARN=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.ProfileArn')
          if [[ $PROFILEARN == "null" ]]; then
            textFail "$regx: Instance $instance not associated with an instance role" $regx
@@ -12,14 +12,16 @@ CHECK_ID_check12="1.2"
 CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
 CHECK_SCORED_check12="SCORED"
 CHECK_TYPE_check12="LEVEL1"
+CHECK_SEVERITY_check12="High"
 CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
 CHECK_ALTERNATE_check102="check12"
+CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"

 check12(){
  # "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
  # List users with password enabled
-  COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep -F ' true$' | awk '{ print $1 }')
+  COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED=$(cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$4 }' |grep 'true$' | awk '{ print $1 }')
  COMMAND12=$(
    for i in $COMMAND12_LIST_USERS_WITH_PASSWORD_ENABLED; do
      cat $TEMP_REPORT_FILE|awk -F, '{ print $1,$8 }' |grep "^$i " |grep false | awk '{ print $1 }'
@@ -12,9 +12,11 @@ CHECK_ID_check120="1.20"
 CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
 CHECK_SCORED_check120="SCORED"
 CHECK_TYPE_check120="LEVEL1"
+CHECK_SEVERITY_check120="Medium"
 CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
 CHECK_ALTERNATE_check120="check120"
+CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"

 check120(){
  # "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
@@ -12,9 +12,11 @@ CHECK_ID_check121="1.21"
 CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
 CHECK_SCORED_check121="NOT_SCORED"
 CHECK_TYPE_check121="LEVEL1"
+CHECK_SEVERITY_check121="Medium"
 CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
 CHECK_ALTERNATE_check121="check121"
+CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"

 check121(){
  # "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
@@ -12,6 +12,7 @@ CHECK_ID_check122="1.22"
 CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
 CHECK_SCORED_check122="SCORED"
 CHECK_TYPE_check122="LEVEL1"
+CHECK_SEVERITY_check122="Medium"
 CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
 CHECK_ALTERNATE_check122="check122"
@@ -12,9 +12,11 @@ CHECK_ID_check13="1.3"
 CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
 CHECK_SCORED_check13="SCORED"
 CHECK_TYPE_check13="LEVEL1"
+CHECK_SEVERITY_check13="Medium"
 CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
 CHECK_ALTERNATE_check103="check13"
+CHECK_ASFF_COMPLIANCE_TYPE_check13="ens-op.acc.1.aws.iam.3,ens-op.acc.5.aws.iam.4"

 check13(){
  check_creds_used_in_last_days 90
@@ -12,9 +12,11 @@ CHECK_ID_check14="1.4"
 CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
 CHECK_SCORED_check14="SCORED"
 CHECK_TYPE_check14="LEVEL1"
+CHECK_SEVERITY_check14="Medium"
 CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
 CHECK_ALTERNATE_check104="check14"
+CHECK_ASFF_COMPLIANCE_TYPE_check14="ens-op.acc.1.aws.iam.4,ens-op.acc.5.aws.iam.3"

 check14(){
  # "Ensure access keys are rotated every 90 days or less (Scored)" # also checked by Security Monkey
@@ -12,6 +12,7 @@ CHECK_ID_check15="1.5"
 CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
 CHECK_SCORED_check15="SCORED"
 CHECK_TYPE_check15="LEVEL1"
+CHECK_SEVERITY_check15="Medium"
 CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check105="check15"

@@ -12,6 +12,7 @@ CHECK_ID_check16="1.6"
 CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
 CHECK_SCORED_check16="SCORED"
 CHECK_TYPE_check16="LEVEL1"
+CHECK_SEVERITY_check16="medium"
 CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check106="check16"

@@ -12,6 +12,7 @@ CHECK_ID_check17="1.7"
 CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
 CHECK_SCORED_check17="SCORED"
 CHECK_TYPE_check17="LEVEL1"
+CHECK_SEVERITY_check17="Medium"
 CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check107="check17"

@@ -12,6 +12,7 @@ CHECK_ID_check18="1.8"
 CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
 CHECK_SCORED_check18="SCORED"
 CHECK_TYPE_check18="LEVEL1"
+CHECK_SEVERITY_check18="Medium"
 CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check108="check18"

@@ -12,6 +12,7 @@ CHECK_ID_check19="1.9"
 CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
 CHECK_SCORED_check19="SCORED"
 CHECK_TYPE_check19="LEVEL1"
+CHECK_SEVERITY_check19="Medium"
 CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check109="check19"

@@ -12,9 +12,11 @@ CHECK_ID_check21="2.1"
 CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
 CHECK_SCORED_check21="SCORED"
 CHECK_TYPE_check21="LEVEL1"
+CHECK_SEVERITY_check21="High"
 CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check201="check21"
+CHECK_ASFF_COMPLIANCE_TYPE_check21="ens-op.acc.7.aws.iam.1,ens-op.mon.1.aws.trail.1"

 check21(){
  trail_count=0
@@ -12,9 +12,11 @@ CHECK_ID_check22="2.2"
 CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
 CHECK_SCORED_check22="SCORED"
 CHECK_TYPE_check22="LEVEL2"
+CHECK_SEVERITY_check22="Medium"
 CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check202="check22"
+CHECK_ASFF_COMPLIANCE_TYPE_check22="ens-op.exp.10.aws.trail.1"

 check22(){
  # "Ensure CloudTrail log file validation is enabled (Scored)"
@@ -12,9 +12,11 @@ CHECK_ID_check23="2.3"
 CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
 CHECK_SCORED_check23="SCORED"
 CHECK_TYPE_check23="LEVEL1"
+CHECK_SEVERITY_check23="Critical"
 CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
 CHECK_ALTERNATE_check203="check23"
+CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3,ens-op.exp.10.aws.trail.4"

 check23(){
  # "Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
@@ -12,9 +12,11 @@ CHECK_ID_check24="2.4"
 CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
 CHECK_SCORED_check24="SCORED"
 CHECK_TYPE_check24="LEVEL1"
+CHECK_SEVERITY_check24="Low"
 CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check204="check24"
+CHECK_ASFF_COMPLIANCE_TYPE_check24="ens-op.exp.8.aws.cw.1"

