chore(release): 3.16.14

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
Co-authored-by: Rubén De la Torre Vico <rubendltv22@gmail.com>

.github/CODEOWNERS

@@ -1 +1,5 @@
-* @prowler-cloud/prowler-oss
+* @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+
+# To protect a repository fully against unauthorized changes, you also need to define an owner for the CODEOWNERS file itself.
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection
+/.github/ @prowler-cloud/sdk

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -1,6 +1,6 @@
 name:  💡 Feature Request
 description: Suggest an idea for this project
-labels: ["enhancement", "status/needs-triage"]
+labels: ["feature-request", "status/needs-triage"]
 
 
 body:

.github/dependabot.yml

@@ -13,3 +13,8 @@ updates:
     labels:
       - "dependencies"
       - "pip"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    target-branch: master

.github/labeler.yml

@@ -0,0 +1,27 @@
+documentation:
+  - changed-files:
+      - any-glob-to-any-file: "docs/**"
+
+provider/aws:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/aws/**"
+      - any-glob-to-any-file: "tests/providers/aws/**"
+
+provider/azure:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/azure/**"
+      - any-glob-to-any-file: "tests/providers/azure/**"
+
+provider/gcp:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/gcp/**"
+      - any-glob-to-any-file: "tests/providers/gcp/**"
+
+provider/kubernetes:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/kubernetes/**"
+      - any-glob-to-any-file: "tests/providers/kubernetes/**"
+
+github_actions:
+  - changed-files:
+      - any-glob-to-any-file: ".github/workflows/*"

.github/workflows/build-documentation-on-pr.yml

@@ -0,0 +1,24 @@
+name: Pull Request Documentation Link
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+      - 'v3'
+    paths:
+      - 'docs/**'
+
+env:
+  PR_NUMBER: ${{ github.event.pull_request.number }}
+
+jobs:
+  documentation-link:
+    name: Documentation Link
+    runs-on: ubuntu-latest
+    steps:
+      - name: Leave PR comment with the SaaS Documentation URI
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          body: |
+            You can check the documentation for this PR here -> [SaaS Documentation](https://prowler-prowler-docs--${{ env.PR_NUMBER }}.com.readthedocs.build/projects/prowler-open-source/en/${{ env.PR_NUMBER }}/)

.github/workflows/build-lint-push-containers.yml

@@ -3,6 +3,7 @@ name: build-lint-push-containers
 on:
   push:
     branches:
+      - "v3"
       - "master"
     paths-ignore:
       - ".github/**"
@@ -13,52 +14,98 @@ on:
     types: [published]
 
 env:
+  # AWS Configuration
   AWS_REGION_STG: eu-west-1
   AWS_REGION_PLATFORM: eu-west-1
   AWS_REGION: us-east-1
+
+  # Container's configuration
   IMAGE_NAME: prowler
+  DOCKERFILE_PATH: ./Dockerfile
+
+  # Tags
   LATEST_TAG: latest
   STABLE_TAG: stable
-  TEMPORARY_TAG: temporary
-  DOCKERFILE_PATH: ./Dockerfile
-  PYTHON_VERSION: 3.9
+  # The RELEASE_TAG is set during runtime in releases
+  RELEASE_TAG: ""
+  # The PROWLER_VERSION and PROWLER_VERSION_MAJOR are set during runtime in releases
+  PROWLER_VERSION: ""
+  PROWLER_VERSION_MAJOR: ""
+  # TEMPORARY_TAG: temporary
+
+  # Python configuration
+  PYTHON_VERSION: 3.12
 
 jobs:
   # Build Prowler OSS container
   container-build-push:
     # needs: dockerfile-linter
     runs-on: ubuntu-latest
+    outputs:
+      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
+      prowler_version: ${{ steps.update-prowler-version.outputs.PROWLER_VERSION }}
     env:
       POETRY_VIRTUALENVS_CREATE: "false"
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Setup python (release)
-        if: github.event_name == 'release'
-        uses: actions/setup-python@v2
+      - name: Setup Python
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
-      - name: Install dependencies (release)
-        if: github.event_name == 'release'
+      - name: Install Poetry
         run: |
           pipx install poetry
           pipx inject poetry poetry-bumpversion
 
+      - name: Get Prowler version
+        id: get-prowler-version
+        run: |
+          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+
+          # Store prowler version major just for the release
+          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION_MAJOR=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
+
+          case ${PROWLER_VERSION_MAJOR} in
+          3)
+              echo "LATEST_TAG=v3-latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=v3-stable" >> "${GITHUB_ENV}"
+              ;;
+
+          4)
+              echo "LATEST_TAG=latest" >> "${GITHUB_ENV}"
+              echo "STABLE_TAG=stable" >> "${GITHUB_ENV}"
+              ;;
+
+          *)
+              # Fallback if any other version is present
+              echo "Releasing another Prowler major version, aborting..."
+              exit 1
+              ;;
+          esac
+
       - name: Update Prowler version (release)
+        id: update-prowler-version
         if: github.event_name == 'release'
         run: |
-          poetry version ${{ github.event.release.tag_name }}
-
+          PROWLER_VERSION="${{ github.event.release.tag_name }}"
+          poetry version "${PROWLER_VERSION}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
+          
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: public.ecr.aws
           username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -67,11 +114,11 @@ jobs:
           AWS_REGION: ${{ env.AWS_REGION }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push container image (latest)
         if: github.event_name == 'push'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           push: true
           tags: |
@@ -83,16 +130,16 @@ jobs:
 
       - name: Build and push container image (release)
         if: github.event_name == 'release'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           # Use local context to get changes
           # https://github.com/docker/build-push-action#path-context
           context: .
           push: true
           tags: |
-            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+            ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
             ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
-            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+            ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.PROWLER_VERSION }}
             ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.STABLE_TAG }}
           file: ${{ env.DOCKERFILE_PATH }}
           cache-from: type=gha
@@ -102,16 +149,26 @@ jobs:
     needs: container-build-push
     runs-on: ubuntu-latest
     steps:
-      - name: Get latest commit info
+      - name: Get latest commit info (latest)
         if: github.event_name == 'push'
         run: |
           LATEST_COMMIT_HASH=$(echo ${{ github.event.after }} | cut -b -7)
           echo "LATEST_COMMIT_HASH=${LATEST_COMMIT_HASH}" >> $GITHUB_ENV
-      - name: Dispatch event for latest
-        if: github.event_name == 'push'
+
+      - name: Dispatch event (latest)
+        if: github.event_name == 'push' && needs.container-build-push.outputs.prowler_version_major == '3'
         run: |
-          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" --data '{"event_type":"dispatch","client_payload":{"version":"latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
-      - name: Dispatch event for release
-        if: github.event_name == 'release'
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'
+
+      - name: Dispatch event (release)
+        if: github.event_name == 'release' && needs.container-build-push.outputs.prowler_version_major == '3'
         run: |
-          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ github.event.release.tag_name }}"}}'
+          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'

.github/workflows/codeql.yml

@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "master", "prowler-4.0-dev" ]
+    branches: [ "master", "v3" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "master", "prowler-4.0-dev" ]
+    branches: [ "master", "v3" ]
   schedule:
     - cron: '00 12 * * *'
 
@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,6 +52,6 @@ jobs:
         # queries: security-extended,security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/find-secrets.yml

@@ -7,12 +7,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.4.4
+        uses: trufflesecurity/trufflehog@v3.80.1
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}
           head: HEAD
+          extra_args: --only-verified

.github/workflows/labeler.yml

@@ -0,0 +1,16 @@
+name: "Pull Request Labeler"
+
+on:
+    pull_request_target:
+      branches:
+        - "master"
+        - "v3"
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@v5

.github/workflows/pull-request.yml

@@ -4,23 +4,23 @@ on:
   push:
     branches:
       - "master"
-      - "prowler-4.0-dev"
+      - "v3"
   pull_request:
     branches:
       - "master"
-      - "prowler-4.0-dev"
+      - "v3"
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11"]
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Test if changes are in not ignored paths
         id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@v41
+        uses: tj-actions/changed-files@v44
         with:
           files: ./**
           files_ignore: |
@@ -36,7 +36,7 @@ jobs:
           pipx install poetry
       - name: Set up Python ${{ matrix.python-version }}
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
@@ -73,7 +73,7 @@ jobs:
       - name: Safety
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
-          poetry run safety check
+          poetry run safety check --ignore 70612
       - name: Vulture
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
         run: |
@@ -88,6 +88,6 @@ jobs:
           poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
       - name: Upload coverage reports to Codecov
         if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/pypi-release.yml

@@ -6,7 +6,10 @@ on:
 
 env:
   RELEASE_TAG: ${{ github.event.release.tag_name }}
-  GITHUB_BRANCH: master
+  PYTHON_VERSION: 3.11
+  CACHE: "poetry"
+  # TODO: create a bot user for this kind of tasks, like prowler-bot
+  GIT_COMMITTER_EMAIL: "sergio@prowler.com"
 
 jobs:
   release-prowler-job:
@@ -15,56 +18,80 @@ jobs:
       POETRY_VIRTUALENVS_CREATE: "false"
     name: Release Prowler to PyPI
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
-        with:
-          ref: ${{ env.GITHUB_BRANCH }}
+      - name: Get Prowler version
+        run: |
+          PROWLER_VERSION="${{ env.RELEASE_TAG }}"
+
+          case ${PROWLER_VERSION%%.*} in
+          3)
+              echo "Releasing Prowler v3 with tag ${PROWLER_VERSION}"
+              ;;
+          4)
+              echo "Releasing Prowler v4 with tag ${PROWLER_VERSION}"
+              ;;
+          *)
+              echo "Releasing another Prowler major version, aborting..."
+              exit 1
+              ;;
+          esac
+
+      - uses: actions/checkout@v4
+
       - name: Install dependencies
         run: |
           pipx install poetry
           pipx inject poetry poetry-bumpversion
-      - name: setup python
-        uses: actions/setup-python@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.9
-          cache: 'poetry'
-      - name: Change version and Build package
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: ${{ env.CACHE }}
+
+      - name: Update Poetry and config version
         run: |
           poetry version ${{ env.RELEASE_TAG }}
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+
+      - name: Push updated version to the release tag
+        run: |
+          # Configure Git
           git config user.name "github-actions"
-          git config user.email "<noreply@github.com>"
+          git config user.email "${{ env.GIT_COMMITTER_EMAIL }}"
+
+          # Add the files with the version changed
           git add prowler/config/config.py pyproject.toml
-          git commit -m "chore(release): ${{ env.RELEASE_TAG }}" --no-verify
-          git tag -fa ${{ env.RELEASE_TAG }} -m "chore(release): ${{ env.RELEASE_TAG }}"
+          git commit -m "chore(release): ${{ env.RELEASE_TAG }}" --no-verify -S
+
+          # Replace the tag with the version updated
+          git tag -fa ${{ env.RELEASE_TAG }} -m "chore(release): ${{ env.RELEASE_TAG }}" --sign
+
+          # Push the tag
           git push -f origin ${{ env.RELEASE_TAG }}
+
+      - name: Build Prowler package
+        run: |
           poetry build
-      - name: Publish prowler package to PyPI
+
+      - name: Publish Prowler package to PyPI
         run: |
           poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
           poetry publish
-      # Create pull request with new version
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
-        with:
-          token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
-          commit-message: "chore(release): update Prowler Version to ${{ env.RELEASE_TAG }}."
-          branch: release-${{ env.RELEASE_TAG }}
-          labels: "status/waiting-for-revision, severity/low"
-          title: "chore(release): update Prowler Version to ${{ env.RELEASE_TAG }}"
-          body: |
-            ### Description
 
-            This PR updates Prowler Version to ${{ env.RELEASE_TAG }}.
-
-            ### License
-
-            By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
-      - name: Replicate PyPi Package
+      - name: Replicate PyPI package
         run: |
           rm -rf ./dist && rm -rf ./build && rm -rf prowler.egg-info
           pip install toml
           python util/replicate_pypi_package.py
           poetry build
+
       - name: Publish prowler-cloud package to PyPI
         run: |
           poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}

.github/workflows/refresh_aws_services_regions.yml

@@ -23,12 +23,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ env.GITHUB_BRANCH }}
 
       - name: setup python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9 #install the python needed
 
@@ -38,7 +38,7 @@ jobs:
           pip install boto3
 
       - name: Configure AWS Credentials -- DEV
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: ${{ env.AWS_REGION_DEV }}
           role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -50,12 +50,12 @@ jobs:
 
       # Create pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
           commit-message: "feat(regions_update): Update regions for AWS services."
           branch: "aws-services-regions-updated-${{ github.sha }}"
-          labels: "status/waiting-for-revision, severity/low"
+          labels: "status/waiting-for-revision, severity/low, provider/aws"
           title: "chore(regions_update): Changes in regions for AWS services."
           body: |
             ### Description

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   ## GENERAL
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-merge-conflict
       - id: check-yaml
@@ -15,7 +15,7 @@ repos:
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.10.0
+    rev: v2.12.0
     hooks:
       - id: pretty-format-toml
         args: [--autofix]
@@ -28,7 +28,7 @@ repos:
       - id: shellcheck
   ## PYTHON
   - repo: https://github.com/myint/autoflake
-    rev: v2.2.0
+    rev: v2.2.1
     hooks:
       - id: autoflake
         args:
@@ -39,25 +39,25 @@ repos:
           ]
 
   - repo: https://github.com/timothycrosley/isort
-    rev: 5.12.0
+    rev: 5.13.2
     hooks:
       - id: isort
         args: ["--profile", "black"]
 
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 24.1.1
     hooks:
       - id: black
 
   - repo: https://github.com/pycqa/flake8
-    rev: 6.1.0
+    rev: 7.0.0
     hooks:
       - id: flake8
         exclude: contrib
         args: ["--ignore=E266,W503,E203,E501,W605"]
 
   - repo: https://github.com/python-poetry/poetry
-    rev: 1.6.0 # add version here
+    rev: 1.7.0
     hooks:
       - id: poetry-check
       - id: poetry-lock
@@ -80,18 +80,12 @@ repos:
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        # entry: bash -c 'trufflehog git file://. --only-verified --fail'
+        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
         # For running trufflehog in docker, use the following entry instead:
-        entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
         language: system
         stages: ["commit", "push"]
 
-      - id: pytest-check
-        name: pytest-check
-        entry: bash -c 'pytest tests -n auto'
-        language: system
-        files: '.*\.py'
-
       - id: bandit
         name: bandit
         description: "Bandit is a tool for finding common security issues in Python code"
@@ -102,7 +96,7 @@ repos:
       - id: safety
         name: safety
         description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        entry: bash -c 'safety check'
+        entry: bash -c 'safety check --ignore 70612'
         language: system
 
       - id: vulture

.readthedocs.yaml

@@ -8,16 +8,18 @@ version: 2
 build:
   os: "ubuntu-22.04"
   tools:
-    python: "3.9"
+    python: "3.11"
   jobs:
     post_create_environment:
       # Install poetry
       # https://python-poetry.org/docs/#installing-manually
-      - pip install poetry
-      # Tell poetry to not use a virtual environment
-      - poetry config virtualenvs.create false
+      - python -m pip install poetry
     post_install:
-      - poetry install -E docs
+      # Install dependencies with 'docs' dependency group
+      # https://python-poetry.org/docs/managing-dependencies/#dependency-groups
+      # VIRTUAL_ENV needs to be set manually for now.
+      # See https://github.com/readthedocs/readthedocs.org/pull/11152/
+      - VIRTUAL_ENV=${READTHEDOCS_VIRTUALENV_PATH} python -m poetry install --only=docs
 
 mkdocs:
   configuration: mkdocs.yml

CODE_OF_CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at community@prowler.cloud. All
+reported by contacting the project team at [support.prowler.com](https://customer.support.prowler.com/servicedesk/customer/portals). All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CONTRIBUTING.md

@@ -10,4 +10,4 @@
 Want some swag as appreciation for your contribution?
 
