fix(ci): Release edited (#1276 )

fix(ci): Remove check-update (#1275 )
docs(readme): Fix spelling errors (#1274 )
2026-01-25 02:08:11 +00:00 · 2022-07-21 17:44:26 +02:00 · 2022-07-21 17:33:28 +02:00 · 2022-07-21 17:06:03 +02:00 · 2022-07-21 10:48:32 +02:00 · 2022-07-21 10:42:40 +02:00
369 changed files with 12101 additions and 3944 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,16 @@
+# Ignore git files
 .git/
+.github/
+
+# Ignore Dodckerfile
+Dockerfile
+
+# Ignore hidden files
+.pre-commit-config.yaml
+.dockerignore
+.gitignore
+.pytest*
+.DS_Store

 # Ignore output directories
 output/
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @prowler-cloud/prowler-team
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,50 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug]: "
+labels: bug, status/needs-triage
+assignees: ''
+
+---
+
+<!--
+Please use this template to create your bug report. By providing as much info as possible you help us understand the issue, reproduce it and resolve it for you quicker. Therefore, take a couple of extra minutes to make sure you have provided all info needed.
+
+PROTIP: record your screen and attach it as a gif to showcase the issue.
+
+- How to record and attach gif: https://bit.ly/2Mi8T6K
+-->
+
+**What happened?**  
+A clear and concise description of what the bug is or what is not working as expected
+
+
+**How to reproduce it**  
+Steps to reproduce the behavior:
+1. What command are you running?
+2. Environment you have, like single account, multi-account, organizations, etc.
+3. See error
+
+
+**Expected behavior**  
+A clear and concise description of what you expected to happen.
+
+
+**Screenshots or Logs**  
+If applicable, add screenshots to help explain your problem.
+Also, you can add logs (anonymize them first!). Here a command that may help to share a log
+`bash -x ./prowler -options > debug.log 2>&1` then attach here `debug.log`
+
+
+**From where are you running Prowler?**  
+Please, complete the following information:
+ - Resource: [e.g. EC2 instance, Fargate task, Docker container manually, EKS, Cloud9, CodeBuild, workstation, etc.)  
+ - OS: [e.g. Amazon Linux 2, Mac, Alpine, Windows, etc. ]
+ - AWS-CLI Version [`aws --version`]:
+ - Prowler Version [`./prowler -V`]:
+ - Shell and version:
+ - Others:
+
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement, status/needs-triage
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1 +1,13 @@
+### Context 
+
+Please include relevant motivation and context for this PR.
+
+
+### Description
+
+Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.
+
+
+### License
+
 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
--- a/.github/workflows/build-lint-push-containers.yml
+++ b/.github/workflows/build-lint-push-containers.yml
@@ -0,0 +1,198 @@
+name: build-lint-push-containers
+
+on:
+  push:
+    branches:
+      - 'master'
+    paths-ignore:
+      - '.github/**'
+      - 'README.md'
+      
+  release:
+    types: [published, edited]
+
+env:
+  AWS_REGION_STG: eu-west-1
+  AWS_REGION_PRO: us-east-1
+  IMAGE_NAME: prowler
+  LATEST_TAG: latest
+  TEMPORARY_TAG: temporary
+  DOCKERFILE_PATH: ./Dockerfile
+
+jobs:
+  # Lint Dockerfile using Hadolint
+  # dockerfile-linter:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     -
+  #       name: Checkout
+  #       uses: actions/checkout@v3
+  #     -
+  #       name: Install Hadolint
+  #       run: |
+  #         VERSION=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | \
+  #           grep '"tag_name":' | \
+  #           sed -E 's/.*"v([^"]+)".*/\1/' \
+  #           ) && curl -L -o /tmp/hadolint https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 \
+  #           && chmod +x /tmp/hadolint
+  #     -
+  #       name: Run Hadolint
+  #       run: |
+  #         /tmp/hadolint util/Dockerfile
+
+  # Build Prowler OSS container
+  container-build:
+    # needs: dockerfile-linter
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Build
+        uses: docker/build-push-action@v2
+        with:
+          # Without pushing to registries
+          push: false
+          tags: ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME }}.tar
+      -
+        name: Share image between jobs
+        uses: actions/upload-artifact@v2
+        with:
+          name: ${{ env.IMAGE_NAME }}.tar
+          path: /tmp/${{ env.IMAGE_NAME }}.tar
+
+  # Lint Prowler OSS container using Dockle
+  # container-linter:
+  #   needs: container-build
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     -
+  #       name: Get container image from shared
+  #       uses: actions/download-artifact@v2
+  #       with:
+  #         name: ${{ env.IMAGE_NAME }}.tar
+  #         path: /tmp
+  #     -
+  #       name: Load Docker image
+  #       run: |
+  #         docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
+  #         docker image ls -a
+  #     -
+  #       name: Install Dockle
+  #       run: |
+  #         VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
+  #           grep '"tag_name":' | \
+  #           sed -E 's/.*"v([^"]+)".*/\1/' \
+  #           ) && curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb \
+  #           && sudo dpkg -i dockle.deb && rm dockle.deb
+  #     -
+  #       name: Run Dockle
+  #       run: dockle ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }}
+
+  # Push Prowler OSS container to registries
+  container-push:
+    # needs: container-linter
+    needs: container-build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read    # This is required for actions/checkout
+    steps:
+      -
+        name: Get container image from shared
+        uses: actions/download-artifact@v2
+        with:
+          name: ${{ env.IMAGE_NAME }}.tar
+          path: /tmp
+      -
+        name: Load Docker image
+        run: |
+          docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
+          docker image ls -a
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Login to Public ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: ${{ env.AWS_REGION_PRO }}
+      -
+        name: Configure AWS Credentials -- STG
+        if: github.event_name == 'push'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ env.AWS_REGION_STG }}
+          role-to-assume: ${{ secrets.STG_IAM_ROLE_ARN }}
+          role-session-name: build-lint-containers-stg
+      -
+        name: Login to ECR -- STG
+        if: github.event_name == 'push'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ secrets.STG_ECR }}
+      -
+        name: Configure AWS Credentials -- PRO
+        if: github.event_name == 'release'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ env.AWS_REGION_PRO }}
+          role-to-assume: ${{ secrets.PRO_IAM_ROLE_ARN }}
+          role-session-name: build-lint-containers-pro
+      -
+        name: Login to ECR -- PRO
+        if: github.event_name == 'release'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ secrets.PRO_ECR }}
+      -
+        # Push to master branch - push "latest" tag
+        name: Tag (latest)
+        if: github.event_name == 'push'
+        run: |
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.STG_ECR }}/${{ secrets.STG_ECR_REPOSITORY }}:${{ env.LATEST_TAG }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+      -
+        # Push to master branch - push "latest" tag
+        name: Push (latest)
+        if: github.event_name == 'push'
+        run: |
+          docker push ${{ secrets.STG_ECR }}/${{ secrets.STG_ECR_REPOSITORY }}:${{ env.LATEST_TAG }}
+          docker push ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+          docker push ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }}
+      -
+        # Push the new release
+        name: Tag (release)
+        if: github.event_name == 'release'
+        run: |
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PRO_ECR }}/${{ secrets.PRO_ECR_REPOSITORY }}:${{ github.event.release.tag_name }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.TEMPORARY_TAG }} ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+      -
+        # Push the new release
+        name: Push (release)
+        if: github.event_name == 'release'
+        run: |
+          docker push ${{ secrets.PRO_ECR }}/${{ secrets.PRO_ECR_REPOSITORY }}:${{ github.event.release.tag_name }}
+          docker push ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          docker push ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+      -
+        name: Delete artifacts
+        if: always()
+        uses: geekyeggo/delete-artifact@v1
+        with:
+          name: ${{ env.IMAGE_NAME }}.tar
--- a/.github/workflows/find-secrets.yml
+++ b/.github/workflows/find-secrets.yml
@@ -0,0 +1,18 @@
+name: find-secrets
+
+on: pull_request
+
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@v3.4.4
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
--- a/.github/workflows/refresh_aws_services_regions.yml
+++ b/.github/workflows/refresh_aws_services_regions.yml
@@ -0,0 +1,50 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Refresh regions of AWS services
+
+on:
+  schedule:
+    - cron: "0 9 * * *" #runs at 09:00 UTC everyday
+
+env:
+  GITHUB_BRANCH: "prowler-3.0-dev"
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ env.GITHUB_BRANCH }}
+
+      - name: setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9 #install the python needed
+
+      # Runs a single command using the runners shell
+      - name: Run a one-line script
+        run: python3 util/update_aws_services_regions.py
+
+      # Create pull request
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "feat(regions_update): Update regions for AWS services."
+          branch: "aws-services-regions-updated"
+          labels: "status/waiting-for-revision, severity/low"
+          title: "feat(regions_update): Changes in regions for AWS services."
+          body: |
+            ### Description
+
+            This PR updates the regions for AWS services.
+            
+            ### License
+
+            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ Sessionx.vim
 *~
 # Auto-generated tag files
 tags
+
 # Persistent undo
 [._]*.un~

@@ -23,8 +24,17 @@ tags
 # Prowler output
 output/

+# Prowler found secrets
+secrets-*/
+
 # JUnit Reports
 junit-reports/

 # VSCode files
 .vscode/
+
+terraform-kickstarter/.terraform.lock.hcl
+
+terraform-kickstarter/.terraform/providers/registry.terraform.io/hashicorp/aws/3.56.0/darwin_amd64/terraform-provider-aws_v3.56.0_x5
+
+terraform-kickstarter/terraform.tfstate
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,29 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.3.0
+    hooks:
+      - id: check-merge-conflict
+      - id: check-yaml
+        args: ['--unsafe']
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+        exclude: 'README.md'
+      - id: no-commit-to-branch
+      - id: pretty-format-json
+        args: ['--autofix']
+
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.8.0
+    hooks:
+    -   id: shellcheck
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.10.0
+    hooks:
+      - id: hadolint
+        name: Lint Dockerfiles
+        description: Runs hadolint to lint Dockerfiles
+        language: system
+        types: ["dockerfile"]
+        entry: hadolint
--- a/64
+++ b/64
@@ -0,0 +1,64 @@
+# Build command
+# docker build --platform=linux/amd64  --no-cache -t prowler:latest -f util/Dockerfile .
+
+# hadolint ignore=DL3007
+FROM public.ecr.aws/amazonlinux/amazonlinux:latest
+
+LABEL maintainer="https://github.com/prowler-cloud/prowler"
+
+ARG USERNAME=prowler
+ARG USERID=34000
+
+# Prepare image as root
+USER 0
+# System dependencies
+# hadolint ignore=DL3006,DL3013,DL3033
+RUN yum upgrade -y  && \
+  yum install -y python3 bash curl jq coreutils py3-pip which unzip shadow-utils && \
+  yum clean all && \
+  rm -rf /var/cache/yum
+
+RUN amazon-linux-extras install -y epel postgresql14 && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+# Create non-root user
+RUN  useradd -l -s /bin/bash -U -u ${USERID} ${USERNAME}
+
+USER ${USERNAME}
+
+# Python dependencies
+# hadolint ignore=DL3006,DL3013,DL3042
+RUN pip3 install --upgrade pip && \
+  pip3 install --no-cache-dir boto3 detect-secrets==1.0.3 && \
+  pip3 cache purge
+# Set Python PATH
+ENV PATH="/home/${USERNAME}/.local/bin:${PATH}"
+
+USER 0
+
+# Install AWS CLI
+RUN curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip && \
+  unzip -q awscliv2.zip && \
+  aws/install && \
+  rm -rf aws awscliv2.zip
+
+# Keep Python2 for yum
+RUN sed -i '1 s/python/python2.7/' /usr/bin/yum
+
+# Set Python3
+RUN rm /usr/bin/python && \
+    ln -s /usr/bin/python3 /usr/bin/python
+
+# Set working directory
+WORKDIR /prowler
+
+# Copy all files
+COPY . ./
+
+# Set files ownership
+RUN chown -R prowler .
+
+USER ${USERNAME}
+
+ENTRYPOINT ["./prowler"]
--- a/205
+++ b/205
@@ -1,6 +1,201 @@
-All CIS based checks in the checks folder are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License.
-The link to the license terms can be found at
-https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
+                                Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/

-Any other piece of code is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
-http://www.apache.org/licenses/LICENSE-2.0
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+Copyright 2018 Netflix, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/LICENSE-APACHE-2.0
+++ b/LICENSE-APACHE-2.0
@@ -1,201 +0,0 @@
-Apache License
-Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-"License" shall mean the terms and conditions for use, reproduction,
-and distribution as defined by Sections 1 through 9 of this document.
-
-"Licensor" shall mean the copyright owner or entity authorized by
-the copyright owner that is granting the License.
-
-"Legal Entity" shall mean the union of the acting entity and all
-other entities that control, are controlled by, or are under common
-control with that entity. For the purposes of this definition,
-"control" means (i) the power, direct or indirect, to cause the
-direction or management of such entity, whether by contract or
-otherwise, or (ii) ownership of fifty percent (50%) or more of the
-outstanding shares, or (iii) beneficial ownership of such entity.
-
-"You" (or "Your") shall mean an individual or Legal Entity
-exercising permissions granted by this License.
-
-"Source" form shall mean the preferred form for making modifications,
-including but not limited to software source code, documentation
-source, and configuration files.
-
-"Object" form shall mean any form resulting from mechanical
-transformation or translation of a Source form, including but
-not limited to compiled object code, generated documentation,
-and conversions to other media types.
-
-"Work" shall mean the work of authorship, whether in Source or
-Object form, made available under the License, as indicated by a
-copyright notice that is included in or attached to the work
-(an example is provided in the Appendix below).
-
-"Derivative Works" shall mean any work, whether in Source or Object
-form, that is based on (or derived from) the Work and for which the
-editorial revisions, annotations, elaborations, or other modifications
-represent, as a whole, an original work of authorship. For the purposes
-of this License, Derivative Works shall not include works that remain
-separable from, or merely link (or bind by name) to the interfaces of,
-the Work and Derivative Works thereof.
-
-"Contribution" shall mean any work of authorship, including
-the original version of the Work and any modifications or additions
-to that Work or Derivative Works thereof, that is intentionally
-submitted to Licensor for inclusion in the Work by the copyright owner
-or by an individual or Legal Entity authorized to submit on behalf of
-the copyright owner. For the purposes of this definition, "submitted"
-means any form of electronic, verbal, or written communication sent
-to the Licensor or its representatives, including but not limited to
-communication on electronic mailing lists, source code control systems,
-and issue tracking systems that are managed by, or on behalf of, the
-Licensor for the purpose of discussing and improving the Work, but
-excluding communication that is conspicuously marked or otherwise
-designated in writing by the copyright owner as "Not a Contribution."
-
-"Contributor" shall mean Licensor and any individual or Legal Entity
-on behalf of whom a Contribution has been received by Licensor and
-subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-copyright license to reproduce, prepare Derivative Works of,
-publicly display, publicly perform, sublicense, and distribute the
-Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-(except as stated in this section) patent license to make, have made,
-use, offer to sell, sell, import, and otherwise transfer the Work,
-where such license applies only to those patent claims licensable
-by such Contributor that are necessarily infringed by their
-Contribution(s) alone or by combination of their Contribution(s)
-with the Work to which such Contribution(s) was submitted. If You
-institute patent litigation against any entity (including a
-cross-claim or counterclaim in a lawsuit) alleging that the Work
-or a Contribution incorporated within the Work constitutes direct
-or contributory patent infringement, then any patent licenses
-granted to You under this License for that Work shall terminate
-as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the
-Work or Derivative Works thereof in any medium, with or without
-modifications, and in Source or Object form, provided that You
-meet the following conditions:
-
-(a) You must give any other recipients of the Work or
-Derivative Works a copy of this License; and
-
-(b) You must cause any modified files to carry prominent notices
-stating that You changed the files; and
-
-(c) You must retain, in the Source form of any Derivative Works
-that You distribute, all copyright, patent, trademark, and
-attribution notices from the Source form of the Work,
-excluding those notices that do not pertain to any part of
-the Derivative Works; and
-
-(d) If the Work includes a "NOTICE" text file as part of its
-distribution, then any Derivative Works that You distribute must
-include a readable copy of the attribution notices contained
-within such NOTICE file, excluding those notices that do not
-pertain to any part of the Derivative Works, in at least one
-of the following places: within a NOTICE text file distributed
-as part of the Derivative Works; within the Source form or
-documentation, if provided along with the Derivative Works; or,
-within a display generated by the Derivative Works, if and
-wherever such third-party notices normally appear. The contents
-of the NOTICE file are for informational purposes only and
-do not modify the License. You may add Your own attribution
-notices within Derivative Works that You distribute, alongside
-or as an addendum to the NOTICE text from the Work, provided
-that such additional attribution notices cannot be construed
-as modifying the License.
-
-You may add Your own copyright statement to Your modifications and
-may provide additional or different license terms and conditions
-for use, reproduction, or distribution of Your modifications, or
-for any such Derivative Works as a whole, provided Your use,
-reproduction, and distribution of the Work otherwise complies with
-the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise,
-any Contribution intentionally submitted for inclusion in the Work
-by You to the Licensor shall be under the terms and conditions of
-this License, without any additional terms or conditions.
-Notwithstanding the above, nothing herein shall supersede or modify
-the terms of any separate license agreement you may have executed
-with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade
-names, trademarks, service marks, or product names of the Licensor,
-except as required for reasonable and customary use in describing the
-origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or
-agreed to in writing, Licensor provides the Work (and each
-Contributor provides its Contributions) on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-implied, including, without limitation, any warranties or conditions
-of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-PARTICULAR PURPOSE. You are solely responsible for determining the
-appropriateness of using or redistributing the Work and assume any
-risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory,
-whether in tort (including negligence), contract, or otherwise,
-unless required by applicable law (such as deliberate and grossly
-negligent acts) or agreed to in writing, shall any Contributor be
-liable to You for damages, including any direct, indirect, special,
-incidental, or consequential damages of any character arising as a
-result of this License or out of the use or inability to use the
-Work (including but not limited to damages for loss of goodwill,
-work stoppage, computer failure or malfunction, or any and all
-other commercial damages or losses), even if such Contributor
-has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing
-the Work or Derivative Works thereof, You may choose to offer,
-and charge a fee for, acceptance of support, warranty, indemnity,
-or other liability obligations and/or rights consistent with this
-License. However, in accepting such obligations, You may act only
-on Your own behalf and on Your sole responsibility, not on behalf
-of any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability
-incurred by, or claims asserted against, such Contributor by reason
-of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-To apply the Apache License to your work, attach the following
-boilerplate notice, with the fields enclosed by brackets "[]"
-replaced with your own identifying information. (Don't include
-the brackets!)  The text should be enclosed in the appropriate
-comment syntax for the file format. We also recommend that a
-file or class name and description of purpose be included on the
-same "printed page" as the copyright notice for easier
-identification within third-party archives.
-
-Copyright [yyyy] [name of copyright owner]
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--- a/LICENSE-CC-BY-SA-4.0
+++ b/LICENSE-CC-BY-SA-4.0
@@ -1,360 +0,0 @@
-Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
-Public License
-
-By exercising the Licensed Rights (defined below), You accept and agree
-to be bound by the terms and conditions of this Creative Commons
-Attribution-NonCommercial-ShareAlike 4.0 International Public License
-("Public License"). To the extent this Public License may be
-interpreted as a contract, You are granted the Licensed Rights in
-consideration of Your acceptance of these terms and conditions, and the
-Licensor grants You such rights in consideration of benefits the
-Licensor receives from making the Licensed Material available under
-these terms and conditions.
-
-
-Section 1 -- Definitions.
-
-  a. Adapted Material means material subject to Copyright and Similar
-     Rights that is derived from or based upon the Licensed Material
-     and in which the Licensed Material is translated, altered,
-     arranged, transformed, or otherwise modified in a manner requiring
-     permission under the Copyright and Similar Rights held by the
-     Licensor. For purposes of this Public License, where the Licensed
-     Material is a musical work, performance, or sound recording,
-     Adapted Material is always produced where the Licensed Material is
-     synched in timed relation with a moving image.
-
-  b. Adapter's License means the license You apply to Your Copyright
-     and Similar Rights in Your contributions to Adapted Material in
-     accordance with the terms and conditions of this Public License.
-
-  c. BY-NC-SA Compatible License means a license listed at
-     creativecommons.org/compatiblelicenses, approved by Creative
-     Commons as essentially the equivalent of this Public License.
-
-  d. Copyright and Similar Rights means copyright and/or similar rights
-     closely related to copyright including, without limitation,
-     performance, broadcast, sound recording, and Sui Generis Database
-     Rights, without regard to how the rights are labeled or
-     categorized. For purposes of this Public License, the rights
-     specified in Section 2(b)(1)-(2) are not Copyright and Similar
-     Rights.
-
-  e. Effective Technological Measures means those measures that, in the
-     absence of proper authority, may not be circumvented under laws
-     fulfilling obligations under Article 11 of the WIPO Copyright
-     Treaty adopted on December 20, 1996, and/or similar international
-     agreements.
-
-  f. Exceptions and Limitations means fair use, fair dealing, and/or
-     any other exception or limitation to Copyright and Similar Rights
-     that applies to Your use of the Licensed Material.
-
-  g. License Elements means the license attributes listed in the name
-     of a Creative Commons Public License. The License Elements of this
-     Public License are Attribution, NonCommercial, and ShareAlike.
-
-  h. Licensed Material means the artistic or literary work, database,
-     or other material to which the Licensor applied this Public
-     License.
-
-  i. Licensed Rights means the rights granted to You subject to the
-     terms and conditions of this Public License, which are limited to
-     all Copyright and Similar Rights that apply to Your use of the
-     Licensed Material and that the Licensor has authority to license.
-
-  j. Licensor means the individual(s) or entity(ies) granting rights
-     under this Public License.
-
-  k. NonCommercial means not primarily intended for or directed towards
-     commercial advantage or monetary compensation. For purposes of
-     this Public License, the exchange of the Licensed Material for
-     other material subject to Copyright and Similar Rights by digital
-     file-sharing or similar means is NonCommercial provided there is
-     no payment of monetary compensation in connection with the
-     exchange.
-
-  l. Share means to provide material to the public by any means or
-     process that requires permission under the Licensed Rights, such
-     as reproduction, public display, public performance, distribution,
-     dissemination, communication, or importation, and to make material
-     available to the public including in ways that members of the
-     public may access the material from a place and at a time
-     individually chosen by them.
-
-  m. Sui Generis Database Rights means rights other than copyright
-     resulting from Directive 96/9/EC of the European Parliament and of
-     the Council of 11 March 1996 on the legal protection of databases,
-     as amended and/or succeeded, as well as other essentially
-     equivalent rights anywhere in the world.
-
-  n. You means the individual or entity exercising the Licensed Rights
-     under this Public License. Your has a corresponding meaning.
-
-
-Section 2 -- Scope.
-
-  a. License grant.
-
-       1. Subject to the terms and conditions of this Public License,
-          the Licensor hereby grants You a worldwide, royalty-free,
-          non-sublicensable, non-exclusive, irrevocable license to
-          exercise the Licensed Rights in the Licensed Material to:
-
-            a. reproduce and Share the Licensed Material, in whole or
-               in part, for NonCommercial purposes only; and
-
-            b. produce, reproduce, and Share Adapted Material for
-               NonCommercial purposes only.
-
-       2. Exceptions and Limitations. For the avoidance of doubt, where
-          Exceptions and Limitations apply to Your use, this Public
-          License does not apply, and You do not need to comply with
-          its terms and conditions.
-
-       3. Term. The term of this Public License is specified in Section
-          6(a).
-
-       4. Media and formats; technical modifications allowed. The
-          Licensor authorizes You to exercise the Licensed Rights in
-          all media and formats whether now known or hereafter created,
-          and to make technical modifications necessary to do so. The
-          Licensor waives and/or agrees not to assert any right or
-          authority to forbid You from making technical modifications
-          necessary to exercise the Licensed Rights, including
-          technical modifications necessary to circumvent Effective
-          Technological Measures. For purposes of this Public License,
-          simply making modifications authorized by this Section 2(a)
-          (4) never produces Adapted Material.
-
-       5. Downstream recipients.
-
-            a. Offer from the Licensor -- Licensed Material. Every
-               recipient of the Licensed Material automatically
-               receives an offer from the Licensor to exercise the
-               Licensed Rights under the terms and conditions of this
-               Public License.
-
-            b. Additional offer from the Licensor -- Adapted Material.
-               Every recipient of Adapted Material from You
-               automatically receives an offer from the Licensor to
-               exercise the Licensed Rights in the Adapted Material
-               under the conditions of the Adapter's License You apply.
-
-            c. No downstream restrictions. You may not offer or impose
-               any additional or different terms or conditions on, or
-               apply any Effective Technological Measures to, the
-               Licensed Material if doing so restricts exercise of the
-               Licensed Rights by any recipient of the Licensed
-               Material.
-
-       6. No endorsement. Nothing in this Public License constitutes or
-          may be construed as permission to assert or imply that You
-          are, or that Your use of the Licensed Material is, connected
-          with, or sponsored, endorsed, or granted official status by,
-          the Licensor or others designated to receive attribution as
-          provided in Section 3(a)(1)(A)(i).
-
-  b. Other rights.
-
-       1. Moral rights, such as the right of integrity, are not
-          licensed under this Public License, nor are publicity,
-          privacy, and/or other similar personality rights; however, to
-          the extent possible, the Licensor waives and/or agrees not to
-          assert any such rights held by the Licensor to the limited
-          extent necessary to allow You to exercise the Licensed
-          Rights, but not otherwise.
-
-       2. Patent and trademark rights are not licensed under this
-          Public License.
-
-       3. To the extent possible, the Licensor waives any right to
-          collect royalties from You for the exercise of the Licensed
-          Rights, whether directly or through a collecting society
-          under any voluntary or waivable statutory or compulsory
-          licensing scheme. In all other cases the Licensor expressly
-          reserves any right to collect such royalties, including when
-          the Licensed Material is used other than for NonCommercial
-          purposes.
-
-
-Section 3 -- License Conditions.
-
-Your exercise of the Licensed Rights is expressly made subject to the
-following conditions.
-
-  a. Attribution.
-
-       1. If You Share the Licensed Material (including in modified
-          form), You must:
-
-            a. retain the following if it is supplied by the Licensor
-               with the Licensed Material:
-
-                 i. identification of the creator(s) of the Licensed
-                    Material and any others designated to receive
-                    attribution, in any reasonable manner requested by
-                    the Licensor (including by pseudonym if
-                    designated);
-
-                ii. a copyright notice;
-
-               iii. a notice that refers to this Public License;
-
-                iv. a notice that refers to the disclaimer of
-                    warranties;
-
-                 v. a URI or hyperlink to the Licensed Material to the
-                    extent reasonably practicable;
-
-            b. indicate if You modified the Licensed Material and
-               retain an indication of any previous modifications; and
-
-            c. indicate the Licensed Material is licensed under this
-               Public License, and include the text of, or the URI or
-               hyperlink to, this Public License.
-
-       2. You may satisfy the conditions in Section 3(a)(1) in any
-          reasonable manner based on the medium, means, and context in
-          which You Share the Licensed Material. For example, it may be
-          reasonable to satisfy the conditions by providing a URI or
-          hyperlink to a resource that includes the required
-          information.
-       3. If requested by the Licensor, You must remove any of the
-          information required by Section 3(a)(1)(A) to the extent
-          reasonably practicable.
-
-  b. ShareAlike.
-
-     In addition to the conditions in Section 3(a), if You Share
-     Adapted Material You produce, the following conditions also apply.
-
-       1. The Adapter's License You apply must be a Creative Commons
-          license with the same License Elements, this version or
-          later, or a BY-NC-SA Compatible License.
-
-       2. You must include the text of, or the URI or hyperlink to, the
-          Adapter's License You apply. You may satisfy this condition
-          in any reasonable manner based on the medium, means, and
-          context in which You Share Adapted Material.
-
-       3. You may not offer or impose any additional or different terms
-          or conditions on, or apply any Effective Technological
-          Measures to, Adapted Material that restrict exercise of the
-          rights granted under the Adapter's License You apply.
-
-
-Section 4 -- Sui Generis Database Rights.
-
-Where the Licensed Rights include Sui Generis Database Rights that
-apply to Your use of the Licensed Material:
-
-  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
-     to extract, reuse, reproduce, and Share all or a substantial
-     portion of the contents of the database for NonCommercial purposes
-     only;
-
-  b. if You include all or a substantial portion of the database
-     contents in a database in which You have Sui Generis Database
-     Rights, then the database in which You have Sui Generis Database
-     Rights (but not its individual contents) is Adapted Material,
-     including for purposes of Section 3(b); and
-
-  c. You must comply with the conditions in Section 3(a) if You Share
-     all or a substantial portion of the contents of the database.
-
-For the avoidance of doubt, this Section 4 supplements and does not
-replace Your obligations under this Public License where the Licensed
-Rights include other Copyright and Similar Rights.
-
-
-Section 5 -- Disclaimer of Warranties and Limitation of Liability.
-
-  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
-     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
-     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
-     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
-     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
-     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
-     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
-     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
-     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
-     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
-  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
-     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
-     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
-     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
-     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
-     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
-     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
-     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
-     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
-  c. The disclaimer of warranties and limitation of liability provided
-     above shall be interpreted in a manner that, to the extent
-     possible, most closely approximates an absolute disclaimer and
-     waiver of all liability.
-
-
-Section 6 -- Term and Termination.
-
-  a. This Public License applies for the term of the Copyright and
-     Similar Rights licensed here. However, if You fail to comply with
-     this Public License, then Your rights under this Public License
-     terminate automatically.
-
-  b. Where Your right to use the Licensed Material has terminated under
-     Section 6(a), it reinstates:
-
-       1. automatically as of the date the violation is cured, provided
-          it is cured within 30 days of Your discovery of the
-          violation; or
-
-       2. upon express reinstatement by the Licensor.
-
-     For the avoidance of doubt, this Section 6(b) does not affect any
-     right the Licensor may have to seek remedies for Your violations
-     of this Public License.
-
-  c. For the avoidance of doubt, the Licensor may also offer the
-     Licensed Material under separate terms or conditions or stop
-     distributing the Licensed Material at any time; however, doing so
-     will not terminate this Public License.
-
-  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
-     License.
-
-
-Section 7 -- Other Terms and Conditions.
-
-  a. The Licensor shall not be bound by any additional or different
-     terms or conditions communicated by You unless expressly agreed.
-
-  b. Any arrangements, understandings, or agreements regarding the
-     Licensed Material not stated herein are separate from and
-     independent of the terms and conditions of this Public License.
-
-
-Section 8 -- Interpretation.
-
-  a. For the avoidance of doubt, this Public License does not, and
-     shall not be interpreted to, reduce, limit, restrict, or impose
-     conditions on any use of the Licensed Material that could lawfully
-     be made without permission under this Public License.
-
-  b. To the extent possible, if any provision of this Public License is
-     deemed unenforceable, it shall be automatically reformed to the
-     minimum extent necessary to make it enforceable. If the provision
-     cannot be reformed, it shall be severed from this Public License
-     without affecting the enforceability of the remaining terms and
-     conditions.
-
-  c. No term or condition of this Public License will be waived and no
-     failure to comply consented to unless expressly agreed to by the
-     Licensor.
-
-  d. Nothing in this Public License constitutes or may be interpreted
-     as a limitation upon, or waiver of, any privileges and immunities
-     that apply to the Licensor or You, including from the legal
-     processes of any jurisdiction or authority.
--- a/2
+++ b/2
@@ -7,7 +7,7 @@ verify_ssl = true