 check24(){
  # "Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
@@ -12,8 +12,10 @@ CHECK_ID_check25="2.5"
 CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
 CHECK_SCORED_check25="SCORED"
 CHECK_TYPE_check25="LEVEL1"
+CHECK_SEVERITY_check25="Medium"
 CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check205="check25"
+CHECK_ASFF_COMPLIANCE_TYPE_check25="ens-op.exp.1.aws.cfg.1"

 check25(){
  # "Ensure AWS Config is enabled in all regions (Scored)"
@@ -12,6 +12,7 @@ CHECK_ID_check26="2.6"
 CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
 CHECK_SCORED_check26="SCORED"
 CHECK_TYPE_check26="LEVEL1"
+CHECK_SEVERITY_check26="Medium"
 CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
 CHECK_ALTERNATE_check206="check26"
@@ -12,9 +12,11 @@ CHECK_ID_check27="2.7"
 CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
 CHECK_SCORED_check27="SCORED"
 CHECK_TYPE_check27="LEVEL2"
+CHECK_SEVERITY_check27="Medium"
 CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check207="check27"
+CHECK_ASFF_COMPLIANCE_TYPE_check27="ens-op.exp.10.aws.trail.5"

 check27(){
  # "Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
@@ -12,6 +12,7 @@ CHECK_ID_check28="2.8"
 CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)"
 CHECK_SCORED_check28="SCORED"
 CHECK_TYPE_check28="LEVEL2"
+CHECK_SEVERITY_check28="Medium"
 CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
 CHECK_ALTERNATE_check208="check28"
@@ -12,9 +12,11 @@ CHECK_ID_check29="2.9"
 CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
 CHECK_SCORED_check29="SCORED"
 CHECK_TYPE_check29="LEVEL2"
+CHECK_SEVERITY_check29="Medium"
 CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
 CHECK_ALTERNATE_check209="check29"
+CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"

 check29(){
  # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
@@ -37,9 +37,11 @@ CHECK_ID_check31="3.1"
 CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
 CHECK_SCORED_check31="SCORED"
 CHECK_TYPE_check31="LEVEL1"
+CHECK_SEVERITY_check31="Medium"
 CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check301="check31"
+CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"

 check31(){
  check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
@@ -37,6 +37,7 @@ CHECK_ID_check310="3.10"
 CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
 CHECK_SCORED_check310="SCORED"
 CHECK_TYPE_check310="LEVEL2"
+CHECK_SEVERITY_check310="Medium"
 CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check310="check310"
@@ -37,6 +37,7 @@ CHECK_ID_check311="3.11"
 CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
 CHECK_SCORED_check311="SCORED"
 CHECK_TYPE_check311="LEVEL2"
+CHECK_SEVERITY_check311="Medium"
 CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check311="check311"
@@ -37,6 +37,7 @@ CHECK_ID_check312="3.12"
 CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
 CHECK_SCORED_check312="SCORED"
 CHECK_TYPE_check312="LEVEL1"
+CHECK_SEVERITY_check312="Medium"
 CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check312="check312"
@@ -37,6 +37,7 @@ CHECK_ID_check313="3.13"
 CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
 CHECK_SCORED_check313="SCORED"
 CHECK_TYPE_check313="LEVEL1"
+CHECK_SEVERITY_check313="Medium"
 CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check313="check313"
@@ -37,6 +37,7 @@ CHECK_ID_check314="3.14"
 CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
 CHECK_SCORED_check314="SCORED"
 CHECK_TYPE_check314="LEVEL1"
+CHECK_SEVERITY_check314="Medium"
 CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check314="check314"
@@ -37,9 +37,11 @@ CHECK_ID_check32="3.2"
 CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
 CHECK_SCORED_check32="SCORED"
 CHECK_TYPE_check32="LEVEL1"
+CHECK_SEVERITY_check32="Medium"
 CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check302="check32"
+CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"

 check32(){
  check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
@@ -37,9 +37,11 @@ CHECK_ID_check33="3.3"
 CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
 CHECK_SCORED_check33="SCORED"
 CHECK_TYPE_check33="LEVEL1"
+CHECK_SEVERITY_check33="Medium"
 CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check303="check33"
+CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"

 check33(){
  check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
@@ -37,9 +37,11 @@ CHECK_ID_check34="3.4"
 CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
 CHECK_SCORED_check34="SCORED"
 CHECK_TYPE_check34="LEVEL1"
+CHECK_SEVERITY_check34="Medium"
 CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check304="check34"
+CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"

 check34(){
  check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
@@ -37,9 +37,11 @@ CHECK_ID_check35="3.5"
 CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
 CHECK_SCORED_check35="SCORED"
 CHECK_TYPE_check35="LEVEL1"
+CHECK_SEVERITY_check35="Medium"
 CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check305="check35"
+CHECK_ASFF_COMPLIANCE_TYPE_check35="ens-op.exp.8.aws.trail.1"

 check35(){
  check3x '\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging'
@@ -37,9 +37,11 @@ CHECK_ID_check36="3.6"
 CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
 CHECK_SCORED_check36="SCORED"
 CHECK_TYPE_check36="LEVEL2"
+CHECK_SEVERITY_check36="Medium"
 CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check306="check36"
+CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"

 check36(){
  check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
@@ -37,9 +37,11 @@ CHECK_ID_check37="3.7"
 CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)"
 CHECK_SCORED_check37="SCORED"
 CHECK_TYPE_check37="LEVEL2"
+CHECK_SEVERITY_check37="Medium"
 CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check307="check37"
+CHECK_ASFF_COMPLIANCE_TYPE_check37="ens-op.exp.11.aws.kms.1"

 check37(){
  check3x '\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion'
@@ -37,6 +37,7 @@ CHECK_ID_check38="3.8"
 CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
 CHECK_SCORED_check38="SCORED"
 CHECK_TYPE_check38="LEVEL1"
+CHECK_SEVERITY_check38="Medium"
 CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check308="check38"
@@ -37,6 +37,7 @@ CHECK_ID_check39="3.9"
 CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
 CHECK_SCORED_check39="SCORED"
 CHECK_TYPE_check39="LEVEL2"
+CHECK_SEVERITY_check39="Medium"
 CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
 CHECK_ALTERNATE_check309="check39"
@@ -12,9 +12,11 @@ CHECK_ID_check41="4.1"
 CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
 CHECK_SCORED_check41="SCORED"
 CHECK_TYPE_check41="LEVEL2"
+CHECK_SEVERITY_check41="High"
 CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check401="check41"
+CHECK_ASFF_COMPLIANCE_TYPE_check41="ens-mp.com.4.aws.sg.4"

