chore(release): 3.13.0

Co-authored-by: pedrooot <pedromarting3@gmail.com>

.github/dependabot.yml

@@ -13,3 +13,8 @@ updates:
     labels:
       - "dependencies"
       - "pip"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    target-branch: master

.github/workflows/build-lint-push-containers.yml

@@ -32,11 +32,11 @@ jobs:
       POETRY_VIRTUALENVS_CREATE: "false"
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup python (release)
         if: github.event_name == 'release'
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -52,13 +52,13 @@ jobs:
           poetry version ${{ github.event.release.tag_name }}
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -67,11 +67,11 @@ jobs:
           AWS_REGION: ${{ env.AWS_REGION }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push container image (latest)
         if: github.event_name == 'push'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: |
@@ -83,7 +83,7 @@ jobs:
 
       - name: Build and push container image (release)
         if: github.event_name == 'release'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           # Use local context to get changes
           # https://github.com/docker/build-push-action#path-context

.github/workflows/codeql.yml

@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,6 +52,6 @@ jobs:
         # queries: security-extended,security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/find-secrets.yml

@@ -7,11 +7,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.4.4
+        uses: trufflesecurity/trufflehog@v3.67.2
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}

.github/workflows/pull-request.yml

@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11"]
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Test if changes are in not ignored paths
         id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@v41
+        uses: tj-actions/changed-files@v42
         with:
           files: ./**
           files_ignore: |
@@ -36,7 +36,7 @@ jobs:
           pipx install poetry
       - name: Set up Python ${{ matrix.python-version }}
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -88,6 +88,6 @@ jobs:
           poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
       - name: Upload coverage reports to Codecov
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/pypi-release.yml

@@ -16,7 +16,7 @@ jobs:
     name: Release Prowler to PyPI
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ env.GITHUB_BRANCH }}
       - name: Install dependencies
@@ -24,7 +24,7 @@ jobs:
           pipx install poetry
           pipx inject poetry poetry-bumpversion
       - name: setup python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9
           cache: 'poetry'
@@ -44,7 +44,7 @@ jobs:
           poetry publish
       # Create pull request with new version
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
           commit-message: "chore(release): update Prowler Version to ${{ env.RELEASE_TAG }}."

.github/workflows/refresh_aws_services_regions.yml

@@ -23,12 +23,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ env.GITHUB_BRANCH }}
 
       - name: setup python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9 #install the python needed
 
@@ -38,7 +38,7 @@ jobs:
           pip install boto3
 
       - name: Configure AWS Credentials -- DEV
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: ${{ env.AWS_REGION_DEV }}
           role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -50,12 +50,12 @@ jobs:
 
       # Create pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
           commit-message: "feat(regions_update): Update regions for AWS services."
           branch: "aws-services-regions-updated-${{ github.sha }}"
-          labels: "status/waiting-for-revision, severity/low"
+          labels: "status/waiting-for-revision, severity/low, provider/aws"
           title: "chore(regions_update): Changes in regions for AWS services."
           body: |
             ### Description

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   ## GENERAL
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-merge-conflict
       - id: check-yaml
@@ -15,7 +15,7 @@ repos:
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.10.0
+    rev: v2.12.0
     hooks:
       - id: pretty-format-toml
         args: [--autofix]
@@ -28,7 +28,7 @@ repos:
       - id: shellcheck
   ## PYTHON
   - repo: https://github.com/myint/autoflake
-    rev: v2.2.0
+    rev: v2.2.1
     hooks:
       - id: autoflake
         args:
@@ -39,25 +39,25 @@ repos:
           ]
 
   - repo: https://github.com/timothycrosley/isort
-    rev: 5.12.0
+    rev: 5.13.2
     hooks:
       - id: isort
         args: ["--profile", "black"]
 
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 24.1.1
     hooks:
       - id: black
 
   - repo: https://github.com/pycqa/flake8
-    rev: 6.1.0
+    rev: 7.0.0
     hooks:
       - id: flake8
         exclude: contrib
         args: ["--ignore=E266,W503,E203,E501,W605"]
 
   - repo: https://github.com/python-poetry/poetry
-    rev: 1.6.0 # add version here
+    rev: 1.7.0
     hooks:
       - id: poetry-check
       - id: poetry-lock
@@ -80,18 +80,12 @@ repos:
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        # entry: bash -c 'trufflehog git file://. --only-verified --fail'
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
         # For running trufflehog in docker, use the following entry instead:
-        entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
         language: system
         stages: ["commit", "push"]
 
-      - id: pytest-check
-        name: pytest-check
-        entry: bash -c 'pytest tests -n auto'
-        language: system
-        files: '.*\.py'
-
       - id: bandit
         name: bandit
         description: "Bandit is a tool for finding common security issues in Python code"

CODE_OF_CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at community@prowler.cloud. All
+reported by contacting the project team at [support.prowler.com](https://customer.support.prowler.com/servicedesk/customer/portals). All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

README.md

@@ -1,24 +1,25 @@
 <p align="center">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-dark.png?raw=True#gh-dark-mode-only" width="150" height="36">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-light.png?raw=True#gh-light-mode-only" width="15%" height="15%">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png?raw=True#gh-light-mode-only" width="350" height="115">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png?raw=True#gh-dark-mode-only" width="350" height="115">
 </p>
 <p align="center">
-  <b><i>See all the things you and your team can do with ProwlerPro at <a href="https://prowler.pro">prowler.pro</a></i></b>
+  <b><i>Prowler SaaS </b> and <b>Prowler Open Source</b> are as dynamic and adaptable as the environment they’re meant to protect. Trusted by the leaders in security.
 </p>
+<p align="center">
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
+</p>
+
 <hr>
-<p align="center">
-  <img src="https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png" />
-</p>
 <p align="center">
   <a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
   <a href="https://pypi.org/project/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler.svg"></a>
   <a href="https://pypi.python.org/pypi/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler.svg"></a>
   <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Prowler Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=prowler%20downloads"></a>
-  <a href="https://pypistats.org/packages/prowler-cloud"><img alt="PyPI Prowler-Cloud Downloads" src="https://img.shields.io/pypi/dw/prowler-cloud.svg?label=prowler-cloud%20downloads"></a>
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/cloud/build/toniblyx/prowler"></a>
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/image-size/toniblyx/prowler"></a>
   <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
 </p>
 <p align="center">
   <a href="https://github.com/prowler-cloud/prowler"><img alt="Repo size" src="https://img.shields.io/github/repo-size/prowler-cloud/prowler"></a>
@@ -30,6 +31,7 @@
   <a href="https://twitter.com/ToniBlyx"><img alt="Twitter" src="https://img.shields.io/twitter/follow/toniblyx?style=social"></a>
   <a href="https://twitter.com/prowlercloud"><img alt="Twitter" src="https://img.shields.io/twitter/follow/prowlercloud?style=social"></a>
 </p>
+<hr>
 
 # Description
 
@@ -39,10 +41,10 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.cloud/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.cloud/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
-| AWS | 301 | 61 -> `prowler aws --list-services` | 25 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
+| AWS | 302 | 61 -> `prowler aws --list-services` | 27 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` |
 | GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
-| Azure | 23 | 4 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |
-| Kubernetes | Planned | - | - | - |
+| Azure | 37 | 4 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |
+| Kubernetes | Work In Progress | - | CIS soon | - |
 
 # 📖 Documentation
 
@@ -54,7 +56,7 @@ For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prow
 # ⚙️ Install
 
 ## Pip package
-Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9:
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9, < 3.13:
 
 ```console
 pip install prowler
@@ -77,7 +79,7 @@ The container images are available here:
 
 ## From Github
 
-Python >= 3.9 is required with pip and poetry:
+Python >= 3.9, < 3.13 is required with pip and poetry:
 
 ```
 git clone https://github.com/prowler-cloud/prowler

SECURITY.md

@@ -14,7 +14,7 @@ As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (F
 
 If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to help@prowler.pro.
 
-The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+The information you share with ProwlerPro as part of this process is kept confidential within ProwlerPro. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
 
 We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
 

docs/developer-guide/unit-testing.md

@@ -523,7 +523,7 @@ from unittest import mock
 from uuid import uuid4
 
 # Azure Constants
-AZURE_SUSCRIPTION = str(uuid4())
+AZURE_SUBSCRIPTION = str(uuid4())
 
 
 
@@ -542,7 +542,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
 
         # Create the custom Defender object to be tested
         defender_client.pricings = {
-            AZURE_SUSCRIPTION: {
+            AZURE_SUBSCRIPTION: {
                 "Arm": Defender_Pricing(
                     resource_id=resource_id,
                     pricing_tier="Not Standard",
@@ -580,9 +580,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for ARM from subscription {AZURE_SUSCRIPTION} is set to OFF (pricing tier not standard)"
+                == f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)"
             )
-            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION
             assert result[0].resource_name == "Defender plan ARM"
             assert result[0].resource_id == resource_id
 ```

docs/security.md

@@ -15,7 +15,7 @@ As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (F
 
 If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to help@prowler.pro.
 
-The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+The information you share with ProwlerPro as part of this process is kept confidential within ProwlerPro. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
 
 We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
 

docs/tutorials/aws/securityhub.md

@@ -1,48 +1,116 @@
 # AWS Security Hub Integration
 
-Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub.
+Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows **Prowler** to import its findings to AWS Security Hub.
 
-With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free.
 
-Before sending findings to Prowler, you will need to perform next steps:
+Before sending findings, you will need to enable AWS Security Hub and the **Prowler** integration.
 
-1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
-    - `aws securityhub enable-security-hub --region <region>`.
-2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
-    - `aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler` (change region also inside the ARN).
-    - Using the AWS Management Console:
-     ![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
-3. Allow Prowler to import its findings to AWS Security Hub by adding the policy below to the role or user running Prowler:
-    - [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)
+## Enable AWS Security Hub
 
+To enable the integration you have to perform the following steps, in _at least_ one AWS region of a given AWS account, to enable **AWS Security Hub** and **Prowler** as a partner integration.
+
+Since **AWS Security Hub** is a region based service, you will need to enable it in the region or regions you require. You can configure it using the AWS Management Console or the AWS CLI.
+
+> Take into account that enabling this integration will incur in costs in AWS Security Hub, please refer to its pricing [here](https://aws.amazon.com/security-hub/pricing/) for more information.
+
+### Using the AWS Management Console
+
+#### Enable AWS Security Hub
+
+If you have currently AWS Security Hub enabled you can skip to the [next section](#enable-prowler-integration).
+
+1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+
+2. When you open the Security Hub console for the first time make sure that you are in the region you want to enable, then choose **Go to Security Hub**.
+![](./img/enable.png)
+
+3. On the next page, the Security standards section lists the security standards that Security Hub supports. Select the check box for a standard to enable it, and clear the check box to disable it.
+
+4. Choose **Enable Security Hub**.
+![](./img/enable-2.png)
+
+#### Enable Prowler Integration
+
+If you have currently the Prowler integration enabled in AWS Security Hub you can skip to the [next section](#send-findings) and start sending findings.
+
+Once **AWS Security Hub** is enabled you will need to enable **Prowler** as partner integration to allow **Prowler** to send findings to your **AWS Security Hub**.
+
+1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+
+2. Select the **Integrations** tab in the right-side menu bar.
+![](./img/enable-partner-integration.png)
+
+3. Search for _Prowler_ in the text search box and the **Prowler** integration will appear.
+
+4. Once there, click on **Accept Findings** to allow **AWS Security Hub** to receive findings from **Prowler**.
+![](./img/enable-partner-integration-2.png)
+
+5. A new modal will appear to confirm that you are enabling the **Prowler** integration.
+![](./img/enable-partner-integration-3.png)
+
+6. Right after click on **Accept Findings**, you will see that the integration is enabled in **AWS Security Hub**.
+![](./img/enable-partner-integration-4.png)
+
+### Using the AWS CLI
+
+To enable **AWS Security Hub** and the **Prowler** integration you have to run the following commands using the AWS CLI:
+
+```shell
+aws securityhub enable-security-hub --region <region>
+```
+> For this command to work you will need the `securityhub:EnableSecurityHub` permission.
+> You will need to set the AWS region where you want to enable AWS Security Hub.
+
+Once **AWS Security Hub** is enabled you will need to enable **Prowler** as partner integration to allow **Prowler** to send findings to your AWS Security Hub. You have to run the following commands using the AWS CLI:
+
+```shell
+aws securityhub enable-import-findings-for-product --region eu-west-1 --product-arn arn:aws:securityhub:<region>::product/prowler/prowler
+```
+> You will need to set the AWS region where you want to enable the integration and also the AWS region also within the ARN.
+> For this command to work you will need the `securityhub:securityhub:EnableImportFindingsForProduct` permission.
+
+
+## Send Findings
 Once it is enabled, it is as simple as running the command below (for all regions):
 