 [packages]
 boto3 = ">=1.9.188"
-detect-secrets = ">=0.12.4"
+detect-secrets = "==1.0.3"

 [requires]
 python_version = "3.7"
--- a/README.md
+++ b/README.md
@@ -1,8 +1,33 @@
+<p align="center">
+  <img align="center" src="docs/images/prowler-pro-dark.png#gh-dark-mode-only" width="150" height="36">
+  <img align="center" src="docs/images/prowler-pro-light.png#gh-light-mode-only" width="15%" height="15%">
+</p>
+<p align="center">
+  <b><i>&nbsp&nbsp&nbspExplore the Pro version of Prowler at <a href="https://prowler.pro">prowler.pro</a></i></b>
+</p>
+<hr>
 <p align="center">
  <img src="https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png" />
 </p>
+<p align="center">
+  <a href="https://discord.gg/UjSMCVnxSB"><img alt="Discord Shield" src="https://img.shields.io/discord/807208614288818196"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/cloud/build/toniblyx/prowler"></a>
+  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/image-size/toniblyx/prowler"></a>
+  <a href="https://gallery.ecr.aws/o4g1s5r6/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="Repo size" src="https://img.shields.io/github/repo-size/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="Lines" src="https://img.shields.io/tokei/lines/github/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/issues"><img alt="Issues" src="https://img.shields.io/github/issues/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler?include_prereleases"></a>
+  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/release-date/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="Contributors" src="https://img.shields.io/github/contributors-anon/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler"><img alt="License" src="https://img.shields.io/github/license/prowler-cloud/prowler"></a>
+  <a href="https://twitter.com/ToniBlyx"><img alt="Twitter" src="https://img.shields.io/twitter/follow/toniblyx?style=social"></a>
+</p>

-# Prowler - AWS Security Tool
+<p align="center">
+  <i>Prowler</i> is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 240 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
+</p>

 ## Table of Contents

@@ -15,7 +40,8 @@
 - [Advanced Usage](#advanced-usage)
 - [Security Hub integration](#security-hub-integration)
 - [CodeBuild deployment](#codebuild-deployment)
- [Whitelist/allowlist or remove FAIL from resources](#whitelist-or-allowlist-or-remove-a-fail-from-resources)
+- [Allowlist](#allowlist-or-remove-a-fail-from-resources)
+- [Inventory](#inventory)
 - [Fix](#how-to-fix-every-fail)
 - [Troubleshooting](#troubleshooting)
 - [Extras](#extras)
@@ -24,7 +50,7 @@
 - [HIPAA Checks](#hipaa-checks)
 - [Trust Boundaries Checks](#trust-boundaries-checks)
 - [Multi Account and Continuous Monitoring](util/org-multi-account/README.md)
- [Add Custom Checks](#add-custom-checks)
+- [Custom Checks](#custom-checks)
 - [Third Party Integrations](#third-party-integrations)
 - [Full list of checks and groups](/LIST_OF_CHECKS_AND_GROUPS.md)
 - [License](#license)
@@ -33,13 +59,13 @@

 Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response.

-It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 100 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.
+It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 190 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.

 Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)

 ## Features

-+180 checks covering security best practices across all AWS regions and most of AWS services and related to the next groups:
+240 checks covering security best practices across all AWS regions and most of AWS services and related to the next groups:

 - Identity and Access Management [group1]
 - Logging  [group2]
@@ -56,14 +82,16 @@ Read more about [CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-20
 - Internet exposed resources
 - EKS-CIS
 - Also includes PCI-DSS, ISO-27001, FFIEC, SOC2, ENS (Esquema Nacional de Seguridad of Spain).
+- AWS FTR [FTR] Read more [here](#aws-ftr-checks)

 With Prowler you can:

 - Get a direct colorful or monochrome report
- A HTML, CSV, JUNIT, JSON or JSON ASFF format report
+- A HTML, CSV, JUNIT, JSON or JSON ASFF (Security Hub) format report
 - Send findings directly to Security Hub
 - Run specific checks and groups or create your own
 - Check multiple AWS accounts in parallel or sequentially
+- Get an inventory of your AWS resources
 - And more! Read examples below

 ## High level architecture
@@ -73,30 +101,47 @@ You can run Prowler from your workstation, an EC2 instance, Fargate or any other
 ![Prowler high level architecture](https://user-images.githubusercontent.com/3985464/109143232-1488af80-7760-11eb-8d83-726790fda592.jpg)
 ## Requirements and Installation

-Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
+Prowler has been written in bash using AWS-CLI underneath and it works in Linux, Mac OS or Windows with cygwin or virtualization. Also requires `jq` and `detect-secrets` to work properly.

- Make sure the latest version of AWS-CLI is installed on your workstation (it works with either v1 or v2), and other components needed, with Python pip already installed:
+- Make sure the latest version of AWS-CLI is installed. It works with either v1 or v2, however _latest v2 is recommended if using new regions since they require STS v2 token_, and other components needed, with Python pip already installed.

-    ```sh
-    pip install awscli detect-secrets
+- For Amazon Linux (`yum` based Linux distributions and AWS CLI v2):
+    ```
+    sudo yum update -y
+    sudo yum remove -y awscli
+    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+    unzip awscliv2.zip
+    sudo ./aws/install
+    sudo yum install -y python3 jq git
+    sudo pip3 install detect-secrets==1.0.3
+    git clone https://github.com/prowler-cloud/prowler
+    ```
+- For Ubuntu Linux (`apt` based Linux distributions and AWS CLI v2):
+    ```
+    sudo apt update
+    sudo apt install python3 python3-pip jq git zip
+    pip install detect-secrets==1.0.3
+    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+    unzip awscliv2.zip
+    sudo ./aws/install
+    git clone https://github.com/prowler-cloud/prowler
    ```

-    AWS-CLI can be also installed it using "brew", "apt", "yum" or manually from <https://aws.amazon.com/cli/>, but `detect-secrets` has to be installed using `pip`. You will need to install `jq` to get the most from Prowler.
-
- Make sure jq is installed (example below with "apt" but use a valid package manager for your OS):
-
+    > NOTE: detect-secrets Yelp version is no longer supported, the one from IBM is mantained now. Use the one mentioned below or the specific Yelp version 1.0.3 to make sure it works as expected (`pip install detect-secrets==1.0.3`):
    ```sh
-    sudo apt install jq
+    pip install "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
    ```

- Previous steps, from your workstation:
+    AWS-CLI can be also installed it using other methods, refer to official documentation for more details: <https://aws.amazon.com/cli/>, but `detect-secrets` has to be installed using `pip` or `pip3`.
+
+- Once Prowler repository is cloned, get into the folder and you can run it:

    ```sh
-    git clone https://github.com/toniblyx/prowler
    cd prowler
+    ./prowler
    ```

- Since Prowler users AWS CLI under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence). Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or intance profile):
+- Since Prowler users AWS CLI under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence). Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):

    ```sh
    aws configure
@@ -117,7 +162,7 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
    arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
    ```

-    > Additional permissions needed: to make sure Prowler can scan all services included in the group *Extras*, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/toniblyx/prowler/blob/master/iam/prowler-additions-policy.json) to the role you are using. If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/toniblyx/prowler/blob/master/iam/prowler-security-hub.json).
+    > Additional permissions needed: to make sure Prowler can scan all services included in the group *Extras*, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-additions-policy.json) to the role you are using. If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/iam/prowler-security-hub.json).

 ## Usage

@@ -135,6 +180,11 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
    docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest
    ```

+    In case you want to get reports created by Prowler use docker volume option like in the example below:
+    ```sh
+    docker run -ti --rm -v /your/local/output:/prowler/output --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest -g hipaa -M csv,json,html
+    ```
+
 1. For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):

    ```sh
@@ -185,19 +235,29 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.

    Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310

+### Regions
+
+By default, Prowler scans all opt-in regions available, that might take a long execution time depending on the number of resources and regions used. Same applies for GovCloud or China regions. See below Advance usage for examples.
+
+Prowler has two parameters related to regions: `-r` that is used query AWS services API endpoints (it uses `us-east-1` by default and required for GovCloud or China) and the option `-f` that is to filter those regions you only want to scan. For example if you want to scan Dublin only use `-f eu-west-1` and if you want to scan Dublin and Ohio `-f eu-west-1,us-east-1`, note the regions are separated by a comma delimiter (it can be used as before with `-f 'eu-west-1,us-east-1'`).
+
 ## Screenshots

- Sample screenshot of report first lines:
+- Sample screenshot of default console report first lines of command `./prowler`:

-    <img width="1125" src="https://user-images.githubusercontent.com/3985464/113942728-92c97e80-9801-11eb-9dfc-aef27ad9f5fb.png">
+    <img width="900" src="https://user-images.githubusercontent.com/3985464/141444529-84640bed-be0b-4112-80a2-2a43e3ebf53f.png">

 - Sample screenshot of the html output `-M html`:

-    <img width="1006" alt="Prowler html" src="https://user-images.githubusercontent.com/3985464/113942724-8f35f780-9801-11eb-8089-d3163dd4e5a4.png">
+    <img width="900" alt="Prowler html" src="https://user-images.githubusercontent.com/3985464/141443976-41d32cc2-533d-405a-92cb-affc3995d6ec.png">
+
+- Sample screenshot of the Quicksight dashboard, see [quicksight-security-dashboard.workshop.aws](https://quicksight-security-dashboard.workshop.aws/):
+
+    <img width="900" alt="Prowler with Quicksight" src="https://user-images.githubusercontent.com/3985464/128932819-0156e838-286d-483c-b953-fda68a325a3d.png">

 - Sample screenshot of the junit-xml output in CodeBuild `-M junit-xml`:

-    <img width="1006" src="https://user-images.githubusercontent.com/3985464/113942824-ca382b00-9801-11eb-84e5-d7731548a7a9.png">
+    <img width="900" src="https://user-images.githubusercontent.com/3985464/113942824-ca382b00-9801-11eb-84e5-d7731548a7a9.png">

 ### Save your reports

@@ -241,11 +301,12 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.

    >Note about output formats to use with `-M`: "text" is the default one with colors, "mono" is like default one but monochrome, "csv" is comma separated values, "json" plain basic json (without comma between lines) and "json-asff" is also json with Amazon Security Finding Format that you can ship to Security Hub using `-S`.

-    or save your report in an S3 bucket (this only works for text or mono. For csv, json or json-asff it has to be copied afterwards):
+    To save your report in an S3 bucket, use `-B` to define a custom output bucket along with `-M` to define the output format that is going to be uploaded to S3:

    ```sh
-    ./prowler -M mono | aws s3 cp - s3://bucket-name/prowler-report.txt
+    ./prowler -M csv -B my-bucket/folder/
    ```
+    >In the case you do not want to use the assumed role credentials but the initial credentials to put the reports into the S3 bucket, use `-D` instead of `-B`. Make sure that the used credentials have s3:PutObject permissions in the S3 path where the reports are going to be uploaded.

    When generating multiple formats and running using Docker, to retrieve the reports, bind a local directory to the container, e.g.:

@@ -271,12 +332,72 @@ Prowler has been written in bash using AWS-CLI and it works in Linux and OSX.
    ```
    ./prowler -h
    ```
+## Database providers connector
+
+You can send the Prowler's output to different databases (right now only PostgreSQL is supported).
+
+Jump into the section for the database provider you want to use and follow the required steps to configure it.
+### PostgreSQL
+Install psql
+- Mac -> `brew install libpq`
+- Ubuntu -> `sudo apt-get install postgresql-client `
+- RHEL/Centos -> `sudo yum install postgresql10`
+
+#### Credentials
+There are two options to pass the PostgreSQL credentials to Prowler:
+##### Using a .pgpass file
+Configure a `~/.pgpass` file into the root folder of the user that is going to launch Prowler ([pgpass file doc](https://www.postgresql.org/docs/current/libpq-pgpass.html)), including an extra field at the end of the line, separated by `:`, to name the table, using the following format:
+        `hostname:port:database:username:password:table`
+##### Using environment variables
+- Configure the following environment variables:  
+    - `POSTGRES_HOST`  
+    - `POSTGRES_PORT`  
+    - `POSTGRES_USER`  
+    - `POSTGRES_PASSWORD`  
+    - `POSTGRES_DB`  
+    - `POSTGRES_TABLE`  
+> *Note*: If you are using a schema different than postgres please include it at the beginning of the `POSTGRES_TABLE` variable, like: `export POSTGRES_TABLE=prowler.findings`
+
+Create a table in your PostgreSQL database to store the Prowler's data. You can use the following SQL statement to create the table:
+```
+CREATE TABLE  IF NOT EXISTS prowler_findings (
+profile TEXT,
+account_number TEXT,
+region TEXT,
+check_id TEXT,
+result TEXT,
+item_scored TEXT,
+item_level TEXT,
+check_title TEXT,
+result_extended TEXT,
+check_asff_compliance_type TEXT,
+severity TEXT,
+service_name TEXT,
+check_asff_resource_type TEXT,
+check_asff_type TEXT,
+risk TEXT,
+remediation TEXT,
+documentation TEXT,
+check_caf_epic TEXT,
+resource_id TEXT,
+prowler_start_time TEXT,
+account_details_email TEXT,
+account_details_name TEXT,
+account_details_arn TEXT,
+account_details_org TEXT,
+account_details_tags  TEXT
+);
+```
+
+- Execute Prowler with `-d` flag, for example:
+    `./prowler -M csv -d postgresql`
+    > *Note*: This command creates a `csv` output file and stores the Prowler output in the configured PostgreSQL DB. It's an example, `-d` flag **does not** require `-M` to run.

 ## Advanced Usage

 ### Assume Role:

-Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account. To create a role to assume in multiple accounts easier eather as CFN Stack or StackSet, look at [this CloudFormation template](iam/create_role_to_assume_cfn.yaml) and adapt it.
+Prowler uses the AWS CLI underneath so it uses the same authentication methods. However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on eachg use case. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `./prowler -p your-custom-profile`. Additionally you can use `-A 123456789012` and `-R RemoteRoleToAssume` and Prowler will get those temporary credentials using `aws sts assume-role`, set them up as environment variables and run against that given account. To create a role to assume in multiple accounts easier either as CFN Stack or StackSet, look at [this CloudFormation template](iam/create_role_to_assume_cfn.yaml) and adapt it.

 ```sh
 ./prowler -A 123456789012 -R ProwlerRole
@@ -312,25 +433,55 @@ Then run Prowler to assume a role (same in all members) per each account, in thi
 ```
 for accountId in $ACCOUNTS_IN_ORGS; do ./prowler -A $accountId -R RemoteRoleToAssume -c extra79; done
 ```
-Usig the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'`
+Using the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'`
+
+### Get AWS Account details from your AWS Organization:
+
+From Prowler v2.8, you can get additional information of the scanned account in CSV and JSON outputs. When scanning a single account you get the Account ID as part of the output. Now, if you have AWS Organizations and are scanning multiple accounts using the assume role functionality, Prowler can get your account details like Account Name, Email, ARN, Organization ID and Tags and you will have them next to every finding in the CSV and JSON outputs.
+In order to do that you can use the new option `-O <management account id>`, requires `-R <role to assume>` and also needs permissions `organizations:ListAccounts*` and `organizations:ListTagsForResource`. See the following sample command:
+```
+./prowler -R ProwlerScanRole -A 111111111111 -O 222222222222 -M json,csv
+```
+In that command Prowler will scan the account `111111111111` assuming the role `ProwlerScanRole` and getting the account details from the AWS Organizatiosn management account `222222222222` assuming the same role `ProwlerScanRole` for that and creating two reports with those details in JSON and CSV.
+
+In the JSON output below (redacted) you can see tags coded in base64 to prevent breaking CSV or JSON due to its format:
+
+```json
+  "Account Email": "my-prod-account@domain.com",
+  "Account Name": "my-prod-account",
+  "Account ARN": "arn:aws:organizations::222222222222:account/o-abcde1234/111111111111",
+  "Account Organization": "o-abcde1234",
+  "Account tags": "\"eyJUYWdzIjpasf0=\""
+```
+The additional fields in CSV header output are as follow:
+
+```csv
+ACCOUNT_DETAILS_EMAIL,ACCOUNT_DETAILS_NAME,ACCOUNT_DETAILS_ARN,ACCOUNT_DETAILS_ORG,ACCOUNT_DETAILS_TAGS
+```

 ### GovCloud

 Prowler runs in GovCloud regions as well. To make sure it points to the right API endpoint use `-r` to either `us-gov-west-1` or `us-gov-east-1`. If not filter region is used it will look for resources in both GovCloud regions by default:
-```
+```sh
 ./prowler -r us-gov-west-1
 ```
 > For Security Hub integration see below in Security Hub section.