 check41(){
  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
@@ -12,9 +12,11 @@ CHECK_ID_check42="4.2"
 CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
 CHECK_SCORED_check42="SCORED"
 CHECK_TYPE_check42="LEVEL2"
+CHECK_SEVERITY_check42="High"
 CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check402="check42"
+CHECK_ASFF_COMPLIANCE_TYPE_check42="ens-mp.com.4.aws.sg.5"

 check42(){
  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
@@ -12,9 +12,11 @@ CHECK_ID_check43="4.3"
 CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
 CHECK_SCORED_check43="SCORED"
 CHECK_TYPE_check43="LEVEL2"
+CHECK_SEVERITY_check43="Medium"
 CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
 CHECK_ALTERNATE_check403="check43"
+CHECK_ASFF_COMPLIANCE_TYPE_check43="ens-mp.com.4.aws.sg.1"

 check43(){
  # "Ensure the default security group of every VPC restricts all traffic (Scored)"
@@ -12,6 +12,7 @@ CHECK_ID_check44="4.4"
 CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
 CHECK_SCORED_check44="NOT_SCORED"
 CHECK_TYPE_check44="LEVEL2"
+CHECK_SEVERITY_check44="Medium"
 CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
 CHECK_ALTERNATE_check404="check44"
@@ -14,10 +14,12 @@ CHECK_ID_extra71="7.1"
 CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra71="NOT_SCORED"
 CHECK_TYPE_extra71="EXTRA"
+CHECK_SEVERITY_extra71="High"
 CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
 CHECK_ALTERNATE_extra701="extra71"
 CHECK_ALTERNATE_check71="extra71"
 CHECK_ALTERNATE_check701="extra71"
+CHECK_ASFF_COMPLIANCE_TYPE_extra71="ens-op.exp.10.aws.trail.2"

 extra71(){
  # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
@@ -26,7 +28,7 @@ extra71(){
  for grp in $AWS_GROUPS; do
    # aws --profile onlinetraining iam list-attached-group-policies --group-name Administrators --query 'AttachedPolicies[].PolicyArn' | grep 'arn:aws:iam::aws:policy/AdministratorAccess'
    # list-attached-group-policies
-    CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep  'arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess')
+    CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep  "arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess")
    if [[ $CHECK_ADMIN_GROUP ]]; then
      ADMIN_GROUPS="$ADMIN_GROUPS $grp"
      textInfo "$grp group provides administrative access"
@@ -14,8 +14,10 @@ CHECK_ID_extra710="7.10"
 CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra710="NOT_SCORED"
 CHECK_TYPE_extra710="EXTRA"
+CHECK_SEVERITY_extra710="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
 CHECK_ALTERNATE_check710="extra710"
+CHECK_ASFF_COMPLIANCE_TYPE_extra710="ens-mp.com.4.aws.vpc.1"