 # Prowler Developer Guide
-https://docs.prowler.cloud/en/latest/tutorials/developer-guide/
+https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/introduction/

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11-alpine
+FROM python:3.12-alpine
 
 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-Copyright 2018 Netflix, Inc.
+   Copyright @ 2024 Toni de la Fuente
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,24 +1,31 @@
 <p align="center">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-dark.png?raw=True#gh-dark-mode-only" width="150" height="36">
-  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/62c1ce73bbcdd6b9e5ba03dfcae26dfd165defd9/docs/img/prowler-pro-light.png?raw=True#gh-light-mode-only" width="15%" height="15%">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-black.png?raw=True#gh-light-mode-only" width="350" height="115">
+  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png?raw=True#gh-dark-mode-only" width="350" height="115">
 </p>
 <p align="center">
-  <b><i>See all the things you and your team can do with ProwlerPro at <a href="https://prowler.pro">prowler.pro</a></i></b>
+  <b><i>Prowler SaaS </b> and <b>Prowler Open Source</b> are as dynamic and adaptable as the environment they’re meant to protect. Trusted by the leaders in security.
 </p>
+<p align="center">
+<b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
+</p>
+
+<p align="center">
+<a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img width="30" height="30" alt="Prowler community on Slack" src="https://github.com/prowler-cloud/prowler/assets/3985464/3617e470-670c-47c9-9794-ce895ebdb627"></a>
+  <br>
+<a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog">Join our Prowler community!</a>
+</p>
+
 <hr>
-<p align="center">
-  <img src="https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png" />
-</p>
 <p align="center">
   <a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
   <a href="https://pypi.org/project/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler.svg"></a>
   <a href="https://pypi.python.org/pypi/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler.svg"></a>
   <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Prowler Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=prowler%20downloads"></a>
-  <a href="https://pypistats.org/packages/prowler-cloud"><img alt="PyPI Prowler-Cloud Downloads" src="https://img.shields.io/pypi/dw/prowler-cloud.svg?label=prowler-cloud%20downloads"></a>
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/cloud/build/toniblyx/prowler"></a>
   <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/image-size/toniblyx/prowler"></a>
   <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
+  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
 </p>
 <p align="center">
   <a href="https://github.com/prowler-cloud/prowler"><img alt="Repo size" src="https://img.shields.io/github/repo-size/prowler-cloud/prowler"></a>
@@ -30,6 +37,7 @@
   <a href="https://twitter.com/ToniBlyx"><img alt="Twitter" src="https://img.shields.io/twitter/follow/toniblyx?style=social"></a>
   <a href="https://twitter.com/prowlercloud"><img alt="Twitter" src="https://img.shields.io/twitter/follow/prowlercloud?style=social"></a>
 </p>
+<hr>
 
 # Description
 
@@ -37,16 +45,16 @@
 
 It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks.
 
-| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.cloud/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.cloud/en/latest/tutorials/misc/#categories) |
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
-| AWS | 301 | 61 -> `prowler aws --list-services` | 25 -> `prowler aws --list-compliance` | 5 -> `prowler aws --list-categories` |
-| GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
-| Azure | 23 | 4 -> `prowler azure --list-services` | CIS soon | 1 -> `prowler azure --list-categories` |
-| Kubernetes | Planned | - | - | - |
+| AWS | 304 | 61 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` |
+| GCP | 75 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
+| Azure | 127 | 16 -> `prowler azure --list-services` | 2 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
+| Kubernetes | Work In Progress | - | CIS soon | - |
 
 # 📖 Documentation
 
-The full documentation can now be found at [https://docs.prowler.cloud](https://docs.prowler.cloud)
+The full documentation can now be found at [https://docs.prowler.com](https://docs.prowler.com/projects/prowler-open-source/en/latest/)
 
 ## Looking for Prowler v2 documentation?
 For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prowler/tree/2.12.1.
@@ -54,13 +62,13 @@ For Prowler v2 Documentation, please go to https://github.com/prowler-cloud/prow
 # ⚙️ Install
 
 ## Pip package
-Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9:
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with Python >= 3.9, < 3.13:
 
 ```console
 pip install prowler
 prowler -v
 ```
-More details at https://docs.prowler.cloud
+More details at [https://docs.prowler.com](https://docs.prowler.com/projects/prowler-open-source/en/latest/)
 
 ## Containers
 
@@ -77,7 +85,7 @@ The container images are available here:
 
 ## From Github
 
-Python >= 3.9 is required with pip and poetry:
+Python >= 3.9, < 3.13 is required with pip and poetry:
 
 ```
 git clone https://github.com/prowler-cloud/prowler

SECURITY.md

@@ -14,7 +14,7 @@ As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (F
 
 If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to help@prowler.pro.
 
-The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+The information you share with ProwlerPro as part of this process is kept confidential within ProwlerPro. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
 
 We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
 

docs/developer-guide/checks.md

@@ -101,7 +101,7 @@ All the checks MUST fill the `report.status` and `report.status_extended` with t
 
 - Status -- `report.status`
     - `PASS` --> If the check is passing against the configured value.
-    - `FAIL` --> If the check is passing against the configured value.
+    - `FAIL` --> If the check is failing against the configured value.
     - `INFO` --> This value cannot be used unless a manual operation is required in order to determine if the `report.status` is whether `PASS` or `FAIL`.
 - Status Extended -- `report.status_extended`
     - MUST end in a dot `.`
@@ -125,7 +125,7 @@ All the checks MUST fill the `report.resource_id` and `report.resource_arn` with
     - Resource ARN -- `report.resource_arn`
         - AWS Account --> Root ARN `arn:aws:iam::123456789012:root`
         - AWS Resource --> Resource ARN
-        - Root resource --> Root ARN `arn:aws:iam::123456789012:root`
+        - Root resource --> Resource Type ARN `f"arn:{service_client.audited_partition}:<service_name>:{service_client.region}:{service_client.audited_account}:<resource_type>"`
 - GCP
     - Resource ID -- `report.resource_id`
         - GCP Resource --> Resource ID
@@ -196,14 +196,17 @@ aws:
 As you can see in the above code, within the service client, in this case the `ec2_client`, there is an object called `audit_config` which is a Python dictionary containing the values read from the configuration file.
 
 In order to use it, you have to check first if the value is present in the configuration file. If the value is not present, you can create it in the `config.yaml` file and then, read it from the check.
-> It is mandatory to always use the `dictionary.get(value, default)` syntax to set a default value in the case the configuration value is not present.
+
+???+ note
+    It is mandatory to always use the `dictionary.get(value, default)` syntax to set a default value in the case the configuration value is not present.
 
 
 ## Check Metadata
 
 Each Prowler check has metadata associated which is stored at the same level of the check's folder in a file called A `check_name.metadata.json` containing the check's metadata.
 
-> We are going to include comments in this example metadata JSON but they cannot be included because the JSON format does not allow comments.
+???+ note
+    We are going to include comments in this example metadata JSON but they cannot be included because the JSON format does not allow comments.
 
 ```json
 {
@@ -240,11 +243,11 @@ Each Prowler check has metadata associated which is stored at the same level of
     # Code holds different methods to remediate the FAIL finding
     "Code": {
       # CLI holds the command in the provider native CLI to remediate it
-      "CLI": "https://docs.bridgecrew.io/docs/public_8#cli-command",
+      "CLI": "https://docs.prowler.com/checks/public_8#cli-command",
       # NativeIaC holds the native IaC code to remediate it, use "https://docs.bridgecrew.io/docs"
       "NativeIaC": "",
       # Other holds the other commands, scripts or code to remediate it, use "https://www.trendmicro.com/cloudoneconformity"
-      "Other": "https://docs.bridgecrew.io/docs/public_8#aws-console",
+      "Other": "https://docs.prowler.com/checks/public_8#aws-console",
       # Terraform holds the Terraform code to remediate it, use "https://docs.bridgecrew.io/docs"
       "Terraform": ""
     },

docs/developer-guide/debugging.md

@@ -0,0 +1,45 @@
+# Debugging
+
+Debugging in Prowler make things easier!
+If you are developing Prowler, it's possible that you will encounter some situations where you have to inspect the code in depth to fix some unexpected issues during the execution. To do that, if you are using VSCode you can run the code using the integrated debugger. Please, refer to this [documentation](https://code.visualstudio.com/docs/editor/debugging) for guidance about the debugger in VSCode.
+The following file is an example of the [debugging configuration](https://code.visualstudio.com/docs/editor/debugging#_launch-configurations) file that you can add to [Virtual Studio Code](https://code.visualstudio.com/).
+
+This file should inside the *.vscode* folder and its name has to be *launch.json*:
+
+```json
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Python: Current File",
+            "type": "python",
+            "request": "launch",
+            "program": "prowler.py",
+            "args": [
+                "aws",
+                "-f",
+                "eu-west-1",
+                "--service",
+                "cloudwatch",
+                "--log-level",
+                "ERROR",
+                "-p",
+                "dev",
+            ],
+            "console": "integratedTerminal",
+            "justMyCode": false
+        },
+        {
+            "name": "Python: Debug Tests",
+            "type": "python",
+            "request": "launch",
+            "program": "${file}",
+            "purpose": [
+                "debug-test"
+            ],
+            "console": "integratedTerminal",
+            "justMyCode": false
+        }
+    ]
+}
+```

docs/developer-guide/documentation.md

@@ -1,8 +1,8 @@
 ## Contribute with documentation
 
-We use `mkdocs` to build this Prowler documentation site so you can easily contribute back with new docs or improving them.
+We use `mkdocs` to build this Prowler documentation site so you can easily contribute back with new docs or improving them. To install all necessary dependencies use `poetry install --with docs`.
 
 1. Install `mkdocs` with your favorite package manager.
 2. Inside the `prowler` repository folder run `mkdocs serve` and point your browser to `http://localhost:8000` and you will see live changes to your local copy of this documentation site.
-3. Make all needed changes to docs or add new documents. To do so just edit existing md files inside `prowler/docs` and if you are adding a new section or file please make sure you add it to `mkdocs.yaml` file in the root folder of the Prowler repo.
+3. Make all needed changes to docs or add new documents. To do so just edit existing md files inside `prowler/docs` and if you are adding a new section or file please make sure you add it to `mkdocs.yml` file in the root folder of the Prowler repo.
 4. Once you are done with changes, please send a pull request to us for review and merge. Thank you in advance!

docs/developer-guide/introduction.md

@@ -1,6 +1,6 @@
 # Developer Guide
 
-You can extend Prowler in many different ways, in most cases you will want to create your own checks and compliance security frameworks, here is where you can learn about how to get started with it. We also include how to create custom outputs, integrations and more.
+You can extend Prowler Open Source in many different ways, in most cases you will want to create your own checks and compliance security frameworks, here is where you can learn about how to get started with it. We also include how to create custom outputs, integrations and more.
 
 ## Get the code and install all dependencies
 
@@ -16,7 +16,7 @@ pip install poetry
 ```
 Then install all dependencies including the ones for developers:
 ```
-poetry install
+poetry install --with dev
 poetry shell
 ```
 
@@ -31,7 +31,9 @@ You should get an output like the following:
 pre-commit installed at .git/hooks/pre-commit
 ```
 
-Before we merge any of your pull requests we pass checks to the code, we use the following tools and automation to make sure the code is secure and dependencies up-to-dated (these should have been already installed if you ran `pipenv install -d`):
+Before we merge any of your pull requests we pass checks to the code, we use the following tools and automation to make sure the code is secure and dependencies up-to-dated:
+???+ note
+    These should have been already installed if you ran `poetry install --with dev`
 
 - [`bandit`](https://pypi.org/project/bandit/) for code security review.
 - [`safety`](https://pypi.org/project/safety/) and [`dependabot`](https://github.com/features/security) for dependencies.

docs/developer-guide/security-compliance-framework.md

@@ -23,7 +23,7 @@ Each file version of a framework will have the following structure at high level
   "Requirements": [
     {
       "Id": "<unique-id>",
-      "Description": "Requiemente full description",
+      "Description": "Requirement full description",
       "Checks": [
         "Here is the prowler check or checks that is going to be executed"
       ],
@@ -38,4 +38,4 @@ Each file version of a framework will have the following structure at high level
 }
 ```
 
-Finally, to have a proper output file for your reports, your framework data model has to be created in `prowler/lib/outputs/models.py` and also the CLI table output in `prowler/lib/outputs/compliance.py`.
+Finally, to have a proper output file for your reports, your framework data model has to be created in `prowler/lib/outputs/models.py` and also the CLI table output in `prowler/lib/outputs/compliance.py`. Also, you need to add a new conditional in `prowler/lib/outputs/file_descriptors.py` if you create a new CSV model.

docs/developer-guide/services.md

@@ -175,6 +175,8 @@ class <Service>(ServiceParentClass):
                 f"{<item>.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 ```
+???+note
+    To avoid fake findings, when Prowler can't retrieve the items, because an Access Denied or similar error, we set that items value as `None`.
 
 ### Service Models
 

docs/developer-guide/unit-testing.md

@@ -40,13 +40,15 @@ Other commands to run tests:
 - Run tests for a provider service: `pytest -n auto -vvv -s -x tests/providers/<provider>/services/<service>`
 - Run tests for a provider check: `pytest -n auto -vvv -s -x tests/providers/<provider>/services/<service>/<check>`
 
-> Refer to the [pytest documentation](https://docs.pytest.org/en/7.1.x/getting-started.html) documentation for more information.
+???+ note
+    Refer to the [pytest documentation](https://docs.pytest.org/en/7.1.x/getting-started.html) documentation for more information.
 
 ## AWS
 
 For the AWS provider we have ways to test a Prowler check based on the following criteria:
 
-> Note: We use and contribute to the [Moto](https://github.com/getmoto/moto) library which allows us to easily mock out tests based on AWS infrastructure. **It's awesome!**
+???+ note
+    We use and contribute to the [Moto](https://github.com/getmoto/moto) library which allows us to easily mock out tests based on AWS infrastructure. **It's awesome!**
 
 - AWS API calls covered by [Moto](https://github.com/getmoto/moto):
     - Service tests with `@mock_<service>`
@@ -195,7 +197,8 @@ class Test_iam_password_policy_uppercase:
 
 If the IAM service for the check's we want to test is not covered by Moto, we have to inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock). As we have pointed above, we cannot instantiate the service since it will make real calls to the AWS APIs.
 
-> The following example uses the IAM GetAccountPasswordPolicy which is covered by Moto but this is only for demonstration purposes.
+???+ note
+    The following example uses the IAM GetAccountPasswordPolicy which is covered by Moto but this is only for demonstration purposes.
 
 The following code shows how to use MagicMock to create the service objects.
 
@@ -325,7 +328,8 @@ class Test_iam_password_policy_uppercase:
 
 Note that this does not use Moto, to keep it simple, but if you use any `moto`-decorators in addition to the patch, the call to `orig(self, operation_name, kwarg)` will be intercepted by Moto.
 
-> The above code comes from here https://docs.getmoto.org/en/latest/docs/services/patching_other_services.html
+???+ note
+    The above code comes from here https://docs.getmoto.org/en/latest/docs/services/patching_other_services.html
 
 #### Mocking more than one service
 
@@ -385,7 +389,7 @@ with mock.patch(
     "prowler.providers.<provider>.lib.audit_info.audit_info.audit_info",
     new=audit_info,
 ), mock.patch(
-    "prowler.providers.aws.services.<service>.<check>.<check>.<service>_client",
+    "prowler.providers.<provider>.services.<service>.<check>.<check>.<service>_client",
     new=<SERVICE>(audit_info),
 ):
 ```
@@ -407,10 +411,10 @@ with mock.patch(
     "prowler.providers.<provider>.lib.audit_info.audit_info.audit_info",
     new=audit_info,
 ), mock.patch(
-    "prowler.providers.aws.services.<service>.<SERVICE>",
+    "prowler.providers.<provider>.services.<service>.<SERVICE>",
     new=<SERVICE>(audit_info),
 ) as service_client, mock.patch(
-    "prowler.providers.aws.services.<service>.<service>_client.<service>_client",
+    "prowler.providers.<provider>.services.<service>.<service>_client.<service>_client",
     new=service_client,
 ):
 ```
@@ -505,7 +509,113 @@ class Test_compute_firewall_rdp_access_from_the_internet_allowed:
 
 ### Services
 
-Coming soon ...
+For testing Google Cloud Services, we have to follow the same logic as with the Google Cloud checks. We still mocking all API calls, but in this case, every API call to set up an attribute is defined in [fixtures file](https://github.com/prowler-cloud/prowler/blob/master/tests/providers/gcp/gcp_fixtures.py) in `mock_api_client` function. Remember that EVERY method of a service must be tested.
+
+The following code shows a real example of a testing class, but it has more comments than usual for educational purposes.
+
+```python title="BigQuery Service Test"
+# We need to import the unittest.mock.patch to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest.mock import patch
+# Import the class needed from the service file
+from prowler.providers.gcp.services.bigquery.bigquery_service import BigQuery
+# Necessary constans and functions from fixtures file
+from tests.providers.gcp.gcp_fixtures import (
+    GCP_PROJECT_ID,
+    mock_api_client,
+    mock_is_api_active,
+    set_mocked_gcp_audit_info,
+)
+
+
+class TestBigQueryService:
+    # Only method needed to test full service
+    def test_service(self):
+        # In this case we are mocking the __is_api_active__ to ensure our mocked project is used
+        # And all the client to use our mocked API calls
+        with patch(
+            "prowler.providers.gcp.lib.service.service.GCPService.__is_api_active__",
+            new=mock_is_api_active,
+        ), patch(
+            "prowler.providers.gcp.lib.service.service.GCPService.__generate_client__",
+            new=mock_api_client,
+        ):
+            # Instantiate an object of class with the mocked provider
+            bigquery_client = BigQuery(
+                set_mocked_gcp_audit_info(project_ids=[GCP_PROJECT_ID])
+            )
+            # Check all attributes of the tested class is well set up according API calls mocked from GCP fixture file
+            assert bigquery_client.service == "bigquery"
+            assert bigquery_client.project_ids == [GCP_PROJECT_ID]
+
+            assert len(bigquery_client.datasets) == 2
+
+            assert bigquery_client.datasets[0].name == "unique_dataset1_name"
+            assert bigquery_client.datasets[0].id.__class__.__name__ == "str"
+            assert bigquery_client.datasets[0].region == "US"
+            assert bigquery_client.datasets[0].cmk_encryption
+            assert bigquery_client.datasets[0].public
+            assert bigquery_client.datasets[0].project_id == GCP_PROJECT_ID
+
+            assert bigquery_client.datasets[1].name == "unique_dataset2_name"
+            assert bigquery_client.datasets[1].id.__class__.__name__ == "str"
+            assert bigquery_client.datasets[1].region == "EU"
+            assert not bigquery_client.datasets[1].cmk_encryption
+            assert not bigquery_client.datasets[1].public
+            assert bigquery_client.datasets[1].project_id == GCP_PROJECT_ID
+
+            assert len(bigquery_client.tables) == 2
+
+            assert bigquery_client.tables[0].name == "unique_table1_name"
+            assert bigquery_client.tables[0].id.__class__.__name__ == "str"
+            assert bigquery_client.tables[0].region == "US"
+            assert bigquery_client.tables[0].cmk_encryption
+            assert bigquery_client.tables[0].project_id == GCP_PROJECT_ID
+
+            assert bigquery_client.tables[1].name == "unique_table2_name"
+            assert bigquery_client.tables[1].id.__class__.__name__ == "str"
+            assert bigquery_client.tables[1].region == "US"
+            assert not bigquery_client.tables[1].cmk_encryption
+            assert bigquery_client.tables[1].project_id == GCP_PROJECT_ID
+```
+As it can be confusing where all these values come from, I'll give an example to make this clearer. First we need to check
+what is the API call used to obtain the datasets. In this case if we check the service the call is
+`self.client.datasets().list(projectId=project_id)`.
+
+Now in the fixture file we have to mock this call in our `MagicMock` client in the function `mock_api_client`. The best way to mock
+is following the actual format, add one function where the client is passed to be changed, the format of this function name must be
+`mock_api_<endpoint>_calls` (*endpoint* refers to the first attribute pointed after *client*).
+
+In the example of BigQuery the function is called `mock_api_dataset_calls`. And inside of this function we found an assignation to
+be used in the `__get_datasets__` method in BigQuery class:
+
+```python
+# Mocking datasets
+dataset1_id = str(uuid4())
+dataset2_id = str(uuid4())
+
+client.datasets().list().execute.return_value = {
+    "datasets": [
+        {
+            "datasetReference": {
+                "datasetId": "unique_dataset1_name",
+                "projectId": GCP_PROJECT_ID,
+            },
+            "id": dataset1_id,
+            "location": "US",
+        },
+        {
+            "datasetReference": {
+                "datasetId": "unique_dataset2_name",
+                "projectId": GCP_PROJECT_ID,
+            },
+            "id": dataset2_id,
+            "location": "EU",
+        },
+    ]
+}
+```
+
 
 ## Azure
 
@@ -513,6 +623,8 @@ Coming soon ...
 
 For the Azure Provider we don't have any library to mock out the API calls we use. So in this scenario we inject the objects in the service client using [MagicMock](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.MagicMock).
 
+In essence, we create object instances and we run the check that we are testing with that instance. In the test we ensure the check executed correctly and results with the expected values.
+
 The following code shows how to use MagicMock to create the service objects for a Azure check test.
 