 ### Custom folder for custom checks

-Flag `-x /my/own/checks` will include any check in that particular directory. To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
+Flag `-x /my/own/checks` will include any check in that particular directory (files must start by check). To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
+
+S3 URIs are also supported as custom folders for custom checks, e.g. `s3://bucket/prefix/checks`. Prowler will download the folder locally and run the checks as they are called with default execution,`-c` or `-g`.
+>Make sure that the used credentials have s3:GetObject permissions in the S3 path where the custom checks are located.

 ### Show or log only FAILs

-In order to remove noise and get only FAIL findings there is a `-q` flag that makes Prowler to show and log only FAILs. It can be combined with any other option.
+In order to remove noise and get only FAIL findings there is a `-q` flag that makes Prowler to show and log only FAILs.
+It can be combined with any other option.
+Will show WARNINGS when a resource is excluded, just to take into consideration.

 ```sh
+# -q option combined with -M csv -b
 ./prowler -q -M csv -b
 ```

@@ -343,15 +494,18 @@ Sets the entropy limit for high entropy hex strings from environment variable `H
 export BASE64_LIMIT=4.5
 export HEX_LIMIT=3.0
 ```
+### Run Prowler using AWS CloudShell
+
+An easy way to run Prowler to scan your account is using AWS CloudShell. Read more and learn how to do it [here](util/cloudshell/README.md).

 ## Security Hub integration

-Since October 30th 2020 (version v2.3RC5), Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free. 
+Since October 30th 2020 (version v2.3RC5), Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free.

 Before sending findings to Prowler, you need to perform next steps:
-1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
+1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
    - `aws securityhub enable-security-hub --region <region>`.
-2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions: 
+2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
    - `aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler` (change region also inside the ARN).
    - Using the AWS Management Console:
    ![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
@@ -367,7 +521,7 @@ or for only one filtered region like eu-west-1:
 ```sh
 ./prowler -M json-asff -q -S -f eu-west-1
 ```
-> Note 1: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command. 
+> Note 1: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command.

 > Note 2: Since Prowler perform checks to all regions by defaults you may need to filter by region when runing Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs).

@@ -395,20 +549,35 @@ To use Prowler and Security Hub integration in China regions there is an additio

 Either to run Prowler once or based on a schedule this template makes it pretty straight forward. This template will create a CodeBuild environment and run Prowler directly leaving all reports in a bucket and creating a report also inside CodeBuild basedon the JUnit output from Prowler. Scheduling can be cron based like `cron(0 22 * * ? *)` or rate based like `rate(5 hours)` since CloudWatch Event rules (or Eventbridge) is used here.

-The Cloud Formation template that helps you doing that is [here](https://github.com/toniblyx/prowler/blob/master/util/codebuild/codebuild-prowler-audit-account-cfn.yaml). 
+The Cloud Formation template that helps you to do that is [here](https://github.com/prowler-cloud/prowler/blob/master/util/codebuild/codebuild-prowler-audit-account-cfn.yaml).

 > This is a simple solution to monitor one account. For multiples accounts see [Multi Account and Continuous Monitoring](util/org-multi-account/README.md).
+## Allowlist or remove a fail from resources

-## Whitelist or allowlist or remove a fail from resources
-
-Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w whitelist_sample.txt` and add your resources as `checkID:resourcename` as in this command:
+Sometimes you may find resources that are intentionally configured in a certain way that may be a bad practice but it is all right with it, for example an S3 bucket open to the internet hosting a web site, or a security group with an open port needed in your use case. Now you can use `-w allowlist_sample.txt` and add your resources as `checkID:resourcename` as in this command:

 ```
-./prowler -w whitelist_sample.txt
+./prowler -w allowlist_sample.txt
 ```

-Whitelist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
+S3 URIs are also supported as allowlist file, e.g. `s3://bucket/prefix/allowlist_sample.txt`
+>Make sure that the used credentials have s3:GetObject permissions in the S3 path where the allowlist file is located.

+DynamoDB table ARNs are also supported as allowlist file, e.g. `arn:aws:dynamodb:us-east-1:111111222222:table/allowlist`
+>Make sure that the table has `account_id` as partition key and `rule` as sort key, and that the used credentials have `dynamodb:PartiQLSelect` permissions in the table.
+><p align="left"><img src="https://user-images.githubusercontent.com/38561120/165769502-296f9075-7cc8-445e-8158-4b21804bfe7e.png" alt="image" width="397" height="252" /></p>
+
+>The field `account_id` can contain either an account ID or an `*` (which applies to all the accounts that use this table as a whitelist). As in the traditional allowlist file, the `rule` field must contain `checkID:resourcename` pattern.
+><p><img src="https://user-images.githubusercontent.com/38561120/165770610-ed5c2764-7538-44c2-9195-bcfdecc4ef9b.png" alt="image" width="394" /></p>
+
+
+
+Allowlist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
+
+## Inventory
+With Prowler you can get an inventory of your AWS resources. To do so, run `./prowler -i` to see what AWS resources you have deployed in your AWS account. This feature lists almost all resources in all regions based on [this](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html) API call. Note that it does not cover 100% of resource types.
+
+The inventory will be stored in an output `csv` file by default, under common Prowler `output` folder, with the following format: `prowler-inventory-${ACCOUNT_NUM}-${OUTPUT_DATE}.csv`
 ## How to fix every FAIL

 Check your report and fix the issues following all specific guidelines per check in <https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf>
@@ -472,7 +641,7 @@ Allows Prowler to import its findings to [AWS Security Hub](https://aws.amazon.c

 ### Bootstrap Script

-Quick bash script to set up a "prowler" IAM user with "SecurityAudit" and "ViewOnlyAccess" group with the required permissions (including "Prowler-Additions-Policy"). To run the script below, you need user with administrative permissions; set the `AWS_DEFAULT_PROFILE` to use that account:
+Quick bash script to set up a "prowler" IAM user with "SecurityAudit" and "ViewOnlyAccess" group with the required permissions (including "Prowler-Additions-Policy"). To run the script below, you need a user with administrative permissions; set the `AWS_DEFAULT_PROFILE` to use that account:

 ```sh
 export AWS_DEFAULT_PROFILE=default
@@ -488,13 +657,13 @@ aws iam create-access-key --user-name prowler
 unset ACCOUNT_ID AWS_DEFAULT_PROFILE
 ```

-The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with Prowler. This is the only time they secret key will be shown.  If you lose it, you will need to generate a replacement.
+The `aws iam create-access-key` command will output the secret access key and the key id; keep these somewhere safe, and add them to `~/.aws/credentials` with an appropriate profile name to use them with Prowler. This is the only time the secret key will be shown.  If you lose it, you will need to generate a replacement.

 > [This CloudFormation template](iam/create_role_to_assume_cfn.yaml) may also help you on that task.

 ## Extras

-We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS but we consider them very helpful to get to know each AWS account set up and find issues on it.
+We are adding additional checks to improve the information gather from each account, these checks are out of the scope of the CIS benchmark for AWS, but we consider them very helpful to get to know each AWS account set up and find issues on it.

 Some of these checks look for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.

@@ -504,7 +673,7 @@ To list all existing checks in the extras group run the command below:
 ./prowler -l -g extras
 ```

->There are some checks not included in that list, they are experimental or checks that takes long to run like `extra759` and `extra760` (search for secrets in Lambda function variables and code).
+>There are some checks not included in that list, they are experimental or checks that take long to run like `extra759` and `extra760` (search for secrets in Lambda function variables and code).

 To check all extras in one command:

@@ -539,7 +708,7 @@ The `forensics-ready` group of checks uses existing and extra checks. To get a f

 ## GDPR Checks

-With this group of checks, Prowler shows result of checks related to GDPR, more information [here](https://github.com/toniblyx/prowler/issues/189). The list of checks can be seen in the group file at:
+With this group of checks, Prowler shows result of checks related to GDPR, more information [here](https://github.com/prowler-cloud/prowler/issues/189). The list of checks can be seen in the group file at:

 [groups/group9_gdpr](groups/group9_gdpr)