 extra710(){
  # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building
+# on the hard work of others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7100="7.100"
+CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
+CHECK_SCORED_extra7100="NOT_SCORED"
+CHECK_TYPE_extra7100="EXTRA"
+CHECK_SEVERITY_extra7100="Critical"
+CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
+CHECK_ALTERNATE_check7100="extra7100"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
+
+extra7100(){
+  # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
+  #
+  # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
+  # This is most often seen as sts:assumeRole on *, but can take other forms.
+  #
+  # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
+  LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
+  if [[ $LIST_CUSTOM_POLICIES ]]; then
+    textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
+    for policy in $LIST_CUSTOM_POLICIES; do
+      POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
+      POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
+
+      POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \
+        --output json \
+        --policy-arn $POLICY_ARN \
+        --version-id $POLICY_VERSION \
+        --query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \
+        $PROFILE_OPT \
+        --region $REGION
+      )
+
+      # Identify permissive policies by:
+      #   1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string)
+      #   3) Iterate over the policy statements
+      #   4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity)
+      #   5) Narrow the scope to Resources (IAM Roles) which include a wildcard
+      POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \
+        | jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \
+        | jq 'map( .Action |= (if type=="array" then . else [.] end) )' \
+        | jq '.[]' \
+        | jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \
+        | jq 'select(.Resource[] | contains("*"))')
+
+      if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then
+        PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN"
+      fi
+
+    done
+    if [[ $PERMISSIVE_POLICIES_LIST ]]; then
+      textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
+      textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
+      for policy in $PERMISSIVE_POLICIES_LIST; do
+        textFail "Policy $policy allows permissive STS Role assumption"
+      done
+    else
+      textPass "No custom policies found that allow permissive STS Role assumption"
+    fi
+  else
+    textPass "No custom policies found"
+  fi
+}
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7101="7.101"
+CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
+CHECK_SCORED_extra7101="NOT_SCORED"
+CHECK_TYPE_extra7101="EXTRA"
+CHECK_SEVERITY_extra7101="Low"
+CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
+CHECK_ALTERNATE_check7101="extra7101"
+
+# More info 
+# Works for  Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled 
+# https://aws.amazon.com/about-aws/whats-new/2020/09/audit-logs-launch/
+# https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html
+
+# Remediation
+# aws es update-elasticsearch-domain-config --domain-name test1 --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-log-group,Enabled=true}" --region eu-west-1
+
+extra7101(){
+  for regx in $REGIONS; do
+    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
+    if [[ $LIST_OF_DOMAINS ]]; then
+      for domain in $LIST_OF_DOMAINS;do
+        AUDIT_LOGS_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.AUDIT_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
+        if [[ $AUDIT_LOGS_ENABLED ]];then
+          textPass "$regx: Amazon ES domain $domain AUDIT_LOGS enabled" "$regx"
+        else
+          textFail "$regx: Amazon ES domain $domain AUDIT_LOGS disabled!" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No Amazon ES domain found" "$regx"
+    fi
+  done
+}
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7102="7.102"
+CHECK_TITLE_extra7102="[extra7102] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY)"
+CHECK_SCORED_extra7102="NOT_SCORED"
+CHECK_TYPE_extra7102="EXTRA"
+CHECK_SEVERITY_extra7102="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
+CHECK_ALTERNATE_check7102="extra7102"
+
+# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively 
+# your IP will be banned by Shodan
+
+# This is the right way to do so
+# curl -ks https://api.shodan.io/shodan/host/{ip}?key={YOUR_API_KEY}
+
+
+# Each finding will be saved in prowler/output folder for further review.
+
+extra7102(){
+  if [[ ! $SHODAN_API_KEY ]]; then
+    textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>"
+  else 
+    for regx in $REGIONS; do
+      LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-addresses --query 'Addresses[*].PublicIp' --output text)
+      if [[ $LIST_OF_EIP ]]; then
+        for ip in $LIST_OF_EIP;do
+          SHODAN_QUERY=$(curl -ks https://api.shodan.io/shodan/host/$ip?key=$SHODAN_API_KEY)
+	  # Shodan has a request rate limit of 1 request/second.
+          sleep 1
+          if [[ $SHODAN_QUERY == *"No information available for that IP"* ]]; then
+            textPass "$regx: IP $ip is not listed in Shodan" "$regx"
+          else
+            echo $SHODAN_QUERY > $OUTPUT_DIR/shodan-output-$ip.json
+            IP_SHODAN_INFO=$(cat $OUTPUT_DIR/shodan-output-$ip.json | jq -r '. | { ports: .ports, org: .org, country: .country_name }| @text' | tr -d \"\{\}\}\]\[ | tr , '\ ' )
+            textFail "$regx: IP $ip is listed in Shodan with data $IP_SHODAN_INFO. More info https://www.shodan.io/host/$ip and $OUTPUT_DIR/shodan-output-$ip.json" "$regx"
+          fi
+        done
+      else
+        textInfo "$regx: No Public or Elastic IPs found" "$regx"
+      fi
+    done
+  fi
+}
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+    
+CHECK_ID_extra7103="7.103"
+CHECK_TITLE_extra7103="[extra7103] Check if Amazon SageMaker Notebook instances have root access disabled"
+CHECK_SCORED_extra7103="NOT_SCORED"
+CHECK_TYPE_extra7103="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7103="extra7103"
+CHECK_SEVERITY_extra7103="Medium"
+
+extra7103(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_ROOTACCESS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'RootAccess' --output text)
+                if [[ "${SM_NB_ROOTACCESS}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has root access enabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has root access disabled" "${regx}"                    
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}
+	
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7104="7.104"
+CHECK_TITLE_extra7104="[extra7104] Check if Amazon SageMaker Notebook instances have VPC settings configured"
+CHECK_SCORED_extra7104="NOT_SCORED"
+CHECK_TYPE_extra7104="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7104="extra7104"
+CHECK_SEVERITY_extra7104="Medium"
+
+extra7104(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_SUBNETID=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'SubnetId' --output text)
+                if [[ "${SM_NB_SUBNETID}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has VPC settings disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance is in a VPC" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+	
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7105="7.105"
+CHECK_TITLE_extra7105="[extra7105] Check if Amazon SageMaker Models have network isolation enabled"
+CHECK_SCORED_extra7105="NOT_SCORED"
+CHECK_TYPE_extra7105="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
+CHECK_ALTERNATE_check7105="extra7105"
+CHECK_SEVERITY_extra7105="Medium"
+	
+extra7105(){
+	for regx in ${REGIONS}; do
+		LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+		if [[ $LIST_SM_NB_MODELS ]];then 
+			for nb_model_name in $LIST_SM_NB_MODELS; do
+				SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'EnableNetworkIsolation' --output text)
+				if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+					textFail "${regx}: SageMaker Model $nb_model_name has network isolation disabled" "${regx}"
+				else
+					textPass "${regx}: SageMaker Model $nb_model_name has network isolation enabled" "${regx}"
+				fi 
+			done
+		else 
+			textInfo "${regx}: No Sagemaker Models found" "${regx}"
+		fi 
+	done
+}
+		
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7106="7.106"
+CHECK_TITLE_extra7106="[extra7106] Check if Amazon SageMaker Models have VPC settings configured"
+CHECK_SCORED_extra7106="NOT_SCORED"
+CHECK_TYPE_extra7106="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
+CHECK_ALTERNATE_check7106="extra7106"
+CHECK_SEVERITY_extra7106="Medium"
+    
+extra7106(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+        if [[ $LIST_SM_NB_MODELS ]];then 
+            for nb_model_name in $LIST_SM_NB_MODELS; do
+                SM_NB_VPCCONFIG=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_VPCCONFIG == "None" ]]; then
+                    textFail "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings disabled" "${regx}"
+                else
+                    textPass "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Models found" "${regx}"
+        fi 
+    done
+}
+	
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7107="7.107"
+CHECK_TITLE_extra7107="[extra7107] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled"
+CHECK_SCORED_extra7107="NOT_SCORED"
+CHECK_TYPE_extra7107="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7107="extra7107"
+CHECK_SEVERITY_extra7107="Medium"
+    
+extra7107(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_INTERCONTAINERENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableInterContainerTrafficEncryption' --output text)
+                if [[ $SM_NB_INTERCONTAINERENCRYPTION == "False" ]]; then
+                    textFail "${regx}: SageMaker Training job $nb_job_name has intercontainer encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: SageMaker Training jobs $nb_job_name has intercontainer encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Training found" "${regx}"
+        fi 
+    done
+}
+	
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7108="7.108"
+CHECK_TITLE_extra7108="[extra7108] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled"
+CHECK_SCORED_extra7108="NOT_SCORED"
+CHECK_TYPE_extra7108="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7108="extra7108"
+CHECK_SEVERITY_extra7108="Medium"
+    
+extra7108(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_JOB_KMSENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'ResourceConfig.VolumeKmsKeyId' --output text)
+                if [[ "${SM_JOB_KMSENCRYPTION}" == "None" ]];then
+                    textFail "${regx}: Sagemaker Trainings job $nb_job_name has KMS encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Trainings job $nb_job_name has KSM encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7109="7.109"
+CHECK_TITLE_extra7109="[extra7109] Check if Amazon SageMaker Training jobs have network isolation enabled"
+CHECK_SCORED_extra7109="NOT_SCORED"
+CHECK_TYPE_extra7109="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7109="extra7109"
+CHECK_SEVERITY_extra7109="Medium"
+    
+extra7109(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableNetworkIsolation' --output text)
+                if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has network isolation disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has network isolation enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}
+	
@@ -14,6 +14,7 @@ CHECK_ID_extra711="7.11"
 CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra711="NOT_SCORED"
 CHECK_TYPE_extra711="EXTRA"
+CHECK_SEVERITY_extra711="High"
 CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
 CHECK_ALTERNATE_check711="extra711"