 ```sh
-prowler aws -S
+prowler aws --security-hub
 ```
 
 or for only one filtered region like eu-west-1:
 
 ```sh
-prowler -S -f eu-west-1
+prowler --security-hub --region eu-west-1
 ```
 
-> **Note 1**: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command.
+> **Note 1**: It is recommended to send only fails to Security Hub and that is possible adding `-q/--quiet` to the command. You can use, instead of the `-q/--quiet` argument, the `--send-sh-only-fails` argument to save all the findings in the Prowler outputs but just to send FAIL findings to AWS Security Hub.
 
-> **Note 2**: Since Prowler perform checks to all regions by default you may need to filter by region when running Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs). Prowler will send findings to the Security Hub on the region where the scanned resource is located.
+> **Note 2**: Since Prowler perform checks to all regions by default you may need to filter by region when running Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f/--region <region>` (if no region is used it will try to push findings in all regions hubs). Prowler will send findings to the Security Hub on the region where the scanned resource is located.
 
 > **Note 3**: To have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
 
-Once you run findings for first time you will be able to see Prowler findings in Findings section:
+### See you Prowler findings in AWS Security Hub
 
-![Screenshot 2020-10-29 at 10 29 05 PM](https://user-images.githubusercontent.com/3985464/97634676-66c9f600-1a36-11eb-9341-70feb06f6331.png)
+Once configured the **AWS Security Hub** in your next scan you will receive the **Prowler** findings in the AWS regions configured. To review those findings in **AWS Security Hub**:
+
+1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+
+2. Select the **Findings** tab in the right-side menu bar.
+![](./img/findings.png)
+
+3. Use the search box filters and use the **Product Name** filter with the value _Prowler_ to see the findings sent from **Prowler**.
+
+4. Then, you can click on the check **Title** to see the details and the history of a finding.
+![](./img/finding-details.png)
+
+As you can see in the related requirements section, in the detailed view of the findings, **Prowler** also sends compliance information related to every finding.
 
 ## Send findings to Security Hub assuming an IAM Role
 
 When you are auditing a multi-account AWS environment, you can send findings to a Security Hub of another account by assuming an IAM role from that account using the `-R` flag in the Prowler command:
 
 ```sh
-prowler -S -R arn:aws:iam::123456789012:role/ProwlerExecRole
+prowler --security-hub --role arn:aws:iam::123456789012:role/ProwlerExecutionRole
 ```
 
 > Remember that the used role needs to have permissions to send findings to Security Hub. To get more information about the permissions required, please refer to the following IAM policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)
@@ -50,12 +118,17 @@ prowler -S -R arn:aws:iam::123456789012:role/ProwlerExecRole
 
 ## Send only failed findings to Security Hub
 
-When using Security Hub it is recommended to send only the failed findings generated. To follow that recommendation you could add the `-q` flag to the Prowler command:
+When using the **AWS Security Hub** integration you can send only the `FAIL` findings generated by **Prowler**. Therefore, the **AWS Security Hub** usage costs eventually would be lower. To follow that recommendation you could add the `-q/--quiet` flag to the Prowler command:
 
 ```sh
-prowler -S -q
+prowler --security-hub --quiet
 ```
 
+You can use, instead of the `-q/--quiet` argument, the `--send-sh-only-fails` argument to save all the findings in the Prowler outputs but just to send FAIL findings to AWS Security Hub:
+
+```sh
+prowler --security-hub --send-sh-only-fails
+```
 
 ## Skip sending updates of findings to Security Hub
 
@@ -63,5 +136,5 @@ By default, Prowler archives all its findings in Security Hub that have not appe
 You can skip this logic by using the option `--skip-sh-update` so Prowler will not archive older findings:
 