@@ -549,11 +718,23 @@ The `gdpr` group of checks uses existing and extra checks. To get a GDPR report,
 ./prowler -g gdpr
 ```

+## AWS FTR Checks
+
+With this group of checks, Prowler shows result of checks related to the AWS Foundational Technical Review, more information [here](https://apn-checklists.s3.amazonaws.com/foundational/partner-hosted/partner-hosted/CVLHEC5X7.html). The list of checks can be seen in the group file at:
+
+[groups/group25_ftr](groups/group25_FTR)
+
+The `ftr` group of checks uses existing and extra checks. To get a AWS FTR report, run this command:
+
+```sh
+./prowler -g ftr
+```
+
 ## HIPAA Checks

 With this group of checks, Prowler shows results of controls related to the "Security Rule" of the Health Insurance Portability and Accountability Act aka [HIPAA](https://www.hhs.gov/hipaa/for-professionals/security/index.html) as defined in [45 CFR Subpart C - Security Standards for the Protection of Electronic Protected Health Information](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) within [PART 160 - GENERAL ADMINISTRATIVE REQUIREMENTS](https://www.law.cornell.edu/cfr/text/45/part-160) and [Subpart A](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-A) and [Subpart C](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C) of PART 164 - SECURITY AND PRIVACY

-More information on the original PR is [here](https://github.com/toniblyx/prowler/issues/227).
+More information on the original PR is [here](https://github.com/prowler-cloud/prowler/issues/227).

 ### Note on Business Associate Addendum's (BAA)

@@ -592,7 +773,7 @@ To give it a quick shot just call:

 ### Scenarios

-Currently this check group supports two different scenarios:
+Currently, this check group supports two different scenarios:

 1. Single account environment: no action required, the configuration is happening automatically for you.
 2. Multi account environment: in case you environment has multiple trusted and known AWS accounts you maybe want to append them manually to [groups/group16_trustboundaries](groups/group16_trustboundaries) as a space separated list into `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable, then just run prowler.
@@ -603,9 +784,9 @@ Current coverage of Amazon Web Service (AWS) taken from [here](https://docs.aws.
 | Topic                           | Service    | Trust Boundary                                                            |
 |---------------------------------|------------|---------------------------------------------------------------------------|
 | Networking and Content Delivery | Amazon VPC | VPC endpoints connections ([extra786](checks/check_extra786))             |
-|                                 |            | VPC endpoints whitelisted principals ([extra787](checks/check_extra787))  |
+|                                 |            | VPC endpoints allowlisted principals ([extra787](checks/check_extra787))  |

-All ideas or recommendations to extend this group are very welcome [here](https://github.com/toniblyx/prowler/issues/new/choose).
+All ideas or recommendations to extend this group are very welcome [here](https://github.com/prowler-cloud/prowler/issues/new/choose).

 ### Detailed Explanation of the Concept

@@ -614,13 +795,21 @@ Every circle represents one AWS account.
 The dashed line represents the trust boundary, that separates trust and untrusted AWS accounts.
 The arrow simply describes the direction of the trust, however the data can potentially flow in both directions.

-Single Account environment assumes that only the AWS account subject to this analysis is trusted. However there is a chance that two VPCs are existing within that one AWS account which are still trusted as a self reference.
+Single Account environment assumes that only the AWS account subject to this analysis is trusted. However, there is a chance that two VPCs are existing within that one AWS account which are still trusted as a self reference.
 ![single-account-environment](/docs/images/prowler-single-account-environment.png)

 Multi Account environments assumes a minimum of two trusted or known accounts. For this particular example all trusted and known accounts will be tested. Therefore `GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS` variable in [groups/group16_trustboundaries](groups/group16_trustboundaries) should include all trusted accounts Account #A, Account #B, Account #C, and Account #D in order to finally raise Account #E and Account #F for being untrusted or unknown.
 ![multi-account-environment](/docs/images/prowler-multi-account-environment.png)

-## Add Custom Checks
+## Custom Checks
+Using  `./prowler -c extra9999 -a` you can build your own on-the-fly custom check by specifying the AWS CLI command to execute.
+> Omit the "aws" command and only use its parameters within quotes and do not nest quotes in the aws parameter, --output text is already included in the check.
+>
+Here is an example of a check to find SGs with inbound port 80:
+
+```sh
+./prowler -c extra9999 -a 'ec2 describe-security-groups --filters Name=ip-permission.to-port,Values=80 --query SecurityGroups[*].GroupId[]]'
+```

 In order to add any new check feel free to create a new extra check in the extras group or other group. To do so, you will need to follow these steps:

@@ -655,4 +844,4 @@ Prowler is licensed as Apache License 2.0 as specified in each file. You may obt

 **I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**

-If you want to contact me visit <https://blyx.com/contact> or follow me on Twitter <https://twitter.com/toniblyx> my DMs are open.
+If you want to contact me visit <https://blyx.com/contact> or follow me on Twitter <https://twitter.com/prowler-cloud> my DMs are open.
--- a/allowlist_example.txt
+++ b/allowlist_example.txt
@@ -16,6 +16,14 @@ check26:myignoredbucket
 #<checkid2>:<resource to ignore 1>

 # REGEXES
-# This whitelist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
+# This allowlist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
 # therefore:
-# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
+# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
+
+# EXAMPLE: CONTROL TOWER
+# When using Control Tower, guardrails prevent access to certain protected resources. The allowlist
+# below ensures that warnings instead of errors are reported for the affected resources.
+#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
--- a/checklist.txt
+++ b/checklist.txt
@@ -0,0 +1,6 @@
+# You can add a comma seperated list of checks like this:
+check11,check12
+extra72 # You can also use newlines for each check
+check13 # This way allows you to add inline comments
+# Both of these can be combined if you have a standard list and want to add
+# inline comments for other checks.
--- a/checks/check11
+++ b/checks/check11
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check11="1.1"
-CHECK_TITLE_check11="[check11] Avoid the use of the root account (Scored)"
+CHECK_TITLE_check11="[check11] Avoid the use of the root account"
 CHECK_SCORED_check11="SCORED"
-CHECK_TYPE_check11="LEVEL1"
+CHECK_CIS_LEVEL_check11="LEVEL1"
 CHECK_SEVERITY_check11="High"
 CHECK_ASFF_TYPE_check11="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check101="check11"
@@ -22,23 +25,27 @@ CHECK_DOC_check11='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practice
 CHECK_CAF_EPIC_check11='IAM'

 check11(){
-  # "Avoid the use of the root account (Scored)."
-  MAX_DAYS=-1
-  last_login_dates=$(cat $TEMP_REPORT_FILE | awk -F, '{ print $1,$5,$11,$16 }' | grep '<root_account>' | cut -d' ' -f2,3,4)
+  if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
+        textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
+  else
+    # "Avoid the use of the root account (Scored)."
+    MAX_DAYS=-1
+    last_login_dates=$(cat $TEMP_REPORT_FILE | awk -F, '{ print $1,$5,$11,$16 }' | grep '<root_account>' | cut -d' ' -f2,3,4)

-  failures=0
-  for date in $last_login_dates; do
-    if [[ ${date%T*} =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]];then
-      days_not_in_use=$(how_many_days_from_today ${date%T*})
-      if [ "$days_not_in_use" -gt "$MAX_DAYS" ];then
-          failures=1
-          textFail "Root user in the account was last accessed ${MAX_DAYS#-} day ago"
-          break
+    failures=0
+    for date in $last_login_dates; do
+      if [[ ${date%T*} =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]];then
+        days_not_in_use=$(how_many_days_from_today ${date%T*})
+        if [ "$days_not_in_use" -gt "$MAX_DAYS" ];then
+            failures=1
+            textFail "$REGION: Root user in the account was last accessed ${MAX_DAYS#-} day ago" "$REGION" "root"
+            break
+        fi
      fi
-    fi
-  done
+    done

-  if [[ $failures == 0 ]]; then
-      textPass "Root user in the account wasn't accessed in the last ${MAX_DAYS#-} days"
+    if [[ $failures == 0 ]]; then
+        textPass "$REGION: Root user in the account wasn't accessed in the last ${MAX_DAYS#-} days" "$REGION" "root"
+    fi
  fi
 }
--- a/checks/check110
+++ b/checks/check110
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check110="1.10"
-CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)"
+CHECK_TITLE_check110="[check110] Ensure IAM password policy prevents password reuse: 24 or greater"
 CHECK_SCORED_check110="SCORED"
-CHECK_TYPE_check110="LEVEL1"
+CHECK_CIS_LEVEL_check110="LEVEL1"
 CHECK_SEVERITY_check110="Medium"
 CHECK_ASFF_TYPE_check110="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check110="check110"
@@ -26,11 +29,11 @@ check110(){
  COMMAND110=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' --output text 2> /dev/null)
  if [[ $COMMAND110 ]];then
    if [[ $COMMAND110 -gt "23" ]];then
-      textPass "Password Policy limits reuse"
+      textPass "$REGION: Password Policy limits reuse" "$REGION" "password policy"
    else
-      textFail "Password Policy has weak reuse requirement (lower than 24)"
+      textFail "$REGION: Password Policy has weak reuse requirement (lower than 24)" "$REGION" "password policy"
    fi
  else
-    textFail "Password Policy missing reuse requirement"
+    textFail "$REGION: Password Policy missing reuse requirement" "$REGION" "password policy"
  fi
 }
--- a/checks/check111
+++ b/checks/check111
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check111="1.11"
-CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)"
+CHECK_TITLE_check111="[check111] Ensure IAM password policy expires passwords within 90 days or less"
 CHECK_SCORED_check111="SCORED"
-CHECK_TYPE_check111="LEVEL1"
+CHECK_CIS_LEVEL_check111="LEVEL1"
 CHECK_SEVERITY_check111="Medium"
 CHECK_ASFF_TYPE_check111="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check111="check111"
@@ -26,11 +29,11 @@ check111(){
  COMMAND111=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --query PasswordPolicy.MaxPasswordAge --output text 2> /dev/null)
  if [[ $COMMAND111 == [0-9]* ]];then
    if [[ "$COMMAND111" -le "90" ]];then
-      textPass "Password Policy includes expiration (Value: $COMMAND111)"
+      textPass "$REGION: Password Policy includes expiration (Value: $COMMAND111)" "$REGION" "password policy"
    else
-      textFail "Password expiration is set greater than 90 days"
+      textFail "$REGION: Password expiration is set greater than 90 days" "$REGION" "password policy"
    fi
  else
-    textFail "Password expiration is not set"
+    textFail "$REGION: Password expiration is not set" "$REGION" "password policy"
  fi
 }
--- a/checks/check112
+++ b/checks/check112
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check112="1.12"
-CHECK_TITLE_check112="[check112] Ensure no root account access key exists (Scored)"
+CHECK_TITLE_check112="[check112] Ensure no root account access key exists"
 CHECK_SCORED_check112="SCORED"
-CHECK_TYPE_check112="LEVEL1"
+CHECK_CIS_LEVEL_check112="LEVEL1"
 CHECK_SEVERITY_check112="Critical"
 CHECK_ASFF_TYPE_check112="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check112="check112"
@@ -27,13 +30,13 @@ check112(){
  ROOTKEY1=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $9 }')
  ROOTKEY2=$(cat $TEMP_REPORT_FILE |grep root_account|awk -F',' '{ print $14 }')
  if [ "$ROOTKEY1" == "false" ];then
-    textPass "No access key 1 found for root"
+    textPass "$REGION: No access key 1 found for root" "$REGION" "root access key1"
  else
-    textFail "Found access key 1 for root"
+    textFail "$REGION: Found access key 1 for root" "$REGION" "root access key1"
  fi
  if [ "$ROOTKEY2" == "false" ];then
-    textPass "No access key 2 found for root"
+    textPass "$REGION: No access key 2 found for root" "$REGION" "root access key2"
  else
-    textFail "Found access key 2 for root"
+    textFail "$REGION: Found access key 2 for root" "$REGION" "root access key2"
  fi
 }
--- a/checks/check113
+++ b/checks/check113
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check113="1.13"
-CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account (Scored)"
+CHECK_TITLE_check113="[check113] Ensure MFA is enabled for the root account"
 CHECK_SCORED_check113="SCORED"
-CHECK_TYPE_check113="LEVEL1"
+CHECK_CIS_LEVEL_check113="LEVEL1"
 CHECK_SEVERITY_check113="Critical"
 CHECK_ASFF_TYPE_check113="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check113="check113"
@@ -22,11 +25,15 @@ CHECK_DOC_check113='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-use
 CHECK_CAF_EPIC_check113='IAM'

 check113(){
-  # "Ensure MFA is enabled for the root account (Scored)"
-  COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
-  if [ "$COMMAND113" == "1" ]; then
-    textPass "Virtual MFA is enabled for root"
+  if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
+    textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
  else
-    textFail "MFA is not ENABLED for root account"
+    # "Ensure MFA is enabled for the root account (Scored)"
+    COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
+    if [ "$COMMAND113" == "1" ]; then
+      textPass "$REGION: Virtual MFA is enabled for root" "$REGION" "MFA"
+    else
+      textFail "$REGION: MFA is not ENABLED for root account" "$REGION" "MFA"
+    fi
  fi
 }
--- a/checks/check114
+++ b/checks/check114
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check114="1.14"
-CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account (Scored)"
+CHECK_TITLE_check114="[check114] Ensure hardware MFA is enabled for the root account"
 CHECK_SCORED_check114="SCORED"
-CHECK_TYPE_check114="LEVEL2"
+CHECK_CIS_LEVEL_check114="LEVEL2"
 CHECK_SEVERITY_check114="Critical"
 CHECK_ASFF_TYPE_check114="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check114="check114"
@@ -22,16 +25,20 @@ CHECK_DOC_check114='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-use
 CHECK_CAF_EPIC_check114='IAM'

 check114(){
-  # "Ensure hardware MFA is enabled for the root account (Scored)"
-  COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
-  if [ "$COMMAND113" == "1" ]; then
-    COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep "^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$")
-    if [[ "$COMMAND114" ]]; then
-      textFail "Only Virtual MFA is enabled for root"
-    else
-      textPass "Hardware MFA is enabled for root"
-    fi
+  if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
+    textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
  else
-    textFail "MFA is not ENABLED for root account"
+    # "Ensure hardware MFA is enabled for the root account (Scored)"
+    COMMAND113=$($AWSCLI iam get-account-summary $PROFILE_OPT --region $REGION --output json --query 'SummaryMap.AccountMFAEnabled')
+    if [ "$COMMAND113" == "1" ]; then
+      COMMAND114=$($AWSCLI iam list-virtual-mfa-devices $PROFILE_OPT --region $REGION --output text --assignment-status Assigned --query 'VirtualMFADevices[*].[SerialNumber]' | grep "^arn:${AWS_PARTITION}:iam::[0-9]\{12\}:mfa/root-account-mfa-device$")
+      if [[ "$COMMAND114" ]]; then
+        textFail "$REGION: Only Virtual MFA is enabled for root" "$REGION" "MFA"
+      else
+        textPass "$REGION: Hardware MFA is enabled for root" "$REGION" "MFA"
+      fi
+    else
+      textFail "$REGION: MFA is not ENABLED for root account" "$REGION" "MFA"
+    fi
  fi
 }
--- a/checks/check115
+++ b/checks/check115
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check115="1.15"
-CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account (Not Scored)"
+CHECK_TITLE_check115="[check115] Ensure security questions are registered in the AWS account"
 CHECK_SCORED_check115="NOT_SCORED"
-CHECK_TYPE_check115="LEVEL1"
+CHECK_CIS_LEVEL_check115="LEVEL1"
 CHECK_SEVERITY_check115="Medium"
 CHECK_ASFF_TYPE_check115="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check115="check115"
@@ -22,8 +25,10 @@ CHECK_DOC_check115='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti
 CHECK_CAF_EPIC_check115='IAM'

 check115(){
-  # "Ensure security questions are registered in the AWS account (Not Scored)"
-  textInfo "No command available for check 1.15 "
-  textInfo "Login to the AWS Console as root & click on the Account "
-  textInfo "Name -> My Account -> Configure Security Challenge Questions "
+  if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
+    textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks." "$REGION" "root"
+  else
+    # "Ensure security questions are registered in the AWS account (Not Scored)"
+    textInfo "${REGION}: No command available for check 1.15. Login to the AWS Console as root & click on the Account. Name -> My Account -> Configure Security Challenge Questions." "$REGION" "root"
+  fi
 }
--- a/checks/check116
+++ b/checks/check116
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check116="1.16"
-CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles (Scored)"
+CHECK_TITLE_check116="[check116] Ensure IAM policies are attached only to groups or roles"
 CHECK_SCORED_check116="SCORED"
-CHECK_TYPE_check116="LEVEL1"
+CHECK_CIS_LEVEL_check116="LEVEL1"
 CHECK_SEVERITY_check116="Low"
 CHECK_ASFF_TYPE_check116="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check116="AwsIamUser"
@@ -26,20 +29,21 @@ CHECK_CAF_EPIC_check116='IAM'
 check116(){
  # "Ensure IAM policies are attached only to groups or roles (Scored)"
  LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
-  C116_NUM_USERS=0
  for user in $LIST_USERS;do
-    USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
-    if [[ $USER_POLICY ]]; then
-      textFail "$user has managed policy directly attached"
-      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
-    fi
-    USER_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
-    if [[ $USER_POLICY ]]; then
-      textFail "$user has inline policy directly attached"
-      C116_NUM_USERS=$(expr $C116_NUM_USERS + 1)
+    USER_ATTACHED_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
+    USER_INLINE_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
+    if [[ $USER_ATTACHED_POLICY ]] || [[ $USER_INLINE_POLICY ]]
+    then
+      if [[ $USER_ATTACHED_POLICY ]]
+      then
+        textFail "$REGION: $user has managed policy directly attached" "$REGION" "$user"
+      fi
+      if [[ $USER_INLINE_POLICY ]]
+      then
+        textFail "$REGION: $user has inline policy directly attached" "$REGION" "$user"
+      fi
+    else
+      textPass "$REGION: No policies attached to user $user" "$REGION" "$user"
    fi
  done
-  if [[ $C116_NUM_USERS -eq 0 ]]; then
-    textPass "No policies attached to users"
-  fi
 }
--- a/checks/check117
+++ b/checks/check117
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check117="1.17"
-CHECK_TITLE_check117="[check117] Maintain current contact details (Not Scored)"
+CHECK_TITLE_check117="[check117] Maintain current contact details"
 CHECK_SCORED_check117="NOT_SCORED"
-CHECK_TYPE_check117="LEVEL1"
+CHECK_CIS_LEVEL_check117="LEVEL1"
 CHECK_SEVERITY_check117="Medium"
 CHECK_ASFF_TYPE_check117="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check117="check117"
@@ -22,8 +25,11 @@ CHECK_DOC_check117='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2
 CHECK_CAF_EPIC_check117='IAM'

 check117(){
-  # "Maintain current contact details (Scored)"
-  # No command available
-  textInfo "No command available for check 1.17 "
-  textInfo "See section 1.17 on the CIS Benchmark guide for details "
+  if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
+    textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks." "$REGION" "root"
+  else
+    # "Maintain current contact details (Scored)"
+    # No command available
+    textInfo "No command available for check 1.17. See section 1.17 on the CIS Benchmark guide for details." "$REGION" "root"
+  fi
 }
--- a/checks/check118
+++ b/checks/check118
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check118="1.18"
-CHECK_TITLE_check118="[check118] Ensure security contact information is registered (Not Scored)"
+CHECK_TITLE_check118="[check118] Ensure security contact information is registered"
 CHECK_SCORED_check118="NOT_SCORED"
-CHECK_TYPE_check118="LEVEL1"
+CHECK_CIS_LEVEL_check118="LEVEL1"
 CHECK_SEVERITY_check118="Medium"
 CHECK_ASFF_TYPE_check118="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check118="check118"
@@ -22,8 +25,11 @@ CHECK_DOC_check118='https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2
 CHECK_CAF_EPIC_check118='IAM'

 check118(){
-  # "Ensure security contact information is registered (Scored)"
-  # No command available
-  textInfo "No command available for check 1.18 "
-  textInfo "See section 1.18 on the CIS Benchmark guide for details "
+  if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
+    textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks." "$REGION" "root"
+  else
+    # "Ensure security contact information is registered (Scored)"
+    # No command available
+    textInfo "No command available for check 1.18. See section 1.18 on the CIS Benchmark guide for details." "$REGION" "root"
+  fi
 }
--- a/checks/check119
+++ b/checks/check119
@@ -1,46 +1,54 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check119="1.19"
-CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)"
+CHECK_TITLE_check119="[check119] Ensure IAM instance roles are used for AWS resource access from instances"
 CHECK_SCORED_check119="NOT_SCORED"
-CHECK_TYPE_check119="LEVEL2"
+CHECK_CIS_LEVEL_check119="LEVEL2"
 CHECK_SEVERITY_check119="Medium"
 CHECK_ASFF_TYPE_check119="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check119="AwsEc2Instance"
 CHECK_ALTERNATE_check119="check119"
 CHECK_SERVICENAME_check119="ec2"
 CHECK_RISK_check119='AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised; they can be used from outside of the AWS account.'
-CHECK_REMEDIATION_check119='IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create or re-launch a new instance. (Check for external dependencies on its current private ip or public addresses).'
+CHECK_REMEDIATION_check119='Create an IAM instance role if necessary and attach it to the corresponding EC2 instance.'
 CHECK_DOC_check119='http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html'
 CHECK_CAF_EPIC_check119='IAM'

 check119(){
  for regx in $REGIONS; do
-    EC2_DATA=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn, State.Name]' --output json)
-    EC2_DATA=$(echo $EC2_DATA | jq '.[]|{InstanceId: .[0], ProfileArn: .[1], StateName: .[2]}')
-    INSTANCE_LIST=$(echo $EC2_DATA | jq -r '.InstanceId')
+    EC2_DATA=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn, State.Name]' --output json 2>&1)
+    if [[ $(echo "$EC2_DATA" | grep UnauthorizedOperation) ]]; then
+      textInfo "$regx: Unauthorized Operation error trying to describe instances" "$regx"
+      continue
+    else
+      EC2_DATA=$(echo $EC2_DATA | jq '.[]|{InstanceId: .[0], ProfileArn: .[1], StateName: .[2]}')
+      INSTANCE_LIST=$(echo $EC2_DATA | jq -r '.InstanceId')
+    fi
    if [[ $INSTANCE_LIST ]]; then
      for instance in $INSTANCE_LIST; do
        STATE_NAME=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.StateName')
        if [[ $STATE_NAME != "terminated" && $STATE_NAME != "shutting-down" ]]; then
          PROFILEARN=$(echo $EC2_DATA | jq -r --arg i "$instance" 'select(.InstanceId==$i)|.ProfileArn')
          if [[ $PROFILEARN == "null" ]]; then
-            textFail "$regx: Instance $instance not associated with an instance role" $regx
+            textFail "$regx: Instance $instance not associated with an instance role" "$regx" "$instance"
          else
-            textPass "$regx: Instance $instance associated with role ${PROFILEARN##*/}" $regx
+            textPass "$regx: Instance $instance associated with role ${PROFILEARN##*/}" "$regx" "$instance"
          fi
        fi
      done
    else
-      textInfo "$regx: No EC2 instances found" $regx
+      textInfo "$regx: No EC2 instances found" "$regx" "$instance"
    fi
  done
 }
--- a/checks/check12
+++ b/checks/check12
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check12="1.2"
-CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)"
+CHECK_TITLE_check12="[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
 CHECK_SCORED_check12="SCORED"
-CHECK_TYPE_check12="LEVEL1"
+CHECK_CIS_LEVEL_check12="LEVEL1"
 CHECK_SEVERITY_check12="High"
 CHECK_ASFF_TYPE_check12="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check12="AwsIamUser"
@@ -19,7 +22,7 @@ CHECK_ALTERNATE_check102="check12"
 CHECK_ASFF_COMPLIANCE_TYPE_check12="ens-op.acc.5.aws.iam.1"
 CHECK_SERVICENAME_check12="iam"
 CHECK_RISK_check12='Unauthorized access to this critical account if password is not secure or it is disclosed in any way.'
-CHECK_REMEDIATION_check12='Enable MFA for root account. is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.'
+CHECK_REMEDIATION_check12='Enable MFA for root account. MFA is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.'
 CHECK_DOC_check12='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html'
 CHECK_CAF_EPIC_check12='IAM'

@@ -33,9 +36,9 @@ check12(){
    done)
    if [[ $COMMAND12 ]]; then
      for u in $COMMAND12; do
-        textFail "User $u has Password enabled but MFA disabled"
+        textFail "$REGION: User $u has Password enabled but MFA disabled" "$REGION" "$u"
      done
    else
-      textPass "No users found with Password enabled and MFA disabled"
+      textPass "$REGION: No users found with Password enabled and MFA disabled" "$REGION" "$u"
    fi
 }
--- a/checks/check120
+++ b/checks/check120
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check120="1.20"
-CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support (Scored)"
+CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support"
 CHECK_SCORED_check120="SCORED"
-CHECK_TYPE_check120="LEVEL1"
+CHECK_CIS_LEVEL_check120="LEVEL1"
 CHECK_SEVERITY_check120="Medium"
 CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
@@ -28,19 +31,19 @@ check120(){
  SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
  if [[ $SUPPORTPOLICYARN ]];then
    for policyarn in $SUPPORTPOLICYARN;do
-      POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN $PROFILE_OPT --region $REGION --output text | awk -F$'\t' '{ print $3 }')
+      POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $policyarn $PROFILE_OPT --region $REGION --output text | awk -F$'\t' '{ print $3 }')
      if [[ $POLICYROLES ]];then
        for name in $POLICYROLES; do
-          textPass "Support Policy attached to $name"
+          textPass "$REGION: Support Policy attached to $name" "$REGION" "$name"
        done
        # for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
        #   textInfo "User $user has support access via $policyarn"
        # done
      else
-        textFail "Support Policy not applied to any Role"
+        textFail "$REGION: Support Policy not applied to any Role" "$REGION" "$name"
      fi
    done
  else
-    textFail "No Support Policy found"
+    textFail "$REGION: No Support Policy found" "$REGION" "$name"
  fi
 }
--- a/checks/check121
+++ b/checks/check121
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check121="1.21"
-CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
+CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password"
 CHECK_SCORED_check121="NOT_SCORED"
-CHECK_TYPE_check121="LEVEL1"
+CHECK_CIS_LEVEL_check121="LEVEL1"
 CHECK_SEVERITY_check121="Medium"
 CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
@@ -32,10 +35,10 @@ check121(){
  LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$9 }'|grep "true true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
  if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
    for user in $LIST_USERS_KEY1_ACTIVE; do
-      textFail "User $user has never used access key 1"
+      textFail "$REGION: User $user has never used access key 1" "$REGION" "$user"
    done
  else
-    textPass "No users found with access key 1 never used"
+    textPass "$REGION: No users found with access key 1 never used" "$REGION" "$user"
  fi
  # List of USERS with KEY2 last_used_date as N/A
  LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
@@ -43,9 +46,9 @@ check121(){
  LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$14 }'|grep "true true$" |awk '{ print $1 }' ; done)
  if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
    for user in $LIST_USERS_KEY2_ACTIVE; do
-      textFail "User $user has never used access key 2"
+      textFail "$REGION: User $user has never used access key 2" "$REGION" "$user"
    done
  else
-    textPass "No users found with access key 2 never used"
+    textPass "$REGION: No users found with access key 2 never used" "$REGION" "$user"
  fi
 }
--- a/checks/check122
+++ b/checks/check122
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check122="1.22"
-CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
+CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created"
 CHECK_SCORED_check122="SCORED"
-CHECK_TYPE_check122="LEVEL1"
+CHECK_CIS_LEVEL_check122="LEVEL1"
 CHECK_SEVERITY_check122="Medium"
 CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
@@ -26,24 +29,22 @@ check122(){
  # "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
  LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
  if [[ $LIST_CUSTOM_POLICIES ]]; then
-    textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
    for policy in $LIST_CUSTOM_POLICIES; do
-      POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
-      POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
+      POLICY_ARN=$(awk 'BEGIN{FS=OFS=","}{NF--; print}' <<< "${policy}")
+      POLICY_VERSION=$(awk -F ',' '{print $(NF)}' <<< "${policy}")
      POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
      if [[ $POLICY_WITH_FULL ]]; then
        POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
+      else
+        textPass "$REGION: Policy ${policy//,/[comma]} that does not allow full \"*:*\" administrative privileges" "${REGION}" "${policy}"
      fi
    done
    if [[ $POLICIES_ALLOW_LIST ]]; then
-      textInfo "List of custom policies: "
      for policy in $POLICIES_ALLOW_LIST; do
-        textFail "Policy $policy allows \"*:*\""
+        textFail "$REGION: Policy ${policy//,/[comma]} allows \"*:*\"" "${REGION}" "${policy}"
      done
-    else
-        textPass "No custom policy found that allow full \"*:*\" administrative privileges"
    fi
  else
-    textPass "No custom policies found"
+    textPass "$REGION: No custom policies found" "$REGION"
  fi
 }
--- a/checks/check13
+++ b/checks/check13
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check13="1.3"
-CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled (Scored)"
+CHECK_TITLE_check13="[check13] Ensure credentials unused for 90 days or greater are disabled"
 CHECK_SCORED_check13="SCORED"
-CHECK_TYPE_check13="LEVEL1"
+CHECK_CIS_LEVEL_check13="LEVEL1"
 CHECK_SEVERITY_check13="Medium"
 CHECK_ASFF_TYPE_check13="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check13="AwsIamUser"
--- a/checks/check14
+++ b/checks/check14
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check14="1.4"
-CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less (Scored)"
+CHECK_TITLE_check14="[check14] Ensure access keys are rotated every 90 days or less"
 CHECK_SCORED_check14="SCORED"
-CHECK_TYPE_check14="LEVEL1"
+CHECK_CIS_LEVEL_check14="LEVEL1"
 CHECK_SEVERITY_check14="Medium"
 CHECK_ASFF_TYPE_check14="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check14="AwsIamUser"
@@ -37,15 +40,15 @@ check14(){
        HOWOLDER=$(how_older_from_today $DATEROTATED1)

        if [ $HOWOLDER -gt "90" ];then
-          textFail "$user has not rotated access key 1 in over 90 days"
+          textFail "$REGION: $user has not rotated access key 1 in over 90 days" "$REGION" "$user"
          C14_NUM_USERS1=$(expr $C14_NUM_USERS1 + 1)
        fi
      done
      if [[ $C14_NUM_USERS1 -eq 0 ]]; then
-        textPass "No users with access key 1 older than 90 days"
+        textPass "$REGION: No users with access key 1 older than 90 days" "$REGION" "$user"
      fi
    else
-      textPass "No users with access key 1"
+      textPass "$REGION: No users with access key 1" "$REGION" "$user"
    fi

    if [[ $LIST_OF_USERS_WITH_ACCESS_KEY2 ]]; then
@@ -55,14 +58,14 @@ check14(){
        DATEROTATED2=$(cat $TEMP_REPORT_FILE | grep -v user_creation_time | grep "^${user},"| awk -F, '{ print $15 }' | grep -v "N/A" | awk -F"T" '{ print $1 }')
        HOWOLDER=$(how_older_from_today $DATEROTATED2)
        if [ $HOWOLDER -gt "90" ];then
-          textFail "$user has not rotated access key 2 in over 90 days"
+          textFail "$REGION: $user has not rotated access key 2 in over 90 days" "$REGION" "$user"
          C14_NUM_USERS2=$(expr $C14_NUM_USERS2 + 1)
        fi
      done
      if [[ $C14_NUM_USERS2 -eq 0 ]]; then
-        textPass "No users with access key 2 older than 90 days"
+        textPass "$REGION: No users with access key 2 older than 90 days" "$REGION" "$user"
      fi
    else
-      textPass "No users with access key 2"
+      textPass "$REGION: No users with access key 2" "$REGION" "$user"
    fi
 }
--- a/checks/check15
+++ b/checks/check15
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check15="1.5"
-CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter (Scored)"
+CHECK_TITLE_check15="[check15] Ensure IAM password policy requires at least one uppercase letter"
 CHECK_SCORED_check15="SCORED"
-CHECK_TYPE_check15="LEVEL1"
+CHECK_CIS_LEVEL_check15="LEVEL1"
 CHECK_SEVERITY_check15="Medium"
 CHECK_ASFF_TYPE_check15="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check105="check15"
@@ -25,8 +28,8 @@ check15(){
  # "Ensure IAM password policy requires at least one uppercase letter (Scored)"
  COMMAND15=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireUppercaseCharacters' 2> /dev/null) # must be true
  if [[ "$COMMAND15" == "true" ]];then
-    textPass "Password Policy requires upper case"
+    textPass "$REGION: Password Policy requires upper case" "$REGION" "password policy"
  else
-    textFail "Password Policy missing upper-case requirement"
+    textFail "$REGION: Password Policy missing upper-case requirement" "$REGION" "password policy"
  fi
 }
--- a/checks/check16
+++ b/checks/check16
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check16="1.6"
-CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter (Scored)"
+CHECK_TITLE_check16="[check16] Ensure IAM password policy require at least one lowercase letter"
 CHECK_SCORED_check16="SCORED"
-CHECK_TYPE_check16="LEVEL1"
+CHECK_CIS_LEVEL_check16="LEVEL1"
 CHECK_SEVERITY_check16="Medium"
 CHECK_ASFF_TYPE_check16="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check106="check16"
@@ -25,8 +28,8 @@ check16(){
  # "Ensure IAM password policy require at least one lowercase letter (Scored)"
  COMMAND16=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireLowercaseCharacters' 2> /dev/null) # must be true
  if [[ "$COMMAND16" == "true" ]];then
-    textPass "Password Policy requires lower case"
+    textPass "$REGION: Password Policy requires lower case" "$REGION" "password policy"
  else
-    textFail "Password Policy missing lower-case requirement"
+    textFail "$REGION: Password Policy missing lower-case requirement" "$REGION" "password policy"
  fi
 }
--- a/checks/check17
+++ b/checks/check17
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check17="1.7"
-CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol (Scored)"
+CHECK_TITLE_check17="[check17] Ensure IAM password policy require at least one symbol"
 CHECK_SCORED_check17="SCORED"
-CHECK_TYPE_check17="LEVEL1"
+CHECK_CIS_LEVEL_check17="LEVEL1"
 CHECK_SEVERITY_check17="Medium"
 CHECK_ASFF_TYPE_check17="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check107="check17"
@@ -25,8 +28,8 @@ check17(){
  # "Ensure IAM password policy require at least one symbol (Scored)"
  COMMAND17=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireSymbols' 2> /dev/null) # must be true
  if [[ "$COMMAND17" == "true" ]];then
-    textPass "Password Policy requires symbol"
+    textPass "$REGION: Password Policy requires symbol" "$REGION" "password policy"
  else
-    textFail "Password Policy missing symbol requirement"
+    textFail "$REGION: Password Policy missing symbol requirement" "$REGION" "password policy"
  fi
 }
--- a/checks/check18
+++ b/checks/check18
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check18="1.8"
-CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number (Scored)"
+CHECK_TITLE_check18="[check18] Ensure IAM password policy require at least one number"
 CHECK_SCORED_check18="SCORED"
-CHECK_TYPE_check18="LEVEL1"
+CHECK_CIS_LEVEL_check18="LEVEL1"
 CHECK_SEVERITY_check18="Medium"
 CHECK_ASFF_TYPE_check18="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check108="check18"
@@ -25,8 +28,8 @@ check18(){
  # "Ensure IAM password policy require at least one number (Scored)"
  COMMAND18=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.RequireNumbers' 2> /dev/null) # must be true
  if [[ "$COMMAND18" == "true" ]];then
-    textPass "Password Policy requires number"
+    textPass "$REGION: Password Policy requires number" "$REGION" "password policy"
  else
-    textFail "Password Policy missing number requirement"
+    textFail "$REGION: Password Policy missing number requirement" "$REGION" "password policy"
  fi
 }
--- a/checks/check19
+++ b/checks/check19
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check19="1.9"
-CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
+CHECK_TITLE_check19="[check19] Ensure IAM password policy requires minimum length of 14 or greater"
 CHECK_SCORED_check19="SCORED"
-CHECK_TYPE_check19="LEVEL1"
+CHECK_CIS_LEVEL_check19="LEVEL1"
 CHECK_SEVERITY_check19="Medium"
 CHECK_ASFF_TYPE_check19="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check109="check19"
@@ -25,8 +28,8 @@ check19(){
  # "Ensure IAM password policy requires minimum length of 14 or greater (Scored)"
  COMMAND19=$($AWSCLI iam get-account-password-policy $PROFILE_OPT --region $REGION --output json --query 'PasswordPolicy.MinimumPasswordLength' 2> /dev/null)
  if [[ $COMMAND19 -gt "13" ]];then
-    textPass "Password Policy requires more than 13 characters"
+    textPass "$REGION: Password Policy requires more than 13 characters" "$REGION" "password policy"
  else
-    textFail "Password Policy missing or weak length requirement"
+    textFail "$REGION: Password Policy missing or weak length requirement" "$REGION" "password policy"
  fi
 }
--- a/checks/check21
+++ b/checks/check21
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check21="2.1"
-CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions (Scored)"
+CHECK_TITLE_check21="[check21] Ensure CloudTrail is enabled in all regions"
 CHECK_SCORED_check21="SCORED"
-CHECK_TYPE_check21="LEVEL1"
+CHECK_CIS_LEVEL_check21="LEVEL1"
 CHECK_SEVERITY_check21="High"
 CHECK_ASFF_TYPE_check21="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check21="AwsCloudTrailTrail"
@@ -29,7 +32,7 @@ check21(){
  for regx in $REGIONS; do
    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to describe trails in $regx"
+      textInfo "$regx: Access Denied trying to describe trails" "$regx" "$trail"
      continue
    fi
    if [[ $TRAILS_AND_REGIONS ]]; then
@@ -43,15 +46,23 @@ check21(){

        MULTIREGION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].IsMultiRegionTrail' --output text --trail-name-list $trail)
        if [[ "$MULTIREGION_TRAIL_STATUS" == 'False' ]];then
-          textFail "Trail $trail in $regx is not enabled for all regions"
+          textFail "$regx: Trail $trail is not enabled for all regions" "$regx" "$trail"
        else
-          textPass "Trail $trail in $regx is enabled for all regions"
+          TRAIL_ON_OFF_STATUS=$($AWSCLI cloudtrail get-trail-status $PROFILE_OPT --region $TRAIL_REGION --name $trail --query IsLogging --output text)
+          if [[ "$TRAIL_ON_OFF_STATUS" == 'False'  ]];then
+            textFail "$regx: Trail $trail is configured for all regions but it is OFF" "$regx" "$trail"
+          else
+            textPass "$regx: Trail $trail is enabled for all regions" "$regx" "$trail"
+          fi 
        fi
-
      done
    fi
  done
  if [[ $trail_count == 0 ]]; then
-    textFail "No CloudTrail trails were found in the account"
+    if [[ $FILTERREGION ]]; then
+      textFail "$regx: No CloudTrail trails were found in the filtered region" "$regx" "$trail"
+    else
+      textFail "$regx: No CloudTrail trails were found in the account" "$regx" "$trail"
+    fi 
  fi
-}
+}
--- a/checks/check22
+++ b/checks/check22
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check22="2.2"
-CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled (Scored)"
+CHECK_TITLE_check22="[check22] Ensure CloudTrail log file validation is enabled"
 CHECK_SCORED_check22="SCORED"
-CHECK_TYPE_check22="LEVEL2"
+CHECK_CIS_LEVEL_check22="LEVEL2"
 CHECK_SEVERITY_check22="Medium"
 CHECK_ASFF_TYPE_check22="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check22="AwsCloudTrailTrail"
@@ -29,7 +32,7 @@ check22(){
  for regx in $REGIONS; do
    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to describe trails in $regx"
+      textInfo "$regx: Access Denied trying to describe trails" "$regx" "$trail"
      continue
    fi
    if [[ $TRAILS_AND_REGIONS ]]; then
@@ -43,15 +46,15 @@ check22(){

        LOGFILEVALIDATION_TRAIL_STATUS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].LogFileValidationEnabled' --output text --trail-name-list $trail)
        if [[ "$LOGFILEVALIDATION_TRAIL_STATUS" == 'False' ]];then
-          textFail "Trail $trail in $regx log file validation disabled"
+          textFail "$regx: Trail $trail log file validation disabled" "$regx" "$trail"
        else
-          textPass "Trail $trail in $regx log file validation enabled"
+          textPass "$regx: Trail $trail log file validation enabled" "$regx" "$trail"
        fi

      done
    fi
  done
  if [[ $trail_count == 0 ]]; then
-    textFail "No CloudTrail trails were found in the account"
+    textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
  fi
 }
--- a/checks/check23
+++ b/checks/check23
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check23="2.3"
-CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)"
+CHECK_TITLE_check23="[check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible"
 CHECK_SCORED_check23="SCORED"
-CHECK_TYPE_check23="LEVEL1"
+CHECK_CIS_LEVEL_check23="LEVEL1"
 CHECK_SEVERITY_check23="Critical"
 CHECK_ASFF_TYPE_check23="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check23="AwsS3Bucket"
@@ -20,7 +23,7 @@ CHECK_ASFF_COMPLIANCE_TYPE_check23="ens-op.exp.10.aws.trail.3 ens-op.exp.10.aws.
 CHECK_SERVICENAME_check23="cloudtrail"
 CHECK_RISK_check23='Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected accounts use or configuration.'
 CHECK_REMEDIATION_check23='Analyze Bucket policy to validate appropriate permissions. Ensure the AllUsers principal is not granted privileges. Ensure the AuthenticatedUsers principal is not granted privileges.'
-CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_ principal.html '
+CHECK_DOC_check23='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html'
 CHECK_CAF_EPIC_check23='Logging and Monitoring'

 check23(){
@@ -29,7 +32,7 @@ check23(){
  for regx in $REGIONS; do
    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to describe trails in $regx"
+      textInfo "$regx: Access Denied trying to describe trails" "$regx" "$trail"
      continue
    fi
    if [[ $TRAILS_AND_REGIONS ]]; then
@@ -43,13 +46,13 @@ check23(){

        CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].[S3BucketName]' --output text --trail-name-list $trail)
        if [[ -z $CLOUDTRAILBUCKET ]]; then
-          textFail "Trail $trail in $TRAIL_REGION does not publish to S3"
+          textFail "Trail $trail in $TRAIL_REGION does not publish to S3" "$regx" "$trail"
          continue
        fi

        CLOUDTRAIL_ACCOUNT_ID=$(echo $trail | awk -F: '{ print $5 }')
        if [ "$CLOUDTRAIL_ACCOUNT_ID" != "$ACCOUNT_NUM" ]; then
-          textInfo "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not in current account"
+          textInfo "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not in current account" "$regx" "$trail"
          continue
        fi

@@ -60,7 +63,7 @@ check23(){
        #
        BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $regx --bucket $CLOUDTRAILBUCKET --output text 2>&1)
        if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
-          textFail "Trail $trail in $TRAIL_REGION Access Denied getting bucket location for $CLOUDTRAILBUCKET"
+          textInfo "Trail $trail in $TRAIL_REGION Access Denied getting bucket location for $CLOUDTRAILBUCKET" "$regx" "$trail"
          continue
        fi
        if [[ $BUCKET_LOCATION == "None" ]]; then
@@ -72,20 +75,20 @@ check23(){

        CLOUDTRAILBUCKET_HASALLPERMISIONS=$($AWSCLI s3api get-bucket-acl --bucket $CLOUDTRAILBUCKET $PROFILE_OPT --region $BUCKET_LOCATION --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' --output text 2>&1)
        if [[ $(echo "$CLOUDTRAILBUCKET_HASALLPERMISIONS" | grep AccessDenied) ]]; then
-          textInfo "Trail $trail in $TRAIL_REGION Access Denied getting bucket acl for $CLOUDTRAILBUCKET"
+          textInfo "Trail $trail in $TRAIL_REGION Access Denied getting bucket acl for $CLOUDTRAILBUCKET" "$regx" "$trail"
          continue
        fi

        if [[ -z $CLOUDTRAILBUCKET_HASALLPERMISIONS ]]; then
-          textPass "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not publicly accessible"
+          textPass "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not publicly accessible" "$regx" "$trail"
        else
-          textFail "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is publicly accessible"
+          textFail "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is publicly accessible" "$regx" "$trail"
        fi

      done
    fi
  done
  if [[ $trail_count == 0 ]]; then
-    textFail "No CloudTrail trails were found in the account"
+    textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
  fi
 }
--- a/checks/check24
+++ b/checks/check24
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check24="2.4"
-CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)"
+CHECK_TITLE_check24="[check24] Ensure CloudTrail trails are integrated with CloudWatch Logs"
 CHECK_SCORED_check24="SCORED"
-CHECK_TYPE_check24="LEVEL1"
+CHECK_CIS_LEVEL_check24="LEVEL1"
 CHECK_SEVERITY_check24="Low"
 CHECK_ASFF_TYPE_check24="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check24="AwsCloudTrailTrail"
@@ -29,7 +32,7 @@ check24(){
  for regx in $REGIONS; do
    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to describe trails in $regx"
+      textInfo "$regx: Access Denied trying to describe trails" "$regx" "$trail"
      continue
    fi
    if [[ $TRAILS_AND_REGIONS ]]; then
@@ -43,14 +46,14 @@ check24(){

        LATESTDELIVERY_TIMESTAMP=$($AWSCLI cloudtrail get-trail-status --name $trail $PROFILE_OPT --region $TRAIL_REGION --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None)
        if [[ ! $LATESTDELIVERY_TIMESTAMP ]];then
-          textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+          textFail "$TRAIL_REGION: $trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)" "$TRAIL_REGION" "$trail"
        else
          LATESTDELIVERY_DATE=$(timestamp_to_date $LATESTDELIVERY_TIMESTAMP)
          HOWOLDER=$(how_older_from_today $LATESTDELIVERY_DATE)
          if [ $HOWOLDER -gt "1" ];then
-            textFail "$trail trail is not logging in the last 24h or not configured (it is in $TRAIL_REGION)"
+            textFail "$TRAIL_REGION: $trail trail is not logging in the last 24h or not configured" "$TRAIL_REGION" "$trail"
          else
-            textPass "$trail trail has been logging during the last 24h (it is in $TRAIL_REGION)"
+            textPass "$TRAIL_REGION: $trail trail has been logging during the last 24h" "$TRAIL_REGION" "$trail"
          fi
        fi

@@ -58,6 +61,6 @@ check24(){
    fi
  done
  if [[ $trail_count == 0 ]]; then
-    textFail "No CloudTrail trails were found in the account"
+    textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
  fi
 }
--- a/checks/check25
+++ b/checks/check25
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check25="2.5"
-CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions (Scored)"
+CHECK_TITLE_check25="[check25] Ensure AWS Config is enabled in all regions"
 CHECK_SCORED_check25="SCORED"
-CHECK_TYPE_check25="LEVEL1"
+CHECK_CIS_LEVEL_check25="LEVEL1"
 CHECK_SEVERITY_check25="Medium"
 CHECK_ASFF_TYPE_check25="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ALTERNATE_check205="check25"
@@ -28,17 +31,17 @@ check25(){
    CHECK_AWSCONFIG_RECORDING=$($AWSCLI configservice describe-configuration-recorder-status $PROFILE_OPT --region $regx --query 'ConfigurationRecordersStatus[*].recording' --output text 2>&1)
    CHECK_AWSCONFIG_STATUS=$($AWSCLI configservice describe-configuration-recorder-status $PROFILE_OPT --region $regx --query 'ConfigurationRecordersStatus[*].lastStatus' --output text 2>&1)
    if [[ $(echo "$CHECK_AWSCONFIG_STATUS" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to describe configuration recorder status in $regx"
+      textInfo "$regx: Access Denied trying to describe configuration recorder status" "$regx" "recorder"
      continue
    fi
    if [[ $CHECK_AWSCONFIG_RECORDING == "True" ]]; then
      if [[ $CHECK_AWSCONFIG_STATUS == "SUCCESS" ]]; then
-        textPass "Region $regx AWS Config recorder enabled"
+        textPass "$regx: AWS Config recorder enabled" "$regx" "recorder"
      else
-        textFail "Region $regx AWS Config recorder in failure state"
+        textFail "$regx: AWS Config recorder in failure state" "$regx" "recorder"
      fi
    else
-      textFail "Region $regx AWS Config recorder disabled"
+      textFail "$regx: AWS Config recorder disabled" "$regx" "recorder"
    fi
  done
 }
--- a/checks/check26
+++ b/checks/check26
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check26="2.6"
-CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)"
+CHECK_TITLE_check26="[check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket"
 CHECK_SCORED_check26="SCORED"
-CHECK_TYPE_check26="LEVEL1"
+CHECK_CIS_LEVEL_check26="LEVEL1"
 CHECK_SEVERITY_check26="Medium"
 CHECK_ASFF_TYPE_check26="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check26="AwsS3Bucket"
@@ -28,7 +31,7 @@ check26(){
  for regx in $REGIONS; do
    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to describe trails in $regx"
+      textInfo "$regx: Access Denied trying to describe trails" "$regx" "$trail"
      continue
    fi
    if [[ $TRAILS_AND_REGIONS ]]; then
@@ -42,13 +45,13 @@ check26(){

        CLOUDTRAILBUCKET=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].[S3BucketName]' --output text --trail-name-list $trail)
        if [[ -z $CLOUDTRAILBUCKET ]]; then
-          textFail "Trail $trail in $TRAIL_REGION does not publish to S3"
+          textFail "$regx: Trail $trail does not publish to S3" "$TRAIL_REGION" "$trail"
          continue
        fi

        CLOUDTRAIL_ACCOUNT_ID=$(echo $trail | awk -F: '{ print $5 }')
        if [ "$CLOUDTRAIL_ACCOUNT_ID" != "$ACCOUNT_NUM" ]; then
-          textInfo "Trail $trail in $TRAIL_REGION S3 logging bucket $CLOUDTRAILBUCKET is not in current account"
+          textInfo "$regx: Trail $trail S3 logging bucket $CLOUDTRAILBUCKET is not in current account" "$TRAIL_REGION" "$trail"
          continue
        fi

@@ -59,7 +62,7 @@ check26(){
        #
        BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $regx --bucket $CLOUDTRAILBUCKET --output text 2>&1)
        if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
-          textFail "Trail $trail in $TRAIL_REGION Access Denied getting bucket location for $CLOUDTRAILBUCKET"
+          textInfo "$regx: Trail $trail Access Denied getting bucket location for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
          continue
        fi
        if [[ $BUCKET_LOCATION == "None" ]]; then
@@ -71,20 +74,20 @@ check26(){

        CLOUDTRAILBUCKET_LOGENABLED=$($AWSCLI s3api get-bucket-logging --bucket $CLOUDTRAILBUCKET $PROFILE_OPT --region $BUCKET_LOCATION --query 'LoggingEnabled.TargetBucket' --output text 2>&1)
        if [[ $(echo "$CLOUDTRAILBUCKET_LOGENABLED" | grep AccessDenied) ]]; then
-          textInfo "Trail $trail in $TRAIL_REGION Access Denied getting bucket logging for $CLOUDTRAILBUCKET"