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7110="7.110"
+CHECK_TITLE_extra7110="[extra7110] Check if Amazon SageMaker Training job have VPC settings configured."
+CHECK_SCORED_extra7110="NOT_SCORED"
+CHECK_TYPE_extra7110="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7110="extra7110"
+CHECK_SEVERITY_extra7110="Medium"
+    
+extra7110(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        if [[ $LIST_SM_NB_JOBS ]];then 
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_SUBNETS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_SUBNETS == "None" ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi 
+    done
+}
+	
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7111="7.111"
+CHECK_TITLE_extra7111="[extra7111] Check if Amazon SageMaker Notebook instances have direct internet access"
+CHECK_SCORED_extra7111="NOT_SCORED"
+CHECK_TYPE_extra7111="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7111="extra7111"
+CHECK_SEVERITY_extra7111="Medium"
+
+extra7111(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_DIRECTINET=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'DirectInternetAccess' --output text)
+                if [[ "${SM_NB_DIRECTINET}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access enabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access disabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+    
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7112="7.112"
+CHECK_TITLE_extra7112="[extra7112] Check if Amazon SageMaker Notebook instances have data encryption enabled"
+CHECK_SCORED_extra7112="NOT_SCORED"
+CHECK_TYPE_extra7112="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7112="extra7112"
+CHECK_SEVERITY_extra7112="Medium"
+
+extra7112(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        if [[ $LIST_SM_NB_INSTANCES ]];then 
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_KMSKEY=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'KmsKeyId' --output text)
+                if [[ "${SM_NB_KMSKEY}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has data encryption disabled" "${regx}"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has data encryption enabled" "${regx}"
+                fi 
+            done
+        else 
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi 
+    done
+}
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+# https://www.cloudconformity.com/knowledge-base/aws/RDS/instance-deletion-protection.html
+# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
+#
+# aws rds modify-db-instance \
+#	--region us-east-1 \
+#	--db-instance-identifier test-db \
+#	--deletion-protection \
+#	[--apply-immediately | --no-apply-immediately]
+
+CHECK_ID_extra7113="7.113"
+CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra7113="NOT_SCORED"
+CHECK_TYPE_extra7113="EXTRA"
+CHECK_SEVERITY_extra7113="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
+CHECK_ALTERNATE_check7113="extra7113"
+
+extra7113(){
+  textInfo "Looking for RDS Volumes in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
+    if [[ $LIST_OF_RDS_INSTANCES ]];then
+      for rdsinstance in $LIST_OF_RDS_INSTANCES; do
+        IS_DELETIONPROTECTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].DeletionProtection' --output text)
+        if [[ $IS_DELETIONPROTECTION == "False" ]]; then
+          textFail "$regx: RDS instance $rdsinstance deletion protection is not enabled!" "$regx"
+        else
+          textPass "$regx: RDS instance $rdsinstance deletion protection is enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No RDS instances found" "$regx"
+    fi
+  done
+}
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7114="7.114"
+CHECK_TITLE_extra7114="[extra7114] Check if Glue development endpoints have S3 encryption enabled."
+CHECK_SCORED_extra7114="NOT_SCORED"
+CHECK_TYPE_extra7114="EXTRA"
+CHECK_SEVERITY_extra7114="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
+CHECK_ALTERNATE_check7114="extra7114"
+
+extra7114(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
+          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}
+
+
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7115="7.115"
+CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection has SSL connection enabled."
+CHECK_SCORED_extra7115="NOT_SCORED"
+CHECK_TYPE_extra7115="EXTRA"
+CHECK_SEVERITY_extra7115="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
+CHECK_ALTERNATE_check7115="extra7115"
+
+extra7115(){
+  for regx in $REGIONS; do
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
+    if [[ $CONNECTION_LIST != '[]' ]]; then
+      for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
+          CONNECTION_NAME=$(echo $connection | base64 --decode   | jq -r '.Name' )
+          CONNECTION_SSL_STATE=$(echo $connection | base64 --decode  | jq -r '.SSL')
+          if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
+              textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled"  "$regx"
+          else 
+              textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled"  "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue connections" "$regx"
+    fi 
+  done     
+}
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7116="7.116"
+CHECK_TITLE_extra7116="[extra7116] Check if Glue data catalog settings have metadata encryption enabled."
+CHECK_SCORED_extra7116="NOT_SCORED"
+CHECK_TYPE_extra7116="EXTRA"
+CHECK_SEVERITY_extra7116="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
+CHECK_ALTERNATE_check7116="extra7116"
+
+extra7116(){
+  for regx in $REGIONS; do
+    TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx  --output text --query 'TableList[*]' )
+    if [[ ! -z $TABLE_LIST ]]; then
+      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
+      if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
+        textFail "$regx: Glue data catalog settings have metadata encryption disabled" "$regx"
+      else
+        textPass "$regx: Glue data catalog settings have metadata encryption enabled" "$regx"
+      fi
+    else
+      textInfo "$regx: Glue data catalog settings metadata encryption does not apply since there are no tables" "$regx"
+    fi
+  done
+}
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7117="7.117"
+CHECK_TITLE_extra7117="[extra7117] Check if Glue data catalog settings have encrypt connection password enabled."
+CHECK_SCORED_extra7117="NOT_SCORED"
+CHECK_TYPE_extra7117="EXTRA"
+CHECK_SEVERITY_extra7117="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
+CHECK_ALTERNATE_check7117="extra7117"
+
+extra7117(){
+  for regx in $REGIONS; do
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output text --query 'ConnectionList[*]')
+    if [[ ! -z $CONNECTION_LIST ]]; then
+      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
+      if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
+        textFail "$regx: Glue data catalog connection password is not encrypted" "$regx"
+      else
+        textPass "$regx: Glue data catalog connection password is encrypted" "$regx"
+      fi
+    else
+      textInfo "$regx: Glue data catalog connection password encryption does not apply since there are no connections" "$regx"
+    fi
+  done
+}
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7118="7.118"
+CHECK_TITLE_extra7118="[extra7118] Check if Glue ETL Jobs have S3 encryption enabled."
+CHECK_SCORED_extra7118="NOT_SCORED"
+CHECK_TYPE_extra7118="EXTRA"
+CHECK_SEVERITY_extra7118="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
+CHECK_ALTERNATE_check7118="extra7118"
+
+extra7118(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          JOB_ENCRYPTION=$(echo $job | base64 --decode | jq -r '.JobEncryption // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
+            if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
+              if [[ ! -z "$JOB_ENCRYPTION" ]]; then
+                textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+              else 
+                textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+              fi 
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx"
+            fi
+          elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
+            textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+          else 
+            textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7119="7.119"
+CHECK_TITLE_extra7119="[extra7119] Check if Glue development endpoints have CloudWatch logs encryption enabled."
+CHECK_SCORED_extra7119="NOT_SCORED"
+CHECK_TYPE_extra7119="EXTRA"
+CHECK_SEVERITY_extra7119="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
+CHECK_ALTERNATE_check7119="extra7119"
+
+extra7119(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
+          if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}
@@ -14,6 +14,7 @@ CHECK_ID_extra712="7.12"
 CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra712="NOT_SCORED"
 CHECK_TYPE_extra712="EXTRA"
+CHECK_SEVERITY_extra712="Low"
 CHECK_ALTERNATE_check712="extra712"