 ```sh
-prowler -S --skip-sh-update
+prowler --security-hub --skip-sh-update
 ```

docs/tutorials/ignore-unused-services.md

@@ -47,7 +47,7 @@ It is a best practice to encrypt both metadata and connection passwords in AWS G
 #### Inspector
 Amazon Inspector is a vulnerability discovery service that automates continuous scanning for security vulnerabilities within your Amazon EC2, Amazon ECR, and AWS Lambda environments. Prowler recommends to enable it and resolve all the Inspector's findings. Ignoring the unused services, Prowler will only notify you if there are any Lambda functions, EC2 instances or ECR repositories in the region where Amazon inspector should be enabled.
 
-  - `inspector2_findings_exist`
+  - `inspector2_is_enabled`
 
 #### Macie
 Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in S3 buckets. Prowler will only create a finding when Macie is not enabled if there are S3 buckets in your account.

mkdocs.yml

@@ -102,7 +102,7 @@ extra:
       link: https://twitter.com/prowlercloud
 
 # Copyright
-copyright: Copyright &copy; 2022 Toni de la Fuente, Maintained by the Prowler Team at Verica, Inc.</a>
+copyright: Copyright &copy; 2024 Toni de la Fuente, Maintained by the Prowler Team at ProwlerPro, Inc.</a>
 
 markdown_extensions:
   - abbr

prowler/compliance/aws/cis_2.0_aws.json

@@ -468,27 +468,6 @@
     },
     {
       "Id": "2.1.1",
-      "Description": "Ensure all S3 buckets employ encryption-at-rest",
-      "Checks": [
-        "s3_bucket_default_encryption"
-      ],
-      "Attributes": [
-        {
-          "Section": "2.1. Simple Storage Service (S3)",
-          "Profile": "Level 2",
-          "AssessmentStatus": "Automated",
-          "Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
-          "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
-          "ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.",
-          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. Repeat for all the buckets in your AWS account lacking encryption.  **From Command Line:**  Run either  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```  or  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```  **Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
-          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run  ``` aws s3api get-bucket-encryption --bucket <bucket name> ``` 3. Verify that either  ``` \"SSEAlgorithm\": \"AES256\" ```  or  ``` \"SSEAlgorithm\": \"aws:kms\"```  is displayed.",
-          "AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket.",
-          "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources"
-        }
-      ]
-    },
-    {
-      "Id": "2.1.2",
       "Description": "Ensure S3 Bucket Policy is set to deny HTTP requests",
       "Checks": [
         "s3_bucket_secure_transport_policy"
@@ -509,7 +488,7 @@
       ]
     },
     {
-      "Id": "2.1.3",
+      "Id": "2.1.2",
       "Description": "Ensure MFA Delete is enabled on S3 buckets",
       "Checks": [
         "s3_bucket_no_mfa_delete"
@@ -530,7 +509,7 @@
       ]
     },
     {
-      "Id": "2.1.4",
+      "Id": "2.1.3",
       "Description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.",
       "Checks": [
         "macie_is_enabled"
@@ -551,7 +530,7 @@
       ]
     },
     {
-      "Id": "2.1.5",
+      "Id": "2.1.4",
       "Description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'",
       "Checks": [
         "s3_bucket_level_public_access_block",

prowler/compliance/aws/ens_rd2022_aws.json

@@ -814,7 +814,8 @@
         }
       ],
       "Checks": [
-        "inspector2_findings_exist"
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
       ]
     },
     {
@@ -1935,7 +1936,8 @@
         }
       ],
       "Checks": [
-        "inspector2_findings_exist"
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
       ]
     },
     {
@@ -2010,7 +2012,8 @@
         }
       ],
       "Checks": [
-        "inspector2_findings_exist"
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
       ]
     },
     {

prowler/compliance/aws/mitre_attack_aws.json

@@ -29,7 +29,8 @@
         "securityhub_enabled",
         "elbv2_waf_acl_attached",
         "guardduty_is_enabled",
-        "inspector2_findings_exist",
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist",
         "awslambda_function_not_publicly_accessible",
         "ec2_instance_public_ip"
       ],
@@ -576,7 +577,8 @@
         "config_recorder_all_regions_enabled",
         "securityhub_enabled",
         "guardduty_is_enabled",
-        "inspector2_findings_exist"
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
       ],
       "Attributes": [
         {
@@ -737,7 +739,8 @@
         "iam_user_hardware_mfa_enabled",
         "iam_user_mfa_enabled_console_access",
         "securityhub_enabled",
-        "inspector2_findings_exist"
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
       ],
       "Attributes": [
         {
@@ -1892,7 +1895,8 @@
         "networkfirewall_in_all_vpc",
         "elbv2_waf_acl_attached",
         "guardduty_is_enabled",
-        "inspector2_findings_exist",
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist",
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",

prowler/compliance/aws/soc2_aws.json

@@ -13,7 +13,7 @@
           "ItemId": "cc_1_1",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -27,7 +27,7 @@
           "ItemId": "cc_1_2",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -41,7 +41,7 @@
           "ItemId": "cc_1_3",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -62,7 +62,7 @@
           "ItemId": "cc_1_4",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -76,7 +76,7 @@
           "ItemId": "cc_1_5",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -90,7 +90,7 @@
           "ItemId": "cc_2_1",
           "Section": "CC2.0 - Common Criteria Related to Communication and Information",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -109,7 +109,7 @@
           "ItemId": "cc_2_2",
           "Section": "CC2.0 - Common Criteria Related to Communication and Information",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -123,7 +123,7 @@
           "ItemId": "cc_2_3",
           "Section": "CC2.0 - Common Criteria Related to Communication and Information",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -137,7 +137,7 @@
           "ItemId": "cc_3_1",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -155,7 +155,7 @@
           "ItemId": "cc_3_2",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -175,7 +175,7 @@
           "ItemId": "cc_3_3",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -189,7 +189,7 @@
           "ItemId": "cc_3_4",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "config",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -205,7 +205,7 @@
           "ItemId": "cc_4_1",
           "Section": "CC4.0 - Monitoring Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -219,7 +219,7 @@
           "ItemId": "cc_4_2",
           "Section": "CC4.0 - Monitoring Activities",
           "Service": "guardduty",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -236,7 +236,7 @@
           "ItemId": "cc_5_1",
           "Section": "CC5.0 - Control Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -250,7 +250,7 @@
           "ItemId": "cc_5_2",
           "Section": "CC5.0 - Control Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -264,7 +264,7 @@
           "ItemId": "cc_5_3",
           "Section": "CC5.0 - Control Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -278,7 +278,7 @@
           "ItemId": "cc_6_1",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "s3",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -294,7 +294,7 @@
           "ItemId": "cc_6_2",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "rds",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -310,7 +310,7 @@
           "ItemId": "cc_6_3",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "iam",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -328,7 +328,7 @@
           "ItemId": "cc_6_4",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -342,7 +342,7 @@
           "ItemId": "cc_6_5",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -356,7 +356,7 @@
           "ItemId": "cc_6_6",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "ec2",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -372,7 +372,7 @@
           "ItemId": "cc_6_7",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "acm",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -388,7 +388,7 @@
           "ItemId": "cc_6_8",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -405,7 +405,7 @@
           "ItemId": "cc_7_1",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -424,7 +424,7 @@
           "ItemId": "cc_7_2",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -460,7 +460,7 @@
           "ItemId": "cc_7_3",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -492,7 +492,7 @@
           "ItemId": "cc_7_4",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -523,7 +523,7 @@
           "ItemId": "cc_7_5",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -537,7 +537,7 @@
           "ItemId": "cc_8_1",
           "Section": "CC8.0 - Change Management",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -553,7 +553,7 @@
           "ItemId": "cc_9_1",
           "Section": "CC9.0 - Risk Mitigation",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -567,7 +567,7 @@
           "ItemId": "cc_9_2",
           "Section": "CC9.0 - Risk Mitigation",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -581,7 +581,7 @@
           "ItemId": "cc_a_1_1",
           "Section": "CCA1.0 - Additional Criterial for Availability",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -595,7 +595,7 @@
           "ItemId": "cc_a_1_2",
           "Section": "CCA1.0 - Additional Criterial for Availability",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -626,7 +626,7 @@
           "ItemId": "cc_a_1_3",
           "Section": "CCA1.0 - Additional Criterial for Availability",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -640,7 +640,7 @@
           "ItemId": "cc_c_1_1",
           "Section": "CCC1.0 - Additional Criterial for Confidentiality",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -656,7 +656,7 @@
           "ItemId": "cc_c_1_2",
           "Section": "CCC1.0 - Additional Criterial for Confidentiality",
           "Service": "s3",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -672,7 +672,7 @@
           "ItemId": "p_1_1",
           "Section": "P1.0 - Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -686,7 +686,7 @@
           "ItemId": "p_2_1",
           "Section": "P2.0 - Privacy Criteria Related to Choice and Consent",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -700,7 +700,7 @@
           "ItemId": "p_3_1",
           "Section": "P3.0 - Privacy Criteria Related to Collection",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -714,7 +714,7 @@
           "ItemId": "p_3_2",
           "Section": "P3.0 - Privacy Criteria Related to Collection",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -728,7 +728,7 @@
           "ItemId": "p_4_1",
           "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -742,7 +742,7 @@
           "ItemId": "p_4_2",
           "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -756,7 +756,7 @@
           "ItemId": "p_4_3",
           "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -770,7 +770,7 @@
           "ItemId": "p_5_1",
           "Section": "P5.0 - Privacy Criteria Related to Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -784,7 +784,7 @@
           "ItemId": "p_5_2",
           "Section": "P5.0 - Privacy Criteria Related to Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -798,7 +798,7 @@
           "ItemId": "p_6_1",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -812,7 +812,7 @@
           "ItemId": "p_6_2",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -826,7 +826,7 @@
           "ItemId": "p_6_3",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -840,7 +840,7 @@
           "ItemId": "p_6_4",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -854,7 +854,7 @@
           "ItemId": "p_6_5",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -868,7 +868,7 @@
           "ItemId": "p_6_6",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -882,7 +882,7 @@
           "ItemId": "p_6_7",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -896,7 +896,7 @@
           "ItemId": "p_7_1",
           "Section": "P7.0 - Privacy Criteria Related to Quality",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -910,7 +910,7 @@
           "ItemId": "p_8_1",
           "Section": "P8.0 - Privacy Criteria Related to Monitoring and Enforcement",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []

prowler/config/config.py

@@ -11,7 +11,7 @@ from prowler.lib.logger import logger
 
 timestamp = datetime.today()
 timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "3.12.0"
+prowler_version = "3.13.0"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 html_logo_img = "https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png"
 square_logo_img = "https://user-images.githubusercontent.com/38561120/235905862-9ece5bd7-9aa3-4e48-807a-3a9035eb8bfb.png"

prowler/lib/banner.py

@@ -4,7 +4,7 @@ from prowler.config.config import banner_color, orange_color, prowler_version, t
 
 
 def print_banner(args):
-    banner = f"""{banner_color}                         _
+    banner = rf"""{banner_color}                         _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |

prowler/lib/check/check.py

@@ -67,9 +67,9 @@ def bulk_load_compliance_frameworks(provider: str) -> dict:
                         # cis_v1.4_aws.json --> cis_v1.4_aws
                         compliance_framework_name = filename.split(".json")[0]
                         # Store the compliance info
-                        bulk_compliance_frameworks[
-                            compliance_framework_name
-                        ] = load_compliance_framework(file_path)
+                        bulk_compliance_frameworks[compliance_framework_name] = (
+                            load_compliance_framework(file_path)
+                        )
     except Exception as e:
         logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
 

prowler/lib/check/checks_loader.py

@@ -34,7 +34,9 @@ def load_checks_to_execute(
         for check, metadata in bulk_checks_metadata.items():
             # Aliases
             for alias in metadata.CheckAliases:
-                check_aliases[alias] = check
+                if alias not in check_aliases:
+                    check_aliases[alias] = []
+                check_aliases[alias].append(check)
 
             # Severities
             if metadata.Severity:
@@ -110,15 +112,20 @@ def update_checks_to_execute_with_aliases(
 ) -> set:
     """update_checks_to_execute_with_aliases returns the checks_to_execute updated using the check aliases."""
     # Verify if any input check is an alias of another check
-    for input_check in checks_to_execute:
-        if (
-            input_check in check_aliases
-            and check_aliases[input_check] not in checks_to_execute
-        ):
-            # Remove input check name and add the real one
-            checks_to_execute.remove(input_check)
-            checks_to_execute.add(check_aliases[input_check])
-            print(
-                f"\nUsing alias {Fore.YELLOW}{input_check}{Style.RESET_ALL} for check {Fore.YELLOW}{check_aliases[input_check]}{Style.RESET_ALL}...\n"
-            )
-    return checks_to_execute
+    try:
+        new_checks_to_execute = checks_to_execute.copy()
+        for input_check in checks_to_execute:
+            if input_check in check_aliases:
+                # Remove input check name and add the real one
+                new_checks_to_execute.remove(input_check)
+                for alias in check_aliases[input_check]:
+                    if alias not in new_checks_to_execute:
+                        new_checks_to_execute.add(alias)
+                        print(
+                            f"\nUsing alias {Fore.YELLOW}{input_check}{Style.RESET_ALL} for check {Fore.YELLOW}{alias}{Style.RESET_ALL}..."
+                        )
+        return new_checks_to_execute
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )

prowler/lib/check/compliance_models.py

@@ -52,12 +52,12 @@ class ENS_Requirement_Attribute(BaseModel):
 class Generic_Compliance_Requirement_Attribute(BaseModel):
     """Generic Compliance Requirement Attribute"""
 
-    ItemId: str
+    ItemId: Optional[str]
     Section: Optional[str]
     SubSection: Optional[str]
     SubGroup: Optional[str]
-    Service: str
-    Soc_Type: Optional[str]
+    Service: Optional[str]
+    Type: Optional[str]
 
 
 class CIS_Requirement_Attribute_Profile(str):

prowler/lib/outputs/compliance.py

@@ -330,7 +330,7 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                 Requirements_Attributes_SubSection=attribute.SubSection,
                                 Requirements_Attributes_SubGroup=attribute.SubGroup,
                                 Requirements_Attributes_Service=attribute.Service,
-                                Requirements_Attributes_Soc_Type=attribute.Soc_Type,
+                                Requirements_Attributes_Type=attribute.Type,
                                 Status=finding.status,
                                 StatusExtended=finding.status_extended,
                                 ResourceId=finding.resource_id,
@@ -444,8 +444,8 @@ def display_compliance_table(
                 )
                 overview_table = [
                     [
-                        f"{Fore.RED}{round(fail_count/(fail_count+pass_count)*100, 2)}% ({fail_count}) NO CUMPLE{Style.RESET_ALL}",
-                        f"{Fore.GREEN}{round(pass_count/(fail_count+pass_count)*100, 2)}% ({pass_count}) CUMPLE{Style.RESET_ALL}",
+                        f"{Fore.RED}{round(fail_count / (fail_count + pass_count) * 100, 2)}% ({fail_count}) NO CUMPLE{Style.RESET_ALL}",
+                        f"{Fore.GREEN}{round(pass_count / (fail_count + pass_count) * 100, 2)}% ({pass_count}) CUMPLE{Style.RESET_ALL}",
                     ]
                 ]
                 print(tabulate(overview_table, tablefmt="rounded_grid"))
@@ -539,8 +539,8 @@ def display_compliance_table(
                 )
                 overview_table = [
                     [
-                        f"{Fore.RED}{round(fail_count/(fail_count+pass_count)*100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
-                        f"{Fore.GREEN}{round(pass_count/(fail_count+pass_count)*100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
+                        f"{Fore.RED}{round(fail_count / (fail_count + pass_count) * 100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
+                        f"{Fore.GREEN}{round(pass_count / (fail_count + pass_count) * 100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
                     ]
                 ]
                 print(tabulate(overview_table, tablefmt="rounded_grid"))
@@ -610,8 +610,8 @@ def display_compliance_table(
                 )
                 overview_table = [
                     [
-                        f"{Fore.RED}{round(fail_count/(fail_count+pass_count)*100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
-                        f"{Fore.GREEN}{round(pass_count/(fail_count+pass_count)*100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
+                        f"{Fore.RED}{round(fail_count / (fail_count + pass_count) * 100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
+                        f"{Fore.GREEN}{round(pass_count / (fail_count + pass_count) * 100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
                     ]
                 ]
                 print(tabulate(overview_table, tablefmt="rounded_grid"))

prowler/lib/outputs/json.py

@@ -51,9 +51,9 @@ def fill_json_asff(finding_output, audit_info, finding, output_options):
         finding_output.GeneratorId = "prowler-" + finding.check_metadata.CheckID
         finding_output.AwsAccountId = audit_info.audited_account
         finding_output.Types = finding.check_metadata.CheckType
-        finding_output.FirstObservedAt = (
-            finding_output.UpdatedAt
-        ) = finding_output.CreatedAt = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+        finding_output.FirstObservedAt = finding_output.UpdatedAt = (
+            finding_output.CreatedAt
+        ) = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
         finding_output.Severity = Severity(
             Label=finding.check_metadata.Severity.upper()
         )

prowler/lib/outputs/models.py

@@ -55,9 +55,9 @@ def generate_provider_output_csv(
             data["resource_name"] = finding.resource_name
             data["subscription"] = finding.subscription
             data["tenant_domain"] = audit_info.identity.domain
-            data[
-                "finding_unique_id"
-            ] = f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.subscription}-{finding.resource_id}"
+            data["finding_unique_id"] = (
+                f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.subscription}-{finding.resource_id}"
+            )
             data["compliance"] = unroll_dict(
                 get_check_compliance(finding, provider, output_options)
             )
@@ -68,9 +68,9 @@ def generate_provider_output_csv(
             data["resource_name"] = finding.resource_name
             data["project_id"] = finding.project_id
             data["location"] = finding.location.lower()
-            data[
-                "finding_unique_id"
-            ] = f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.project_id}-{finding.resource_id}"
+            data["finding_unique_id"] = (
+                f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.project_id}-{finding.resource_id}"
+            )
             data["compliance"] = unroll_dict(
                 get_check_compliance(finding, provider, output_options)
             )
@@ -82,9 +82,9 @@ def generate_provider_output_csv(
             data["region"] = finding.region
             data["resource_id"] = finding.resource_id
             data["resource_arn"] = finding.resource_arn
-            data[
-                "finding_unique_id"
-            ] = f"prowler-{provider}-{finding.check_metadata.CheckID}-{audit_info.audited_account}-{finding.region}-{finding.resource_id}"
+            data["finding_unique_id"] = (
+                f"prowler-{provider}-{finding.check_metadata.CheckID}-{audit_info.audited_account}-{finding.region}-{finding.resource_id}"
+            )
             data["compliance"] = unroll_dict(
                 get_check_compliance(finding, provider, output_options)
             )
@@ -614,8 +614,8 @@ class Check_Output_CSV_Generic_Compliance(BaseModel):
     Requirements_Attributes_Section: Optional[str]
     Requirements_Attributes_SubSection: Optional[str]
     Requirements_Attributes_SubGroup: Optional[str]
-    Requirements_Attributes_Service: str
-    Requirements_Attributes_Soc_Type: Optional[str]
+    Requirements_Attributes_Service: Optional[str]
+    Requirements_Attributes_Type: Optional[str]
     Status: str
     StatusExtended: str
     ResourceId: str

prowler/lib/outputs/slack.py

@@ -66,14 +66,14 @@ def create_message_blocks(identity, logo, stats):
                 "type": "section",
                 "text": {
                     "type": "mrkdwn",
-                    "text": f"\n:white_check_mark: *{stats['total_pass']} Passed findings* ({round(stats['total_pass']/stats['findings_count']*100,2)}%)\n",
+                    "text": f"\n:white_check_mark: *{stats['total_pass']} Passed findings* ({round(stats['total_pass'] / stats['findings_count'] * 100 , 2)}%)\n",
                 },
             },
             {
                 "type": "section",
                 "text": {
                     "type": "mrkdwn",
-                    "text": f"\n:x: *{stats['total_fail']} Failed findings* ({round(stats['total_fail']/stats['findings_count']*100,2)}%)\n ",
+                    "text": f"\n:x: *{stats['total_fail']} Failed findings* ({round(stats['total_fail'] / stats['findings_count'] * 100 , 2)}%)\n ",
                 },
             },
             {

prowler/lib/outputs/summary_table.py

@@ -96,8 +96,8 @@ def display_summary_table(
             print("\nOverview Results:")
             overview_table = [
                 [
-                    f"{Fore.RED}{round(fail_count/len(findings)*100, 2)}% ({fail_count}) Failed{Style.RESET_ALL}",
-                    f"{Fore.GREEN}{round(pass_count/len(findings)*100, 2)}% ({pass_count}) Passed{Style.RESET_ALL}",
+                    f"{Fore.RED}{round(fail_count / len(findings) * 100, 2)}% ({fail_count}) Failed{Style.RESET_ALL}",
+                    f"{Fore.GREEN}{round(pass_count / len(findings) * 100, 2)}% ({pass_count}) Passed{Style.RESET_ALL}",
                 ]
             ]
             print(tabulate(overview_table, tablefmt="rounded_grid"))

prowler/providers/aws/aws_regions_by_service.json

@@ -400,6 +400,7 @@
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
+          "me-central-1",
           "me-south-1",
           "sa-east-1",
           "us-east-1",
@@ -720,6 +721,7 @@
           "ap-southeast-1",
           "ap-southeast-2",
           "ap-southeast-3",
+          "ap-southeast-4",
           "ca-central-1",
           "eu-central-1",
           "eu-central-2",
@@ -729,6 +731,7 @@
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
+          "il-central-1",
           "me-central-1",
           "me-south-1",
           "sa-east-1",
@@ -2234,6 +2237,15 @@
         "aws-us-gov": []
       }
     },
+    "codewhisperer": {
+      "regions": {
+        "aws": [
+          "us-east-1"
+        ],
+        "aws-cn": [],
+        "aws-us-gov": []
+      }
+    },
     "cognito": {
       "regions": {
         "aws": [
@@ -2761,12 +2773,14 @@
       "regions": {
         "aws": [
           "ap-northeast-1",
+          "ap-northeast-2",
           "ap-southeast-1",
           "ap-southeast-2",
           "ca-central-1",
           "eu-central-1",
           "eu-north-1",
           "eu-west-1",
+          "eu-west-2",
           "sa-east-1",
           "us-east-1",
           "us-east-2",
@@ -2809,17 +2823,6 @@
         "aws-us-gov": []
       }
     },
-    "deeplens": {
-      "regions": {
-        "aws": [
-          "ap-northeast-1",
-          "eu-central-1",
-          "us-east-1"
-        ],
-        "aws-cn": [],
-        "aws-us-gov": []
-      }
-    },
     "deepracer": {
       "regions": {
         "aws": [
@@ -4431,19 +4434,30 @@
     "fsx-openzfs": {
       "regions": {
         "aws": [
+          "af-south-1",
           "ap-east-1",
           "ap-northeast-1",
           "ap-northeast-2",
+          "ap-northeast-3",
           "ap-south-1",
+          "ap-south-2",
           "ap-southeast-1",
           "ap-southeast-2",
+          "ap-southeast-3",
           "ca-central-1",
           "eu-central-1",
           "eu-north-1",
+          "eu-south-1",
           "eu-west-1",
           "eu-west-2",
+          "eu-west-3",
+          "il-central-1",
+          "me-central-1",
+          "me-south-1",
+          "sa-east-1",
           "us-east-1",
           "us-east-2",
+          "us-west-1",
           "us-west-2"
         ],
         "aws-cn": [],
@@ -4831,6 +4845,7 @@
           "eu-west-2",
           "eu-west-3",
           "il-central-1",
+          "me-central-1",
           "me-south-1",
           "sa-east-1",
           "us-east-1",
@@ -5031,7 +5046,10 @@
           "us-west-1",
           "us-west-2"
         ],
-        "aws-cn": [],
+        "aws-cn": [
+          "cn-north-1",
+          "cn-northwest-1"
+        ],
         "aws-us-gov": [
           "us-gov-east-1",
           "us-gov-west-1"
@@ -5416,7 +5434,9 @@
           "us-east-1",
           "us-west-2"
         ],
-        "aws-cn": [],
+        "aws-cn": [
+          "cn-north-1"
+        ],
         "aws-us-gov": [
           "us-gov-west-1"
         ]
@@ -5837,10 +5857,13 @@
           "ap-southeast-1",
           "ap-southeast-2",
           "ap-southeast-3",
+          "ap-southeast-4",
           "ca-central-1",
           "eu-central-1",
+          "eu-central-2",
           "eu-north-1",
           "eu-south-1",
+          "eu-south-2",
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
@@ -5875,10 +5898,13 @@
           "ap-southeast-1",
           "ap-southeast-2",
           "ap-southeast-3",
+          "ap-southeast-4",
           "ca-central-1",
           "eu-central-1",
+          "eu-central-2",
           "eu-north-1",
           "eu-south-1",
+          "eu-south-2",
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
@@ -6225,9 +6251,11 @@
           "eu-central-1",
           "eu-north-1",
           "eu-south-1",
+          "eu-south-2",
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
+          "il-central-1",
           "sa-east-1",
           "us-east-1",
           "us-east-2",
@@ -6612,9 +6640,12 @@
         "aws": [
           "ap-northeast-1",
           "ap-northeast-2",
+          "ap-northeast-3",
           "ap-south-1",
           "ap-southeast-1",
           "ap-southeast-2",
+          "ap-southeast-4",
+          "ca-central-1",
           "eu-central-1",
           "eu-north-1",
           "eu-west-1",
@@ -7011,6 +7042,21 @@
         ]
       }
     },
+    "neptune-graph": {
+      "regions": {
+        "aws": [
+          "ap-northeast-1",
+          "ap-southeast-1",
+          "eu-central-1",
+          "eu-west-1",
+          "us-east-1",
+          "us-east-2",
+          "us-west-2"
+        ],
+        "aws-cn": [],
+        "aws-us-gov": []
+      }
+    },
     "network-firewall": {
       "regions": {
         "aws": [
@@ -7082,6 +7128,32 @@
         ]
       }
     },
+    "networkmonitor": {
+      "regions": {
+        "aws": [
+          "ap-east-1",
+          "ap-northeast-1",
+          "ap-northeast-2",
+          "ap-south-1",
+          "ap-southeast-1",
+          "ap-southeast-2",
+          "ca-central-1",
+          "eu-central-1",
+          "eu-north-1",
+          "eu-west-1",
+          "eu-west-2",
+          "eu-west-3",
+          "me-south-1",
+          "sa-east-1",
+          "us-east-1",
+          "us-east-2",
+          "us-west-1",
+          "us-west-2"
+        ],
+        "aws-cn": [],
+        "aws-us-gov": []
+      }
+    },
     "nimble": {
       "regions": {
         "aws": [
@@ -7442,6 +7514,7 @@
       "regions": {
         "aws": [
           "us-east-1",
+          "us-east-2",
           "us-west-2"
         ],
         "aws-cn": [],
@@ -7600,19 +7673,37 @@
     "pinpoint-sms-voice-v2": {
       "regions": {
         "aws": [
+          "af-south-1",
           "ap-northeast-1",
+          "ap-northeast-2",
+          "ap-northeast-3",
           "ap-south-1",
+          "ap-south-2",
           "ap-southeast-1",
           "ap-southeast-2",
+          "ap-southeast-3",
+          "ap-southeast-4",
           "ca-central-1",
           "eu-central-1",
+          "eu-central-2",
+          "eu-north-1",
+          "eu-south-1",
+          "eu-south-2",
           "eu-west-1",
           "eu-west-2",
+          "eu-west-3",
+          "il-central-1",
+          "me-central-1",
+          "me-south-1",