 ```python
@@ -523,7 +635,7 @@ from unittest import mock
 from uuid import uuid4
 
 # Azure Constants
-AZURE_SUSCRIPTION = str(uuid4())
+from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
 
 
 
@@ -542,7 +654,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
 
         # Create the custom Defender object to be tested
         defender_client.pricings = {
-            AZURE_SUSCRIPTION: {
+            AZURE_SUBSCRIPTION: {
                 "Arm": Defender_Pricing(
                     resource_id=resource_id,
                     pricing_tier="Not Standard",
@@ -553,11 +665,8 @@ class Test_defender_ensure_defender_for_arm_is_on:
 
         # In this scenario we have to mock also the Defender service and the defender_client from the check to enforce that the defender_client used is the one created within this check because patch != import, and if you execute tests in parallel some objects can be already initialised hence the check won't be isolated.
         # In this case we don't use the Moto decorator, we use the mocked Defender client for both objects
-        with mock.patch(
-            "prowler.providers.azure.services.defender.defender_service.Defender",
-            new=defender_client,
-        ), mock.patch(
-            "prowler.providers.azure.services.defender.defender_client.defender_client",
+         with mock.patch(
+            "prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on.defender_client",
             new=defender_client,
         ):
 
@@ -571,7 +680,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
             check = defender_ensure_defender_for_arm_is_on()
 
             # And then, call the execute() function to run the check
-            # against the IAM client we've set up.
+            # against the Defender client we've set up.
             result = check.execute()
 
             # Last but not least, we need to assert all the fields
@@ -580,13 +689,180 @@ class Test_defender_ensure_defender_for_arm_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for ARM from subscription {AZURE_SUSCRIPTION} is set to OFF (pricing tier not standard)"
+                == f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)"
             )
-            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION
             assert result[0].resource_name == "Defender plan ARM"
             assert result[0].resource_id == resource_id
 ```
 
 ### Services
 
-Coming soon ...
+For the Azure Services tests, the idea is similar, we test that the functions we've done for capturing the values of the different objects using the Azure API work correctly. Again, we create an object instance and verify that the values captured for that instance are correct.
+
+The following code shows how a service test looks like.
+
+```python
+#We import patch from unittest.mock for simulating objects, the ones that we'll test with.
+from unittest.mock import patch
+
+#Importing FlowLogs from azure.mgmt.network.models allows us to create objects corresponding
+#to flow log settings for Azure networking resources.
+from azure.mgmt.network.models import FlowLog
+
+#We import the different classes of the Network Service so we can use them.
+from prowler.providers.azure.services.network.network_service import (
+    BastionHost,
+    Network,
+    NetworkWatcher,
+    PublicIp,
+    SecurityGroup,
+)
+
+#Azure constants
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION,
+    set_mocked_azure_audit_info,
+)
+
+#Mocks the behavior of a function responsible for retrieving security groups from a network service so
+#basically this is the instance for SecurityGroup that we are going to use
+def mock_network_get_security_groups(_):
+    return {
+        AZURE_SUBSCRIPTION: [
+            SecurityGroup(
+                id="id",
+                name="name",
+                location="location",
+                security_rules=[],
+            )
+        ]
+    }
+
+#We do the same for all the components we need, BastionHost, NetworkWatcher and PublicIp in this case
+
+def mock_network_get_bastion_hosts(_):
+    return {
+        AZURE_SUBSCRIPTION: [
+            BastionHost(
+                id="id",
+                name="name",
+                location="location",
+            )
+        ]
+    }
+
+def mock_network_get_network_watchers(_):
+    return {
+        AZURE_SUBSCRIPTION: [
+            NetworkWatcher(
+                id="id",
+                name="name",
+                location="location",
+                flow_logs=[FlowLog(enabled=True, retention_policy=90)],
+            )
+        ]
+    }
+
+def mock_network_get_public_ip_addresses(_):
+    return {
+        AZURE_SUBSCRIPTION: [
+            PublicIp(
+                id="id",
+                name="name",
+                location="location",
+                ip_address="ip_address",
+            )
+        ]
+    }
+
+#We use the 'path' decorator to replace during the test, the original get functions with the mock functions.
+
+#In this case we are replacing the '__get_security_groups__' with the 'mock_network_get_security_groups'.
+#We do the same for the rest of the functions.
+@patch(
+    "prowler.providers.azure.services.network.network_service.Network.__get_security_groups__",
+    new=mock_network_get_security_groups,
+)
+@patch(
+    "prowler.providers.azure.services.network.network_service.Network.__get_bastion_hosts__",
+    new=mock_network_get_bastion_hosts,
+)
+@patch(
+    "prowler.providers.azure.services.network.network_service.Network.__get_network_watchers__",
+    new=mock_network_get_network_watchers,
+)
+@patch(
+    "prowler.providers.azure.services.network.network_service.Network.__get_public_ip_addresses__",
+    new=mock_network_get_public_ip_addresses,
+)
+
+#We create the class for finally testing the methods
+class Test_Network_Service:
+
+    #Verifies that Network class initializes correctly a client object
+    def test__get_client__(self):
+        #Creates instance of the Network class with the audit information provided
+        network = Network(set_mocked_azure_audit_info())
+        #Checks if the client is not being initialize correctly
+        assert (
+            network.clients[AZURE_SUBSCRIPTION].__class__.__name__
+            == "NetworkManagementClient"
+        )
+
+    #Verifies Securiy Group are set correctly
+    def test__get_security_groups__(self):
+        network = Network(set_mocked_azure_audit_info())
+        assert (
+            network.security_groups[AZURE_SUBSCRIPTION][0].__class__.__name__
+            == "SecurityGroup"
+        )
+        #As you can see, every field must be right according to the mocking method
+        assert network.security_groups[AZURE_SUBSCRIPTION][0].id == "id"
+        assert network.security_groups[AZURE_SUBSCRIPTION][0].name == "name"
+        assert network.security_groups[AZURE_SUBSCRIPTION][0].location == "location"
+        assert network.security_groups[AZURE_SUBSCRIPTION][0].security_rules == []
+
+    #Verifies Network Watchers are set correctly
+    def test__get_network_watchers__(self):
+        network = Network(set_mocked_azure_audit_info())
+        assert (
+            network.network_watchers[AZURE_SUBSCRIPTION][0].__class__.__name__
+            == "NetworkWatcher"
+        )
+        assert network.network_watchers[AZURE_SUBSCRIPTION][0].id == "id"
+        assert network.network_watchers[AZURE_SUBSCRIPTION][0].name == "name"
+        assert network.network_watchers[AZURE_SUBSCRIPTION][0].location == "location"
+        assert network.network_watchers[AZURE_SUBSCRIPTION][0].flow_logs == [
+            FlowLog(enabled=True, retention_policy=90)
+        ]
+    #Verifies Flow Logs are set correctly
+    def __get_flow_logs__(self):
+        network = Network(set_mocked_azure_audit_info())
+        nw_name = "name"
+        assert (
+            network.network_watchers[AZURE_SUBSCRIPTION][0]
+            .flow_logs[nw_name][0]
+            .__class__.__name__
+            == "FlowLog"
+        )
+        assert network.network_watchers[AZURE_SUBSCRIPTION][0].flow_logs == [
+            FlowLog(enabled=True, retention_policy=90)
+        ]
+        assert (
+            network.network_watchers[AZURE_SUBSCRIPTION][0].flow_logs[0].enabled is True
+        )
+        assert (
+            network.network_watchers[AZURE_SUBSCRIPTION][0]
+            .flow_logs[0]
+            .retention_policy
+            == 90
+        )
+
+        ...
+```
+The code continues with some more verifications the same way.
+
+Hopefully this will result useful for understanding and creating new Azure Services checks.
+
+Please refer to the [Azure checks tests](./unit-testing.md#azure) for more information on how to create tests and check the existing services tests [here](https://github.com/prowler-cloud/prowler/tree/master/tests/providers/azure/services).

docs/getting-started/requirements.md

@@ -5,7 +5,7 @@ Prowler has been written in Python using the [AWS SDK (Boto3)](https://boto3.ama
 
 Since Prowler uses AWS Credentials under the hood, you can follow any authentication method as described [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence).
 
-### AWS Authentication
+### Authentication
 
 Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
 
@@ -26,9 +26,8 @@ Those credentials must be associated to a user or role with proper permissions t
   - `arn:aws:iam::aws:policy/SecurityAudit`
   - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
 
-  > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
-
-  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
+???+ note
+    Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using. If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
 
 ### Multi-Factor Authentication
 
@@ -39,7 +38,7 @@ If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to
 
 ## Azure
 
-Prowler for azure supports the following authentication types:
+Prowler for Azure supports the following authentication types:
 
 - Service principal authentication by environment variables (Enterprise Application)
 - Current az cli credentials stored
@@ -63,33 +62,61 @@ The other three cases does not need additional configuration, `--az-cli-auth` an
 
 ### Permissions
 
-To use each one you need to pass the proper flag to the execution. Prowler fro Azure handles two types of permission scopes, which are:
+To use each one you need to pass the proper flag to the execution. Prowler for Azure handles two types of permission scopes, which are:
 
-- **Azure Active Directory permissions**: Used to retrieve metadata from the identity assumed by Prowler and future AAD checks (not mandatory to have access to execute the tool)
+- **Microsoft Entra ID permissions**: Used to retrieve metadata from the identity assumed by Prowler (not mandatory to have access to execute the tool).
 - **Subscription scope permissions**: Required to launch the checks against your resources, mandatory to launch the tool.
 
 
-#### Azure Active Directory scope
+#### Microsoft Entra ID scope
 
-Azure Active Directory (AAD) permissions required by the tool are the following:
+Microsoft Entra ID (AAD earlier) permissions required by the tool are the following:
 
 - `Directory.Read.All`
 - `Policy.Read.All`
+- `UserAuthenticationMethod.Read.All`
 
-The best way to assign it is through the azure web console:
+The best way to assign it is through the Azure web console:
+
+1. Access to Microsoft Entra ID
+2. In the left menu bar, go to "App registrations"
+3. Once there, in the menu bar click on "+ New registration" to register a new application
+4. Fill the "Name, select the "Supported account types" and click on "Register. You will be redirected to the applications page.
+  ![Register an Application page](../img/register-application.png)
+4. Select the new application
+5. In the left menu bar, select "API permissions"
+6. Then click on "+ Add a permission" and select "Microsoft Graph"
+7. Once in the "Microsoft Graph" view, select "Application permissions"
+8. Finally, search for "Directory", "Policy" and "UserAuthenticationMethod" select the following permissions:
+    - `Directory.Read.All`
+    - `Policy.Read.All`
+    - `UserAuthenticationMethod.Read.All`
+    ![EntraID Permissions](../img/AAD-permissions.png)
 
-![AAD Permissions](../img/AAD-permissions.png)
 
 #### Subscriptions scope
 
-Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription  to the entity that is going to be assumed by the tool:
+Regarding the subscription scope, Prowler by default scans all the subscriptions that is able to list, so it is required to add the following RBAC builtin roles per subscription to the entity that is going to be assumed by the tool:
 
 - `Security Reader`
 - `Reader`
 
+To assign this roles, follow the instructions:
+
+1. Access your subscription, then select your subscription.
+2. Select "Access control (IAM)".
+3. In the overview, select "Roles"
+  ![IAM Page](../img/page-IAM.png)
+4. Click on "+ Add" and select "Add role assignment"
+5. In the search bar, type `Security Reader`, select it and click on "Next"
+6. In the Members tab, click on "+ Select members" and add the members you want to assign this role.
+7. Click on "Review + assign" to apply the new role.
+
+*Repeat these steps for `Reader` role*
+
 ## Google Cloud
 
-### GCP Authentication
+### Authentication
 
 Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order):
 
@@ -99,4 +126,5 @@ Prowler will follow the same credentials search as [Google authentication librar
 
 Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the `Viewer` role to the member associated with the credentials.
 
-> By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.
+???+ note
+    By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.

docs/index.md

@@ -1,38 +1,13 @@
-<p href="https://github.com/prowler-cloud/prowler">
-<img align="right" src="./img/prowler-logo.png" height="100">
-</p>
-<br>
+**Prowler** is an Open Source security tool to perform AWS, Azure and Google Cloud security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. We have Prowler CLI (Command Line Interface) that we call Prowler Open Source and a service on top of it that we call <a href="https://prowler.com">Prowler SaaS</a>.
 
-# Prowler Documentation
-
-**Welcome to [Prowler Open Source v3](https://github.com/prowler-cloud/prowler/) Documentation!** 📄
-
-For **Prowler v2 Documentation**, please go [here](https://github.com/prowler-cloud/prowler/tree/2.12.0) to the branch and its README.md.
-
-- You are currently in the **Getting Started** section where you can find general information and requirements to help you start with the tool.
-- In the [Tutorials](./tutorials/misc.md) section you will see how to take advantage of all the features in Prowler.
-- In the [Contact Us](./contact.md) section you can find how to reach us out in case of technical issues.
-- In the [About](./about.md) section you will find more information about the Prowler team and license.
-
-## About Prowler
-
-**Prowler** is an Open Source security tool to perform AWS, Azure and Google Cloud security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
-
-It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
-
-[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/prowlercloud.svg?style=social&label=Follow%20%40prowlercloud)](https://twitter.com/prowlercloud)
-
-## About ProwlerPro
-
-<a href="https://prowler.pro"><img align="right" src="./img/prowler-pro-light.png" width="350"></a> **ProwlerPro** gives you the benefits of Prowler Open Source plus continuous monitoring, faster execution, personalized support, visualization of your data with dashboards, alerts and much more.
-Visit <a href="https://prowler.pro">prowler.pro</a> for more info.
+![Prowler Execution](img/short-display.png)
 
+Prowler offers hundreds of controls covering more than 25 standards and compliance frameworks like CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
 
 ## Quick Start
 ### Installation
 
-Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-cloud/), thus can be installed using pip with `Python >= 3.9`:
-
+Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), thus can be installed using pip with `Python >= 3.9`:
 
 === "Generic"
 
@@ -149,7 +124,8 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler-clo
     prowler -v
     ```
 
-    > To download the results from AWS CloudShell, select Actions -> Download File and add the full path of each file. For the CSV file it will be something like `/home/cloudshell-user/output/prowler-output-123456789012-20221220191331.csv`
+    ???+ note
+        To download the results from AWS CloudShell, select Actions -> Download File and add the full path of each file. For the CSV file it will be something like `/home/cloudshell-user/output/prowler-output-123456789012-20221220191331.csv`
 
 === "Azure CloudShell"
 
@@ -184,14 +160,18 @@ You can run Prowler from your workstation, an EC2 instance, Fargate or any other
 ![Architecture](img/architecture.png)
 ## Basic Usage
 
-To run Prowler, you will need to specify the provider (e.g aws, gcp or azure):
-> If no provider specified, AWS will be used for backward compatibility with most of v2 options.
+To run Prowler, you will need to specify the provider (e.g `aws`, `gcp` or `azure`):
+
+???+ note
+    If no provider specified, AWS will be used for backward compatibility with most of v2 options.
 