 extra712(){ 
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7120="7.120"
+CHECK_TITLE_extra7120="[extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled."
+CHECK_SCORED_extra7120="NOT_SCORED"
+CHECK_TYPE_extra7120="EXTRA"
+CHECK_SEVERITY_extra7120="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
+CHECK_ALTERNATE_check7120="extra7120"
+
+extra7120(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration  // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
+            if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7121="7.121"
+CHECK_TITLE_extra7121="[extra7121] Check if Glue development endpoints have Job bookmark encryption enabled."
+CHECK_SCORED_extra7121="NOT_SCORED"
+CHECK_TYPE_extra7121="EXTRA"
+CHECK_SEVERITY_extra7121="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
+CHECK_ALTERNATE_check7121="extra7121"
+
+extra7121(){
+  for regx in $REGIONS; do
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    if [[ $LIST_EP_SC != '[]' ]]; then
+      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
+        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
+        ENDPOINT_SC=$(echo $ep | base64 --decode | jq -r '.Security // empty')
+        if [[ ! -z "$ENDPOINT_SC" ]]; then
+          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
+          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+          else
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+          fi
+        else
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: There are no Glue development endpoints" "$regx"
+    fi
+  done
+}
+
+
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7122="7.122"
+CHECK_TITLE_extra7122="[extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled."
+CHECK_SCORED_extra7122="NOT_SCORED"
+CHECK_TYPE_extra7122="EXTRA"
+CHECK_SEVERITY_extra7122="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
+CHECK_ALTERNATE_check7122="extra7122"
+
+extra7122(){
+  for regx in $REGIONS; do
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    if [[ $JOB_LIST != '[]' ]]; then
+      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
+          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
+          SECURITY_CONFIGURATION=$(echo $job | base64 --decode | jq -r '.SecurityConfiguration // empty')
+          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
+            JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode')
+            if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
+              textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+            else
+              textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx"
+            fi
+          else
+            textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no Glue jobs" "$regx"
+    fi 
+  done
+}
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7123="7.123"
+CHECK_TITLE_extra7123="[extra7123] Check if IAM users have two active access keys"
+CHECK_SCORED_extra7123="NOT_SCORED"
+CHECK_TYPE_extra7123="EXTRA"
+CHECK_SEVERITY_extra7123="Medium"
+CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
+CHECK_ALTERNATE_check7123="extra7123"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7123="ens-op.acc.1.aws.iam.2"
+
+extra7123(){
+  LIST_OF_USERS_WITH_2ACCESS_KEYS=$(cat $TEMP_REPORT_FILE| awk -F, '{ print $1, $9, $14 }' |grep "\ true\ true" | awk '{ print $1 }')
+  if [[ $LIST_OF_USERS_WITH_2ACCESS_KEYS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_OF_USERS_WITH_2ACCESS_KEYS; do
+      textFail "User $user has 2 active access keys" 
+    done
+  else
+    textPass "No users with 2 active access keys"
+  fi
+}
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7124="7.124"
+CHECK_TITLE_extra7124="[extra7124] Check if EC2 instances are managed by Systems Manager."
+CHECK_SCORED_extra7124="NOT_SCORED"
+CHECK_TYPE_extra7124="EXTRA"
+CHECK_SEVERITY_extra7124="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
+CHECK_ALTERNATE_check7124="extra7124"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7124="ens-op.exp.1.aws.sys.1,ens-op.acc.4.aws.sys.1"
+
+extra7124(){
+  for regx in $REGIONS; do
+    # Filters running instances only 
+    LIST_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --query 'Reservations[*].Instances[*].[InstanceId]' --filters Name=instance-state-name,Values=running --region $regx --output text)
+    if [[ $LIST_EC2_INSTANCES ]]; then
+      LIST_SSM_MANAGED_INSTANCES=$($AWSCLI ssm describe-instance-information $PROFILE_OPT --query "InstanceInformationList[].InstanceId"  --region $regx | jq -r '.[]')
+      LIST_EC2_UNMANAGED=$(echo ${LIST_SSM_MANAGED_INSTANCES[@]} ${LIST_EC2_INSTANCES[@]} | tr ' ' '\n' | sort | uniq -u)
+      if [[ $LIST_EC2_UNMANAGED ]]; then
+        for instance in $LIST_EC2_UNMANAGED; do
+          textFail "$regx: EC2 instance $instance is not managed by Systems Manager" "$regx"
+        done
+      fi 
+      if [[ $LIST_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $LIST_SSM_MANAGED_INSTANCES; do 
+          textPass "$regx: EC2 instance $instance is managed by Systems Manager" "$regx"
+        done 
+      fi 
+    else 
+      textInfo "$regx: No EC2 instances running found" "$regx"
+    fi
+  done
+}
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7125="7.125"
+CHECK_TITLE_extra7125="[extra7125] Check if IAM users have Hardware MFA enabled."
+CHECK_SCORED_extra7125="NOT_SCORED"
+CHECK_TYPE_extra7125="EXTRA"
+CHECK_SEVERITY_extra7125="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
+CHECK_ALTERNATE_check7125="extra7125"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7125="ens-op.acc.5.aws.iam.2"
+
+extra7125(){
+  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
+  if [[ $LIST_USERS ]]; then
+    # textFail "Users with access key 1 older than 90 days:"
+    for user in $LIST_USERS; do
+      # Would be virtual if sms-mfa or mfa, hardware is u2f or different.
+      MFA_TYPE=$($AWSCLI iam list-mfa-devices --user-name $user $PROFILE_OPT --region $REGION --query MFADevices[].SerialNumber --output text | awk -F':' '{ print $6 }'| awk -F'/' '{ print $1 }')
+      if [[ $MFA_TYPE == "mfa" || $MFA_TYPE == "sms-mfa" ]]; then 
+        textInfo "User $user has virtual MFA enabled" 
+      elif [[ $MFA_TYPE == "" ]]; then 
+        textFail "User $user has not hardware MFA enabled"
+      else 
+        textPass "User $user has hardware MFA enabled"
+      fi
+    done
+  else
+    textPass "No users found"
+  fi
+}
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7126="7.126"