+          "sa-east-1",
           "us-east-1",
+          "us-east-2",
+          "us-west-1",
           "us-west-2"
         ],
         "aws-cn": [],
         "aws-us-gov": [
+          "us-gov-east-1",
           "us-gov-west-1"
         ]
       }
@@ -7829,7 +7920,9 @@
           "us-east-2",
           "us-west-2"
         ],
-        "aws-cn": [],
+        "aws-cn": [
+          "cn-north-1"
+        ],
         "aws-us-gov": [
           "us-gov-west-1"
         ]
@@ -8363,7 +8456,10 @@
           "us-west-2"
         ],
         "aws-cn": [],
-        "aws-us-gov": []
+        "aws-us-gov": [
+          "us-gov-east-1",
+          "us-gov-west-1"
+        ]
       }
     },
     "route53": {
@@ -8406,49 +8502,6 @@
         "aws-us-gov": []
       }
     },
-    "route53-application-recovery-controller": {
-      "regions": {
-        "aws": [
-          "af-south-1",
-          "ap-east-1",
-          "ap-northeast-1",
-          "ap-northeast-2",
-          "ap-northeast-3",
-          "ap-south-1",
-          "ap-south-2",
-          "ap-southeast-1",
-          "ap-southeast-2",
-          "ap-southeast-3",
-          "ap-southeast-4",
-          "ca-central-1",
-          "ca-west-1",
-          "eu-central-1",
-          "eu-central-2",
-          "eu-north-1",
-          "eu-south-1",
-          "eu-south-2",
-          "eu-west-1",
-          "eu-west-2",
-          "eu-west-3",
-          "il-central-1",
-          "me-central-1",
-          "me-south-1",
-          "sa-east-1",
-          "us-east-1",
-          "us-east-2",
-          "us-west-1",
-          "us-west-2"
-        ],
-        "aws-cn": [
-          "cn-north-1",
-          "cn-northwest-1"
-        ],
-        "aws-us-gov": [
-          "us-gov-east-1",
-          "us-gov-west-1"
-        ]
-      }
-    },
     "route53-recovery-readiness": {
       "regions": {
         "aws": [
@@ -8823,6 +8876,7 @@
           "ap-southeast-3",
           "ap-southeast-4",
           "ca-central-1",
+          "ca-west-1",
           "eu-central-1",
           "eu-central-2",
           "eu-north-1",
@@ -9720,6 +9774,7 @@
           "eu-west-2",
           "eu-west-3",
           "il-central-1",
+          "me-central-1",
           "me-south-1",
           "sa-east-1",
           "us-east-1",
@@ -9865,6 +9920,17 @@
         ]
       }
     },
+    "supplychain": {
+      "regions": {
+        "aws": [
+          "eu-central-1",
+          "us-east-1",
+          "us-west-2"
+        ],
+        "aws-cn": [],
+        "aws-us-gov": []
+      }
+    },
     "support": {
       "regions": {
         "aws": [
@@ -10716,7 +10782,10 @@
       "regions": {
         "aws": [
           "ap-northeast-1",
+          "ap-northeast-2",
+          "ap-southeast-1",
           "ap-southeast-2",
+          "ca-central-1",
           "eu-central-1",
           "eu-west-2",
           "us-east-1",

prowler/providers/aws/lib/allowlist/allowlist.py

@@ -199,7 +199,11 @@ def is_allowlisted_in_check(
 
             allowlisted_regions = allowlisted_check_info.get("Regions")
             allowlisted_resources = allowlisted_check_info.get("Resources")
-            allowlisted_tags = allowlisted_check_info.get("Tags")
+            allowlisted_tags = allowlisted_check_info.get("Tags", "*")
+            # We need to set the allowlisted_tags if None, "" or [], so the falsy helps
+            if not allowlisted_tags:
+                allowlisted_tags = "*"
+
             # If there is a *, it affects to all checks
             if (
                 "*" == allowlisted_check
@@ -220,13 +224,15 @@ def is_allowlisted_in_check(
                 # For a finding to be allowlisted requires the following set to True:
                 # - allowlisted_in_check -> True
                 # - allowlisted_in_region -> True
-                # - allowlisted_in_tags -> True or allowlisted_in_resource -> True
+                # - allowlisted_in_tags -> True
+                # - allowlisted_in_resource -> True
                 # - excepted -> False
 
                 if (
                     allowlisted_in_check
                     and allowlisted_in_region
-                    and (allowlisted_in_tags or allowlisted_in_resource)
+                    and allowlisted_in_tags
+                    and allowlisted_in_resource
                 ):
                     is_check_allowlisted = True
 
@@ -304,6 +310,13 @@ def is_excepted(
             is_tag_excepted = __is_item_matched__(excepted_tags, finding_tags)
 
             if (
+                not is_account_excepted
+                and not is_region_excepted
+                and not is_resource_excepted
+                and not is_tag_excepted
+            ):
+                excepted = False
+            elif (
                 (is_account_excepted or not excepted_accounts)
                 and (is_region_excepted or not excepted_regions)
                 and (is_resource_excepted or not excepted_resources)

prowler/providers/aws/lib/quick_inventory/quick_inventory.py

@@ -211,9 +211,13 @@ def create_inventory_table(resources: list, resources_in_region: dict) -> dict:
 
 def create_output(resources: list, audit_info: AWS_Audit_Info, args):
     json_output = []
-    output_file = (
-        f"prowler-inventory-{audit_info.audited_account}-{output_file_timestamp}"
-    )
+    # Check if custom output filename was input, if not, set the default
+    if not hasattr(args, "output_filename") or args.output_filename is None:
+        output_file = (
+            f"prowler-inventory-{audit_info.audited_account}-{output_file_timestamp}"
+        )
+    else:
+        output_file = args.output_filename
 
     for item in sorted(resources, key=lambda d: d["arn"]):
         resource = {}
@@ -275,8 +279,8 @@ def create_output(resources: list, audit_info: AWS_Audit_Info, args):
         f"\n{Fore.YELLOW}WARNING: Only resources that have or have had tags will appear (except for IAM and S3).\nSee more in https://docs.prowler.cloud/en/latest/tutorials/quick-inventory/#objections{Style.RESET_ALL}"
     )
     print("\nMore details in files:")
-    print(f" - CSV: {args.output_directory}/{output_file+csv_file_suffix}")
-    print(f" - JSON: {args.output_directory}/{output_file+json_file_suffix}")
+    print(f" - CSV: {args.output_directory}/{output_file + csv_file_suffix}")
+    print(f" - JSON: {args.output_directory}/{output_file + json_file_suffix}")
 
     # Send output to S3 if needed (-B / -D)
     for mode in ["json", "csv"]:

prowler/providers/aws/lib/s3/s3.py

@@ -27,7 +27,7 @@ def send_to_s3_bucket(
         else:  # Compliance output mode
             filename = f"{output_filename}_{output_mode}{csv_file_suffix}"
 
-        logger.info(f"Sending outputs to S3 bucket {output_bucket_name}")
+        logger.info(f"Sending output file {filename} to S3 bucket {output_bucket_name}")
         # File location
         file_name = output_directory + "/" + filename
 

prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py

@@ -19,7 +19,11 @@ class acm_certificates_expiration_check(Check):
                 report.resource_tags = certificate.tags
             else:
                 report.status = "FAIL"
-                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
+                if certificate.expiration_days < 0:
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
+                else:
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
+
                 report.resource_id = certificate.id
                 report.resource_details = certificate.name
                 report.resource_arn = certificate.arn

prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.py

@@ -14,13 +14,13 @@ class apigatewayv2_api_access_logging_enabled(Check):
                 if stage.logging:
                     report.status = "PASS"
                     report.status_extended = f"API Gateway V2 {api.name} ID {api.id} in stage {stage.name} has access logging enabled."
-                    report.resource_id = api.name
+                    report.resource_id = f"{api.name}-{stage.name}"
                     report.resource_arn = api.arn
                     report.resource_tags = api.tags
                 else:
                     report.status = "FAIL"
                     report.status_extended = f"API Gateway V2 {api.name} ID {api.id} in stage {stage.name} has access logging disabled."
-                    report.resource_id = api.name
+                    report.resource_id = f"{api.name}-{stage.name}"
                     report.resource_arn = api.arn
                     report.resource_tags = api.tags
                 findings.append(report)

prowler/providers/aws/services/athena/athena_service.py

@@ -54,10 +54,8 @@ class Athena(AWSService):
                     )
 
                     wg_configuration = wg.get("WorkGroup").get("Configuration")
-                    self.workgroups[
-                        workgroup.arn
-                    ].enforce_workgroup_configuration = wg_configuration.get(
-                        "EnforceWorkGroupConfiguration", False
+                    self.workgroups[workgroup.arn].enforce_workgroup_configuration = (
+                        wg_configuration.get("EnforceWorkGroupConfiguration", False)
                     )
 
                     # We include an empty EncryptionConfiguration to handle if the workgroup does not have encryption configured
@@ -77,9 +75,9 @@ class Athena(AWSService):
                         encryption_configuration = EncryptionConfiguration(
                             encryption_option=encryption, encrypted=True
                         )
-                        self.workgroups[
-                            workgroup.arn
-                        ].encryption_configuration = encryption_configuration
+                        self.workgroups[workgroup.arn].encryption_configuration = (
+                            encryption_configuration
+                        )
                 except Exception as error:
                     logger.error(
                         f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"

prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.py

@@ -42,7 +42,7 @@ class awslambda_function_no_secrets_in_variables(Check):
                     environment_variable_names = list(function.environment.keys())
                     secrets_string = ", ".join(
                         [
-                            f"{secret['type']} in variable {environment_variable_names[int(secret['line_number'])-2]}"
+                            f"{secret['type']} in variable {environment_variable_names[int(secret['line_number']) - 2]}"
                             for secret in detect_secrets_output[temp_env_data_file.name]
                         ]
                     )

prowler/providers/aws/services/cloudfront/cloudfront_service.py

@@ -53,12 +53,12 @@ class CloudFront(AWSService):
                 distributions[distribution_id].logging_enabled = distribution_config[
                     "DistributionConfig"
                 ]["Logging"]["Enabled"]
-                distributions[
-                    distribution_id
-                ].geo_restriction_type = GeoRestrictionType(
-                    distribution_config["DistributionConfig"]["Restrictions"][
-                        "GeoRestriction"
-                    ]["RestrictionType"]
+                distributions[distribution_id].geo_restriction_type = (
+                    GeoRestrictionType(
+                        distribution_config["DistributionConfig"]["Restrictions"][
+                            "GeoRestriction"
+                        ]["RestrictionType"]
+                    )
                 )
                 distributions[distribution_id].web_acl_id = distribution_config[
                     "DistributionConfig"
@@ -78,9 +78,9 @@ class CloudFront(AWSService):
                         "DefaultCacheBehavior"
                     ].get("FieldLevelEncryptionId"),
                 )
-                distributions[
-                    distribution_id
-                ].default_cache_config = default_cache_config
+                distributions[distribution_id].default_cache_config = (
+                    default_cache_config
+                )
 
         except Exception as error:
             logger.error(

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json

@@ -1,7 +1,7 @@
 {
   "Provider": "aws",
   "CheckID": "cloudwatch_changes_to_network_route_tables_alarm_configured",
-  "CheckTitle": "Ensure a log metric filter and alarm exist for route table changes.",
+  "CheckTitle": "Ensure route table changes are monitored",
   "CheckType": [
     "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
   ],
@@ -10,8 +10,8 @@
   "ResourceIdTemplate": "arn:partition:cloudwatch:region:account-id:certificate/resource-id",
   "Severity": "medium",
   "ResourceType": "AwsCloudTrailTrail",
-  "Description": "Ensure a log metric filter and alarm exist for route table changes.",
-  "Risk": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.",
+  "Description": "Real-time monitoring of API calls can be achieved by directing Cloud Trail Logs to CloudWatch Logs, or an external Security information and event management (SIEM)environment, and establishing corresponding metric filters and alarms. Routing tablesare used to route network traffic between subnets and to network gateways. It isrecommended that a metric filter and alarm be established for changes to route tables.",
+  "Risk": "CloudWatch is an AWS native service that allows you to ob serve and monitor resources and applications. CloudTrail Logs can also be sent to an external Security informationand event management (SIEM) environment for monitoring and alerting.Monitoring changes to route tables will help ensure that all VPC traffic flows through anexpected path and prevent any accidental or intentional modifications that may lead touncontrolled network traffic. An alarm should be triggered every time an AWS API call isperformed to create, replace, delete, or disassociate a Route Table.",
   "RelatedUrl": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
   "Remediation": {
     "Code": {
@@ -21,12 +21,12 @@
       "Terraform": "https://docs.bridgecrew.io/docs/monitoring_13#fix---buildtime"
     },
     "Recommendation": {
-      "Text": "It is recommended that a metric filter and alarm be established for unauthorized requests.",
+      "Text": "If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription: 1. Create a metric filter based on filter pattern provided which checks for route table changes and the <cloudtrail_log_group_name> taken from audit step 1. aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> -- filter-name `<route_table_changes_metric>` --metric-transformations metricName= `<route_table_changes_metric>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }' Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together. 2. Create an SNS topic that the alarm will notify aws sns create-topic --name <sns_topic_name> Note: you can execute this command once and then re-use the same topic for all monitoring alarms. 3. Create an SNS subscription to the topic created in step 2 aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> - -notification-endpoint <sns_subscription_endpoints> Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms. 4. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2 aws cloudwatch put-metric-alarm --alarm-name `<route_table_changes_alarm>` --metric-name `<route_table_changes_metric>` --statistic Sum --period 300 - -threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>",
       "Url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html"
     }
   },