 ```console
 prowler <provider>
 ```
 ![Prowler Execution](img/short-display.png)
-> Running the `prowler` command without options will use your environment variable credentials, see [Requirements](./getting-started/requirements.md) section to review the credentials settings.
+
+???+ note
+    Running the `prowler` command without options will use your environment variable credentials, see [Requirements](./getting-started/requirements.md) section to review the credentials settings.
 
 If you miss the former output you can use `--verbose` but Prowler v3 is smoking fast, so you won't see much ;)
 
@@ -242,7 +222,9 @@ Use a custom AWS profile with `-p`/`--profile` and/or AWS regions which you want
 ```console
 prowler aws --profile custom-profile -f us-east-1 eu-south-2
 ```
-> By default, `prowler` will scan all AWS regions.
+
+???+ note
+    By default, `prowler` will scan all AWS regions.
 
 See more details about AWS Authentication in [Requirements](getting-started/requirements.md)
 
@@ -292,3 +274,6 @@ prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
 ```
 
 See more details about GCP Authentication in [Requirements](getting-started/requirements.md)
+
+## Prowler v2 Documentation
+For **Prowler v2 Documentation**, please check it out [here](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md).

docs/security.md

@@ -13,9 +13,9 @@ As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (F
 
 ## Reporting Vulnerabilities
 
-If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to help@prowler.pro.
+If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or Prowler SaaS service, please submit the information by contacting to us via [**support.prowler.com**](http://support.prowler.com).
 
-The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+The information you share with the Prowler team as part of this process is kept confidential within Prowler. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
 
 We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
 

docs/tutorials/allowlist.md

@@ -113,7 +113,8 @@ You will need to pass the S3 URI where your Allowlist YAML file was uploaded to
 ```
 prowler aws -w s3://<bucket>/<prefix>/allowlist.yaml
 ```
-> Make sure that the used AWS credentials have s3:GetObject permissions in the S3 path where the allowlist file is located.
+???+ note
+    Make sure that the used AWS credentials have s3:GetObject permissions in the S3 path where the allowlist file is located.
 
 ### AWS DynamoDB Table ARN
 
@@ -138,7 +139,8 @@ The following example will allowlist all resources in all accounts for the EC2 c
 
 <img src="../img/allowlist-row.png"/>
 
-> Make sure that the used AWS credentials have `dynamodb:PartiQLSelect` permissions in the table.
+???+ note
+    Make sure that the used AWS credentials have `dynamodb:PartiQLSelect` permissions in the table.
 
 ### AWS Lambda ARN
 

docs/tutorials/aws/authentication.md

@@ -19,9 +19,8 @@ Those credentials must be associated to a user or role with proper permissions t
   - `arn:aws:iam::aws:policy/SecurityAudit`
   - `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`
 
-  > Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
-
-  > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
+???+ note
+    Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using. If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
 
 
 ## Profiles

docs/tutorials/aws/organizations.md

@@ -1,21 +1,28 @@
 # AWS Organizations
+
 ## Get AWS Account details from your AWS Organization
 
-Prowler allows you to get additional information of the scanned account in CSV and JSON outputs. When scanning a single account you get the Account ID as part of the output.
+Prowler allows you to get additional information of the scanned account from AWS Organizations.
 
-If you have AWS Organizations Prowler can get your account details like Account Name, Email, ARN, Organization ID and Tags and you will have them next to every finding in the CSV and JSON outputs.
+If you have AWS Organizations enabled, Prowler can get your account details like account name, email, ARN, organization id and tags and you will have them next to every finding's output.
 
-In order to do that you can use the option `-O`/`--organizations-role <organizations_role_arn>`. See the following sample command:
+In order to do that you can use the argument `-O`/`--organizations-role <organizations_role_arn>`. If this argument is not present Prowler will try to fetch that information automatically if the AWS account is a delegated administrator for the AWS Organization.
+
+???+ note
+    Refer [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) for more information about AWS Organizations delegated administrator.
+
+See the following sample command:
 
 ```shell
 prowler aws \
   -O arn:aws:iam::<management_organizations_account_id>:role/<role_name>
 ```
-> Make sure the role in your AWS Organizations management account has the permissions `organizations:ListAccounts*` and `organizations:ListTagsForResource`.
+???+ note
+    Make sure the role in your AWS Organizations management account has the permissions `organizations:DescribeAccount` and `organizations:ListTagsForResource`.
 
-In that command Prowler will scan the account and getting the account details from the AWS Organizations management account assuming a role and creating two reports with those details in JSON and CSV.
+Prowler will scan the AWS account and get the account details from AWS Organizations.
 
-In the JSON output below (redacted) you can see tags coded in base64 to prevent breaking CSV or JSON due to its format:
+In the JSON output below you can see tags coded in base64 to prevent breaking CSV or JSON due to its format:
 
 ```json
   "Account Email": "my-prod-account@domain.com",
@@ -25,13 +32,15 @@ In the JSON output below (redacted) you can see tags coded in base64 to prevent
   "Account tags": "\"eyJUYWdzIjpasf0=\""
 ```
 
-The additional fields in CSV header output are as follow:
+The additional fields in CSV header output are as follows:
 
-```csv
-ACCOUNT_DETAILS_EMAIL,ACCOUNT_DETAILS_NAME,ACCOUNT_DETAILS_ARN,ACCOUNT_DETAILS_ORG,ACCOUNT_DETAILS_TAGS
-```
+- ACCOUNT_DETAILS_EMAIL
+- ACCOUNT_DETAILS_NAME
+- ACCOUNT_DETAILS_ARN
+- ACCOUNT_DETAILS_ORG
+- ACCOUNT_DETAILS_TAGS
 
-## Extra: run Prowler across all accounts in AWS Organizations by assuming roles
+## Extra: Run Prowler across all accounts in AWS Organizations by assuming roles
 
 If you want to run Prowler across all accounts of AWS Organizations you can do this:
 
@@ -55,4 +64,6 @@ If you want to run Prowler across all accounts of AWS Organizations you can do t
     done
     ```
 
-> Using the same for loop it can be scanned a list of accounts with a variable like `ACCOUNTS_LIST='11111111111 2222222222 333333333'`
+???+ note
+    Using the same for loop it can be scanned a list of accounts with a variable like:
+    </br>`ACCOUNTS_LIST='11111111111 2222222222 333333333'`

docs/tutorials/aws/regions-and-partitions.md

@@ -6,10 +6,13 @@ By default Prowler is able to scan the following AWS partitions:
 - China: `aws-cn`
 - GovCloud (US): `aws-us-gov`
 
-> To check the available regions for each partition and service please refer to the following document [aws_regions_by_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json)
+???+ note
+    To check the available regions for each partition and service please refer to the following document [aws_regions_by_service.json](https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/aws_regions_by_service.json)
 
 It is important to take into consideration that to scan the China (`aws-cn`) or GovCloud (`aws-us-gov`) partitions it is either required to have a valid region for that partition in your AWS credentials or to specify the regions you want to audit for that partition using the `-f/--region` flag.
-> Please, refer to https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information about the AWS credentials configuration.
+
+???+ note
+    Please, refer to https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials for more information about the AWS credentials configuration.
 
 Prowler can scan specific region(s) with:
 ```console
@@ -34,7 +37,8 @@ aws_access_key_id = XXXXXXXXXXXXXXXXXXX
 aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
 region = cn-north-1
 ```
-> With this option all the partition regions will be scanned without the need of use the `-f/--region` flag
+???+ note
+    With this option all the partition regions will be scanned without the need of use the `-f/--region` flag
 
 
 ## AWS GovCloud (US)
@@ -52,7 +56,8 @@ aws_access_key_id = XXXXXXXXXXXXXXXXXXX
 aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
 region = us-gov-east-1
 ```
-> With this option all the partition regions will be scanned without the need of use the `-f/--region` flag
+???+ note
+    With this option all the partition regions will be scanned without the need of use the `-f/--region` flag
 
 
 ## AWS ISO (US & Europe)

docs/tutorials/aws/role-assumption.md

@@ -30,15 +30,15 @@ Prowler can use your custom Role Session name with:
 prowler aws --role-session-name <role_session_name>
 ```
 
-> It defaults to `ProwlerAssessmentSession`
+???+ note
+    It defaults to `ProwlerAssessmentSession`.
 
 ## STS Endpoint Region
 
 If you are using Prowler in AWS regions that are not enabled by default you need to use the argument `--sts-endpoint-region` to point the AWS STS API calls `assume-role` and `get-caller-identity` to the non-default region, e.g.: `prowler aws --sts-endpoint-region eu-south-2`.
 
-> Since v3.11.0, Prowler uses a regional token in STS sessions so it can scan all AWS regions without needing the `--sts-endpoint-region` argument.
-
-> Make sure that you have enabled the AWS Region you want to scan in BOTH AWS Accounts (assumed role account and account from which you assume the role).
+???+ note
+    Since v3.11.0, Prowler uses a regional token in STS sessions so it can scan all AWS regions without needing the `--sts-endpoint-region` argument. Make sure that you have enabled the AWS Region you want to scan in **BOTH** AWS Accounts (assumed role account and account from which you assume the role).
 
 ## Role MFA
 
@@ -51,6 +51,7 @@ If your IAM Role has MFA configured you can use `--mfa` along with  `-R`/`--role
 
 To create a role to be assumed in one or multiple accounts you can use either as CloudFormation Stack or StackSet the following [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it.
 
-> _NOTE 1 about Session Duration_: Depending on the amount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T <seconds>` to allow up to 12h (43200 seconds). To allow more than 1h you need to modify _"Maximum CLI/API session duration"_ for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
+???+ note "About Session Duration"
+    Depending on the amount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T <seconds>` to allow up to 12h (43200 seconds). To allow more than 1h you need to modify _"Maximum CLI/API session duration"_ for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
 
-> _NOTE 2 about Session Duration_: Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
+    Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).

docs/tutorials/aws/s3.md

@@ -21,6 +21,5 @@ By default Prowler sends HTML, JSON and CSV output formats, if you want to send
 prowler <provider> -M csv -B my-bucket
 ```
 
-> In the case you do not want to use the assumed role credentials but the initial credentials to put the reports into the S3 bucket, use `-D`/`--output-bucket-no-assume` instead of `-B`/`--output-bucket`.
-
-> Make sure that the used credentials have `s3:PutObject` permissions in the S3 path where the reports are going to be uploaded.
+???+ note
+        In the case you do not want to use the assumed role credentials but the initial credentials to put the reports into the S3 bucket, use `-D`/`--output-bucket-no-assume` instead of `-B`/`--output-bucket`. Make sure that the used credentials have `s3:PutObject` permissions in the S3 path where the reports are going to be uploaded.

docs/tutorials/aws/securityhub.md

@@ -1,61 +1,137 @@
 # AWS Security Hub Integration
 
-Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub.
+Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows **Prowler** to import its findings to AWS Security Hub.
 
-With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free.
 
-Before sending findings to Prowler, you will need to perform next steps:
+Before sending findings, you will need to enable AWS Security Hub and the **Prowler** integration.
 
-1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
-    - `aws securityhub enable-security-hub --region <region>`.
-2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
-    - `aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler` (change region also inside the ARN).
-    - Using the AWS Management Console:
-     ![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
-3. Allow Prowler to import its findings to AWS Security Hub by adding the policy below to the role or user running Prowler:
-    - [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)
+## Enable AWS Security Hub
 
+To enable the integration you have to perform the following steps, in _at least_ one AWS region of a given AWS account, to enable **AWS Security Hub** and **Prowler** as a partner integration.
+
+Since **AWS Security Hub** is a region based service, you will need to enable it in the region or regions you require. You can configure it using the AWS Management Console or the AWS CLI.
+
+???+ note
+    Take into account that enabling this integration will incur in costs in AWS Security Hub, please refer to its pricing [here](https://aws.amazon.com/security-hub/pricing/) for more information.
+
+### Using the AWS Management Console
+
+#### Enable AWS Security Hub
+
+If you have currently AWS Security Hub enabled you can skip to the [next section](#enable-prowler-integration).
+
+1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+
+2. When you open the Security Hub console for the first time make sure that you are in the region you want to enable, then choose **Go to Security Hub**.
+![](./img/enable.png)
+
+3. On the next page, the Security standards section lists the security standards that Security Hub supports. Select the check box for a standard to enable it, and clear the check box to disable it.
+
+4. Choose **Enable Security Hub**.
+![](./img/enable-2.png)
+
+#### Enable Prowler Integration
+
+If you have currently the Prowler integration enabled in AWS Security Hub you can skip to the [next section](#send-findings) and start sending findings.
+
+Once **AWS Security Hub** is enabled you will need to enable **Prowler** as partner integration to allow **Prowler** to send findings to your **AWS Security Hub**.
+
+1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+
+2. Select the **Integrations** tab in the right-side menu bar.
+![](./img/enable-partner-integration.png)
+
+3. Search for _Prowler_ in the text search box and the **Prowler** integration will appear.
+
+4. Once there, click on **Accept Findings** to allow **AWS Security Hub** to receive findings from **Prowler**.
+![](./img/enable-partner-integration-2.png)
+
+5. A new modal will appear to confirm that you are enabling the **Prowler** integration.
+![](./img/enable-partner-integration-3.png)
+
+6. Right after click on **Accept Findings**, you will see that the integration is enabled in **AWS Security Hub**.
+![](./img/enable-partner-integration-4.png)
+
+### Using the AWS CLI
+
+To enable **AWS Security Hub** and the **Prowler** integration you have to run the following commands using the AWS CLI:
+
+```shell
+aws securityhub enable-security-hub --region <region>
+```
+???+ note
+    For this command to work you will need the `securityhub:EnableSecurityHub` permission. You will need to set the AWS region where you want to enable AWS Security Hub.
+
+Once **AWS Security Hub** is enabled you will need to enable **Prowler** as partner integration to allow **Prowler** to send findings to your AWS Security Hub. You have to run the following commands using the AWS CLI:
+
+```shell
+aws securityhub enable-import-findings-for-product --region eu-west-1 --product-arn arn:aws:securityhub:<region>::product/prowler/prowler
+```
+???+ note
+    You will need to set the AWS region where you want to enable the integration and also the AWS region also within the ARN. For this command to work you will need the `securityhub:securityhub:EnableImportFindingsForProduct` permission.
+
+
+## Send Findings
 Once it is enabled, it is as simple as running the command below (for all regions):
 