+          textInfo "$regx: Trail $trail Access Denied getting bucket logging for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
          continue
        fi

        if [[ $CLOUDTRAILBUCKET_LOGENABLED != "None" ]]; then
-          textPass "Trail $trail in $TRAIL_REGION S3 bucket access logging is enabled for $CLOUDTRAILBUCKET"
+          textPass "$regx: Trail $trail S3 bucket access logging is enabled for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
        else
-          textFail "Trail $trail in $TRAIL_REGION S3 bucket access logging is not enabled for $CLOUDTRAILBUCKET"
+          textFail "$regx: Trail $trail S3 bucket access logging is not enabled for $CLOUDTRAILBUCKET" "$TRAIL_REGION" "$trail"
        fi

      done
    fi
  done
  if [[ $trail_count == 0 ]]; then
-    textFail "No CloudTrail trails were found in the account"
+    textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
  fi
 }
--- a/checks/check27
+++ b/checks/check27
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check27="2.7"
-CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)"
+CHECK_TITLE_check27="[check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
 CHECK_SCORED_check27="SCORED"
-CHECK_TYPE_check27="LEVEL2"
+CHECK_CIS_LEVEL_check27="LEVEL2"
 CHECK_SEVERITY_check27="Medium"
 CHECK_ASFF_TYPE_check27="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check27="AwsCloudTrailTrail"
@@ -29,7 +32,7 @@ check27(){
  for regx in $REGIONS; do
    TRAILS_AND_REGIONS=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $regx --query 'trailList[*].{Name:TrailARN, HomeRegion:HomeRegion}' --output text 2>&1 | tr "	" ',')
    if [[ $(echo "$TRAILS_AND_REGIONS" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to describe trails in $regx"
+      textInfo "$regx: Access Denied trying to describe trails" "$regx" "$trail"
      continue
    fi
    if [[ $TRAILS_AND_REGIONS ]]; then
@@ -43,14 +46,14 @@ check27(){

        KMSKEYID=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $TRAIL_REGION --query 'trailList[*].KmsKeyId' --output text --trail-name-list $trail)
        if [[ "$KMSKEYID" ]];then
-          textPass "Trail $trail in $regx has encryption enabled"
+          textPass "$regx: Trail $trail has encryption enabled" "$regx" "$trail"
        else
-          textFail "Trail $trail in $regx has encryption disabled"
+          textFail "$regx: Trail $trail has encryption disabled" "$regx" "$trail"
        fi
      done
    fi
  done
  if [[ $trail_count == 0 ]]; then
-    textFail "No CloudTrail trails were found in the account"
+    textFail "$REGION: No CloudTrail trails were found in the account" "$REGION" "$trail"
  fi
 }
--- a/checks/check28
+++ b/checks/check28
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check28="2.8"
-CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled (Scored)"
+CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled"
 CHECK_SCORED_check28="SCORED"
-CHECK_TYPE_check28="LEVEL2"
+CHECK_CIS_LEVEL_check28="LEVEL2"
 CHECK_SEVERITY_check28="Medium"
 CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
@@ -27,7 +30,7 @@ check28(){
  for regx in $REGIONS; do
    CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId' --output text 2>&1)
    if [[ $(echo "$CHECK_KMS_KEYLIST" | grep AccessDenied) ]]; then
-      textFail "Access Denied trying to list keys in $regx"
+      textInfo "$regx: Access Denied trying to list keys" "$regx" "$key"
      continue
    fi
    if [[ $CHECK_KMS_KEYLIST ]]; then
@@ -35,7 +38,7 @@ check28(){
      for key in $CHECK_KMS_KEYLIST; do
        KMSDETAILS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,man:KeyManager,origin:Origin,spec:CustomerMasterKeySpec,state:KeyState}' --output text 2>&1 | grep SYMMETRIC)
        if [[ $(echo "$KMSDETAILS" | grep AccessDenied) ]]; then
-           textFail "$regx: Key $key Access Denied describing key"
+           textInfo "$regx: Access Denied describing key $key" "$regx" "$key"
           continue
        fi

@@ -53,25 +56,25 @@ check28(){
        cmk_count=$((cmk_count + 1))

        if [[ "$KEYORIGIN" == "EXTERNAL" ]]; then
-          textPass "$regx: Key $key uses imported key material"
+          textPass "$regx: Key $key uses imported key material" "$regx" "$key"
        else
          CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text 2>&1)
          if [[ $(echo "$CHECK_KMS_KEY_ROTATION" | grep AccessDenied) ]]; then
-            textFail "$regx: Key $key Access Denied getting key rotation status"
+            textInfo "$regx: Access Denied getting key rotation status for $key " "$regx" "$key"
            continue
          fi
          if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
-            textPass "$regx: Key $key automatic rotation of the key material is enabled"
+            textPass "$regx: Key $key automatic rotation of the key material is enabled" "$regx" "$key"
          else
-            textFail "$regx: Key $key automatic rotation of the key material is disabled"
+            textFail "$regx: Key $key automatic rotation of the key material is disabled" "$regx" "$key"
          fi
        fi
      done
      if [[ $cmk_count == 0 ]]; then
-        textInfo "$regx: This region has no customer managed keys"
+        textInfo "$regx: This region has no customer managed keys" "$regx" "$key"
      fi
    else
-      textInfo "$regx: This region has no KMS keys"
+      textInfo "$regx: This region has no KMS keys" "$regx" "$key"
    fi
  done
 }
--- a/checks/check29
+++ b/checks/check29
@@ -1,24 +1,27 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check29="2.9"
-CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
+CHECK_TITLE_check29="[check29] Ensure VPC Flow Logging is Enabled in all VPCs"
 CHECK_SCORED_check29="SCORED"
-CHECK_TYPE_check29="LEVEL2"
+CHECK_CIS_LEVEL_check29="LEVEL2"
 CHECK_SEVERITY_check29="Medium"
 CHECK_ASFF_TYPE_check29="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check29="AwsEc2Vpc"
 CHECK_ALTERNATE_check209="check29"
 CHECK_ASFF_COMPLIANCE_TYPE_check29="ens-op.mon.1.aws.flow.1"
 CHECK_SERVICENAME_check29="vpc"
-CHECK_RISK_check29='PC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.'
+CHECK_RISK_check29='VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.'
 CHECK_REMEDIATION_check29='It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. '
 CHECK_DOC_check29='http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html '
 CHECK_CAF_EPIC_check29='Logging and Monitoring'
@@ -27,22 +30,22 @@ check29(){
  # "Ensure VPC Flow Logging is Enabled in all VPCs (Scored)"
  for regx in $REGIONS; do
    AVAILABLE_VPC=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[?State==`available`].VpcId' --output text 2>&1)
-    if [[ $(echo "$AVAILABLE_VPC" | grep AccessDenied) ]]; then
-      textFail "$regx: Access Denied trying to describe VPCs"
+    if [[ $(echo "$AVAILABLE_VPC" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+      textInfo "$regx: Access Denied trying to describe VPCs" "$regx" "$vpcx"
      continue
    fi
    for vpcx in $AVAILABLE_VPC; do
      CHECK_FL=$($AWSCLI ec2 describe-flow-logs $PROFILE_OPT --region $regx --filter Name="resource-id",Values="${vpcx}" --query 'FlowLogs[?FlowLogStatus==`ACTIVE`].FlowLogId' --output text 2>&1)
-      if [[ $(echo "$CHECK_FL" | grep AccessDenied) ]]; then
-        textFail "$regx: VPC $vpcx Access Denied trying to describe flow logs"
+      if [[ $(echo "$CHECK_FL" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe flow logs in VPC $vpcx" "$regx" "$vpcx"
        continue
      fi
      if [[ $CHECK_FL ]]; then
        for FL in $CHECK_FL; do
-          textPass "$regx: VPC $vpcx VPCFlowLog is enabled for LogGroupName: $FL"
+          textPass "$regx: VPC $vpcx VPCFlowLog is enabled for LogGroupName: $FL" "$regx" "$vpcx"
        done
      else
-        textFail "$regx: VPC $vpcx VPCFlowLog is disabled"
+        textFail "$regx: VPC $vpcx VPCFlowLog is disabled" "$regx" "$vpcx"
      fi
    done
  done
--- a/checks/check31
+++ b/checks/check31
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check31="3.1"
-CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)"
+CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls"
 CHECK_SCORED_check31="SCORED"
-CHECK_TYPE_check31="LEVEL1"
+CHECK_CIS_LEVEL_check31="LEVEL1"
 CHECK_SEVERITY_check31="Medium"
 CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
--- a/checks/check310
+++ b/checks/check310
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check310="3.10"
-CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes (Scored)"
+CHECK_TITLE_check310="[check310] Ensure a log metric filter and alarm exist for security group changes"
 CHECK_SCORED_check310="SCORED"
-CHECK_TYPE_check310="LEVEL2"
+CHECK_CIS_LEVEL_check310="LEVEL2"
 CHECK_SEVERITY_check310="Medium"
 CHECK_ASFF_TYPE_check310="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check310="AwsCloudTrailTrail"
--- a/checks/check311
+++ b/checks/check311
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check311="3.11"
-CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)"
+CHECK_TITLE_check311="[check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)"
 CHECK_SCORED_check311="SCORED"
-CHECK_TYPE_check311="LEVEL2"
+CHECK_CIS_LEVEL_check311="LEVEL2"
 CHECK_SEVERITY_check311="Medium"
 CHECK_ASFF_TYPE_check311="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check311="AwsCloudTrailTrail"
--- a/checks/check312
+++ b/checks/check312
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check312="3.12"
-CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)"
+CHECK_TITLE_check312="[check312] Ensure a log metric filter and alarm exist for changes to network gateways"
 CHECK_SCORED_check312="SCORED"
-CHECK_TYPE_check312="LEVEL1"
+CHECK_CIS_LEVEL_check312="LEVEL1"
 CHECK_SEVERITY_check312="Medium"
 CHECK_ASFF_TYPE_check312="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check312="AwsCloudTrailTrail"
--- a/checks/check313
+++ b/checks/check313
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check313="3.13"
-CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes (Scored)"
+CHECK_TITLE_check313="[check313] Ensure a log metric filter and alarm exist for route table changes"
 CHECK_SCORED_check313="SCORED"
-CHECK_TYPE_check313="LEVEL1"
+CHECK_CIS_LEVEL_check313="LEVEL1"
 CHECK_SEVERITY_check313="Medium"
 CHECK_ASFF_TYPE_check313="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check313="AwsCloudTrailTrail"
--- a/checks/check314
+++ b/checks/check314
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check314="3.14"
-CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)"
+CHECK_TITLE_check314="[check314] Ensure a log metric filter and alarm exist for VPC changes"
 CHECK_SCORED_check314="SCORED"
-CHECK_TYPE_check314="LEVEL1"
+CHECK_CIS_LEVEL_check314="LEVEL1"
 CHECK_SEVERITY_check314="Medium"
 CHECK_ASFF_TYPE_check314="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check314="AwsCloudTrailTrail"
--- a/checks/check32
+++ b/checks/check32
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check32="3.2"
-CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)"
+CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA"
 CHECK_SCORED_check32="SCORED"
-CHECK_TYPE_check32="LEVEL1"
+CHECK_CIS_LEVEL_check32="LEVEL1"
 CHECK_SEVERITY_check32="Medium"
 CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
--- a/checks/check33
+++ b/checks/check33
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check33="3.3"
-CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)"
+CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account"
 CHECK_SCORED_check33="SCORED"
-CHECK_TYPE_check33="LEVEL1"
+CHECK_CIS_LEVEL_check33="LEVEL1"
 CHECK_SEVERITY_check33="Medium"
 CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
@@ -49,5 +52,9 @@ CHECK_DOC_check33='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cl
 CHECK_CAF_EPIC_check33='Logging and Monitoring'

 check33(){
-  check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
+  if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
+    textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
+  else
+    check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
+  fi
 }
--- a/checks/check34
+++ b/checks/check34
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check34="3.4"
-CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)"
+CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes"
 CHECK_SCORED_check34="SCORED"
-CHECK_TYPE_check34="LEVEL1"
+CHECK_CIS_LEVEL_check34="LEVEL1"
 CHECK_SEVERITY_check34="Medium"
 CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
--- a/checks/check35
+++ b/checks/check35
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check35="3.5"
-CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)"
+CHECK_TITLE_check35="[check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes"
 CHECK_SCORED_check35="SCORED"
-CHECK_TYPE_check35="LEVEL1"
+CHECK_CIS_LEVEL_check35="LEVEL1"
 CHECK_SEVERITY_check35="Medium"
 CHECK_ASFF_TYPE_check35="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check35="AwsCloudTrailTrail"
--- a/checks/check36
+++ b/checks/check36
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check36="3.6"
-CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)"
+CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures"
 CHECK_SCORED_check36="SCORED"
-CHECK_TYPE_check36="LEVEL2"
+CHECK_CIS_LEVEL_check36="LEVEL2"
 CHECK_SEVERITY_check36="Medium"
 CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
--- a/checks/check37
+++ b/checks/check37
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check37="3.7"
-CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs (Scored)"
+CHECK_TITLE_check37="[check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs"
 CHECK_SCORED_check37="SCORED"
-CHECK_TYPE_check37="LEVEL2"
+CHECK_CIS_LEVEL_check37="LEVEL2"
 CHECK_SEVERITY_check37="Medium"
 CHECK_ASFF_TYPE_check37="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check37="AwsCloudTrailTrail"
--- a/checks/check38
+++ b/checks/check38
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check38="3.8"
-CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)"
+CHECK_TITLE_check38="[check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes"
 CHECK_SCORED_check38="SCORED"
-CHECK_TYPE_check38="LEVEL1"
+CHECK_CIS_LEVEL_check38="LEVEL1"
 CHECK_SEVERITY_check38="Medium"
 CHECK_ASFF_TYPE_check38="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check38="AwsCloudTrailTrail"
--- a/checks/check39
+++ b/checks/check39
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
 #
 # Remediation:
 #
@@ -34,9 +37,9 @@
 #     --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic

 CHECK_ID_check39="3.9"
-CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)"
+CHECK_TITLE_check39="[check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes"
 CHECK_SCORED_check39="SCORED"
-CHECK_TYPE_check39="LEVEL2"
+CHECK_CIS_LEVEL_check39="LEVEL2"
 CHECK_SEVERITY_check39="Medium"
 CHECK_ASFF_TYPE_check39="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check39="AwsCloudTrailTrail"
--- a/checks/check41
+++ b/checks/check41
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check41="4.1"
-CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
+CHECK_TITLE_check41="[check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22"
 CHECK_SCORED_check41="SCORED"
-CHECK_TYPE_check41="LEVEL2"
+CHECK_CIS_LEVEL_check41="LEVEL2"
 CHECK_SEVERITY_check41="High"
 CHECK_ASFF_TYPE_check41="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check41="AwsEc2SecurityGroup"
@@ -26,13 +29,17 @@ CHECK_CAF_EPIC_check41='Infrastructure Security'
 check41(){
  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)"
  for regx in $REGIONS; do
-    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    SG_LIST=$("${AWSCLI}" ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`22` && ToPort>=`22`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)) && (IpProtocol==`tcp`)]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region "${regx}" --output text 2>&1)
+    if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe security groups" "$regx"
+        continue
+    fi
    if [[ $SG_LIST ]];then
      for SG in $SG_LIST;do
-        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
+        textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0" "$regx" "$SG"
      done
    else
-      textPass "No Security Groups found in $regx with port 22 TCP open to 0.0.0.0/0" "$regx"
+      textPass "$regx: No Security Groups found with port 22 TCP open to 0.0.0.0/0" "$regx" "$SG"
    fi
  done
 }
--- a/checks/check42
+++ b/checks/check42
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check42="4.2"
-CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
+CHECK_TITLE_check42="[check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389"
 CHECK_SCORED_check42="SCORED"
-CHECK_TYPE_check42="LEVEL2"
+CHECK_CIS_LEVEL_check42="LEVEL2"
 CHECK_SEVERITY_check42="High"
 CHECK_ASFF_TYPE_check42="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check42="AwsEc2SecurityGroup"
@@ -26,13 +29,17 @@ CHECK_CAF_EPIC_check42='Infrastructure Security'
 check42(){
  # "Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)"
  for regx in $REGIONS; do
-    SG_LIST=$($AWSCLI ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`))]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region $regx --output text)
+    SG_LIST=$("${AWSCLI}" ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?((FromPort==null && ToPort==null) || (FromPort<=`3389` && ToPort>=`3389`)) && (contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)) && (IpProtocol==`tcp`) ]) > `0`].{GroupId:GroupId}' $PROFILE_OPT --region "${regx}" --output text 2>&1)
+    if [[ $(echo "$SG_LIST" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe security groups" "$regx"
+        continue
+    fi
    if [[ $SG_LIST ]];then
      for SG in $SG_LIST;do
-        textFail "Found Security Group: $SG open to 0.0.0.0/0 in Region $regx" "$regx"
+        textFail "$regx: Found Security Group: $SG open to 0.0.0.0/0" "$regx" "$SG"
      done
    else
-      textPass "No Security Groups found in $regx with port 3389 TCP open to 0.0.0.0/0" "$regx"
+      textPass "$regx: No Security Groups found with port 3389 TCP open to 0.0.0.0/0" "$regx" "$SG"
    fi
  done
 }
--- a/checks/check43
+++ b/checks/check43
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check43="4.3"
-CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic (Scored)"
+CHECK_TITLE_check43="[check43] Ensure the default security group of every VPC restricts all traffic"
 CHECK_SCORED_check43="SCORED"
-CHECK_TYPE_check43="LEVEL2"
+CHECK_CIS_LEVEL_check43="LEVEL2"
 CHECK_SEVERITY_check43="High"
 CHECK_ASFF_TYPE_check43="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check43="AwsEc2SecurityGroup"
@@ -26,13 +29,17 @@ CHECK_CAF_EPIC_check43='Infrastructure Security'
 check43(){
  # "Ensure the default security group of every VPC restricts all traffic (Scored)"
  for regx in $REGIONS; do
-    CHECK_SGDEFAULT_IDS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].GroupId[]' --output text)
+    CHECK_SGDEFAULT_IDS=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --filters Name=group-name,Values='default' --query 'SecurityGroups[*].GroupId[]' --output text 2>&1)
+    if [[ $(echo "$CHECK_SGDEFAULT_IDS" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe security groups" "$regx"
+        continue
+    fi
    for CHECK_SGDEFAULT_ID in $CHECK_SGDEFAULT_IDS; do
      CHECK_SGDEFAULT_ID_OPEN=$($AWSCLI ec2 describe-security-groups $PROFILE_OPT --region $regx --group-ids $CHECK_SGDEFAULT_ID --query 'SecurityGroups[*].{IpPermissions:IpPermissions,IpPermissionsEgress:IpPermissionsEgress,GroupId:GroupId}' --output text |egrep '\s0.0.0.0|\:\:\/0')
      if [[ $CHECK_SGDEFAULT_ID_OPEN ]];then
-        textFail "Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic in Region $regx" "$regx"
+        textFail "$regx: Default Security Groups ($CHECK_SGDEFAULT_ID) found that allow 0.0.0.0 IN or OUT traffic" "$regx" "$CHECK_SGDEFAULT_ID"
      else
-        textPass "No Default Security Groups ($CHECK_SGDEFAULT_ID) open to 0.0.0.0 found in Region $regx" "$regx"
+        textPass "$regx: No Default Security Groups ($CHECK_SGDEFAULT_ID) open to 0.0.0.0 found" "$regx" "$CHECK_SGDEFAULT_ID"
      fi
    done
  done
--- a/checks/check44
+++ b/checks/check44
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash

-# Prowler - the handy cloud security tool (c) by Toni de la Fuente
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
-# This Prowler check is licensed under a
-# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
-# You should have received a copy of the license along with this
-# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.

 CHECK_ID_check44="4.4"
-CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
+CHECK_TITLE_check44="[check44] Ensure routing tables for VPC peering are \"least access\""
 CHECK_SCORED_check44="NOT_SCORED"
-CHECK_TYPE_check44="LEVEL2"
+CHECK_CIS_LEVEL_check44="LEVEL2"
 CHECK_SEVERITY_check44="Medium"
 CHECK_ASFF_TYPE_check44="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_check44="AwsEc2Vpc"
@@ -24,11 +27,14 @@ CHECK_CAF_EPIC_check44='Infrastructure Security'

 check44(){
  # "Ensure routing tables for VPC peering are \"least access\" (Not Scored)"
-  textInfo "Looking for VPC peering in all regions...  "
  for regx in $REGIONS; do
-    LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId'| sort | paste -s -d" " -)
+    LIST_OF_VPCS_PEERING_CONNECTIONS=$($AWSCLI ec2 describe-vpc-peering-connections --output text $PROFILE_OPT --region $regx --query 'VpcPeeringConnections[*].VpcPeeringConnectionId' 2>&1| sort | paste -s -d" " - )
+    if [[ $(echo "$LIST_OF_VPCS_PEERING_CONNECTIONS" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe vpc peering connections" "$regx"
+        continue
+    fi
    if [[ $LIST_OF_VPCS_PEERING_CONNECTIONS ]];then
-      textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx"
+      textInfo "$regx: $LIST_OF_VPCS_PEERING_CONNECTIONS - review routing tables" "$regx" "$LIST_OF_VPCS_PEERING_CONNECTIONS"
      #LIST_OF_VPCS=$($AWSCLI ec2 describe-vpcs $PROFILE_OPT --region $regx --query 'Vpcs[*].VpcId' --output text)
      #aws ec2 describe-route-tables --filter "Name=vpc-id,Values=vpc-0213e864" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}" $PROFILE_OPT --region $regx
      # for vpc in $LIST_OF_VPCS; do
@@ -36,7 +42,7 @@ check44(){
      # done
      #echo $VPCS_WITH_PEERING
    else
-      textPass "$regx: No VPC peering found" "$regx"
+      textPass "$regx: No VPC peering found" "$regx" "$LIST_OF_VPCS_PEERING_CONNECTIONS"
    fi
  done
 }
--- a/checks/check45
+++ b/checks/check45
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_check45="4.5"
+CHECK_TITLE_check45="[check45] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22"
+CHECK_SCORED_check45="SCORED"
+CHECK_CIS_LEVEL_check45="LEVEL2"
+CHECK_SEVERITY_check45="High"
+CHECK_ASFF_TYPE_check45="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check45="AwsEc2NetworkAcl"
+CHECK_ALTERNATE_check401="check45"
+CHECK_SERVICENAME_check45="ec2"
+CHECK_RISK_check45='Even having a perimeter firewall; having network acls open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check45='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive network acls. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check45='https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html'
+CHECK_CAF_EPIC_check45='Infrastructure Security'
+
+check45(){
+  for regx in $REGIONS; do
+    NACL_LIST=$($AWSCLI ec2 describe-network-acls --query 'NetworkAcls[?Entries[?(((!PortRange) || (PortRange.From<=`22` && PortRange.To>=`22`)) && ((CidrBlock == `0.0.0.0/0`) && (Egress == `false`) && (RuleAction == `allow`)))]].{NetworkAclId:NetworkAclId}' $PROFILE_OPT --region $regx --output text 2>&1)
+    if [[ $(echo "$NACL_LIST" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe vpc network acls" "$regx"
+        continue
+    fi
+    if [[ $NACL_LIST ]];then
+      for NACL in $NACL_LIST;do
+        textInfo "$regx: Found Network ACL: $NACL open to 0.0.0.0/0 for SSH port 22" "$regx" "$NACL"
+      done
+    else
+      textPass "$regx: No Network ACL found with SSH port 22 open to 0.0.0.0/0" "$regx" "$NACL"
+    fi
+  done
+}
--- a/checks/check46
+++ b/checks/check46
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_check46="4.6"
+CHECK_TITLE_check46="[check46] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389"
+CHECK_SCORED_check46="SCORED"
+CHECK_CIS_LEVEL_check46="LEVEL2"
+CHECK_SEVERITY_check46="High"
+CHECK_ASFF_TYPE_check46="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
+CHECK_ASFF_RESOURCE_TYPE_check46="AwsEc2NetworkAcl"
+CHECK_ALTERNATE_check401="check46"
+CHECK_SERVICENAME_check46="ec2"
+CHECK_RISK_check46='Even having a perimeter firewall; having network acls open allows any user or malware with vpc access to scan for well known and sensitive ports and gain access to instance.'
+CHECK_REMEDIATION_check46='Apply Zero Trust approach. Implement a process to scan and remediate unrestricted or overly permissive network acls. Recommended best practices is to narrow the definition for the minimum ports required.'
+CHECK_DOC_check46='https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html'
+CHECK_CAF_EPIC_check46='Infrastructure Security'
+
+check46(){
+  for regx in $REGIONS; do
+    NACL_LIST=$($AWSCLI ec2 describe-network-acls --query 'NetworkAcls[?Entries[?(((!PortRange) || (PortRange.From<=`3389` && PortRange.To>=`3389`)) && ((CidrBlock == `0.0.0.0/0`) && (Egress == `false`) && (RuleAction == `allow`)))]].{NetworkAclId:NetworkAclId}' $PROFILE_OPT --region $regx --output text 2>&1)
+    if [[ $(echo "$NACL_LIST" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe vpc network acls" "$regx"
+        continue
+    fi
+    if [[ $NACL_LIST ]];then
+      for NACL in $NACL_LIST;do
+        textInfo "$regx: Found Network ACL: $NACL open to 0.0.0.0/0 for Microsoft RDP port 3389" "$regx" "$NACL"
+      done
+    else
+      textPass "$regx: No Network ACL found with Microsoft RDP port 3389 open to 0.0.0.0/0" "$regx" "$NACL"
+    fi
+  done
+}
--- a/checks/check_extra71
+++ b/checks/check_extra71
@@ -11,9 +11,9 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra71="7.1"
-CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra71="[extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled"
 CHECK_SCORED_extra71="NOT_SCORED"
-CHECK_TYPE_extra71="EXTRA"
+CHECK_CIS_LEVEL_extra71="EXTRA"
 CHECK_SEVERITY_extra71="High"
 CHECK_ASFF_RESOURCE_TYPE_extra71="AwsIamUser"
 CHECK_ALTERNATE_extra701="extra71"
@@ -27,7 +27,7 @@ CHECK_DOC_extra71='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentia
 CHECK_CAF_EPIC_extra71='Infrastructure Security'