   "Categories": [],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": "Logging and Monitoring"
+  "Notes": ""
 }

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py

@@ -13,7 +13,7 @@ from prowler.providers.aws.services.cloudwatch.logs_client import logs_client
 
 class cloudwatch_changes_to_network_route_tables_alarm_configured(Check):
     def execute(self):
-        pattern = r"\$\.eventName\s*=\s*.?CreateRoute.+\$\.eventName\s*=\s*.?CreateRouteTable.+\$\.eventName\s*=\s*.?ReplaceRoute.+\$\.eventName\s*=\s*.?ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*.?DeleteRouteTable.+\$\.eventName\s*=\s*.?DeleteRoute.+\$\.eventName\s*=\s*.?DisassociateRouteTable.?"
+        pattern = r"\$\.eventSource\s*=\s*.?ec2.amazonaws.com.+\$\.eventName\s*=\s*.?CreateRoute.+\$\.eventName\s*=\s*.?CreateRouteTable.+\$\.eventName\s*=\s*.?ReplaceRoute.+\$\.eventName\s*=\s*.?ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*.?DeleteRouteTable.+\$\.eventName\s*=\s*.?DeleteRoute.+\$\.eventName\s*=\s*.?DisassociateRouteTable.?"
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.status = "FAIL"

prowler/providers/aws/services/cloudwatch/cloudwatch_service.py

@@ -218,9 +218,9 @@ class LogGroup(BaseModel):
     never_expire: bool
     kms_id: Optional[str]
     region: str
-    log_streams: dict[
-        str, list[str]
-    ] = {}  # Log stream name as the key, array of events as the value
+    log_streams: dict[str, list[str]] = (
+        {}
+    )  # Log stream name as the key, array of events as the value
     tags: Optional[list] = []
 
 

prowler/providers/aws/services/emr/emr_service.py

@@ -108,9 +108,9 @@ class EMR(AWSService):
                     master_public_dns_name = cluster_info["Cluster"].get(
                         "MasterPublicDnsName"
                     )
-                    self.clusters[
-                        cluster.id
-                    ].master_public_dns_name = master_public_dns_name
+                    self.clusters[cluster.id].master_public_dns_name = (
+                        master_public_dns_name
+                    )
                     # Set cluster Public/Private
                     # Public EMR cluster have their DNS ending with .amazonaws.com
                     # while private ones have format of ip-xxx-xx-xx.us-east-1.compute.internal.
@@ -136,12 +136,12 @@ class EMR(AWSService):
                 regional_client.get_block_public_access_configuration()
             )
 
-            self.block_public_access_configuration[
-                regional_client.region
-            ] = BlockPublicAccessConfiguration(
-                block_public_security_group_rules=block_public_access_configuration[
-                    "BlockPublicAccessConfiguration"
-                ]["BlockPublicSecurityGroupRules"]
+            self.block_public_access_configuration[regional_client.region] = (
+                BlockPublicAccessConfiguration(
+                    block_public_security_group_rules=block_public_access_configuration[
+                        "BlockPublicAccessConfiguration"
+                    ]["BlockPublicSecurityGroupRules"]
+                )
             )
         except Exception as error:
             logger.error(

prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py

@@ -16,7 +16,10 @@ class fms_policy_compliant(Check):
             if fms_client.fms_policies:
                 for policy in fms_client.fms_policies:
                     for policy_to_account in policy.compliance_status:
-                        if policy_to_account.status == "NON_COMPLIANT":
+                        if (
+                            policy_to_account.status == "NON_COMPLIANT"
+                            or not policy_to_account.status
+                        ):
                             report.status = "FAIL"
                             report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}."
                             report.resource_id = policy.id

prowler/providers/aws/services/fms/fms_service.py

@@ -69,13 +69,16 @@ class FMS(AWSService):
                     for fms_compliance_status in page.get(
                         "PolicyComplianceStatusList", []
                     ):
+                        compliance_status = ""
+                        if fms_compliance_status.get("EvaluationResults"):
+                            compliance_status = fms_compliance_status.get(
+                                "EvaluationResults"
+                            )[0].get("ComplianceStatus", "")
                         fms_policy.compliance_status.append(
                             PolicyAccountComplianceStatus(
                                 account_id=fms_compliance_status.get("MemberAccount"),
                                 policy_id=fms_compliance_status.get("PolicyId"),
-                                status=fms_compliance_status.get("EvaluationResults")[
-                                    0
-                                ].get("ComplianceStatus"),
+                                status=compliance_status,
                             )
                         )
 

prowler/providers/aws/services/iam/iam_service.py

@@ -453,12 +453,29 @@ class IAM(AWSService):
                                     document=inline_user_policy_doc,
                                 )
                             )
-
+                        except ClientError as error:
+                            if error.response["Error"]["Code"] == "NoSuchEntity":
+                                logger.warning(
+                                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                                )
+                            else:
+                                logger.error(
+                                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                                )
                         except Exception as error:
                             logger.error(
                                 f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                             )
                 user.inline_policies = inline_user_policies
+            except ClientError as error:
+                if error.response["Error"]["Code"] == "NoSuchEntity":
+                    logger.warning(
+                        f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
+                else:
+                    logger.error(
+                        f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
             except Exception as error:
                 logger.error(
                     f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
@@ -619,9 +636,9 @@ class IAM(AWSService):
                                 entity=policy["PolicyId"],
                                 version_id=policy["DefaultVersionId"],
                                 type="Custom" if scope == "Local" else "AWS",
-                                attached=True
-                                if policy["AttachmentCount"] > 0
-                                else False,
+                                attached=(
+                                    True if policy["AttachmentCount"] > 0 else False
+                                ),
                             )
                         )
         except Exception as error:
@@ -850,9 +867,9 @@ class IAM(AWSService):
                     services_accessed > 0 and access_keys_number > 0
                 )
 
-                self.user_temporary_credentials_usage[
-                    user_data
-                ] = temporary_credentials_usage
+                self.user_temporary_credentials_usage[user_data] = (
+                    temporary_credentials_usage
+                )
 
         except Exception as error:
             logger.error(

prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.metadata.json

@@ -1,7 +1,10 @@
 {
   "Provider": "aws",
-  "CheckID": "inspector2_findings_exist",
+  "CheckID": "inspector2_active_findings_exist",
   "CheckTitle": "Check if Inspector2 findings exist",
+  "CheckAliases": [
+    "inspector2_findings_exist"
+  ],
   "CheckType": [],
   "ServiceName": "inspector2",
   "SubServiceName": "",
@@ -13,13 +16,13 @@
   "RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
   "Remediation": {
     "Code": {
-      "CLI": "aws inspector2 enable",
+      "CLI": "",
       "NativeIaC": "",
       "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Enable Inspector2",
+      "Text": "Review the active findings from Inspector2",
       "Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
     }
   },

prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py

@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.inspector2.inspector2_client import (
+    inspector2_client,
+)
+
+
+class inspector2_active_findings_exist(Check):
+    def execute(self):
+        findings = []
+        for inspector in inspector2_client.inspectors:
+            report = Check_Report_AWS(self.metadata())
+            report.resource_id = inspector.id
+            report.resource_arn = inspector.arn
+            report.region = inspector.region
+            if inspector.status == "ENABLED":
+                active_findings = 0
+                report.status = "PASS"
+                report.status_extended = "Inspector2 is enabled with no findings."
+                for finding in inspector.findings:
+                    if finding.status == "ACTIVE":
+                        active_findings += 1
+                if len(inspector.findings) > 0:
+                    report.status_extended = (
+                        "Inspector2 is enabled with no active findings."
+                    )
+                    if active_findings > 0:
+                        report.status = "FAIL"
+                        report.status_extended = (
+                            f"There are {active_findings} ACTIVE Inspector2 findings."
+                        )
+                findings.append(report)
+
+        return findings

prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.metadata.json

@@ -0,0 +1,33 @@
+{
+  "Provider": "aws",
+  "CheckID": "inspector2_is_enabled",
+  "CheckTitle": "Check if Inspector2 is enabled",
+  "CheckAliases": [
+    "inspector2_findings_exist"
+  ],
+  "CheckType": [],
+  "ServiceName": "inspector2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:inspector2:region:account-id/detector-id",
+  "Severity": "medium",
+  "ResourceType": "Other",
+  "Description": "Check if Inspector2 is enabled",
+  "Risk": "Without using AWS Inspector, you may not be aware of all the security vulnerabilities in your AWS resources, which could lead to unauthorized access, data breaches, or other security incidents.",
+  "RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws inspector2 enable",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable Inspector2",
+      "Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py

@@ -7,31 +7,17 @@ from prowler.providers.aws.services.inspector2.inspector2_client import (
 )
 
 
-class inspector2_findings_exist(Check):
+class inspector2_is_enabled(Check):
     def execute(self):
         findings = []
         for inspector in inspector2_client.inspectors:
             report = Check_Report_AWS(self.metadata())
-            report.resource_id = inspector2_client.audited_account
-            report.resource_arn = inspector2_client.audited_account_arn
+            report.resource_id = inspector.id
+            report.resource_arn = inspector.arn
             report.region = inspector.region
             if inspector.status == "ENABLED":
-                active_findings = 0
                 report.status = "PASS"
-                report.status_extended = "Inspector2 is enabled with no findings."
-                for finding in inspector.findings:
-                    if finding.status == "ACTIVE":
-                        active_findings += 1
-                if len(inspector.findings) > 0:
-                    report.status_extended = (
-                        "Inspector2 is enabled with no active findings."
-                    )
-                    if active_findings > 0:
-                        report.status = "FAIL"
-                        report.status_extended = (
-                            f"There are {active_findings} ACTIVE Inspector2 findings."
-                        )
-                findings.append(report)
+                report.status_extended = "Inspector2 is enabled."
             else:
                 if inspector2_client.audit_info.ignore_unused_services:
                     funtions_in_region = False
@@ -49,6 +35,6 @@ class inspector2_findings_exist(Check):
                 ):
                     report.status = "FAIL"
                     report.status_extended = "Inspector2 is not enabled."
-                    findings.append(report)
+            findings.append(report)
 
         return findings

prowler/providers/aws/services/inspector2/inspector2_service.py

@@ -23,7 +23,8 @@ class Inspector2(AWSService):
             ][0]
             self.inspectors.append(
                 Inspector(
-                    id=self.audited_account,
+                    id="Inspector2",
+                    arn=f"arn:{self.audited_partition}:inspector2:{regional_client.region}:{self.audited_account}:inspector2",
                     status=batch_get_account_status.get("state").get("status"),
                     region=regional_client.region,
                 )
@@ -80,6 +81,7 @@ class InspectorFinding(BaseModel):
 
 class Inspector(BaseModel):
     id: str
+    arn: str
     region: str
     status: str
     findings: list[InspectorFinding] = []

prowler/providers/aws/services/organizations/organizations_service.py

@@ -102,14 +102,13 @@ class Organizations(AWSService):
                 )
                 for page in list_policies_paginator.paginate(Filter=policy_type):
                     for policy in page["Policies"]:
-                        policy_content = self.__describe_policy__(policy.get("Id"))
-                        policy_targets = self.__list_targets_for_policy__(
-                            policy.get("Id")
-                        )
+                        policy_id = policy.get("Id")
+                        policy_content = self.__describe_policy__(policy_id)
+                        policy_targets = self.__list_targets_for_policy__(policy_id)
                         self.policies.append(
                             Policy(
                                 arn=policy.get("Arn"),
-                                id=policy.get("Id"),
+                                id=policy_id,
                                 type=policy.get("Type"),
                                 aws_managed=policy.get("AwsManaged"),
                                 content=policy_content,
@@ -134,23 +133,29 @@ class Organizations(AWSService):
 
         # This operation can be called only from the organization’s management account or by a member account that is a delegated administrator for an Amazon Web Services service.
         try:
-            policy_desc = self.client.describe_policy(PolicyId=policy_id)["Policy"]
-            policy_content = policy_desc["Content"]
-            policy_content_json = json.loads(policy_content)
+            policy_content = {}
+            if policy_id:
+                policy_content = (
+                    self.client.describe_policy(PolicyId=policy_id)
+                    .get("Policy", {})
+                    .get("Content", "")
+                )
         except Exception as error:
             logger.error(
                 f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
         finally:
-            return policy_content_json
+            return json.loads(policy_content)
 
     def __list_targets_for_policy__(self, policy_id):