 ```sh
-prowler aws -S
+prowler aws --security-hub
 ```
 
 or for only one filtered region like eu-west-1:
 
 ```sh
-prowler -S -f eu-west-1
+prowler --security-hub --region eu-west-1
 ```
 
-> **Note 1**: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command.
+???+ note
+    It is recommended to send only fails to Security Hub and that is possible adding `-q/--quiet` to the command. You can use, instead of the `-q/--quiet` argument, the `--send-sh-only-fails` argument to save all the findings in the Prowler outputs but just to send FAIL findings to AWS Security Hub.
 
-> **Note 2**: Since Prowler perform checks to all regions by default you may need to filter by region when running Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs). Prowler will send findings to the Security Hub on the region where the scanned resource is located.
+    Since Prowler perform checks to all regions by default you may need to filter by region when running Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f/--region <region>` (if no region is used it will try to push findings in all regions hubs). Prowler will send findings to the Security Hub on the region where the scanned resource is located.
 
-> **Note 3**: To have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
+    To have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
 
-Once you run findings for first time you will be able to see Prowler findings in Findings section:
+### See you Prowler findings in AWS Security Hub
 
-![Screenshot 2020-10-29 at 10 29 05 PM](https://user-images.githubusercontent.com/3985464/97634676-66c9f600-1a36-11eb-9341-70feb06f6331.png)
+Once configured the **AWS Security Hub** in your next scan you will receive the **Prowler** findings in the AWS regions configured. To review those findings in **AWS Security Hub**:
+
+1. Open the **AWS Security Hub** console at https://console.aws.amazon.com/securityhub/.
+
+2. Select the **Findings** tab in the right-side menu bar.
+![](./img/findings.png)
+
+3. Use the search box filters and use the **Product Name** filter with the value _Prowler_ to see the findings sent from **Prowler**.
+
+4. Then, you can click on the check **Title** to see the details and the history of a finding.
+![](./img/finding-details.png)
+
+As you can see in the related requirements section, in the detailed view of the findings, **Prowler** also sends compliance information related to every finding.
 
 ## Send findings to Security Hub assuming an IAM Role
 
 When you are auditing a multi-account AWS environment, you can send findings to a Security Hub of another account by assuming an IAM role from that account using the `-R` flag in the Prowler command:
 
 ```sh
-prowler -S -R arn:aws:iam::123456789012:role/ProwlerExecRole
+prowler --security-hub --role arn:aws:iam::123456789012:role/ProwlerExecutionRole
 ```
 
-> Remember that the used role needs to have permissions to send findings to Security Hub. To get more information about the permissions required, please refer to the following IAM policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)
+???+ note
+    Remember that the used role needs to have permissions to send findings to Security Hub. To get more information about the permissions required, please refer to the following IAM policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json)
 
 
 ## Send only failed findings to Security Hub
 
-When using Security Hub it is recommended to send only the failed findings generated. To follow that recommendation you could add the `-q` flag to the Prowler command:
+When using the **AWS Security Hub** integration you can send only the `FAIL` findings generated by **Prowler**. Therefore, the **AWS Security Hub** usage costs eventually would be lower. To follow that recommendation you could add the `-q/--quiet` flag to the Prowler command:
 
 ```sh
-prowler -S -q
+prowler --security-hub --quiet
 ```
 
+You can use, instead of the `-q/--quiet` argument, the `--send-sh-only-fails` argument to save all the findings in the Prowler outputs but just to send FAIL findings to AWS Security Hub:
+
+```sh
+prowler --security-hub --send-sh-only-fails
+```
 
 ## Skip sending updates of findings to Security Hub
 
@@ -63,5 +139,5 @@ By default, Prowler archives all its findings in Security Hub that have not appe
 You can skip this logic by using the option `--skip-sh-update` so Prowler will not archive older findings:
 
 ```sh
-prowler -S --skip-sh-update
+prowler --security-hub --skip-sh-update
 ```

docs/tutorials/aws/v2_to_v3_checks_mapping.md

@@ -95,7 +95,8 @@ checks_v3_to_v2_mapping = {
     "ec2_networkacl_allow_ingress_any_port": "extra7138",
     "ec2_networkacl_allow_ingress_tcp_port_22": "check45",
     "ec2_networkacl_allow_ingress_tcp_port_3389": "check46",
-    "ec2_securitygroup_allow_ingress_from_internet_to_any_port": "extra748",
+    "ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "extra748",
+    "ec2_securitygroup_allow_ingress_from_internet_to_any_port": "extra74",
     "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "extra753",
     "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "extra7134",
     "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "check41",

docs/tutorials/check-aliases.md

@@ -1,19 +1,19 @@
 # Check Aliases
 
 Prowler allows you to use aliases for the checks. You only have to add the `CheckAliases` key to the check's metadata with a list of the aliases:
-
-    "Provider": "<provider>",
-    "CheckID": "<check_id>",
-    "CheckTitle": "<check_title>",
-    "CheckAliases": [
-      "<check_alias_1>"
-      "<check_alias_2>",
-      ...
-    ],
-    ...
-
+```json title="check.metadata.json"
+"Provider": "<provider>",
+"CheckID": "<check_id>",
+"CheckTitle": "<check_title>",
+"CheckAliases": [
+  "<check_alias_1>"
+  "<check_alias_2>",
+  ...
+],
+...
+```
 Then, you can execute the check either with its check ID or with one of the previous aliases:
-```console
+```shell
 prowler <provider> -c/--checks <check_alias_1>
 
 Using alias <check_alias_1> for check <check_id>...

docs/tutorials/compliance.md

@@ -8,29 +8,38 @@ prowler <provider> --list-compliance
 ```
 Currently, the available frameworks are:
 
-- `cis_1.4_aws`
-- `cis_1.5_aws`
-- `ens_rd2022_aws`
+- `aws_account_security_onboarding_aws`
 - `aws_audit_manager_control_tower_guardrails_aws`
 - `aws_foundational_security_best_practices_aws`
+- `aws_well_architected_framework_reliability_pillar_aws`
 - `aws_well_architected_framework_security_pillar_aws`
+- `cis_1.4_aws`
+- `cis_1.5_aws`
+- `cis_2.0_aws`
+- `cis_2.0_gcp`
+- `cis_2.0_azure`
+- `cis_2.1_azure`
+- `cis_3.0_aws`
 - `cisa_aws`
+- `ens_rd2022_aws`
 - `fedramp_low_revision_4_aws`
 - `fedramp_moderate_revision_4_aws`
 - `ffiec_aws`
+- `aws_foundational_technical_review_aws`
 - `gdpr_aws`
-- `gxp_eu_annex_11_aws`
 - `gxp_21_cfr_part_11_aws`
+- `gxp_eu_annex_11_aws`
 - `hipaa_aws`
+- `iso27001_2013_aws`
+- `mitre_attack_aws`
+- `nist_800_171_revision_2_aws`
 - `nist_800_53_revision_4_aws`
 - `nist_800_53_revision_5_aws`
-- `nist_800_171_revision_2_aws`
 - `nist_csf_1.1_aws`
 - `pci_3.2.1_aws`
 - `rbi_cyber_security_framework_aws`
 - `soc2_aws`
 
-
 ## List Requirements of Compliance Frameworks
 For each compliance framework, you can use option `--list-compliance-requirements` to list its requirements:
 ```sh

docs/tutorials/configuration_file.md

@@ -33,22 +33,34 @@ The following list includes all the AWS checks with configurable variables that
 | `drs_job_exist`                                               | `allowlist_non_default_regions`                  | Boolean         |
 | `guardduty_is_enabled`                                        | `allowlist_non_default_regions`                  | Boolean         |
 | `securityhub_enabled`                                         | `allowlist_non_default_regions`                  | Boolean         |
+| `rds_instance_backup_enabled`                                  | `check_rds_instance_replicas`      | Boolean        |
+| `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |
 
 ## Azure
 
 ### Configurable Checks
+The following list includes all the Azure checks with configurable variables that can be changed in the configuration yaml file:
+
+| Check Name                                                    | Value                                            | Type            |
+|---------------------------------------------------------------|--------------------------------------------------|-----------------|
+| `network_public_ip_shodan`                                   | `shodan_api_key`                    | String         |
+| `app_ensure_php_version_is_latest`                            | `php_latest_version`                             | String          |
+| `app_ensure_python_version_is_latest`                         | `python_latest_version`                          | String          |
+| `app_ensure_java_version_is_latest`                           | `java_latest_version`                            | String          |
+
 
 ## GCP
 
 ### Configurable Checks
 
 ## Config YAML File Structure
-> This is the new Prowler configuration file format. The old one without provider keys is still compatible just for the AWS provider.
+
+???+ note
+    This is the new Prowler configuration file format. The old one without provider keys is still compatible just for the AWS provider.
 
 ```yaml title="config.yaml"
 # AWS Configuration
 aws:
-
   # AWS Global Configuration
   # aws.allowlist_non_default_regions --> Allowlist Failed Findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
   allowlist_non_default_regions: False
@@ -61,6 +73,7 @@ aws:
 
   # AWS EC2 Configuration
   # aws.ec2_elastic_ip_shodan
+  # TODO: create common config
   shodan_api_key: null
   # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
   max_security_group_rules: 50
@@ -89,45 +102,78 @@ aws:
   # aws.awslambda_function_using_supported_runtimes
   obsolete_lambda_runtimes:
     [
+      "java8",
+      "go1.x",
+      "provided",
       "python3.6",
       "python2.7",
+      "python3.7",
       "nodejs4.3",
       "nodejs4.3-edge",
       "nodejs6.10",
       "nodejs",
       "nodejs8.10",
       "nodejs10.x",
+      "nodejs12.x",
+      "nodejs14.x",
+      "dotnet5.0",
       "dotnetcore1.0",
       "dotnetcore2.0",
       "dotnetcore2.1",
+      "dotnetcore3.1",
       "ruby2.5",
+      "ruby2.7",
     ]
 
   # AWS Organizations
-  # organizations_scp_check_deny_regions
-  # organizations_enabled_regions: [
-  #   'eu-central-1',
-  #   'eu-west-1',
+  # aws.organizations_scp_check_deny_regions
+  # aws.organizations_enabled_regions: [
+  #   "eu-central-1",
+  #   "eu-west-1",
   #   "us-east-1"
   # ]
   organizations_enabled_regions: []
   organizations_trusted_delegated_administrators: []
 
   # AWS ECR
-  # ecr_repositories_scan_vulnerabilities_in_latest_image
+  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
   # CRITICAL
   # HIGH
   # MEDIUM
   ecr_repository_vulnerability_minimum_severity: "MEDIUM"
 
   # AWS Trusted Advisor
-  # trustedadvisor_premium_support_plan_subscribed
+  # aws.trustedadvisor_premium_support_plan_subscribed
   verify_premium_support_plans: True
 
+  # AWS RDS
+  # aws.rds_instance_backup_enabled
+  # Whether to check RDS instance replicas or not
+  check_rds_instance_replicas: False
+
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
+  # Azure Network Configuration
+  # azure.network_public_ip_shodan
+  # TODO: create common config
+  shodan_api_key: null
+
+  # Azure App Service
+  # azure.app_ensure_php_version_is_latest
+  php_latest_version: "8.2"
+  # azure.app_ensure_python_version_is_latest
+  python_latest_version: "3.12"
+  # azure.app_ensure_java_version_is_latest
+  java_latest_version: "17"
 
 # GCP Configuration
 gcp:
+  # GCP Compute Configuration
+  # gcp.compute_public_address_shodan
+  shodan_api_key: null
 
 ```

docs/tutorials/gcp/authentication.md

@@ -13,7 +13,8 @@ Otherwise, you can generate and download Service Account keys in JSON format (re
 prowler gcp --credentials-file path
 ```
 
-> `prowler` will scan the GCP project associated with the credentials.
+???+ note
+    `prowler` will scan the GCP project associated with the credentials.
 
 
 Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order):

docs/tutorials/ignore-unused-services.md

@@ -1,6 +1,7 @@
 # Ignore Unused Services
 
-> Currently only available on the AWS provider.
+???+ note
+    Currently only available on the AWS provider.
 
 Prowler allows you to ignore unused services findings, so you can reduce the number of findings in Prowler's reports.
 
@@ -10,6 +11,12 @@ prowler <provider> --ignore-unused-services
 
 ## Services that can be ignored
 ### AWS
+#### ACM
+You can have certificates in ACM that is not in use by any AWS resource.
+Prowler will check if every certificate is going to expire soon, if this certificate is not in use by default it is not going to be check if it is expired, is going to expire soon or it is good.
+
+- `acm_certificates_expiration_check`
+
 #### Athena
 When you create an AWS Account, Athena will create a default primary workgroup for you.
 Prowler will check if that workgroup is enabled and if it is being used by checking if there were queries in the last 45 days.
@@ -29,9 +36,10 @@ If EBS default encyption is not enabled, sensitive information at rest is not pr
 
   - `ec2_ebs_default_encryption`
 
-If your Security groups are not properly configured the attack surface is increased, nonetheless, Prowler will detect those security groups that are being used (they are attached) to only notify those that are being used. This logic applies to the 15 checks related to open ports in security groups.
+If your Security groups are not properly configured the attack surface is increased, nonetheless, Prowler will detect those security groups that are being used (they are attached) to only notify those that are being used. This logic applies to the 15 checks related to open ports in security groups and the check for the default security group.
 
   - `ec2_securitygroup_allow_ingress_from_internet_to_port_X` (15 checks)
+  - `ec2_securitygroup_default_restrict_traffic`
 
 Prowler will also check for used Network ACLs to only alerts those with open ports that are being used.
 
@@ -47,7 +55,7 @@ It is a best practice to encrypt both metadata and connection passwords in AWS G
 #### Inspector
 Amazon Inspector is a vulnerability discovery service that automates continuous scanning for security vulnerabilities within your Amazon EC2, Amazon ECR, and AWS Lambda environments. Prowler recommends to enable it and resolve all the Inspector's findings. Ignoring the unused services, Prowler will only notify you if there are any Lambda functions, EC2 instances or ECR repositories in the region where Amazon inspector should be enabled.
 