 extra71(){
-  # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)"
+  # "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled "
  ADMIN_GROUPS=''
  AWS_GROUPS=$($AWSCLI $PROFILE_OPT iam list-groups --output text --region $REGION --query 'Groups[].GroupName')
  for grp in $AWS_GROUPS; do
@@ -36,7 +36,7 @@ extra71(){
    CHECK_ADMIN_GROUP=$($AWSCLI $PROFILE_OPT --region $REGION iam list-attached-group-policies --group-name $grp --output json --query 'AttachedPolicies[].PolicyArn' | grep  "arn:${AWS_PARTITION}:iam::aws:policy/AdministratorAccess")
    if [[ $CHECK_ADMIN_GROUP ]]; then
      ADMIN_GROUPS="$ADMIN_GROUPS $grp"
-      textInfo "$grp group provides administrative access"
+      textInfo "$REGION: $grp group provides administrative access" "$REGION" "$grp"
      ADMIN_USERS=$($AWSCLI $PROFILE_OPT iam get-group --region $REGION --group-name $grp --output json --query 'Users[].UserName' | grep '"' | cut -d'"' -f2 )
      for auser in $ADMIN_USERS; do
        # users in group are Administrators
@@ -44,13 +44,13 @@ extra71(){
        # check for user MFA device in credential report
        USER_MFA_ENABLED=$( cat $TEMP_REPORT_FILE | grep "^$auser," | cut -d',' -f8)
        if [[ "true" == $USER_MFA_ENABLED ]]; then
-          textPass "$auser / MFA Enabled / admin via group $grp"
+          textPass "$REGION: $auser / MFA Enabled / admin via group $grp" "$REGION" "$grp"
        else
-          textFail "$auser / MFA DISABLED / admin via group $grp"
+          textFail "$REGION: $auser / MFA DISABLED / admin via group $grp" "$REGION" "$grp"
        fi
      done
    else
-      textInfo "$grp group provides non-administrative access"
+      textInfo "$REGION: $grp group provides non-administrative access" "$REGION" "$grp"
    fi
  done
 }
--- a/checks/check_extra710
+++ b/checks/check_extra710
@@ -11,9 +11,9 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra710="7.10"
-CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra710="[extra710] Check for internet facing EC2 Instances"
 CHECK_SCORED_extra710="NOT_SCORED"
-CHECK_TYPE_extra710="EXTRA"
+CHECK_CIS_LEVEL_extra710="EXTRA"
 CHECK_SEVERITY_extra710="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra710="AwsEc2Instance"
 CHECK_ALTERNATE_check710="extra710"
@@ -25,18 +25,21 @@ CHECK_DOC_extra710='https://aws.amazon.com/blogs/aws/aws-web-application-firewal
 CHECK_CAF_EPIC_extra710='Infrastructure Security'

 extra710(){
-  # "Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)"
-  textInfo "Looking for instances in all regions...  "
+  # "Check for internet facing EC2 Instances "
  for regx in $REGIONS; do
-    LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text)
+    LIST_OF_PUBLIC_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_PUBLIC_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe instances" "$regx"
+        continue
+    fi
    if [[ $LIST_OF_PUBLIC_INSTANCES ]];then
      while read -r instance;do
        INSTANCE_ID=$(echo $instance | awk '{ print $1; }')
        PUBLIC_IP=$(echo $instance | awk '{ print $2; }')
-        textFail "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx"
+        textFail "$regx: Instance: $INSTANCE_ID at IP: $PUBLIC_IP is internet-facing!" "$regx" "$INSTANCE_ID"
      done <<< "$LIST_OF_PUBLIC_INSTANCES"
      else
-        textPass "$regx: no Internet Facing EC2 Instances found" "$regx"
+        textPass "$regx: no Internet Facing EC2 Instances found" "$regx" "$INSTANCE_ID"
    fi
  done
 }
--- a/checks/check_extra7100
+++ b/checks/check_extra7100
@@ -17,7 +17,7 @@
 CHECK_ID_extra7100="7.100"
 CHECK_TITLE_extra7100="[extra7100] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
 CHECK_SCORED_extra7100="NOT_SCORED"
-CHECK_TYPE_extra7100="EXTRA"
+CHECK_CIS_LEVEL_extra7100="EXTRA"
 CHECK_SEVERITY_extra7100="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
 CHECK_ALTERNATE_check7100="extra7100"
@@ -37,7 +37,6 @@ extra7100(){
  # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
  LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
  if [[ $LIST_CUSTOM_POLICIES ]]; then
-    textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)"
    for policy in $LIST_CUSTOM_POLICIES; do
      POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
      POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
@@ -69,15 +68,14 @@ extra7100(){

    done
    if [[ $PERMISSIVE_POLICIES_LIST ]]; then
-      textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
-      textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
+      textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs. Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy" "$REGION"
      for policy in $PERMISSIVE_POLICIES_LIST; do
-        textFail "Policy $policy allows permissive STS Role assumption"
+        textFail "$REGION: Policy $policy allows permissive STS Role assumption" "$REGION" "$policy"
      done
    else
-      textPass "No custom policies found that allow permissive STS Role assumption"
+      textPass "$REGION: No custom policies found that allow permissive STS Role assumption" "$REGION"
    fi
  else
-    textPass "No custom policies found"
+    textPass "$REGION: No custom policies found" "$REGION"
  fi
 }
--- a/checks/check_extra7101
+++ b/checks/check_extra7101
@@ -14,7 +14,7 @@
 CHECK_ID_extra7101="7.101"
 CHECK_TITLE_extra7101="[extra7101] Check if Amazon Elasticsearch Service (ES) domains have audit logging enabled"
 CHECK_SCORED_extra7101="NOT_SCORED"
-CHECK_TYPE_extra7101="EXTRA"
+CHECK_CIS_LEVEL_extra7101="EXTRA"
 CHECK_SEVERITY_extra7101="Low"
 CHECK_ASFF_RESOURCE_TYPE_extra7101="AwsElasticsearchDomain"
 CHECK_ALTERNATE_check7101="extra7101"
@@ -25,19 +25,27 @@ CHECK_DOC_extra7101='https://docs.aws.amazon.com/elasticsearch-service/latest/de
 CHECK_CAF_EPIC_extra7101='Logging and Monitoring'

 extra7101(){
-  for regx in $REGIONS; do
-    LIST_OF_DOMAINS=$($AWSCLI es list-domain-names $PROFILE_OPT --region $regx --query DomainNames --output text)
-    if [[ $LIST_OF_DOMAINS ]]; then
-      for domain in $LIST_OF_DOMAINS;do
-        AUDIT_LOGS_ENABLED=$($AWSCLI es describe-elasticsearch-domain-config --domain-name $domain $PROFILE_OPT --region $regx --query DomainConfig.LogPublishingOptions.Options.AUDIT_LOGS.Enabled --output text |grep -v ^None|grep -v ^False)
-        if [[ $AUDIT_LOGS_ENABLED ]];then
-          textPass "$regx: Amazon ES domain $domain AUDIT_LOGS enabled" "$regx"
+  for regx in ${REGIONS}; do
+    LIST_OF_DOMAINS=$("${AWSCLI}" es list-domain-names ${PROFILE_OPT} --region "${regx}" --query 'DomainNames[].DomainName' --output text 2>&1)
+    if [[ $(echo "${LIST_OF_DOMAINS}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "${regx}: Access Denied trying to list domain names" "${regx}"
+        continue
+    fi
+    if [[ "${LIST_OF_DOMAINS}" ]]; then
+      for domain in ${LIST_OF_DOMAINS}; do
+        AUDIT_LOGS_ENABLED=$("${AWSCLI}" es describe-elasticsearch-domain-config --domain-name "${domain}" ${PROFILE_OPT} --region "${regx}" --query 'DomainConfig.LogPublishingOptions.Options.AUDIT_LOGS.Enabled' --output text 2>&1)
+        if [[ $(echo "${AUDIT_LOGS_ENABLED}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "${regx}: Access Denied trying to get ES domain config for ${domain}" "${regx}"
+            continue
+        fi
+        if [[ $(tr '[:upper:]' '[:lower:]' <<< "${AUDIT_LOGS_ENABLED}") == "true" ]]; then
+          textPass "${regx}: Amazon ES domain ${domain} AUDIT_LOGS enabled" "${regx}" "${domain}"
        else
-          textFail "$regx: Amazon ES domain $domain AUDIT_LOGS disabled!" "$regx"
+          textFail "${regx}: Amazon ES domain ${domain} AUDIT_LOGS disabled!" "${regx}" "${domain}"
        fi
      done
    else
-      textInfo "$regx: No Amazon ES domain found" "$regx"
+      textInfo "${regx}: No Amazon ES domain found" "${regx}"
    fi
  done
 }
--- a/checks/check_extra7102
+++ b/checks/check_extra7102
@@ -13,7 +13,7 @@
 CHECK_ID_extra7102="7.102"
 CHECK_TITLE_extra7102="[extra7102] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY)"
 CHECK_SCORED_extra7102="NOT_SCORED"
-CHECK_TYPE_extra7102="EXTRA"
+CHECK_CIS_LEVEL_extra7102="EXTRA"
 CHECK_SEVERITY_extra7102="High"
 CHECK_ASFF_RESOURCE_TYPE_extra7102="AwsEc2Eip"
 CHECK_ALTERNATE_check7102="extra7102"
@@ -23,7 +23,7 @@ CHECK_REMEDIATION_extra7102='Check Identified IPs; consider changing them to pri
 CHECK_DOC_extra7102='https://www.shodan.io/'
 CHECK_CAF_EPIC_extra7102='Infrastructure Security'

-# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively 
+# Watch out, always use Shodan API key, if you use `curl https://www.shodan.io/host/{ip}` massively
 # your IP will be banned by Shodan

 # This is the right way to do so
@@ -33,10 +33,14 @@ CHECK_CAF_EPIC_extra7102='Infrastructure Security'

 extra7102(){
  if [[ ! $SHODAN_API_KEY ]]; then
-    textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>"
-  else 
+    textInfo "[extra7102] Requires a Shodan API key to work. Use -N <shodan_api_key>" "$REGION"
+  else
    for regx in $REGIONS; do
-      LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-network-interfaces --query 'NetworkInterfaces[*].Association.PublicIp' --output text)
+      LIST_OF_EIP=$($AWSCLI $PROFILE_OPT --region $regx ec2 describe-network-interfaces --query 'NetworkInterfaces[*].Association.PublicIp' --output text 2>&1)
+      if [[ $(echo "$LIST_OF_EIP" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+          textInfo "$regx: Access Denied trying to describe network interfaces" "$regx"
+          continue
+      fi
      if [[ $LIST_OF_EIP ]]; then
        for ip in $LIST_OF_EIP;do
          SHODAN_QUERY=$(curl -ks https://api.shodan.io/shodan/host/$ip?key=$SHODAN_API_KEY)
@@ -47,7 +51,7 @@ extra7102(){
          else
            echo $SHODAN_QUERY > $OUTPUT_DIR/shodan-output-$ip.json
            IP_SHODAN_INFO=$(cat $OUTPUT_DIR/shodan-output-$ip.json | jq -r '. | { ports: .ports, org: .org, country: .country_name }| @text' | tr -d \"\{\}\}\]\[ | tr , '\ ' )
-            textFail "$regx: IP $ip is listed in Shodan with data $IP_SHODAN_INFO. More info https://www.shodan.io/host/$ip and $OUTPUT_DIR/shodan-output-$ip.json" "$regx"
+            textFail "$regx: IP $ip is listed in Shodan with data $IP_SHODAN_INFO. More info https://www.shodan.io/host/$ip and $OUTPUT_DIR/shodan-output-$ip.json" "$regx" "$ip"
          fi
        done
      else
--- a/checks/check_extra7103
+++ b/checks/check_extra7103
@@ -14,7 +14,7 @@
 CHECK_ID_extra7103="7.103"
 CHECK_TITLE_extra7103="[extra7103] Check if Amazon SageMaker Notebook instances have root access disabled"
 CHECK_SCORED_extra7103="NOT_SCORED"
-CHECK_TYPE_extra7103="EXTRA"
+CHECK_CIS_LEVEL_extra7103="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7103="extra7103"
 CHECK_SEVERITY_extra7103="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7103='IAM'

 extra7103(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_INSTANCES ]];then 
            for nb_instance in $LIST_SM_NB_INSTANCES; do
                SM_NB_ROOTACCESS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'RootAccess' --output text)
                if [[ "${SM_NB_ROOTACCESS}" == "Enabled" ]]; then
-                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has root access enabled" "${regx}"
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has root access enabled" "${regx}" "$nb_instance"
                else
-                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has root access disabled" "${regx}"                    
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has root access disabled" "${regx}" "$nb_instance"                    
                fi 
            done
        else 
--- a/checks/check_extra7104
+++ b/checks/check_extra7104
@@ -14,7 +14,7 @@
 CHECK_ID_extra7104="7.104"
 CHECK_TITLE_extra7104="[extra7104] Check if Amazon SageMaker Notebook instances have VPC settings configured"
 CHECK_SCORED_extra7104="NOT_SCORED"
-CHECK_TYPE_extra7104="EXTRA"
+CHECK_CIS_LEVEL_extra7104="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7104="extra7104"
 CHECK_SEVERITY_extra7104="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7104='Infrastructure Security'

 extra7104(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_INSTANCES ]];then 
            for nb_instance in $LIST_SM_NB_INSTANCES; do
                SM_NB_SUBNETID=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'SubnetId' --output text)
                if [[ "${SM_NB_SUBNETID}" == "None" ]]; then
-                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has VPC settings disabled" "${regx}"
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has VPC settings disabled" "${regx}" "$nb_instance"
                else
-                    textPass "${regx}: Sagemaker Notebook instance $nb_instance is in a VPC" "${regx}"
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance is in a VPC" "${regx}" "$nb_instance"
                fi 
            done
        else 
--- a/checks/check_extra7105
+++ b/checks/check_extra7105
@@ -14,7 +14,7 @@
 CHECK_ID_extra7105="7.105"
 CHECK_TITLE_extra7105="[extra7105] Check if Amazon SageMaker Models have network isolation enabled"
 CHECK_SCORED_extra7105="NOT_SCORED"
-CHECK_TYPE_extra7105="EXTRA"
+CHECK_CIS_LEVEL_extra7105="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
 CHECK_ALTERNATE_check7105="extra7105"
 CHECK_SEVERITY_extra7105="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7105='Infrastructure Security'

 extra7105(){
 	for regx in ${REGIONS}; do
-		LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+		LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_MODELS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list models" "$regx"
+            continue
+        fi
 		if [[ $LIST_SM_NB_MODELS ]];then 
 			for nb_model_name in $LIST_SM_NB_MODELS; do
 				SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'EnableNetworkIsolation' --output text)
 				if [[ $SM_NB_NETWORKISOLATION == False ]]; then
-					textFail "${regx}: SageMaker Model $nb_model_name has network isolation disabled" "${regx}"
+					textFail "${regx}: SageMaker Model $nb_model_name has network isolation disabled" "${regx}" "$nb_model_name"
 				else
-					textPass "${regx}: SageMaker Model $nb_model_name has network isolation enabled" "${regx}"
+					textPass "${regx}: SageMaker Model $nb_model_name has network isolation enabled" "${regx}" "$nb_model_name"
 				fi 
 			done
 		else 
--- a/checks/check_extra7106
+++ b/checks/check_extra7106
@@ -14,7 +14,7 @@
 CHECK_ID_extra7106="7.106"
 CHECK_TITLE_extra7106="[extra7106] Check if Amazon SageMaker Models have VPC settings configured"
 CHECK_SCORED_extra7106="NOT_SCORED"
-CHECK_TYPE_extra7106="EXTRA"
+CHECK_CIS_LEVEL_extra7106="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
 CHECK_ALTERNATE_check7106="extra7106"
 CHECK_SEVERITY_extra7106="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7106='Infrastructure Security'

 extra7106(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text)
+        LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_MODELS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list models" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_MODELS ]];then 
            for nb_model_name in $LIST_SM_NB_MODELS; do
                SM_NB_VPCCONFIG=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'VpcConfig.Subnets' --output text)
                if [[ $SM_NB_VPCCONFIG == "None" ]]; then
-                    textFail "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings disabled" "${regx}"
+                    textFail "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings disabled" "${regx}" "$nb_model_name"
                else
-                    textPass "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings enabled" "${regx}"
+                    textPass "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings enabled" "${regx}" "$nb_model_name"
                fi 
            done
        else 
--- a/checks/check_extra7107
+++ b/checks/check_extra7107
@@ -14,7 +14,7 @@
 CHECK_ID_extra7107="7.107"
 CHECK_TITLE_extra7107="[extra7107] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled"
 CHECK_SCORED_extra7107="NOT_SCORED"
-CHECK_TYPE_extra7107="EXTRA"
+CHECK_CIS_LEVEL_extra7107="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7107="extra7107"
 CHECK_SEVERITY_extra7107="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7107='Data Protection'

 extra7107(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_JOBS ]];then 
            for nb_job_name in $LIST_SM_NB_JOBS; do
                SM_NB_INTERCONTAINERENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableInterContainerTrafficEncryption' --output text)
                if [[ $SM_NB_INTERCONTAINERENCRYPTION == "False" ]]; then
-                    textFail "${regx}: SageMaker Training job $nb_job_name has intercontainer encryption disabled" "${regx}"
+                    textFail "${regx}: SageMaker Training job $nb_job_name has intercontainer encryption disabled" "${regx}" "$nb_job_name"
                else
-                    textPass "${regx}: SageMaker Training jobs $nb_job_name has intercontainer encryption enabled" "${regx}"
+                    textPass "${regx}: SageMaker Training jobs $nb_job_name has intercontainer encryption enabled" "${regx}" "$nb_job_name"
                fi 
            done
        else 
--- a/checks/check_extra7108
+++ b/checks/check_extra7108
@@ -14,7 +14,7 @@
 CHECK_ID_extra7108="7.108"
 CHECK_TITLE_extra7108="[extra7108] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled"
 CHECK_SCORED_extra7108="NOT_SCORED"
-CHECK_TYPE_extra7108="EXTRA"
+CHECK_CIS_LEVEL_extra7108="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7108="extra7108"
 CHECK_SEVERITY_extra7108="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7108='Data Protection'

 extra7108(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_JOBS ]];then 
            for nb_job_name in $LIST_SM_NB_JOBS; do
                SM_JOB_KMSENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'ResourceConfig.VolumeKmsKeyId' --output text)
                if [[ "${SM_JOB_KMSENCRYPTION}" == "None" ]];then
-                    textFail "${regx}: Sagemaker Trainings job $nb_job_name has KMS encryption disabled" "${regx}"
+                    textFail "${regx}: Sagemaker Trainings job $nb_job_name has KMS encryption disabled" "${regx}" "$nb_job_name"
                else
-                    textPass "${regx}: Sagemaker Trainings job $nb_job_name has KSM encryption enabled" "${regx}"
+                    textPass "${regx}: Sagemaker Trainings job $nb_job_name has KSM encryption enabled" "${regx}" "$nb_job_name"
                fi 
            done
        else 
--- a/checks/check_extra7109
+++ b/checks/check_extra7109
@@ -14,7 +14,7 @@
 CHECK_ID_extra7109="7.109"
 CHECK_TITLE_extra7109="[extra7109] Check if Amazon SageMaker Training jobs have network isolation enabled"
 CHECK_SCORED_extra7109="NOT_SCORED"
-CHECK_TYPE_extra7109="EXTRA"
+CHECK_CIS_LEVEL_extra7109="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7109="extra7109"
 CHECK_SEVERITY_extra7109="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7109='Infrastructure Security'

 extra7109(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_JOBS ]];then 
            for nb_job_name in $LIST_SM_NB_JOBS; do
                SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableNetworkIsolation' --output text)
                if [[ $SM_NB_NETWORKISOLATION == False ]]; then
-                    textFail "${regx}: Sagemaker Training job $nb_job_name has network isolation disabled" "${regx}"
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has network isolation disabled" "${regx}" "$nb_job_name"
                else
-                    textPass "${regx}: Sagemaker Training job $nb_job_name has network isolation enabled" "${regx}"
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has network isolation enabled" "${regx}" "$nb_job_name"
                fi 
            done
        else 
--- a/checks/check_extra711
+++ b/checks/check_extra711
@@ -11,31 +11,34 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra711="7.11"
-CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra711="[extra711] Check for Publicly Accessible Redshift Clusters"
 CHECK_SCORED_extra711="NOT_SCORED"
-CHECK_TYPE_extra711="EXTRA"
+CHECK_CIS_LEVEL_extra711="EXTRA"
 CHECK_SEVERITY_extra711="High"
 CHECK_ASFF_RESOURCE_TYPE_extra711="AwsRedshiftCluster"
 CHECK_ALTERNATE_check711="extra711"
 CHECK_SERVICENAME_extra711="redshift"
-CHECK_RISK_extra711='Publicly accessible services could expose sensible data to bad actors.'
+CHECK_RISK_extra711='Publicly accessible services could expose sensitive data to bad actors.'
 CHECK_REMEDIATION_extra711='List all shared Redshift clusters and make sure there is a business reason for them.'
 CHECK_DOC_extra711='https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html'
 CHECK_CAF_EPIC_extra711='Data Protection'

 extra711(){
-  # "Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)"
-  textInfo "Looking for Redshift clusters in all regions...  "
+  # "Check for Publicly Accessible Redshift Clusters "
  for regx in $REGIONS; do
-    LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text)
+    LIST_OF_PUBLIC_REDSHIFT_CLUSTERS=$($AWSCLI redshift describe-clusters $PROFILE_OPT --region $regx --query 'Clusters[?PubliclyAccessible == `true`].[ClusterIdentifier,Endpoint.Address]' --output text 2>&1)
+    if [[ $(echo "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS" | grep -E 'AccessDenied|UnauthorizedOperation') ]]; then
+        textInfo "$regx: Access Denied trying to describe clusters" "$regx"
+        continue
+    fi
    if [[ $LIST_OF_PUBLIC_REDSHIFT_CLUSTERS ]];then
      while read -r cluster;do
        CLUSTER_ID=$(echo $cluster | awk '{ print $1; }')
        CLUSTER_ENDPOINT=$(echo $cluster | awk '{ print $2; }')
-        textFail "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx"
+        textFail "$regx: Cluster: $CLUSTER_ID at Endpoint: $CLUSTER_ENDPOINT is publicly accessible!" "$regx" "$CLUSTER_ID"
      done <<< "$LIST_OF_PUBLIC_REDSHIFT_CLUSTERS"
      else
-        textPass "$regx: no Publicly Accessible Redshift Clusters found" "$regx"
+        textPass "$regx: no Publicly Accessible Redshift Clusters found" "$regx" "$CLUSTER_ID"
    fi
  done
 }
--- a/checks/check_extra7110
+++ b/checks/check_extra7110
@@ -14,7 +14,7 @@
 CHECK_ID_extra7110="7.110"
 CHECK_TITLE_extra7110="[extra7110] Check if Amazon SageMaker Training job have VPC settings configured."
 CHECK_SCORED_extra7110="NOT_SCORED"
-CHECK_TYPE_extra7110="EXTRA"
+CHECK_CIS_LEVEL_extra7110="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7110="extra7110"
 CHECK_SEVERITY_extra7110="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7110='Infrastructure Security'
 
 extra7110(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text)
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_JOBS ]];then 
            for nb_job_name in $LIST_SM_NB_JOBS; do
                SM_NB_SUBNETS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'VpcConfig.Subnets' --output text)
                if [[ $SM_NB_SUBNETS == "None" ]]; then
-                    textFail "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output disabled" "${regx}"
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output disabled" "${regx}" "$nb_job_name"
                else
-                    textPass "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output enabled" "${regx}"
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output enabled" "${regx}" "$nb_job_name"
                fi 
            done
        else 
--- a/checks/check_extra7111
+++ b/checks/check_extra7111
@@ -14,7 +14,7 @@
 CHECK_ID_extra7111="7.111"
 CHECK_TITLE_extra7111="[extra7111] Check if Amazon SageMaker Notebook instances have direct internet access"
 CHECK_SCORED_extra7111="NOT_SCORED"
-CHECK_TYPE_extra7111="EXTRA"
+CHECK_CIS_LEVEL_extra7111="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7111="extra7111"
 CHECK_SEVERITY_extra7111="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7111='Infrastructure Security'

 extra7111(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_INSTANCES ]];then 
            for nb_instance in $LIST_SM_NB_INSTANCES; do
                SM_NB_DIRECTINET=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'DirectInternetAccess' --output text)
                if [[ "${SM_NB_DIRECTINET}" == "Enabled" ]]; then
-                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access enabled" "${regx}"
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access enabled" "${regx}" "$nb_instance"
                else
-                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access disabled" "${regx}"
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access disabled" "${regx}" "$nb_instance"
                fi 
            done
        else 
--- a/checks/check_extra7112
+++ b/checks/check_extra7112
@@ -14,7 +14,7 @@
 CHECK_ID_extra7112="7.112"
 CHECK_TITLE_extra7112="[extra7112] Check if Amazon SageMaker Notebook instances have data encryption enabled"
 CHECK_SCORED_extra7112="NOT_SCORED"
-CHECK_TYPE_extra7112="EXTRA"
+CHECK_CIS_LEVEL_extra7112="EXTRA"
 CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
 CHECK_ALTERNATE_check7112="extra7112"
 CHECK_SEVERITY_extra7112="Medium"
@@ -26,14 +26,18 @@ CHECK_CAF_EPIC_extra7112='Data Protection'

 extra7112(){
    for regx in ${REGIONS}; do
-        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text)
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
        if [[ $LIST_SM_NB_INSTANCES ]];then 
            for nb_instance in $LIST_SM_NB_INSTANCES; do
                SM_NB_KMSKEY=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'KmsKeyId' --output text)
                if [[ "${SM_NB_KMSKEY}" == "None" ]]; then
-                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has data encryption disabled" "${regx}"
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has data encryption disabled" "${regx}" "$nb_instance"
                else
-                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has data encryption enabled" "${regx}"
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has data encryption enabled" "${regx}" "$nb_instance"
                fi 
            done
        else 
--- a/checks/check_extra7113
+++ b/checks/check_extra7113
@@ -23,9 +23,9 @@
 #	[--apply-immediately | --no-apply-immediately]

 CHECK_ID_extra7113="7.113"
-CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra7113="[extra7113] Check if RDS instances have deletion protection enabled "
 CHECK_SCORED_extra7113="NOT_SCORED"