+CHECK_TITLE_extra7126="[extra7126] Check if there are CMK KMS keys not used"
+CHECK_SCORED_extra7126="NOT_SCORED"
+CHECK_TYPE_extra7126="EXTRA"
+CHECK_SEVERITY_extra7126="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
+CHECK_ALTERNATE_check7126="extra7126"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7126="op.exp.11.aws.kms.2"
+
+extra7126(){
+  for regx in $REGIONS; do
+    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --output text |grep -v :alias/aws/ |awk '{ print $4 }')
+    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
+      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
+        CHECK_STATUS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output json | jq -r '.KeyMetadata.KeyState')
+        if [[ $CHECK_STATUS == "PendingDeletion" ]]; then
+          textInfo "$regx: KMS key $key is pending deletion" "$regx"
+        elif [[ $CHECK_STATUS == "Disabled"  ]]; then
+          textInfo "$regx: KMS key $key is disabled" "$regx"
+        else
+          textPass "$regx: KMS key $key is not disabled or pending deletion" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No KMS keys found" "$regx"
+    fi
+  done
+}
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7127="7.127"
+CHECK_TITLE_extra7127="[extra7127] Check if EC2 instances managed by Systems Manager are compliant with patching requirements"
+CHECK_SCORED_extra7127="NOT_SCORED"
+CHECK_TYPE_extra7127="EXTRA"
+CHECK_SEVERITY_extra7127="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7127="AwsEc2Instance"
+CHECK_ASFF_TYPE_extra7127="Software and Configuration Checks/ENS op.exp.4.aws.sys.1"
+CHECK_ALTERNATE_check7127="extra7127"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7127="ens-op.exp.1.aws.sys.1,ens-op.exp.4.aws.sys.1"
+
+
+extra7127(){
+  for regx in $REGIONS; do
+    NON_COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=NON_COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    COMPLIANT_SSM_MANAGED_INSTANCES=$($AWSCLI ssm list-resource-compliance-summaries $PROFILE_OPT --region $regx --filters Key=Status,Values=COMPLIANT --query ResourceComplianceSummaryItems[].ResourceId --output text)
+    if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES || $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+      if [[ $NON_COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $NON_COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textFail "$regx: EC2 managed instance $instance is non-compliant" "$regx"
+        done
+      fi
+      if [[ $COMPLIANT_SSM_MANAGED_INSTANCES ]]; then
+        for instance in $COMPLIANT_SSM_MANAGED_INSTANCES; do
+          textPass "$regx: EC2 managed instance $instance is compliant" "$regx"
+        done
+      fi 
+    else 
+      textInfo "$regx: No EC2 managed instances found" "$regx"
+    fi
+  done
+}
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7128="7.128"
+CHECK_TITLE_extra7128="[extra7128] Check if DynamoDB table has encryption at rest enabled using CMK KMS"
+CHECK_SCORED_extra7128="NOT_SCORED"
+CHECK_TYPE_extra7128="EXTRA"
+CHECK_SEVERITY_extra7128="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7128="AwsDynamoDBTable"
+CHECK_ALTERNATE_check7128="extra7128"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7128="ens-mp.info.3.aws.dyndb.1"
+
+extra7128(){
+  for regx in $REGIONS; do
+    DDB_TABLES_LIST=$($AWSCLI dynamodb list-tables $PROFILE_OPT --region $regx --output text --query TableNames)
+    if [[ $DDB_TABLES_LIST ]]; then
+      for table in $DDB_TABLES_LIST; do
+          DDB_TABLE_WITH_KMS=$($AWSCLI dynamodb describe-table --table-name $table $PROFILE_OPT --region $regx --query Table.SSEDescription.SSEType --output text)
+          if [[ $DDB_TABLE_WITH_KMS == "KMS" ]]; then
+            textPass "$regx: DynamoDB table $table does have KMS encryption enabled" "$regx"
+          else
+            textInfo "$regx: DynamoDB table $table does have DEFAULT encryption enabled" "$regx"
+          fi
+      done
+    else 
+      textInfo "$regx: There are no DynamoDB tables" "$regx"
+    fi 
+  done
+}
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7129="7.129"
+CHECK_TITLE_extra7129="[extra7129] Check if Application Load Balancer has a WAF ACL attached"
+CHECK_SCORED_extra7129="NOT_SCORED"
+CHECK_TYPE_extra7129="EXTRA"
+CHECK_SEVERITY_extra7129="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7129="AwsElasticLoadBalancingV2LoadBalancer"
+CHECK_ALTERNATE_check7129="extra7129"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7129="ens-mp.s.2.aws.waf.3"
+
+extra7129(){
+  for regx in $REGIONS; do
+    LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Scheme == `internet-facing` && Type == `application`].[LoadBalancerName]' --output text)
+    LIST_OF_WAFV2_WEBACL_ARN=$($AWSCLI wafv2 list-web-acls $PROFILE_OPT --region=$regx --scope=REGIONAL --query WebACLs[*].ARN --output text)
+    if [[ $LIST_OF_ELBSV2 ]]; then
+      for alb in $LIST_OF_ELBSV2; do
+        if [[ $LIST_OF_WAFV2_WEBACL_ARN ]]; then 
+          WAF_PROTECTED_ALBS=()
+          for wafaclarn in $LIST_OF_WAFV2_WEBACL_ARN; do
+            ALB_RESOURCES_IN_WEBACL=$($AWSCLI wafv2 list-resources-for-web-acl $PROFILE_OPT --web-acl-arn $wafaclarn --region=$regx --resource-type APPLICATION_LOAD_BALANCER --query ResourceArns --output text | xargs -n1 | awk -F'/' '{ print $3 }'| grep $alb)
+            if [[ $ALB_RESOURCES_IN_WEBACL ]]; then 
+              WAF_PROTECTED_ALBS+=($wafaclarn)
+            fi
+          done
+          if [[ ${#WAF_PROTECTED_ALBS[@]} -gt 0 ]]; then
+            for wafaclarn in "${WAF_PROTECTED_ALBS[@]}"; do
+              WAFV2_WEBACL_ARN_SHORT=$(echo $wafaclarn |  awk -F'/' '{ print $3 }')
+              textPass "$regx: Application Load Balancer $alb is protected by WAFv2 ACL $WAFV2_WEBACL_ARN_SHORT" "$regx"
+            done
+          else
+            textFail "$regx: Application Load Balancer $alb is not protected by WAFv2 ACL" "$regx"
+          fi
+        else 
+          textFail "$regx: Application Load Balancer $alb is not protected no WAFv2 ACL found" "$regx"
+        fi
+      done         
+    else
+      textInfo "$regx: No Application Load Balancers found" "$regx"
+    fi    
+  done
+}
@@ -14,7 +14,9 @@ CHECK_ID_extra713="7.13"
 CHECK_TITLE_extra713="[extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra713="NOT_SCORED"
 CHECK_TYPE_extra713="EXTRA"
+CHECK_SEVERITY_extra713="High"
 CHECK_ALTERNATE_check713="extra713"
+CHECK_ASFF_COMPLIANCE_TYPE_extra713="ens-op.mon.1.aws.duty.1"