         logger.info("Organizations - List Targets for policy: %s ...", policy_id)
 
         try:
-            targets_for_policy = self.client.list_targets_for_policy(
-                PolicyId=policy_id
-            )["Targets"]
+            targets_for_policy = []
+            if policy_id:
+                targets_for_policy = self.client.list_targets_for_policy(
+                    PolicyId=policy_id
+                )["Targets"]
         except Exception as error:
             logger.error(
                 f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"

prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py

@@ -1,4 +1,5 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.ec2.ec2_client import ec2_client
 from prowler.providers.aws.services.rds.rds_client import rds_client
 
 
@@ -11,17 +12,23 @@ class rds_instance_no_public_access(Check):
             report.resource_id = db_instance.id
             report.resource_arn = db_instance.arn
             report.resource_tags = db_instance.tags
-            if not db_instance.public:
-                report.status = "PASS"
-                report.status_extended = (
-                    f"RDS Instance {db_instance.id} is not Publicly Accessible."
-                )
-            else:
-                report.status = "FAIL"
-                report.status_extended = (
-                    f"RDS Instance {db_instance.id} is set as Publicly Accessible."
-                )
-
+            report.status = "PASS"
+            report.status_extended = (
+                f"RDS Instance {db_instance.id} is not publicly accessible."
+            )
+            if db_instance.public:
+                # Check if any DB Instance Security Group is publicly open
+                if db_instance.security_groups:
+                    report.status = "PASS"
+                    report.status_extended = f"RDS Instance {db_instance.id} is public but filtered with security groups."
+                    for security_group in ec2_client.security_groups:
+                        if (
+                            security_group.id in db_instance.security_groups
+                            and security_group.public_ports
+                        ):
+                            report.status = "FAIL"
+                            report.status_extended = f"RDS Instance {db_instance.id} is set as publicly accessible."
+                            break
             findings.append(report)
 
         return findings

prowler/providers/aws/services/rds/rds_service.py

@@ -68,6 +68,11 @@ class RDS(AWSService):
                                         for item in instance["DBParameterGroups"]
                                     ],
                                     multi_az=instance["MultiAZ"],
+                                    security_groups=[
+                                        sg["VpcSecurityGroupId"]
+                                        for sg in instance["VpcSecurityGroups"]
+                                        if sg["Status"] == "active"
+                                    ],
                                     cluster_id=instance.get("DBClusterIdentifier"),
                                     cluster_arn=f"arn:{self.audited_partition}:rds:{regional_client.region}:{self.audited_account}:cluster:{instance.get('DBClusterIdentifier')}",
                                     region=regional_client.region,
@@ -232,7 +237,15 @@ class RDS(AWSService):
                     for att in response["DBClusterSnapshotAttributes"]:
                         if "all" in att["AttributeValues"]:
                             snapshot.public = True
-
+        except ClientError as error:
+            if error.response["Error"]["Code"] == "DBClusterSnapshotNotFoundFault":
+                logger.warning(
+                    f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+            else:
+                logger.error(
+                    f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
         except Exception as error:
             logger.error(
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
@@ -287,6 +300,7 @@ class DBInstance(BaseModel):
     multi_az: bool
     parameter_groups: list[str] = []
     parameters: list[dict] = []
+    security_groups: list[str] = []
     cluster_id: Optional[str]
     cluster_arn: Optional[str]
     region: str

prowler/providers/aws/services/route53/route53_service.py

@@ -87,12 +87,12 @@ class Route53(AWSService):
                 )
                 for page in list_query_logging_configs_paginator.paginate():
                     for logging_config in page["QueryLoggingConfigs"]:
-                        self.hosted_zones[
-                            hosted_zone.id
-                        ].logging_config = LoggingConfig(
-                            cloudwatch_log_group_arn=logging_config[
-                                "CloudWatchLogsLogGroupArn"
-                            ]
+                        self.hosted_zones[hosted_zone.id].logging_config = (
+                            LoggingConfig(
+                                cloudwatch_log_group_arn=logging_config[
+                                    "CloudWatchLogsLogGroupArn"
+                                ]
+                            )
                         )
 
         except Exception as error:

prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py

@@ -46,9 +46,24 @@ class s3_bucket_policy_public_write_access(Check):
                             and "*" in str(statement["Principal"])
                         )
                         and (
-                            "s3:PutObject" in statement["Action"]
-                            or "*" in statement["Action"]
-                            or "s3:*" in statement["Action"]
+                            (
+                                isinstance(statement["Action"], list)
+                                and (
+                                    "s3:PutObject" in statement["Action"]
+                                    or "*" in statement["Action"]
+                                    or "s3:*" in statement["Action"]
+                                    or "s3:Put*" in statement["Action"]
+                                )
+                            )
+                            or (
+                                isinstance(statement["Action"], str)
+                                and (
+                                    "s3:PutObject" == statement["Action"]
+                                    or "*" == statement["Action"]
+                                    or "s3:*" == statement["Action"]
+                                    or "s3:Put*" == statement["Action"]
+                                )
+                            )
                         )
                     ):
                         report.status = "FAIL"

prowler/providers/aws/services/wellarchitected/wellarchitected_service.py

@@ -1,5 +1,6 @@
 from typing import Optional
 
+from botocore.client import ClientError
 from pydantic import BaseModel
 
 from prowler.lib.logger import logger
@@ -49,6 +50,15 @@ class WellArchitected(AWSService):
                     WorkloadArn=workload.arn
                 )["Tags"]
                 workload.tags = [response]
+        except ClientError as error:
+            if error.response["Error"]["Code"] == "BadRequestException":
+                logger.warning(
+                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+            else:
+                logger.error(
+                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
         except Exception as error:
             logger.error(
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"

prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py

@@ -17,7 +17,7 @@ class wellarchitected_workload_no_high_or_medium_risks(Check):
             report.status_extended = f"Well Architected workload {workload.name} does not contain high or medium risks."
             if "HIGH" in workload.risks or "MEDIUM" in workload.risks:
                 report.status = "FAIL"
-                report.status_extended = f"Well Architected workload {workload.name} contains {workload.risks.get('HIGH',0)} high and {workload.risks.get('MEDIUM',0)} medium risks."
+                report.status_extended = f"Well Architected workload {workload.name} contains {workload.risks.get('HIGH' , 0)} high and {workload.risks.get('MEDIUM' , 0)} medium risks."
 
             findings.append(report)
         return findings

prowler/providers/azure/azure_provider.py

@@ -1,9 +1,10 @@
+import asyncio
 import sys
 from os import getenv
 
 from azure.identity import DefaultAzureCredential, InteractiveBrowserCredential
 from azure.mgmt.subscription import SubscriptionClient
-from msgraph.core import GraphClient
+from msgraph import GraphServiceClient
 
 from prowler.lib.logger import logger
 from prowler.providers.azure.lib.audit_info.models import Azure_Identity_Info
@@ -100,55 +101,57 @@ class Azure_Provider:
         subscription_ids,
     ):
         identity = Azure_Identity_Info()
-
         # If credentials comes from service principal or browser, if the required permissions are assigned
         # the identity can access AAD and retrieve the tenant domain name.
         # With cli also should be possible but right now it does not work, azure python package issue is coming
         # At the time of writting this with az cli creds is not working, despite that is included
         if sp_env_auth or browser_auth or az_cli_auth:
-            # Trying to recover tenant domain info
-            try:
-                logger.info(
-                    "Trying to retrieve tenant domain from AAD to populate identity structure ..."
-                )
-                client = GraphClient(credential=credentials)
-                domain_result = client.get("/domains").json()
-                if "value" in domain_result:
-                    if "id" in domain_result["value"][0]:
-                        identity.domain = domain_result["value"][0]["id"]
-            except Exception as error:
-                logger.error(
-                    "Provided identity does not have permissions to access AAD to retrieve tenant domain"
-                )
-                logger.error(
-                    f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
-                )
-            # since that exception is not considered as critical, we keep filling another identity fields
-            if sp_env_auth:
-                # The id of the sp can be retrieved from environment variables
-                identity.identity_id = getenv("AZURE_CLIENT_ID")
-                identity.identity_type = "Service Principal"
-            # Same here, if user can access AAD, some fields are retrieved if not, default value, for az cli
-            # should work but it doesn't, pending issue
-            else:
-                identity.identity_id = "Unknown user id (Missing AAD permissions)"
-                identity.identity_type = "User"
+
+            async def get_azure_identity():
+                # Trying to recover tenant domain info
                 try:
                     logger.info(
-                        "Trying to retrieve user information from AAD to populate identity structure ..."
+                        "Trying to retrieve tenant domain from AAD to populate identity structure ..."
                     )
-                    client = GraphClient(credential=credentials)
-                    user_name = client.get("/me").json()
-                    if "userPrincipalName" in user_name:
-                        identity.identity_id = user_name
+                    client = GraphServiceClient(credentials=credentials)
+
+                    domain_result = await client.domains.get()
+                    if getattr(domain_result, "value"):
+                        if getattr(domain_result.value[0], "id"):
+                            identity.domain = domain_result.value[0].id
 
                 except Exception as error:
-                    logger.error(
-                        "Provided identity does not have permissions to access AAD to retrieve user's metadata"
-                    )
                     logger.error(
                         f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
                     )
+                # since that exception is not considered as critical, we keep filling another identity fields
+                if sp_env_auth:
+                    # The id of the sp can be retrieved from environment variables
+                    identity.identity_id = getenv("AZURE_CLIENT_ID")
+                    identity.identity_type = "Service Principal"
+                # Same here, if user can access AAD, some fields are retrieved if not, default value, for az cli
+                # should work but it doesn't, pending issue
+                else:
+                    identity.identity_id = "Unknown user id (Missing AAD permissions)"
+                    identity.identity_type = "User"
+                    try:
+                        logger.info(
+                            "Trying to retrieve user information from AAD to populate identity structure ..."
+                        )
+                        client = GraphServiceClient(credentials=credentials)
+
+                        me = await client.me.get()
+                        if me:
+                            if getattr(me, "user_principal_name"):
+                                identity.identity_id = me.user_principal_name
+
+                    except Exception as error:
+                        logger.error(
+                            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+                        )
+
+            asyncio.run(get_azure_identity())
+
         # Managed identities only can be assigned resource, resource group and subscription scope permissions
         elif managed_entity_auth:
             identity.identity_id = "Default Managed Identity ID"

prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_additional_email_configured_with_a_security_contact",
+  "CheckTitle": "Ensure 'Additional email addresses' is Configured with a Security Contact Email",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "AzureEmailNotifications",
+  "Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.",
+  "Risk": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/security-contact-email.html",
+      "Terraform": "https://docs.bridgecrew.io/docs/ensure-that-security-contact-emails-is-set#terraform"
+    },
+    "Recommendation": {
+      "Text": "1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field 7. Click Save",
+      "Url": "https://learn.microsoft.com/en-us/rest/api/defenderforcloud/security-contacts/list?view=rest-defenderforcloud-2020-01-01-preview&tabs=HTTP"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.py

@@ -0,0 +1,36 @@
+import re
+
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_additional_email_configured_with_a_security_contact(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            security_contacts,
+        ) in defender_client.security_contacts.items():
+            for contact_name, contact_info in security_contacts.items():
+                report = Check_Report_Azure(self.metadata())
+                report.status = "PASS"
+                report.subscription = subscription_name
+                report.resource_name = contact_name
+                report.resource_id = contact_info.resource_id
+                report.status_extended = f"There is another correct email configured for susbscription {subscription_name}."
+
+                emails = contact_info.emails.split(";")
+