-  - `inspector2_findings_exist`
+  - `inspector2_is_enabled`
 
 #### Macie
 Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in S3 buckets. Prowler will only create a finding when Macie is not enabled if there are S3 buckets in your account.
@@ -68,3 +76,15 @@ You should enable Public Access Block at the account level to prevent the exposu
 VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows. Nevertheless, Prowler will only check if the Flow Logs are enabled for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
 
   - `vpc_flow_logs_enabled`
+
+VPC subnets must not have public IP addresses by default to prevent the exposure of your resources to the internet. Prowler will only check this configuration for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `vpc_subnet_no_public_ip_by_default`
+
+VPCs should have separate private and public subnets to prevent the exposure of your resources to the internet. Prowler will only check this configuration for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `vpc_subnet_separate_private_public`
+
+VPCs should have subnets in different availability zones to prevent a single point of failure. Prowler will only check this configuration for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `vpc_subnet_different_az`

docs/tutorials/integrations.md

@@ -10,7 +10,9 @@ prowler <provider> --slack
 
 ![Prowler Slack Message](img/slack-prowler-message.png)
 
-> Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_ID environment variables.
+???+ note
+    Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_NAME environment variables.
+
 ### Configuration
 
 To configure the Slack Integration, follow the next steps:
@@ -33,4 +35,4 @@ To configure the Slack Integration, follow the next steps:
 
 4. Set the following environment variables that Prowler will read:
     - `SLACK_API_TOKEN`: the *Slack App OAuth Token* that was previously get.
-    - `SLACK_CHANNEL_ID`: the name of your Slack Channel where Prowler will send the message.
+    - `SLACK_CHANNEL_NAME`: the name of your Slack Channel where Prowler will send the message.

docs/tutorials/logging.md

@@ -18,7 +18,8 @@ You can establish the log level of Prowler with `--log-level` option:
 prowler <provider> --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
 ```
 
-> By default, Prowler will run with the `CRITICAL` log level, since critical errors will abort the execution.
+???+ note
+    By default, Prowler will run with the `CRITICAL` log level, since critical errors will abort the execution.
 
 ## Export Logs to File
 
@@ -45,4 +46,5 @@ An example of a log file will be the following:
         "message": "eu-west-2 -- ClientError[124]: An error occurred (UnauthorizedOperation) when calling the DescribeNetworkAcls operation: You are not authorized to perform this operation."
     }
 
-> NOTE: Each finding is represented as a `json` object.
+???+ note
+    Each finding is represented as a `json` object.

docs/tutorials/misc.md

@@ -61,21 +61,26 @@ Prowler allows you to include your custom checks with the flag:
 ```console
 prowler <provider> -x/--checks-folder <custom_checks_folder>
 ```
-> S3 URIs are also supported as folders for custom checks, e.g. s3://bucket/prefix/checks_folder/. Make sure that the used credentials have s3:GetObject permissions in the S3 path where the custom checks are located.
+
+???+ note
+    S3 URIs are also supported as folders for custom checks, e.g. `s3://bucket/prefix/checks_folder/`. Make sure that the used credentials have `s3:GetObject` permissions in the S3 path where the custom checks are located.
 
 The custom checks folder must contain one subfolder per check, each subfolder must be named as the check and must contain:
 
 - An empty `__init__.py`: to make Python treat this check folder as a package.
 - A `check_name.py` containing the check's logic.
 - A `check_name.metadata.json` containing the check's metadata.
->The check name must start with the service name followed by an underscore (e.g., ec2_instance_public_ip).
+
+???+ note
+    The check name must start with the service name followed by an underscore (e.g., ec2_instance_public_ip).
 
 To see more information about how to write checks see the [Developer Guide](../developer-guide/checks.md#create-a-new-check-for-a-provider).
 
-> If you want to run ONLY your custom check(s), import it with -x (--checks-folder) and then run it with -c (--checks), e.g.:
-```console
-prowler aws -x s3://bucket/prowler/providers/aws/services/s3/s3_bucket_policy/ -c s3_bucket_policy
-```
+???+ note
+    If you want to run ONLY your custom check(s), import it with -x (--checks-folder) and then run it with -c (--checks), e.g.:
+    ```console
+    prowler aws -x s3://bucket/prowler/providers/aws/services/s3/s3_bucket_policy/ -c s3_bucket_policy
+    ```
 
 ## Severities
 Each of Prowler's checks has a severity, which can be:

docs/tutorials/parallel-execution.md

@@ -10,7 +10,8 @@ This can help for really large accounts, but please be aware of AWS API rate lim
 
 For information on Prowler's retrier configuration please refer to this [page](https://docs.prowler.cloud/en/latest/tutorials/aws/boto3-configuration/).
 
-> Note: You might need to increase the `--aws-retries-max-attempts` parameter from the default value of 3. The retrier follows an exponential backoff strategy.
+???+ note
+    You might need to increase the `--aws-retries-max-attempts` parameter from the default value of 3. The retrier follows an exponential backoff strategy.
 
 ## Linux
 

docs/tutorials/pentesting.md

@@ -50,6 +50,7 @@ Several checks analyse resources that are exposed to the Internet, these are:
 - sagemaker_notebook_instance_without_direct_internet_access_configured
 - sns_topics_not_publicly_accessible
 - sqs_queues_not_publicly_accessible
+- network_public_ip_shodan
 
 ...
 
@@ -61,8 +62,17 @@ prowler <provider> --categories internet-exposed
 
 ### Shodan
 
-Prowler allows you check if any elastic ip in your AWS Account is exposed in Shodan with `-N`/`--shodan <shodan_api_key>` option:
+Prowler allows you check if any public IPs in your Cloud environments are exposed in Shodan with `-N`/`--shodan <shodan_api_key>` option:
 
+For example, you can check if any of your AWS EC2 instances has an elastic IP exposed in shodan:
 ```console
-prowler aws --shodan <shodan_api_key> -c ec2_elastic_ip_shodan
+prowler aws -N/--shodan <shodan_api_key> -c ec2_elastic_ip_shodan
+```
+Also, you can check if any of your Azure Subscription has an public IP exposed in shodan:
+```console
+prowler azure -N/--shodan <shodan_api_key> -c network_public_ip_shodan
+```
+And finally, you can check if any of your GCP projects has an public IP address exposed in shodan:
+```console
+prowler gcp -N/--shodan <shodan_api_key> -c compute_public_address_shodan
 ```

docs/tutorials/quick-inventory.md

@@ -1,14 +1,18 @@
 # Quick Inventory
 
 Prowler allows you to execute a quick inventory to extract the number of resources in your provider.
-> Currently, it is only available for AWS provider.
+
+???+ note
+    Currently, it is only available for AWS provider.
 
 
 - You can use option `-i`/`--quick-inventory` to execute it:
 ```sh
 prowler <provider> -i
 ```
-> By default, it extracts resources from all the regions, you could use `-f`/`--filter-region` to specify the regions to execute the analysis.
+
+???+ note
+    By default, it extracts resources from all the regions, you could use `-f`/`--filter-region` to specify the regions to execute the analysis.
 
 - This feature specify both the number of resources for each service and for each resource type.
 

docs/tutorials/reporting.md

@@ -19,11 +19,12 @@ prowler <provider> -M csv json json-asff html -F <custom_report_name>
 ```console
 prowler <provider> -M csv json json-asff html -o <custom_report_directory>
 ```
-> Both flags can be used simultaneously to provide a custom directory and filename.
-```console
-prowler <provider> -M csv json json-asff html \
-        -F <custom_report_name> -o <custom_report_directory>
-```
+???+ note
+    Both flags can be used simultaneously to provide a custom directory and filename.
+    ```console
+    prowler <provider> -M csv json json-asff html \
+            -F <custom_report_name> -o <custom_report_directory>
+    ```
 ## Output timestamp format
 By default, the timestamp format of the output files is ISO 8601. This can be changed with the flag `--unix-timestamp` generating the timestamp fields in pure unix timestamp format.
 
@@ -41,9 +42,10 @@ Hereunder is the structure for each of the supported report formats by Prowler:
 
 ### HTML
 ![HTML Output](../img/output-html.png)
+
 ### CSV
 
-CSV format has a set of common columns for all the providers, and then provider specific columns.  
+CSV format has a set of common columns for all the providers, and then provider specific columns.
 The common columns are the following:
 
 - ASSESSMENT_START_TIME
@@ -90,7 +92,6 @@ And then by the provider specific columns:
 - RESOURCE_ID
 - RESOURCE_ARN
 
-
 #### AZURE
 
 - TENANT_DOMAIN
@@ -98,7 +99,6 @@ And then by the provider specific columns:
 - RESOURCE_ID
 - RESOURCE_NAME
 
-
 #### GCP
 
 - PROJECT_ID
@@ -107,9 +107,9 @@ And then by the provider specific columns:
 - RESOURCE_NAME
 
 
+???+ note
+    Since Prowler v3 the CSV column delimiter is the semicolon (`;`)
 
-
-> Since Prowler v3 the CSV column delimiter is the semicolon (`;`)
 ### JSON
 
 The following code is an example output of the JSON format:
@@ -206,7 +206,8 @@ The following code is an example output of the JSON format:
 }]
 ```
 
-> NOTE: Each finding is a `json` object within a list. This has changed in v3 since in v2 the format used was [ndjson](http://ndjson.org/).
+???+ note
+    Each finding is a `json` object within a list. This has changed in v3 since in v2 the format used was [ndjson](http://ndjson.org/).
 
 
 ### JSON-OCSF
@@ -467,7 +468,9 @@ Based on [Open Cybersecurity Schema Framework Security Finding v1.0.0-rc.3](http
 }]
 ```
 
-> NOTE: Each finding is a `json` object.
+???+ note
+    Each finding is a `json` object.
+
 ### JSON-ASFF
 
 The following code is an example output of the [JSON-ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html) format:
@@ -600,4 +603,5 @@ The following code is an example output of the [JSON-ASFF](https://docs.aws.amaz
 }]
 ```
 
-> NOTE: Each finding is a `json` object within a list.
+???+ note
+    Each finding is a `json` object within a list.

mkdocs.yml

@@ -1,23 +1,43 @@
 # Project information
-site_name: Prowler Documentation
-site_url: https://docs.prowler.pro/
+site_name: Prowler Open Source Documentation
+site_url: https://docs.prowler.com/
 site_description: >-
-  Prowler Documentation Site
+  Prowler Open Source Documentation
 
 # Theme Configuration
 theme:
   language: en
-  logo: img/prowler-logo.png
+  logo: img/prowler-logo-white.png
   name: material
-  favicon: img/prowler-icon.svg
+  favicon: favicon.ico
   features:
     - navigation.tabs
     - navigation.tabs.sticky
     - navigation.sections
     - navigation.top
   palette:
-    primary: black
-    accent: green
+    # Palette toggle for light mode
+    - media: "(prefers-color-scheme: light)"
+      scheme: default
+      primary: black
+      accent: green
+      toggle:
+        icon: material/weather-night
+        name: Switch to dark mode
+    # Palette toggle for dark mode
+    - media: "(prefers-color-scheme: dark)"
+      scheme: slate
+      primary: black
+      accent: green
+      toggle:
+        icon: material/weather-sunny
+        name: Switch to light mode
+
+
+plugins:
+  - search
+  - git-revision-date-localized:
+      enable_creation_date: true
 
 edit_uri: "https://github.com/prowler-cloud/prowler/tree/master/docs"
 # Prowler OSS Repository
@@ -74,11 +94,13 @@ nav:
       - Testing:
           - Unit Tests: developer-guide/unit-testing.md
           - Integration Tests: developer-guide/integration-testing.md
+      - Debugging: developer-guide/debugging.md
   - Security: security.md
   - Contact Us: contact.md
   - Troubleshooting: troubleshooting.md
   - About: about.md
-  - ProwlerPro: https://prowler.pro
+  - Prowler SaaS: https://prowler.com
+
 # Customization
 extra:
   consent:
@@ -102,11 +124,15 @@ extra:
       link: https://twitter.com/prowlercloud
 
 # Copyright
-copyright: Copyright &copy; 2022 Toni de la Fuente, Maintained by the Prowler Team at Verica, Inc.</a>
+copyright: >
+  Copyright &copy; <script>document.write(new Date().getFullYear())</script> Toni de la Fuente, Maintained by the Prowler Team at ProwlerPro, Inc.</a>
+  </br><a href="#__consent">Change cookie settings</a>
 
 markdown_extensions:
   - abbr
   - admonition
+  - pymdownx.details
+  - pymdownx.superfences
   - attr_list
   - def_list
   - footnotes
@@ -120,8 +146,8 @@ markdown_extensions:
   - pymdownx.caret
   - pymdownx.details
   - pymdownx.emoji:
-      emoji_generator: !!python/name:materialx.emoji.to_svg
-      emoji_index: !!python/name:materialx.emoji.twemoji
+      emoji_index: !!python/name:material.extensions.emoji.twemoji
+      emoji_generator: !!python/name:material.extensions.emoji.to_svg
   - pymdownx.highlight:
       anchor_linenums: true
   - pymdownx.inlinehilite

prowler/__main__.py

@@ -204,17 +204,23 @@ def prowler():
     stats = extract_findings_statistics(findings)
 
     if args.slack:
-        if "SLACK_API_TOKEN" in os.environ and "SLACK_CHANNEL_ID" in os.environ:
+        if "SLACK_API_TOKEN" in os.environ and (
+            "SLACK_CHANNEL_NAME" in os.environ or "SLACK_CHANNEL_ID" in os.environ
+        ):
             _ = send_slack_message(
                 os.environ["SLACK_API_TOKEN"],
-                os.environ["SLACK_CHANNEL_ID"],
+                (
+                    os.environ["SLACK_CHANNEL_NAME"]
+                    if "SLACK_CHANNEL_NAME" in os.environ
+                    else os.environ["SLACK_CHANNEL_ID"]
+                ),
                 stats,
                 provider,
                 audit_info,
             )
         else:
             logger.critical(
-                "Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_ID environment variables (see more in https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack)."
+                "Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_NAME environment variables (see more in https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack)."
             )
             sys.exit(1)
 