 extra713(){
  # "Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)"
@@ -14,6 +14,7 @@ CHECK_ID_extra714="7.14"
 CHECK_TITLE_extra714="[extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra714="NOT_SCORED"
 CHECK_TYPE_extra714="EXTRA"
+CHECK_SEVERITY_extra714="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra714="AwsCloudFrontDistribution"
 CHECK_ALTERNATE_check714="extra714"

@@ -14,6 +14,7 @@ CHECK_ID_extra715="7.15"
 CHECK_TITLE_extra715="[extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled"
 CHECK_SCORED_extra715="NOT_SCORED"
 CHECK_TYPE_extra715="EXTRA"
+CHECK_SEVERITY_extra715="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra715="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check715="extra715"

@@ -14,6 +14,7 @@ CHECK_ID_extra716="7.16"
 CHECK_TITLE_extra716="[extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or if it has open policy access"
 CHECK_SCORED_extra716="NOT_SCORED"
 CHECK_TYPE_extra716="EXTRA"
+CHECK_SEVERITY_extra716="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra716="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check716="extra716"

@@ -14,6 +14,7 @@ CHECK_ID_extra717="7.17"
 CHECK_TITLE_extra717="[extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra717="NOT_SCORED"
 CHECK_TYPE_extra717="EXTRA"
+CHECK_SEVERITY_extra717="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra717="AwsElbLoadBalancer"
 CHECK_ALTERNATE_check717="extra717"

@@ -14,6 +14,7 @@ CHECK_ID_extra718="7.18"
 CHECK_TITLE_extra718="[extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra718="NOT_SCORED"
 CHECK_TYPE_extra718="EXTRA"
+CHECK_SEVERITY_extra718="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra718="AwsS3Bucket"
 CHECK_ALTERNATE_check718="extra718"

@@ -14,6 +14,7 @@ CHECK_ID_extra719="7.19"
 CHECK_TITLE_extra719="[extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra719="NOT_SCORED"
 CHECK_TYPE_extra719="EXTRA"
+CHECK_SEVERITY_extra719="Medium"
 CHECK_ALTERNATE_check719="extra719"

 extra719(){
@@ -14,6 +14,7 @@ CHECK_ID_extra72="7.2"
 CHECK_TITLE_extra72="[extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra72="NOT_SCORED"
 CHECK_TYPE_extra72="EXTRA"
+CHECK_SEVERITY_extra72="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra72="AwsEc2Snapshot"
 CHECK_ALTERNATE_extra702="extra72"
 CHECK_ALTERNATE_check72="extra72"
@@ -14,6 +14,7 @@ CHECK_ID_extra720="7.20"
 CHECK_TITLE_extra720="[extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra720="NOT_SCORED"
 CHECK_TYPE_extra720="EXTRA"
+CHECK_SEVERITY_extra720="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra720="AwsLambdaFunction"
 CHECK_ALTERNATE_check720="extra720"

@@ -14,6 +14,7 @@ CHECK_ID_extra721="7.21"
 CHECK_TITLE_extra721="[extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra721="NOT_SCORED"
 CHECK_TYPE_extra721="EXTRA"
+CHECK_SEVERITY_extra721="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra721="AwsRedshiftCluster"
 CHECK_ALTERNATE_check721="extra721"

@@ -14,6 +14,7 @@ CHECK_ID_extra722="7.22"
 CHECK_TITLE_extra722="[extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra722="NOT_SCORED"
 CHECK_TYPE_extra722="EXTRA"
+CHECK_SEVERITY_extra722="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra722="AwsApiGatewayRestApi"
 CHECK_ALTERNATE_check722="extra722"

@@ -14,6 +14,7 @@ CHECK_ID_extra723="7.23"
 CHECK_TITLE_extra723="[extra723] Check if RDS Snapshots and Cluster Snapshots are public (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra723="NOT_SCORED"
 CHECK_TYPE_extra723="EXTRA"
+CHECK_SEVERITY_extra723="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra723="AwsRdsDbSnapshot"
 CHECK_ALTERNATE_check723="extra723"

@@ -14,6 +14,7 @@ CHECK_ID_extra724="7.24"
 CHECK_TITLE_extra724="[extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra724="NOT_SCORED"
 CHECK_TYPE_extra724="EXTRA"
+CHECK_SEVERITY_extra724="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra724="AwsCertificateManagerCertificate"
 CHECK_ALTERNATE_check724="extra724"

--- a/Show More
+++ b/Show More