+                for email in emails:
+                    if re.fullmatch(
+                        r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b", email
+                    ):
+                        break
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"There is not another correct email configured for susbscription {subscription_name}."
+
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_auto_provisioning_log_analytics_agent_vms_on",
+  "CheckTitle": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "AzureDefenderPlan",
+  "Description": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.",
+  "Risk": "Missing critical security information about your Azure VMs, such as security alerts, security recommendations, and change tracking.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/automatic-provisioning-of-monitoring-agent.html",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure comprehensive visibility into possible security vulnerabilities, including missing updates, misconfigured operating system security settings, and active threats, allowing for timely mitigation and improved overall security posture",
+      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.py

@@ -0,0 +1,29 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_auto_provisioning_log_analytics_agent_vms_on(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            auto_provisioning_settings,
+        ) in defender_client.auto_provisioning_settings.items():
+
+            for auto_provisioning_setting in auto_provisioning_settings.values():
+
+                report = Check_Report_Azure(self.metadata())
+                report.status = "PASS"
+                report.subscription = subscription_name
+                report.resource_name = auto_provisioning_setting.resource_name
+                report.resource_id = auto_provisioning_setting.resource_id
+                report.status_extended = f"Defender Auto Provisioning Log Analytics Agents from subscription {subscription_name} is set to ON."
+
+                if auto_provisioning_setting.auto_provision != "On":
+                    report.status = "FAIL"
+                    report.status_extended = f"Defender Auto Provisioning Log Analytics Agents from subscription {subscription_name} is set to OFF."
+
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_auto_provisioning_vulnerabilty_assessments_machines_on",
+  "CheckTitle": "Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "AzureDefenderPlan",
+  "Description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.",
+  "Risk": "Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/automatic-provisioning-vulnerability-assessment-machines.html",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud. 3. Then Environment Settings. 4. Select a subscription. 5. Click on Settings & Monitoring. 6. Ensure that Vulnerability assessment for machines is set to On. Repeat this for any additional subscriptions.",
+      "Url": ""
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Additional licensing is required and configuration of Azure Arc introduces complexity beyond this recommendation."
+}

prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.py

@@ -0,0 +1,39 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_auto_provisioning_vulnerabilty_assessments_machines_on(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            assessments,
+        ) in defender_client.assessments.items():
+            if (
+                "Machines should have a vulnerability assessment solution"
+                in assessments
+            ):
+                report = Check_Report_Azure(self.metadata())
+                report.status = "PASS"
+                report.subscription = subscription_name
+                report.resource_name = assessments[
+                    "Machines should have a vulnerability assessment solution"
+                ].resource_name
+                report.resource_id = assessments[
+                    "Machines should have a vulnerability assessment solution"
+                ].resource_id
+                report.status_extended = f"Vulnerability assessment is set up in all VMs in subscription {subscription_name}."
+
+                if (
+                    assessments[
+                        "Machines should have a vulnerability assessment solution"
+                    ].status
+                    == "Unhealthy"
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Vulnerability assessment is not set up in all VMs in subscription {subscription_name}."
+
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_ensure_iot_hub_defender_is_on",
+  "CheckTitle": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "DefenderIoT",
+  "Description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.",
+  "Risk": "IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.",
+  "RelatedUrl": "https://azure.microsoft.com/en-us/services/iot-defender/#overview",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. Go to IoT Hub. 2. Select a IoT Hub to validate. 3. Select Overview in Defender for IoT. 4. Click on Secure your IoT solution, and complete the onboarding.",
+      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Enabling Microsoft Defender for IoT will incur additional charges dependent on the level of usage."
+}

prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.py

@@ -0,0 +1,41 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_ensure_iot_hub_defender_is_on(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            iot_security_solutions,
+        ) in defender_client.iot_security_solutions.items():
+
+            if not iot_security_solutions:
+                report = Check_Report_Azure(self.metadata())
+                report.status = "FAIL"
+                report.subscription = subscription_name
+                report.resource_name = "IoT Hub Defender"
+                report.resource_id = "IoT Hub Defender"
+                report.status_extended = f"No IoT Security Solutions found in the subscription {subscription_name}."
+                findings.append(report)
+                continue
+
+            for (
+                iot_security_solution_name,
+                iot_security_solution,
+            ) in iot_security_solutions.items():
+                report = Check_Report_Azure(self.metadata())
+                report.status = "PASS"
+                report.subscription = subscription_name
+                report.resource_name = iot_security_solution_name
+                report.resource_id = iot_security_solution.resource_id
+                report.status_extended = f"The security solution {iot_security_solution_name} is enabled in susbscription {subscription_name}."
+
+                if iot_security_solution.status != "Enabled":
+                    report.status = "FAIL"
+                    report.status_extended = f"The security solution {iot_security_solution_name} is disabled in susbscription {subscription_name}"
+
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_ensure_mcas_is_enabled",
+  "CheckTitle": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "DefenderSettings",
+  "Description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.",
+  "Risk": "Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.",
+  "RelatedUrl": "https://learn.microsoft.com/en-in/azure/defender-for-cloud/defender-for-cloud-introduction#secure-cloud-applications",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-cloud-apps-integration.html#",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud. 3. Select Environment Settings blade. 4. Select the subscription. 5. Check App Service Defender Plan to On. 6. Select Save.",
+      "Url": "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource."
+}

prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.py

@@ -0,0 +1,28 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_ensure_mcas_is_enabled(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            settings,
+        ) in defender_client.settings.items():
+            report = Check_Report_Azure(self.metadata())
+            report.status = "FAIL"
+            report.subscription = subscription_name
+            report.resource_name = "MCAS"
+            report.resource_id = "MCAS"
+            report.status_extended = f"Microsoft Defender for Cloud Apps not exists for subscription {subscription_name}."
+            if "MCAS" in settings:
+                report.resource_id = settings["MCAS"].resource_id
+                report.status_extended = f"Microsoft Defender for Cloud Apps is disabeld for subscription {subscription_name}."
+                if settings["MCAS"].enabled:
+                    report.status = "PASS"
+                    report.status_extended = f"Microsoft Defender for Cloud Apps is enabled for subscription {subscription_name}."
+
+            findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_ensure_notify_alerts_severity_is_high",
+  "CheckTitle": "Ensure That 'Notify about alerts with the following severity' is Set to 'High'",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "AzureEmailNotifications",
+  "Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.",
+  "Risk": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/enable-high-severity-email-notifications.html",
+      "Terraform": "https://docs.bridgecrew.io/docs/bc_azr_general_4#terraform"
+    },
+    "Recommendation": {
+      "Text": "1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field 7. Click Save",
+      "Url": "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.py

@@ -0,0 +1,27 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_ensure_notify_alerts_severity_is_high(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            security_contacts,
+        ) in defender_client.security_contacts.items():
+            for contact_name, contact_info in security_contacts.items():
+                report = Check_Report_Azure(self.metadata())
+                report.status = "PASS"
+                report.subscription = subscription_name
+                report.resource_name = contact_name
+                report.resource_id = contact_info.resource_id
+                report.status_extended = f"Notifiy alerts are enabled for severity high in susbscription {subscription_name}."
+
+                if contact_info.alert_notifications_minimal_severity != "High":
+                    report.status = "FAIL"
+                    report.status_extended = f"Notifiy alerts are not enabled for severity high in susbscription {subscription_name}."
+
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_ensure_notify_emails_to_owners",
+  "CheckTitle": "Ensure That 'All users with the following roles' is set to 'Owner'",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "AzureEmailNotifications",
+  "Description": "Enable security alert emails to subscription owners.",
+  "Risk": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/email-to-subscription-owners.html",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. In the drop down of the All users with the following roles field select Owner 7. Click Save",
+      "Url": "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.py

@@ -0,0 +1,34 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_ensure_notify_emails_to_owners(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            security_contacts,
+        ) in defender_client.security_contacts.items():
+
+            for contact_name, contact_info in security_contacts.items():
+
+                report = Check_Report_Azure(self.metadata())
+                report.status = "PASS"
+                report.subscription = subscription_name
+                report.resource_name = contact_name
+                report.resource_id = contact_info.resource_id
+                report.status_extended = (
+                    f"The Owner role is notified for subscription {subscription_name}."
+                )
+
+                if (
+                    contact_info.notified_roles_state != "On"
+                    or "Owner" not in contact_info.notified_roles
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"The Owner role is not notified for subscription {subscription_name}."
+
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_ensure_system_updates_are_applied",
+  "CheckTitle": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "AzureDefenderRecommendation",
+  "Description": "Ensure that the latest OS patches for all virtual machines are applied.",
+  "Risk": "The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/VirtualMachines/apply-latest-os-patches.html",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.",
+      "Url": "https://learn.microsoft.com/en-us/azure/virtual-machines/updates-maintenance-overview"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour."
+}

prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.py

@@ -0,0 +1,50 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.defender.defender_client import defender_client
+
+
+class defender_ensure_system_updates_are_applied(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+
+        for (
+            subscription_name,
+            assessments,
+        ) in defender_client.assessments.items():
+            if (
+                "Log Analytics agent should be installed on virtual machines"
+                in assessments
+                and "Machines should be configured to periodically check for missing system updates"
+                in assessments
+                and "System updates should be installed on your machines" in assessments
+            ):
+                report = Check_Report_Azure(self.metadata())
+                report.status = "PASS"
+                report.subscription = subscription_name
+                report.resource_name = assessments[
+                    "System updates should be installed on your machines"
+                ].resource_name
+                report.resource_id = assessments[
+                    "System updates should be installed on your machines"
+                ].resource_id
+                report.status_extended = f"System updates are applied for all the VMs in the subscription {subscription_name}."
+
+                if (
+                    assessments[
+                        "Log Analytics agent should be installed on virtual machines"
+                    ].status
+                    == "Unhealthy"
+                    or assessments[
+                        "Machines should be configured to periodically check for missing system updates"
+                    ].status
+                    == "Unhealthy"
+                    or assessments[
+                        "System updates should be installed on your machines"
+                    ].status
+                    == "Unhealthy"
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"System updates are not applied for all the VMs in the subscription {subscription_name}."
+
+                findings.append(report)
+
+        return findings

prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "defender_ensure_wdatp_is_enabled",
+  "CheckTitle": "Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected",
+  "CheckType": [],
+  "ServiceName": "defender",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "DefenderSettings",
+  "Description": "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.",
+  "Risk": "Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.",
+  "RelatedUrl": "https://learn.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-endpoint-integration.html",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "",
+      "Url": "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource."
+}