-CHECK_TYPE_extra7113="EXTRA"
+CHECK_CIS_LEVEL_extra7113="EXTRA"
 CHECK_SEVERITY_extra7113="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7113="AwsRdsDbInstance"
 CHECK_ALTERNATE_check7113="extra7113"
@@ -36,20 +36,23 @@ CHECK_DOC_extra7113='https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER
 CHECK_CAF_EPIC_extra7113='Data Protection'

 extra7113(){
-  textInfo "Looking for RDS Volumes in all regions...  "
  for regx in $REGIONS; do
-    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query 'DBInstances[*].DBInstanceIdentifier' --output text)
+    LIST_OF_RDS_INSTANCES=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --query "DBInstances[?Engine != 'docdb'].DBInstanceIdentifier" --output text 2>&1)
+    if [[ $(echo "$LIST_OF_RDS_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to describe DB instances" "$regx"
+        continue
+    fi
    if [[ $LIST_OF_RDS_INSTANCES ]];then
      for rdsinstance in $LIST_OF_RDS_INSTANCES; do
        IS_DELETIONPROTECTION=$($AWSCLI rds describe-db-instances $PROFILE_OPT --region $regx --db-instance-identifier $rdsinstance --query 'DBInstances[*].DeletionProtection' --output text)
        if [[ $IS_DELETIONPROTECTION == "False" ]]; then
-          textFail "$regx: RDS instance $rdsinstance deletion protection is not enabled!" "$regx"
+          textFail "$regx: RDS instance $rdsinstance deletion protection is not enabled!" "$regx" "$rdsinstance"
        else
-          textPass "$regx: RDS instance $rdsinstance deletion protection is enabled" "$regx"
+          textPass "$regx: RDS instance $rdsinstance deletion protection is enabled" "$regx" "$rdsinstance"
        fi
      done
    else
-      textInfo "$regx: No RDS instances found" "$regx"
+      textInfo "$regx: No RDS instances found" "$regx" 
    fi
  done
 }
--- a/checks/check_extra7114
+++ b/checks/check_extra7114
@@ -14,7 +14,7 @@
 CHECK_ID_extra7114="7.114"
 CHECK_TITLE_extra7114="[extra7114] Check if Glue development endpoints have S3 encryption enabled."
 CHECK_SCORED_extra7114="NOT_SCORED"
-CHECK_TYPE_extra7114="EXTRA"
+CHECK_CIS_LEVEL_extra7114="EXTRA"
 CHECK_SEVERITY_extra7114="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7114="AwsGlue"
 CHECK_ALTERNATE_check7114="extra7114"
@@ -26,7 +26,11 @@ CHECK_CAF_EPIC_extra7114='Data Protection'

 extra7114(){
  for regx in $REGIONS; do
-    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json 2>&1)
+    if [[ $(echo "$LIST_EP_SC" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get dev endpoints" "$regx"
+        continue
+    fi
    if [[ $LIST_EP_SC != '[]' ]]; then
      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
@@ -34,12 +38,12 @@ extra7114(){
        if [[ ! -z "$ENDPOINT_SC" ]]; then
          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode' --output text)
          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
-            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx"
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have S3 encryption enabled!" "$regx" "$ENDPOINT_NAME"
          else
-            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx"
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has S3 encryption enabled" "$regx" "$ENDPOINT_NAME"
          fi
        else
-          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx" "$ENDPOINT_NAME"
        fi
      done
    else
--- a/checks/check_extra7115
+++ b/checks/check_extra7115
@@ -13,7 +13,7 @@
 CHECK_ID_extra7115="7.115"
 CHECK_TITLE_extra7115="[extra7115] Check if Glue database connection has SSL connection enabled."
 CHECK_SCORED_extra7115="NOT_SCORED"
-CHECK_TYPE_extra7115="EXTRA"
+CHECK_CIS_LEVEL_extra7115="EXTRA"
 CHECK_SEVERITY_extra7115="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7115="AwsGlue"
 CHECK_ALTERNATE_check7115="extra7115"
@@ -25,15 +25,19 @@ CHECK_CAF_EPIC_extra7115='Data Protection'

 extra7115(){
  for regx in $REGIONS; do
-    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}')
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output json --query 'ConnectionList[*].{Name:Name,SSL:ConnectionProperties.JDBC_ENFORCE_SSL}' 2>&1)
+    if [[ $(echo "$CONNECTION_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get connections" "$regx"
+        continue
+    fi
    if [[ $CONNECTION_LIST != '[]' ]]; then
      for connection in $(echo "${CONNECTION_LIST}" | jq -r '.[] | @base64'); do
          CONNECTION_NAME=$(echo $connection | base64 --decode   | jq -r '.Name' )
          CONNECTION_SSL_STATE=$(echo $connection | base64 --decode  | jq -r '.SSL')
          if [[ "$CONNECTION_SSL_STATE" == "false" ]]; then
-              textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled"  "$regx"
+              textFail "$regx: Glue connection $CONNECTION_NAME has SSL connection disabled"  "$regx" "$CONNECTION_NAME"
          else 
-              textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled"  "$regx"
+              textPass "$regx: Glue connection $CONNECTION_NAME has SSL connection enabled"  "$regx" "$CONNECTION_NAME"
          fi
      done
    else 
--- a/checks/check_extra7116
+++ b/checks/check_extra7116
@@ -13,19 +13,23 @@
 CHECK_ID_extra7116="7.116"
 CHECK_TITLE_extra7116="[extra7116] Check if Glue data catalog settings have metadata encryption enabled."
 CHECK_SCORED_extra7116="NOT_SCORED"
-CHECK_TYPE_extra7116="EXTRA"
+CHECK_CIS_LEVEL_extra7116="EXTRA"
 CHECK_SEVERITY_extra7116="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7116="AwsGlue"
 CHECK_ALTERNATE_check7116="extra7116"
 CHECK_SERVICENAME_extra7116="glue"
-CHECK_RISK_extra7116='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7116='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7116='Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.'
 CHECK_DOC_extra7116='https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html'
 CHECK_CAF_EPIC_extra7116='Data Protection'

 extra7116(){
  for regx in $REGIONS; do
-    TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx  --output text --query 'TableList[*]' )
+    TABLE_LIST=$($AWSCLI glue search-tables --max-results 1 $PROFILE_OPT --region $regx  --output text --query 'TableList[*]' 2>&1)
+    if [[ $(echo "$TABLE_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to search tables" "$regx"
+        continue
+    fi
    if [[ ! -z $TABLE_LIST ]]; then
      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode")
      if [[ "$METADATA_ENCRYPTED" == "DISABLED" ]]; then
--- a/checks/check_extra7117
+++ b/checks/check_extra7117
@@ -13,19 +13,23 @@
 CHECK_ID_extra7117="7.117"
 CHECK_TITLE_extra7117="[extra7117] Check if Glue data catalog settings have encrypt connection password enabled."
 CHECK_SCORED_extra7117="NOT_SCORED"
-CHECK_TYPE_extra7117="EXTRA"
+CHECK_CIS_LEVEL_extra7117="EXTRA"
 CHECK_SEVERITY_extra7117="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7117="AwsGlue"
 CHECK_ALTERNATE_check7117="extra7117"
 CHECK_SERVICENAME_extra7117="glue"
-CHECK_RISK_extra7117='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7117='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7117='On the AWS Glue console; you can enable this option on the Data catalog settings page.'
 CHECK_DOC_extra7117='https://docs.aws.amazon.com/glue/latest/dg/encrypt-connection-passwords.html'
 CHECK_CAF_EPIC_extra7117='Data Protection'

 extra7117(){
  for regx in $REGIONS; do
-    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output text --query 'ConnectionList[*]')
+    CONNECTION_LIST=$($AWSCLI glue get-connections $PROFILE_OPT --region $regx  --output text --query 'ConnectionList[*]' 2>&1)
+    if [[ $(echo "$CONNECTION_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get connections" "$regx"
+        continue
+    fi
    if [[ ! -z $CONNECTION_LIST ]]; then
      METADATA_ENCRYPTED=$($AWSCLI glue get-data-catalog-encryption-settings $PROFILE_OPT --region $regx --output text --query "DataCatalogEncryptionSettings.ConnectionPasswordEncryption.ReturnConnectionPasswordEncrypted")
      if [[ "$METADATA_ENCRYPTED" == "False" ]]; then
--- a/checks/check_extra7118
+++ b/checks/check_extra7118
@@ -13,19 +13,23 @@
 CHECK_ID_extra7118="7.118"
 CHECK_TITLE_extra7118="[extra7118] Check if Glue ETL Jobs have S3 encryption enabled."
 CHECK_SCORED_extra7118="NOT_SCORED"
-CHECK_TYPE_extra7118="EXTRA"
+CHECK_CIS_LEVEL_extra7118="EXTRA"
 CHECK_SEVERITY_extra7118="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7118="AwsGlue"
 CHECK_ALTERNATE_check7118="extra7118"
 CHECK_SERVICENAME_extra7118="glue"
-CHECK_RISK_extra7118='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7118='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7118='Provide the encryption properties that are used by crawlers; jobs; and development endpoints.'
 CHECK_DOC_extra7118='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7118='Data Protection'

 extra7118(){
  for regx in $REGIONS; do
-    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}')
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration,JobEncryption:DefaultArguments."--encryption-type"}' 2>&1)
+    if [[ $(echo "$JOB_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get jobs" "$regx"
+        continue
+    fi
    if [[ $JOB_LIST != '[]' ]]; then
      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
@@ -35,17 +39,17 @@ extra7118(){
            S3_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.S3Encryption[0].S3EncryptionMode')
            if [[ "$S3_ENCRYPTION" == "DISABLED" ]]; then
              if [[ ! -z "$JOB_ENCRYPTION" ]]; then
-                textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+                textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx" "$JOB_NAME"
              else 
-                textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+                textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx" "$JOB_NAME"
              fi 
            else
-              textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx"
+              textPass "$regx: Glue job $JOB_NAME does have $S3_ENCRYPTION for S3 encryption enabled" "$regx" "$JOB_NAME"
            fi
          elif [[ ! -z "$JOB_ENCRYPTION" ]]; then
-            textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx"
+            textPass "$regx: Glue job $JOB_NAME does have $JOB_ENCRYPTION for S3 encryption enabled" "$regx" "$JOB_NAME"
          else 
-            textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx"
+            textFail "$regx: Glue job $JOB_NAME does not have S3 encryption enabled" "$regx" "$JOB_NAME"
          fi
      done
    else 
--- a/checks/check_extra7119
+++ b/checks/check_extra7119
@@ -14,19 +14,23 @@
 CHECK_ID_extra7119="7.119"
 CHECK_TITLE_extra7119="[extra7119] Check if Glue development endpoints have CloudWatch logs encryption enabled."
 CHECK_SCORED_extra7119="NOT_SCORED"
-CHECK_TYPE_extra7119="EXTRA"
+CHECK_CIS_LEVEL_extra7119="EXTRA"
 CHECK_SEVERITY_extra7119="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7119="AwsGlue"
 CHECK_ALTERNATE_check7119="extra7119"
 CHECK_SERVICENAME_extra7119="glue"
-CHECK_RISK_extra7119='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7119='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7119='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7119='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7119='Logging and Monitoring'

 extra7119(){
  for regx in $REGIONS; do
-    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json 2>&1)
+    if [[ $(echo "$LIST_EP_SC" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get dev endpoints" "$regx"
+        continue
+    fi
    if [[ $LIST_EP_SC != '[]' ]]; then
      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
@@ -34,12 +38,12 @@ extra7119(){
        if [[ ! -z "$ENDPOINT_SC" ]]; then
          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode' --output text)
          if [[ $ENDPOINT_SC_ENCRYPTION == "DISABLED" ]]; then
-            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx"
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have CloudWatch logs encryption enabled!" "$regx" "$ENDPOINT_NAME"
          else
-            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx"
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has CloudWatch logs encryption enabled" "$regx" "$ENDPOINT_NAME"
          fi
        else
-          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx" "$ENDPOINT_NAME"
        fi
      done
    else
--- a/checks/check_extra712
+++ b/checks/check_extra712
@@ -11,9 +11,9 @@
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra712="7.12"
-CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_TITLE_extra712="[extra712] Check if Amazon Macie is enabled"
 CHECK_SCORED_extra712="NOT_SCORED"
-CHECK_TYPE_extra712="EXTRA"
+CHECK_CIS_LEVEL_extra712="EXTRA"
 CHECK_SEVERITY_extra712="Low"
 CHECK_ALTERNATE_check712="extra712"
 CHECK_ASFF_RESOURCE_TYPE_extra712="AwsMacieSession"
@@ -24,12 +24,12 @@ CHECK_DOC_extra712='https://docs.aws.amazon.com/macie/latest/user/getting-starte
 CHECK_CAF_EPIC_extra712='Data Protection'

 extra712(){ 
-#    textInfo "No API commands available to check if Macie is enabled," 
-#    textInfo "just looking if IAM Macie related permissions exist.  " 
+#     "No API commands available to check if Macie is enabled," 
+#     "just looking if IAM Macie related permissions exist.  " 
   MACIE_IAM_ROLES_CREATED=$($AWSCLI iam list-roles $PROFILE_OPT --query 'Roles[*].Arn'|grep AWSMacieServiceCustomer|wc -l) 
   if [[ $MACIE_IAM_ROLES_CREATED -eq 2 ]];then 
-     textPass "Macie related IAM roles exist so it might be enabled. Check it out manually" 
+     textPass "$REGION: Macie related IAM roles exist so it might be enabled. Check it out manually" "$REGION"
 else
-     textFail "No Macie related IAM roles found. It is most likely not to be enabled" 
+     textFail "$REGION: No Macie related IAM roles found. It is most likely not to be enabled" "$REGION"
 fi
 }
--- a/checks/check_extra7120
+++ b/checks/check_extra7120
@@ -13,19 +13,23 @@
 CHECK_ID_extra7120="7.120"
 CHECK_TITLE_extra7120="[extra7120] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled."
 CHECK_SCORED_extra7120="NOT_SCORED"
-CHECK_TYPE_extra7120="EXTRA"
+CHECK_CIS_LEVEL_extra7120="EXTRA"
 CHECK_SEVERITY_extra7120="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7120="AwsGlue"
 CHECK_ALTERNATE_check7120="extra7120"
 CHECK_SERVICENAME_extra7120="glue"
-CHECK_RISK_extra7120='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7120='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7120='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7120='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7120='Logging and Monitoring'

 extra7120(){
  for regx in $REGIONS; do
-    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}' 2>&1)
+    if [[ $(echo "$JOB_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get jobs" "$regx"
+        continue
+    fi
    if [[ $JOB_LIST != '[]' ]]; then
      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
@@ -33,12 +37,12 @@ extra7120(){
          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
            CLOUDWATCH_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode')
            if [[ "$CLOUDWATCH_ENCRYPTION" == "DISABLED" ]]; then
-              textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+              textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx" "$JOB_NAME"
            else
-              textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx"
+              textPass "$regx: Glue job $JOB_NAME does have $CLOUDWATCH_ENCRYPTION CloudWatch Logs encryption enabled" "$regx" "$JOB_NAME"
            fi
          else
-            textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx"
+            textFail "$regx: Glue job $JOB_NAME does not have CloudWatch Logs encryption enabled" "$regx" "$JOB_NAME"
          fi
      done
    else 
--- a/checks/check_extra7121
+++ b/checks/check_extra7121
@@ -14,19 +14,23 @@
 CHECK_ID_extra7121="7.121"
 CHECK_TITLE_extra7121="[extra7121] Check if Glue development endpoints have Job bookmark encryption enabled."
 CHECK_SCORED_extra7121="NOT_SCORED"
-CHECK_TYPE_extra7121="EXTRA"
+CHECK_CIS_LEVEL_extra7121="EXTRA"
 CHECK_SEVERITY_extra7121="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7121="AwsGlue"
 CHECK_ALTERNATE_check7121="extra7121"
 CHECK_SERVICENAME_extra7121="glue"
-CHECK_RISK_extra7121='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7121='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7121='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7121='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7121='Data Protection'

 extra7121(){
  for regx in $REGIONS; do
-    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json)
+    LIST_EP_SC=$($AWSCLI glue get-dev-endpoints $PROFILE_OPT --region $regx --query 'DevEndpoints[*].{Name:EndpointName,Security:SecurityConfiguration}' --output json 2>&1)
+    if [[ $(echo "$LIST_EP_SC" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get dev endpoints" "$regx"
+        continue
+    fi
    if [[ $LIST_EP_SC != '[]' ]]; then
      for ep in $(echo "${LIST_EP_SC}"| jq -r '.[] | @base64');do
        ENDPOINT_NAME=$(echo $ep | base64 --decode | jq -r '.Name')
@@ -34,12 +38,12 @@ extra7121(){
        if [[ ! -z "$ENDPOINT_SC" ]]; then
          ENDPOINT_SC_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${ENDPOINT_SC}" $PROFILE_OPT --region $regx --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode' --output text)
          if [[ "$ENDPOINT_SC_ENCRYPTION" == "DISABLED" ]]; then
-            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx"
+            textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have Job Bookmark encryption enabled!" "$regx" "$ENDPOINT_NAME"
          else
-            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx"
+            textPass "$regx: Glue development endpoint $ENDPOINT_NAME has Job Bookmark encryption enabled" "$regx" "$ENDPOINT_NAME"
          fi
        else
-          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx"
+          textFail "$regx: Glue development endpoint $ENDPOINT_NAME does not have security configuration" "$regx" "$ENDPOINT_NAME"
        fi
      done
    else
--- a/checks/check_extra7122
+++ b/checks/check_extra7122
@@ -13,19 +13,23 @@
 CHECK_ID_extra7122="7.122"
 CHECK_TITLE_extra7122="[extra7122] Check if Glue ETL Jobs have Job bookmark encryption enabled."
 CHECK_SCORED_extra7122="NOT_SCORED"
-CHECK_TYPE_extra7122="EXTRA"
+CHECK_CIS_LEVEL_extra7122="EXTRA"
 CHECK_SEVERITY_extra7122="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7122="AwsGlue"
 CHECK_ALTERNATE_check7122="extra7122"
 CHECK_SERVICENAME_extra7122="glue"
-CHECK_RISK_extra7122='If not enabled sensible information at rest is not protected.'
+CHECK_RISK_extra7122='If not enabled sensitive information at rest is not protected.'
 CHECK_REMEDIATION_extra7122='Enable Encryption in the Security configurations.'
 CHECK_DOC_extra7122='https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html'
 CHECK_CAF_EPIC_extra7122='Data Protection'

 extra7122(){
  for regx in $REGIONS; do
-    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}')
+    JOB_LIST=$($AWSCLI glue get-jobs $PROFILE_OPT --region $regx --output json --query 'Jobs[*].{Name:Name,SecurityConfiguration:SecurityConfiguration}' 2>&1)
+    if [[ $(echo "$JOB_LIST" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to get jobs" "$regx"
+        continue
+    fi
    if [[ $JOB_LIST != '[]' ]]; then
      for job in $(echo "${JOB_LIST}" | jq -r '.[] | @base64'); do
          JOB_NAME=$(echo $job | base64 --decode | jq -r '.Name')
@@ -33,12 +37,12 @@ extra7122(){
          if [[ ! -z "$SECURITY_CONFIGURATION" ]]; then
            JOB_BOOKMARK_ENCRYPTION=$($AWSCLI glue get-security-configuration --name "${SECURITY_CONFIGURATION}" $PROFILE_OPT --region $regx --output text --query 'SecurityConfiguration.EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode')
            if [[ "$JOB_BOOKMARK_ENCRYPTION" == "DISABLED" ]]; then
-              textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+              textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" "$JOB_NAME"
            else
-              textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx"
+              textPass "$regx: Glue job $JOB_NAME does have $JOB_BOOKMARK_ENCRYPTION for Job bookmark encryption enabled" "$regx" "$JOB_NAME"
            fi
          else
-            textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx"
+            textFail "$regx: Glue job $JOB_NAME does not have Job bookmark encryption enabled" "$regx" "$JOB_NAME"
          fi
      done
    else 
--- a/checks/check_extra7123
+++ b/checks/check_extra7123
@@ -13,7 +13,7 @@
 CHECK_ID_extra7123="7.123"
 CHECK_TITLE_extra7123="[extra7123] Check if IAM users have two active access keys"
 CHECK_SCORED_extra7123="NOT_SCORED"
-CHECK_TYPE_extra7123="EXTRA"
+CHECK_CIS_LEVEL_extra7123="EXTRA"
 CHECK_SEVERITY_extra7123="Medium"
 CHECK_ASFF_TYPE_extra7123="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
 CHECK_ASFF_RESOURCE_TYPE_extra7123="AwsIamUser"
@@ -30,9 +30,9 @@ extra7123(){
  if [[ $LIST_OF_USERS_WITH_2ACCESS_KEYS ]]; then
    # textFail "Users with access key 1 older than 90 days:"
    for user in $LIST_OF_USERS_WITH_2ACCESS_KEYS; do
-      textFail "User $user has 2 active access keys" 
+      textFail "User $user has 2 active access keys" "$REGION" "$user"
    done
  else
-    textPass "No users with 2 active access keys"
+    textPass "No users with 2 active access keys" "$REGION"
  fi
-}
+}
--- a/checks/check_extra7124
+++ b/checks/check_extra7124
@@ -13,7 +13,7 @@
 CHECK_ID_extra7124="7.124"
 CHECK_TITLE_extra7124="[extra7124] Check if EC2 instances are managed by Systems Manager."
 CHECK_SCORED_extra7124="NOT_SCORED"
-CHECK_TYPE_extra7124="EXTRA"
+CHECK_CIS_LEVEL_extra7124="EXTRA"
 CHECK_SEVERITY_extra7124="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7124="AwsEc2Instance"
 CHECK_ALTERNATE_check7124="extra7124"
@@ -27,18 +27,22 @@ CHECK_CAF_EPIC_extra7124='Infrastructure Security'
 extra7124(){
  for regx in $REGIONS; do
    # Filters running instances only 
-    LIST_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --query 'Reservations[*].Instances[*].[InstanceId]' --filters Name=instance-state-name,Values=running --region $regx --output text)
+    LIST_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --query 'Reservations[*].Instances[*].[InstanceId]' --filters Name=instance-state-name,Values=running --region $regx --output text 2>&1)
+    if [[ $(echo "$LIST_EC2_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "$regx: Access Denied trying to describe instances" "$regx"
+        continue
+    fi
    if [[ $LIST_EC2_INSTANCES ]]; then
      LIST_SSM_MANAGED_INSTANCES=$($AWSCLI ssm describe-instance-information $PROFILE_OPT --query "InstanceInformationList[].InstanceId"  --region $regx | jq -r '.[]')
      LIST_EC2_UNMANAGED=$(echo ${LIST_SSM_MANAGED_INSTANCES[@]} ${LIST_EC2_INSTANCES[@]} | tr ' ' '\n' | sort | uniq -u)
      if [[ $LIST_EC2_UNMANAGED ]]; then
        for instance in $LIST_EC2_UNMANAGED; do
-          textFail "$regx: EC2 instance $instance is not managed by Systems Manager" "$regx"
+          textFail "$regx: EC2 instance $instance is not managed by Systems Manager" "$regx" "$instance"
        done
      fi 
      if [[ $LIST_SSM_MANAGED_INSTANCES ]]; then
        for instance in $LIST_SSM_MANAGED_INSTANCES; do 
-          textPass "$regx: EC2 instance $instance is managed by Systems Manager" "$regx"
+          textPass "$regx: EC2 instance $instance is managed by Systems Manager" "$regx" "$instance"
        done 
      fi 
    else 
--- a/checks/check_extra7125
+++ b/checks/check_extra7125
@@ -13,7 +13,7 @@
 CHECK_ID_extra7125="7.125"
 CHECK_TITLE_extra7125="[extra7125] Check if IAM users have Hardware MFA enabled."
 CHECK_SCORED_extra7125="NOT_SCORED"
-CHECK_TYPE_extra7125="EXTRA"
+CHECK_CIS_LEVEL_extra7125="EXTRA"
 CHECK_SEVERITY_extra7125="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7125="AwsIamUser"
 CHECK_ALTERNATE_check7125="extra7125"
@@ -31,15 +31,15 @@ extra7125(){
    for user in $LIST_USERS; do
      # Would be virtual if sms-mfa or mfa, hardware is u2f or different.
      MFA_TYPE=$($AWSCLI iam list-mfa-devices --user-name $user $PROFILE_OPT --region $REGION --query MFADevices[].SerialNumber --output text | awk -F':' '{ print $6 }'| awk -F'/' '{ print $1 }')
-      if [[ $MFA_TYPE == "mfa" || $MFA_TYPE == "sms-mfa" ]]; then 
-        textInfo "User $user has virtual MFA enabled" 
-      elif [[ $MFA_TYPE == "" ]]; then 
-        textFail "User $user has not hardware MFA enabled"
-      else 
-        textPass "User $user has hardware MFA enabled"
+      if [[ $MFA_TYPE == "mfa" || $MFA_TYPE == "sms-mfa" ]]; then
+        textInfo "User $user has virtual MFA enabled" "$REGION" "$user"
+      elif [[ $MFA_TYPE == "" ]]; then
+        textFail "User $user has not hardware MFA enabled" "$REGION" "$user"
+      else
+        textPass "User $user has hardware MFA enabled" "$REGION" "$user"
      fi
    done
  else
-    textPass "No users found"
+    textPass "No users found" "$REGION"
  fi
-}
+}
--- a/checks/check_extra7126
+++ b/checks/check_extra7126
@@ -13,7 +13,7 @@
 CHECK_ID_extra7126="7.126"
 CHECK_TITLE_extra7126="[extra7126] Check if there are CMK KMS keys not used"
 CHECK_SCORED_extra7126="NOT_SCORED"
-CHECK_TYPE_extra7126="EXTRA"
+CHECK_CIS_LEVEL_extra7126="EXTRA"
 CHECK_SEVERITY_extra7126="Medium"
 CHECK_ASFF_RESOURCE_TYPE_extra7126="AwsKmsKey"
 CHECK_ALTERNATE_check7126="extra7126"
@@ -26,16 +26,16 @@ CHECK_CAF_EPIC_extra7126='Data Protection'

 extra7126(){
  for regx in $REGIONS; do
-    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --output text |grep -v :alias/aws/ |awk '{ print $4 }')
+    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --query "Aliases[].[AliasName,TargetKeyId]" --output text |grep -v ^alias/aws/ |awk '{ print $2 }')
    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
        CHECK_STATUS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output json | jq -r '.KeyMetadata.KeyState')
        if [[ $CHECK_STATUS == "PendingDeletion" ]]; then
          textInfo "$regx: KMS key $key is pending deletion" "$regx"
        elif [[ $CHECK_STATUS == "Disabled"  ]]; then
-          textInfo "$regx: KMS key $key is disabled" "$regx"
+          textInfo "$regx: KMS key $key is disabled" "$regx" "$key"
        else
-          textPass "$regx: KMS key $key is not disabled or pending deletion" "$regx"
+          textPass "$regx: KMS key $key is not disabled or pending deletion" "$regx" "$key"
        fi
      done
    else
--- a/Show More
+++ b/Show More