prowler/compliance/aws/aws_foundational_technical_review_aws.json

@@ -0,0 +1,693 @@
+{
+  "Framework": "AWS-Foundational-Technical-Review",
+  "Version": "",
+  "Provider": "AWS",
+  "Description": "The AWS Foundational Technical Review (FTR) assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success. Passing the FTR is required to qualify AWS Software Partners for AWS Partner Network (APN) programs such as AWS Competency and AWS Service Ready but any AWS Partner who offers a technology solution may request a FTR review through AWS Partner Central.",
+  "Requirements": [
+    {
+      "Id": "HOST-001",
+      "Name": "Confirm your hosting model",
+      "Description": "To use this FTR checklist you must host all critical application components on AWS. You may use external providers for edge services such as content delivery networks (CDNs) or domain name system (DNS), or corporate identity providers. If you are using any edge services outside AWS, please specify them in the self-assessment.",
+      "Attributes": [
+        {
+          "Section": "Partner-hosted FTR requirements",
+          "Subsection": "Hosting",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "SUP-001",
+      "Name": "Subscribe to the AWS Business Support tier (or higher) for all production AWS accounts or have an action plan to handle issues which require help from AWS Support",
+      "Description": "It is recommended that you subscribe to the AWS Business Support tier or higher (including AWS Partner-Led Support) for all of your AWS production accounts. For more information, refer to Compare AWS Support Plans. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.",
+      "Attributes": [
+        {
+          "Section": "Partner-hosted FTR requirements",
+          "Subsection": "Support level",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "WAFR-001",
+      "Name": "Conduct periodic architecture reviews (minimum once every year)",
+      "Description": "Conduct periodic architecture reviews of your production workload (at least once per year) using a documented architectural standard that includes AWS-specific best practices. If you have an internally defined standard for your AWS workloads, we recommend you use it for these reviews. If you do not have an internal standard, we recommend you use the AWS Well-Architected Framework.",
+      "Attributes": [
+        {
+          "Section": "Partner-hosted FTR requirements",
+          "Subsection": "Architecture review",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "WAFR-002",
+      "Name": "Review the AWS Shared Responsibility Models for Security and Resiliency",
+      "Description": "Review the AWS Shared Responsibility Model for Security and the AWS Shared Responsibility Model for Resiliency. Ensure that your product’s architecture and operational processes address the customer responsibilities defined in these models. We recommend you to use AWS Resilience Hub to ensure your workload resiliency posture meets your targets and to provide you with operational procedures you may use to address the customer responsibilities.",
+      "Attributes": [
+        {
+          "Section": "Partner-hosted FTR requirements",
+          "Subsection": "Architecture review",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "ARC-001",
+      "Name": "Use root user only by exception",
+      "Description": "The root user has unlimited access to your account and its resources, and using it only by exception helps protect your AWS resources. The AWS root user must not be used for everyday tasks, even administrative ones. Instead, adhere to the best practice of using the root user only to create your first AWS Identity and Access Management (IAM) user. Then securely lock away the root user credentials and use them to perform only a few accounts and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. FTR does not require you to actively monitor root usage.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "AWS root account",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "ARC-003",
+      "Name": "Enable multi-factor authentication (MFA) on the root user for all AWS accounts",
+      "Description": "Enabling MFA provides an additional layer of protection against unauthorized access to your account. To configure MFA for the root user, follow the instructions for enabling either a virtual MFA or hardware MFA device. If you are using AWS Organizations to create new accounts, the initial password for the root user is set to a random value that is never exposed to you. If you do not recover the password for the root user of these accounts, you do not need to enable MFA on them. For any accounts where you do have access to the root user’s password, you must enable MFA",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "AWS root account",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "iam_root_mfa_enabled",
+        "iam_root_hardware_mfa_enabled"
+      ]
+    },
+    {
+      "Id": "ARC-004",
+      "Name": "Remove access keys for the root user",
+      "Description": "Programmatic access to AWS APIs should never use the root user. It is best not to generate static an access key for the root user. If one already exists, you should transition any processes using that key to use temporary access keys from an AWS Identity and Access Management (IAM) role, or, if necessary, static access keys from an IAM user.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "AWS root account",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "iam_no_root_access_key"
+      ]
+    },
+    {
+      "Id": "ARC-005",
+      "Name": "Develop incident management plans",
+      "Description": "An incident management plan is critical to respond, mitigate, and recover from the potential impact of security incidents. An incident management plan is a structured process for identifying, remediating, and responding in a timely matter to security incidents. An effective incident management plan must be continually iterated upon, remaining current with your cloud operations goal. For more information on developing incident management plan please see Develop incident management plans.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "AWS root account",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "ACOM-001",
+      "Name": "Configure AWS account contacts",
+      "Description": "If an account is not managed by AWS Organizations, alternate account contacts help AWS get in contact with the appropriate personnel if needed. Configure the account’s alternate contacts to point to a group rather than an individual. For example, create separate email distribution lists for billing, operations, and security and configure these as Billing, Security, and Operations contacts in each active AWS account. This ensures that multiple people will receive AWS notifications and be able to respond, even if someone is on vacation, changes roles, or leaves the company.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Communications from AWS",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "ACOM-002",
+      "Name": "Set account contact information including the root user email address to email addresses and phone numbers owned by your company",
+      "Description": "Using company owned email addresses and phone numbers for contact information enables you to access them even if the individuals whom they belong to are no longer with your organization",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Communications from AWS",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-001",
+      "Name": "Enable multi-factor authentication (MFA) for all Human Identities with AWS access",
+      "Description": "You must require any human identities to authenticate using MFA before accessing your AWS accounts. Typically, this means enabling MFA within your corporate identity provider. If you have existing legacy IAM users you must enable MFA for console access for those principals as well. Enabling MFA for IAM users provides an additional layer of security. With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP). Users must provide both their normal credentials (user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone). Please note that machine identities do not require MFA.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "iam_root_mfa_enabled",
+        "iam_root_hardware_mfa_enabled",
+        "iam_user_hardware_mfa_enabled",
+        "iam_user_mfa_enabled_console_access",
+        "iam_administrator_access_with_mfa"
+      ]
+    },
+    {
+      "Id": "IAM-002",
+      "Name": "Monitor and secure static AWS Identity and Access Management (IAM) credentials",
+      "Description": "Use temporary IAM credentials retrieved by assuming a role whenever possible. In cases where it is infeasible to use IAM roles, implement the following controls to reduce the risk these credentials are misused: Rotate IAM access keys regularly (recommended at least every 90 days). Maintain an inventory of all static keys and where they are used and remove unused access keys. Implement monitoring of AWS CloudTrail logs to detect anomalous activity or other potential misuse (e.g. using AWS GuardDuty.) Define a runbook or SOP for revoking credentials in the event you detect misuse.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "iam_rotate_access_key_90_days",
+        "iam_user_accesskey_unused",
+        "iam_user_with_temporary_credentials",
+        "guardduty_is_enabled",
+        "guardduty_no_high_severity_findings"
+      ]
+    },
+    {
+      "Id": "IAM-003",
+      "Name": "Use strong password policy",
+      "Description": "Enforce a strong password policy, and educate users to avoid common or re-used passwords. For IAM users, you can create a password policy for your account on the Account Settings page of the IAM console. You can use the password policy to define password requirements, such as minimum length and whether it requires non-alphabetic characters, and so on. For more information, see Setting an Account Password Policy for IAM users.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "iam_password_policy_expires_passwords_within_90_days_or_less",
+        "iam_password_policy_lowercase",
+        "iam_password_policy_minimum_length_14",
+        "iam_password_policy_number",
+        "iam_password_policy_reuse_24",
+        "iam_password_policy_symbol",
+        "iam_password_policy_uppercase"
+      ]
+    },
+    {
+      "Id": "IAM-004",
+      "Name": "Create individual identities (no shared credentials) for anyone who needs AWS access",
+      "Description": "Create individual entities and give unique security credentials and permissions to each user accessing your account. With individual entities and no shared credentials, you can audit the activity of each user.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-005",
+      "Name": "Use IAM roles and its temporary security credentials to provide access to third parties.",
+      "Description": "Do not provision IAM users and share those credentials with people outside of your organization. Any external services that need to make AWS API calls against your account (for example, a monitoring solution that accesses your account's AWS CloudWatch metrics) must use a cross-account role. For more information, refer to Providing access to AWS accounts owned by third parties.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-006",
+      "Name": "Grant least privilege access",
+      "Description": "You must follow the standard security advice of granting least privilege. Grant only the access that identities require by allowing access to specific actions on specific AWS resources under specific conditions. Rely on groups and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. This way, when a developer is removed from the group, access for the developer is revoked everywhere that group was used for access control, without requiring any changes to the access policies.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "iam_policy_attached_only_to_group_or_roles"
+      ]
+    },
+    {
+      "Id": "IAM-007",
+      "Name": "Manage access based on life cycle",
+      "Description": "Integrate access controls with operator and application lifecycle and your centralized federation provider and IAM. For example, remove a user’s access when they leave the organization or change roles.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-008",
+      "Name": "Audit identities quarterly",
+      "Description": "Auditing the identities that are configured in your identity provider and IAM helps ensure that only authorized identities have access to your workload. For example, remove people that leave the organization, and remove cross-account roles that are no longer required. Have a process in place to periodically audit permissions to the services accessed by an IAM entity. This helps you identify the policies you needto modify to remove any unused permissions. For more information, see Refining permissions in AWS using last accessed information.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-009",
+      "Name": "Do not embed credentials in application code",
+      "Description": "Ensure that all credentials used by your applications (for example, IAM access keys and database passwords) are never included in your application's source code or committed to source control in any way.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-0010",
+      "Name": "Store secrets securely.",
+      "Description": "Encrypt all secrets in transit and at rest, define fine-grained access controls that only allow access to specific identities, and log access to secrets in an audit log. We recommend you use a purpose-built secret management service such as AWS Secrets Manager, AWS Systems Manager Parameter Store, or an AWS Partner solution, but internally developed solutions that meet these requirements are also acceptable.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-0011",
+      "Name": "Encrypt all end user/customer credentials and hash passwords at rest.",
+      "Description": "If you are storing end user/customer credentials in a database that you manage, encrypt credentials at rest and hash passwords. As an alternative, AWS recommends using a user-identity synchronization service, such as Amazon Cognito or an equivalent AWS Partner solution.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "IAM-0012",
+      "Name": "Use temporary credentials",
+      "Description": "Use temporary security credentials to access AWS resources. For machine identities within AWS (for example, Amazon Elastic Compute Cloud (Amazon EC2) instances or AWS Lambda functions), always use IAM roles to acquire temporary security credentials. For machine identities running outside of AWS, use IAM Roles Anywhere or securely store static AWS access keys that are only used to assume an IAM role.For human identities, use AWS IAM Identity Center or other identity federation solutions where possible. If you must use static AWS access keys for human users, require MFA for all access, including the AWS Management Console, and AWS Command Line Interface (AWS CLI).",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Identity and Access Management",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "iam_rotate_access_key_90_days",
+        "iam_user_accesskey_unused",
+        "iam_user_with_temporary_credentials",
+        "iam_policy_attached_only_to_group_or_roles",
+        "iam_role_administratoraccess_policy",
+        "iam_role_cross_account_readonlyaccess_policy",
+        "iam_role_cross_service_confused_deputy_prevention",
+        "iam_root_hardware_mfa_enabled",
+        "iam_root_mfa_enabled",
+        "iam_root_hardware_mfa_enabled",
+        "iam_user_hardware_mfa_enabled",
+        "iam_user_mfa_enabled_console_access",
+        "iam_administrator_access_with_mfa"
+      ]
+    },
+    {
+      "Id": "SECOPS-001",
+      "Name": "Perform vulnerability management",
+      "Description": "Define a mechanism and frequency to scan and patch for vulnerabilities in your dependencies, and in your operating systems to help protect against new threats. Scan and patch your dependencies, and your operating systems on a defined schedule. Software vulnerability management is essential to keeping your system secure from threat actors. Embedding vulnerability assessments early into your continuous integration/continuous delivery (CI/CD) pipeline allows you to prioritize remediation of any security vulnerabilities detected. The solution you need to achieve this varies according to the AWS services that you are consuming. To check for vulnerabilities in software running in Amazon EC2 instances, you can add Amazon Inspector to your pipeline to cause your build to fail if Inspector detects vulnerabilities. You can also use open source products such as OWASP Dependency-Check, Snyk, OpenVAS, package managers and AWS Partner tools for vulnerability management.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Operational security",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist",
+        "accessanalyzer_enabled_without_findings",
+        "guardduty_no_high_severity_findings"
+      ]
+    },
+    {
+      "Id": "NETSEC-001",
+      "Name": "Implement the least permissive rules for all Amazon EC2 security groups",
+      "Description": "All Amazon EC2 security groups should restrict access to the greatest degree possible. At a minimum, do the following: Ensure that no security groups allow ingress from 0.0.0.0/0 to port 22 or 3389 (CIS 5.2) Ensure that the default security group of every VPC restricts all traffic (CIS 5.3/Security Control EC2.2)",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Network Security",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "ec2_ami_public",
+        "ec2_instance_public_ip",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
+        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
+        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23",
+        "ec2_securitygroup_allow_wide_open_public_ipv4",
+        "ec2_securitygroup_default_restrict_traffic",
+        "ec2_securitygroup_not_used",
+        "ec2_securitygroup_with_many_ingress_egress_rules"
+      ]
+    },
+    {
+      "Id": "NETSEC-002",
+      "Name": "Restrict resources in public subnets",
+      "Description": "Do not place resources in public subnets of your VPC unless they must receive network traffic from public sources. Public subnets are subnets associated with a route table that has a route to an internet gateway.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Network Security",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "vpc_subnet_no_public_ip_by_default",
+        "vpc_subnet_separate_private_public",
+        "vpc_endpoint_connections_trust_boundaries",
+        "vpc_endpoint_services_allowed_principals_trust_boundaries",
+        "workspaces_vpc_2private_1public_subnets_nat"
+      ]
+    },
+    {
+      "Id": "BAR-001",
+      "Name": "Configure automatic data backups",
+      "Description": "You must perform regular backups to a durable storage service. Backups ensure that you have the ability to recover from administrative, logical, or physical error scenarios. Configure backups to be taken automatically based on a periodic schedule, or by changes in the dataset. RDS instances, EBS volumes, DynamoDB tables, and S3 objects can all be configured for automatic backup. AWS Backup, AWS Marketplace solutions or third-party solutions can also be used. If objects in S3 bucket are write-once-read-many (WORM), compensating controls such as object lock can be used meet this requirement. If it is customers’ responsibility to backup their data, it must be clearly stated in the documentation and the Partner must provide clear instructions on how to backup the data.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Backups and recovery",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "backup_plans_exist",
+        "backup_reportplans_exist",
+        "backup_vaults_encrypted",
+        "backup_vaults_exist",
+        "efs_have_backup_enabled",
+        "rds_instance_backup_enabled"
+      ]
+    },
+    {
+      "Id": "BAR-002",
+      "Name": "Periodically recover data to verify the integrity of your backup process",
+      "Description": "To confirm that your backup process meets your recovery time objectives (RTO) and recovery point objectives (RPO), run a recovery test on a regular schedule and after making significant changes to your cloud environment. For more information, refer to Getting Started - Backup and Restore with AWS.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Backups and recovery",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "RES-001",
+      "Name": "Define a Recovery Point Objective (RPO)",
+      "Description": "To confirm that your backup process meets your recovery time objectives (RTO) and recovery point objectives (RPO), run a recovery test on a regular schedule and after making significant changes to your cloud environment. For more information, refer to Getting Started - Backup and Restore with AWS.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Resiliency",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "RES-002",
+      "Name": "Establish a Recovery Time Objective (RTO)",
+      "Description": "Define an RTO that meets your organization’s needs and expectations. RTO is the maximum acceptable delay your organization will accept between the interruption and restoration of service.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Resiliency",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "RES-004",
+      "Name": "Resiliency Testing",
+      "Description": "Test resiliency to ensure that RTO and RPO are met, both periodically (minimum every 12 months) and after major updates. The resiliency test must include accidental data loss, instance failures, and Availability Zone (AZ) failures. At least one resilience test that meets RTO and RPO requirements must be completed prior to FTR approval. You can use AWS Resilience Hub to test and verify your workloads to see if it meets its resilience target. AWS Resilience Hub works with AWS Fault Injection Service (AWS FIS) , a chaos engineering service, to provide fault-injection simulations of real-world failures to validate the application recovers within the resilience targets you defined. AWS Resilience Hub also provides API operations for you to integrate its resilience assessment and testing into your CI/CD pipelines for ongoing resilience validation. Including resilience validation in CI/CD pipelines helps make sure that changes to the workload’s underlying infrastructure don't compromise resilience.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Resiliency",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "RES-005",
+      "Name": "Communicate customer responsibilities for resilience",
+      "Description": "Clearly define your customers’ responsibility for backup, recovery, and availability. At a minimum, your product documentation or customer agreements should cover the following: Responsibility the customer has for backing up the data stored in your solution. Instructions for backing up data or configuring optional features in your product for data protection, if applicable. Options customers have for configuring the availability of your product.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Resiliency",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "RES-006",
+      "Name": "Architect your product to meet availability targets and uptime service level agreements (SLAs)",
+      "Description": "If you publish or privately agree to availability targets or uptime SLAs, ensure that your architecture and operational processes are designed to support them. Additionally, provide clear guidance to customers on any configuration required to achieve the targets or SLAs.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Resiliency",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "RES-007",
+      "Name": "Define a customer communication plan for outages",
+      "Description": "Establish a plan for communicating information about system outages to your customers both during and after incidents. Your communication should not include any data that was provided by AWS under a non-disclosure agreement (NDA).",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Resiliency",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "S3-001",
+      "Name": "Review all Amazon S3 buckets to determine appropriate access levels",
+      "Description": "You must ensure that buckets that require public access have been reviewed to determine if public read or write access is needed and if appropriate controls are in place to control public access. When assigning access permissions, follow the principle of least privilege, an AWS best practice. For more information, refer to overview of managing access.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Amazon S3 bucket access",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "s3_bucket_acl_prohibited",
+        "s3_bucket_default_encryption",
+        "s3_bucket_kms_encryption",
+        "s3_bucket_level_public_access_block",
+        "s3_bucket_object_lock",
+        "s3_bucket_policy_public_write_access",
+        "s3_bucket_public_access",
+        "s3_bucket_public_list_acl",
+        "s3_bucket_public_write_acl",
+        "s3_bucket_secure_transport_policy",
+        "s3_bucket_server_access_logging_enabled"
+      ]
+    },
+    {
+      "Id": "CAA-001",
+      "Name": "Use cross-account roles to access customer AWS accounts",
+      "Description": "Cross-account roles reduce the amount of sensitive information AWS Partners need to store for their customers.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Cross-account access",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "CAA-007",
+      "Name": "Provide guidance or an automated setup mechanism (for example, an AWS CloudFormation template) for creating cross-account roles with the minimum required privileges",
+      "Description": "The policy created for cross-account access in customer accounts must follow the principle of least privilege. The AWS Partner must provide a role-policy document or an automated setup mechanism (for example, an AWS CloudFormation template) for the customers to use to ensure that the roles are created with minimum required privileges. For more information, refer to the AWS Partner Network (APN) blog posts.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Cross-account access",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "CAA-002",
+      "Name": "Use an external ID with cross-account roles to access customer accounts",
+      "Description": "An external ID allows the user that is assuming the role to assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances. The primary function of the external ID is to address and prevent the confused deputy problem.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Cross-account access",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "CAA-004",
+      "Name": "Use a value you generate (not something provided by the customer) for the external ID",
+      "Description": "When configuring cross-account access using IAM roles, you must use a value you generate for the external ID, instead of one provided by the customer, to ensure the integrity of the cross-account role configuration. A partner-generated external ID ensures that malicious parties cannot impersonate a customer's configuration and enforces uniqueness and format consistency across all customers. If you are not generating an external ID today we recommend implementing a process that generates a random unique value (such as a Universally Unique Identifier) for the external ID that a customer uses to set up a cross-account role.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Cross-account access",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "CAA-005",
+      "Name": "Ensure that all external IDs are unique.",
+      "Description": "The external IDs used must be unique across all customers. Re-using external IDs for different customers does not solve the confused deputy problem and runs the risk of customer A being able to view data of customer B by using the role ARN and the external ID of customer B. To resolve this, we recommend implementing a process that ensures a random unique value, such as a Universally Unique Identifier, is generated for the external ID that a customer would use to setup a cross account role.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Cross-account access",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "CAA-006",
+      "Name": "Provide read-only access to external ID to customers",
+      "Description": "Customers must not be able to set or influence external IDs. When the external ID is editable, it is possible for one customer to impersonate the configuration of another. For example, when the external ID is editable, customer A can create a cross account role setup using customer B’s role ARN and external ID, granting customer A access to customer B’s data. Remediation of this item involves making the external ID a view-only field, ensuring that the external ID cannot be changed to impersonate the setup of another customer.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Cross-account access",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "CAA-003",
+      "Name": "Deprecate any historical use of customer-provided IAM credentials",
+      "Description": "If your application provides legacy support for the use of static IAM credentials for cross-account access, the application's user interface and customer documentation must make it clear that this method is deprecated. Existing customers should be encouraged to switch to cross-account role based-access, and collection of credentials should be disabled for new customers.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Cross-account access",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "SDAT-001",
+      "Name": "Identify sensitive data (for example, Personally Identifiable Information (PII) and Protected Health Information (PHI))",
+      "Description": "Data classification enables you to determine which data needs to be protected and how. Based on the workload and the data it processes, identify the data that is not common public knowledge.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Sensitive data",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "SDAT-002",
+      "Name": "Encrypt all sensitive data at rest",
+      "Description": "Encryption maintains the confidentiality of sensitive data even when it gets stolen or the network through which it is transmitted becomes compromised.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Sensitive data",
+          "Type": "Automated"
+        }
+      ],
+      "Checks": [
+        "sns_topics_kms_encryption_at_rest_enabled",
+        "athena_workgroup_encryption",
+        "cloudtrail_kms_encryption_enabled",
+        "dynamodb_accelerator_cluster_encryption_enabled",
+        "dynamodb_tables_kms_cmk_encryption_enabled",
+        "efs_encryption_at_rest_enabled",
+        "opensearch_service_domains_encryption_at_rest_enabled"
+      ]
+    },
+    {
+      "Id": "SDAT-003",
+      "Name": "Only use protocols with encryption when transmitting sensitive data outside of your VPC",
+      "Description": "Encryption maintains data confidentiality even when the network through which it is transmitted becomes compromised.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Sensitive data",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    },
+    {
+      "Id": "RCVP-001",
+      "Name": "Establish a process to ensure that all required compliance standards are met",
+      "Description": "If you advertise that your product meets specific compliance standards, you must have an internal process for ensuring compliance. Examples of compliance standards include Payment Card Industry Data Security Standard (PCI DSS) PCI DSS, Federal Risk and Authorization Management Program (FedRAMP)FedRAMP, and U.S. Health Insurance Portability and Accountability Act (HIPAA)HIPAA. Applicable compliance standards are determined by various factors, such as what types of data the solution stores or transmits and which geographic regions the solution supports.",
+      "Attributes": [
+        {
+          "Section": "Architectural and Operational Controls",
+          "Subsection": "Regulatory compliance validation process",
+          "Type": "Manual"
+        }
+      ],
+      "Checks": []
+    }
+  ]
+}

prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json

@@ -719,7 +719,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",

prowler/compliance/aws/cis_1.4_aws.json

@@ -1168,7 +1168,7 @@
       "Id": "5.2",
       "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],

prowler/compliance/aws/cis_1.5_aws.json

@@ -1252,7 +1252,7 @@
       "Id": "5.2",
       "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],
@@ -1275,7 +1275,7 @@
       "Id": "5.3",
       "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],

prowler/compliance/aws/cis_2.0_aws.json

@@ -468,27 +468,6 @@
     },
     {
       "Id": "2.1.1",
-      "Description": "Ensure all S3 buckets employ encryption-at-rest",
-      "Checks": [
-        "s3_bucket_default_encryption"
-      ],
-      "Attributes": [
-        {
-          "Section": "2.1. Simple Storage Service (S3)",
-          "Profile": "Level 2",
-          "AssessmentStatus": "Automated",
-          "Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
-          "RationaleStatement": "Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.",
-          "ImpactStatement": "Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.",
-          "RemediationProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Click edit on `Default Encryption`. 5. Select either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 6. Click `Save` 7. Repeat for all the buckets in your AWS account lacking encryption.  **From Command Line:**  Run either  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}' ```  or  ``` aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}' ```  **Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.",
-          "AuditProcedure": "**From Console:**  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/  2. Select a Bucket. 3. Click on 'Properties'. 4. Verify that `Default Encryption` is enabled, and displays either `AES-256`, `AWS-KMS`, `SSE-KMS` or `SSE-S3`. 5. Repeat for all the buckets in your AWS account.  **From Command Line:**  1. Run command to list buckets ``` aws s3 ls ``` 2. For each bucket, run  ``` aws s3api get-bucket-encryption --bucket <bucket name> ``` 3. Verify that either  ``` \"SSEAlgorithm\": \"AES256\" ```  or  ``` \"SSEAlgorithm\": \"aws:kms\"```  is displayed.",
-          "AdditionalInformation": "S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does **not** encrypt objects previously stored within the bucket.",
-          "References": "https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html:https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources"
-        }
-      ]
-    },
-    {
-      "Id": "2.1.2",
       "Description": "Ensure S3 Bucket Policy is set to deny HTTP requests",
       "Checks": [
         "s3_bucket_secure_transport_policy"
@@ -509,7 +488,7 @@
       ]
     },
     {
-      "Id": "2.1.3",
+      "Id": "2.1.2",
       "Description": "Ensure MFA Delete is enabled on S3 buckets",
       "Checks": [
         "s3_bucket_no_mfa_delete"
@@ -530,7 +509,7 @@
       ]
     },
     {
-      "Id": "2.1.4",
+      "Id": "2.1.3",
       "Description": "Ensure all data in Amazon S3 has been discovered, classified and secured when required.",
       "Checks": [
         "macie_is_enabled"
@@ -551,7 +530,7 @@
       ]
     },
     {
-      "Id": "2.1.5",
+      "Id": "2.1.4",
       "Description": "Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'",
       "Checks": [
         "s3_bucket_level_public_access_block",
@@ -1271,7 +1250,7 @@
       "Id": "5.2",
       "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],
@@ -1294,7 +1273,7 @@
       "Id": "5.3",
       "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],

prowler/compliance/aws/cisa_aws.json

@@ -134,7 +134,7 @@
         "vpc_endpoint_connections_trust_boundaries",
         "ec2_securitygroup_default_restrict_traffic",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
       ]
     },
     {
@@ -297,7 +297,7 @@
         "vpc_flow_logs_enabled",
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
       ]
     },
     {

prowler/compliance/aws/mitre_attack_aws.json

@@ -29,7 +29,8 @@
         "securityhub_enabled",
         "elbv2_waf_acl_attached",
         "guardduty_is_enabled",
-        "inspector2_findings_exist",
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist",
         "awslambda_function_not_publicly_accessible",
         "ec2_instance_public_ip"
       ],
@@ -105,7 +106,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -576,7 +577,8 @@
         "config_recorder_all_regions_enabled",
         "securityhub_enabled",
         "guardduty_is_enabled",
-        "inspector2_findings_exist"
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
       ],
       "Attributes": [
         {
@@ -737,7 +739,8 @@
         "iam_user_hardware_mfa_enabled",
         "iam_user_mfa_enabled_console_access",
         "securityhub_enabled",
-        "inspector2_findings_exist"
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
       ],
       "Attributes": [
         {
@@ -1019,7 +1022,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1465,7 +1468,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1645,7 +1648,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1892,11 +1895,12 @@
         "networkfirewall_in_all_vpc",
         "elbv2_waf_acl_attached",
         "guardduty_is_enabled",
-        "inspector2_findings_exist",
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist",
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",

prowler/compliance/aws/soc2_aws.json

@@ -13,7 +13,7 @@
           "ItemId": "cc_1_1",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -27,7 +27,7 @@
           "ItemId": "cc_1_2",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -41,7 +41,7 @@
           "ItemId": "cc_1_3",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -62,7 +62,7 @@
           "ItemId": "cc_1_4",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -76,7 +76,7 @@
           "ItemId": "cc_1_5",
           "Section": "CC1.0 - Common Criteria Related to Control Environment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -90,7 +90,7 @@
           "ItemId": "cc_2_1",
           "Section": "CC2.0 - Common Criteria Related to Communication and Information",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -109,7 +109,7 @@
           "ItemId": "cc_2_2",
           "Section": "CC2.0 - Common Criteria Related to Communication and Information",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -123,7 +123,7 @@
           "ItemId": "cc_2_3",
           "Section": "CC2.0 - Common Criteria Related to Communication and Information",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -137,7 +137,7 @@
           "ItemId": "cc_3_1",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -155,7 +155,7 @@
           "ItemId": "cc_3_2",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -175,7 +175,7 @@
           "ItemId": "cc_3_3",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -189,7 +189,7 @@
           "ItemId": "cc_3_4",
           "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
           "Service": "config",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -205,7 +205,7 @@
           "ItemId": "cc_4_1",
           "Section": "CC4.0 - Monitoring Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -219,7 +219,7 @@
           "ItemId": "cc_4_2",
           "Section": "CC4.0 - Monitoring Activities",
           "Service": "guardduty",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -236,7 +236,7 @@
           "ItemId": "cc_5_1",
           "Section": "CC5.0 - Control Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -250,7 +250,7 @@
           "ItemId": "cc_5_2",
           "Section": "CC5.0 - Control Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -264,7 +264,7 @@
           "ItemId": "cc_5_3",
           "Section": "CC5.0 - Control Activities",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -278,7 +278,7 @@
           "ItemId": "cc_6_1",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "s3",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -294,7 +294,7 @@
           "ItemId": "cc_6_2",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "rds",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -310,7 +310,7 @@
           "ItemId": "cc_6_3",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "iam",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -328,7 +328,7 @@
           "ItemId": "cc_6_4",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -342,7 +342,7 @@
           "ItemId": "cc_6_5",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -356,7 +356,7 @@
           "ItemId": "cc_6_6",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "ec2",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -372,7 +372,7 @@
           "ItemId": "cc_6_7",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "acm",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -388,7 +388,7 @@
           "ItemId": "cc_6_8",
           "Section": "CC6.0 - Logical and Physical Access",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -405,7 +405,7 @@
           "ItemId": "cc_7_1",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -424,7 +424,7 @@
           "ItemId": "cc_7_2",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -460,7 +460,7 @@
           "ItemId": "cc_7_3",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -492,7 +492,7 @@
           "ItemId": "cc_7_4",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -523,7 +523,7 @@
           "ItemId": "cc_7_5",
           "Section": "CC7.0 - System Operations",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -537,7 +537,7 @@
           "ItemId": "cc_8_1",
           "Section": "CC8.0 - Change Management",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -553,7 +553,7 @@
           "ItemId": "cc_9_1",
           "Section": "CC9.0 - Risk Mitigation",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -567,7 +567,7 @@
           "ItemId": "cc_9_2",
           "Section": "CC9.0 - Risk Mitigation",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -581,7 +581,7 @@
           "ItemId": "cc_a_1_1",
           "Section": "CCA1.0 - Additional Criterial for Availability",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -595,7 +595,7 @@
           "ItemId": "cc_a_1_2",
           "Section": "CCA1.0 - Additional Criterial for Availability",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -626,7 +626,7 @@
           "ItemId": "cc_a_1_3",
           "Section": "CCA1.0 - Additional Criterial for Availability",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -640,7 +640,7 @@
           "ItemId": "cc_c_1_1",
           "Section": "CCC1.0 - Additional Criterial for Confidentiality",
           "Service": "aws",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -656,7 +656,7 @@
           "ItemId": "cc_c_1_2",
           "Section": "CCC1.0 - Additional Criterial for Confidentiality",
           "Service": "s3",
-          "Soc_Type": "automated"
+          "Type": "automated"
         }
       ],
       "Checks": [
@@ -672,7 +672,7 @@
           "ItemId": "p_1_1",
           "Section": "P1.0 - Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -686,7 +686,7 @@
           "ItemId": "p_2_1",
           "Section": "P2.0 - Privacy Criteria Related to Choice and Consent",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -700,7 +700,7 @@
           "ItemId": "p_3_1",
           "Section": "P3.0 - Privacy Criteria Related to Collection",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -714,7 +714,7 @@
           "ItemId": "p_3_2",
           "Section": "P3.0 - Privacy Criteria Related to Collection",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -728,7 +728,7 @@
           "ItemId": "p_4_1",
           "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -742,7 +742,7 @@
           "ItemId": "p_4_2",
           "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -756,7 +756,7 @@
           "ItemId": "p_4_3",
           "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -770,7 +770,7 @@
           "ItemId": "p_5_1",
           "Section": "P5.0 - Privacy Criteria Related to Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -784,7 +784,7 @@
           "ItemId": "p_5_2",
           "Section": "P5.0 - Privacy Criteria Related to Access",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -798,7 +798,7 @@
           "ItemId": "p_6_1",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -812,7 +812,7 @@
           "ItemId": "p_6_2",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -826,7 +826,7 @@
           "ItemId": "p_6_3",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -840,7 +840,7 @@
           "ItemId": "p_6_4",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -854,7 +854,7 @@
           "ItemId": "p_6_5",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -868,7 +868,7 @@
           "ItemId": "p_6_6",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -882,7 +882,7 @@
           "ItemId": "p_6_7",
           "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -896,7 +896,7 @@
           "ItemId": "p_7_1",
           "Section": "P7.0 - Privacy Criteria Related to Quality",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []
@@ -910,7 +910,7 @@
           "ItemId": "p_8_1",
           "Section": "P8.0 - Privacy Criteria Related to Monitoring and Enforcement",
           "Service": "aws",
-          "Soc_Type": "manual"
+          "Type": "manual"
         }
       ],
       "Checks": []

prowler/config/aws_allowlist.yaml

@@ -38,6 +38,9 @@ Allowlist:
             - "aws-controltower-ReadOnlyExecutionRole"
             - "AWSControlTower_VPCFlowLogsRole"
             - "AWSControlTowerExecution"
+            - "AWSAFTAdmin"
+            - "AWSAFTExecution"
+            - "AWSAFTService"
         "iam_policy_*":
           Regions:
             - "*"

prowler/config/config.py

@@ -11,7 +11,7 @@ from prowler.lib.logger import logger
 
 timestamp = datetime.today()
 timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "3.12.0"
+prowler_version = "3.16.14"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 html_logo_img = "https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png"
 square_logo_img = "https://user-images.githubusercontent.com/38561120/235905862-9ece5bd7-9aa3-4e48-807a-3a9035eb8bfb.png"

prowler/config/config.yaml

@@ -52,18 +52,27 @@ aws:
   # aws.awslambda_function_using_supported_runtimes
   obsolete_lambda_runtimes:
     [
+      "java8",
+      "go1.x",
+      "provided",
       "python3.6",
       "python2.7",
+      "python3.7",
       "nodejs4.3",
       "nodejs4.3-edge",
       "nodejs6.10",
       "nodejs",
       "nodejs8.10",
       "nodejs10.x",
+      "nodejs12.x",
+      "nodejs14.x",
+      "dotnet5.0",
       "dotnetcore1.0",
       "dotnetcore2.0",
       "dotnetcore2.1",
+      "dotnetcore3.1",
       "ruby2.5",
+      "ruby2.7",
     ]
 
   # AWS Organizations
@@ -87,8 +96,31 @@ aws:
   # trustedadvisor_premium_support_plan_subscribed
   verify_premium_support_plans: True
 
+  # AWS RDS
+  # aws.rds_instance_backup_enabled
+  # Whether to check RDS instance replicas or not
+  check_rds_instance_replicas: False
+
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
+  # Azure Network Configuration
+  # azure.network_public_ip_shodan
+  shodan_api_key: null
+
+  # Azure App Service
+  # azure.app_ensure_php_version_is_latest
+  php_latest_version: "8.2"
+  # azure.app_ensure_python_version_is_latest
+  python_latest_version: "3.12"
+  # azure.app_ensure_java_version_is_latest
+  java_latest_version: "17"
 
 # GCP Configuration
 gcp:
+  # GCP Compute Configuration
+  # gcp.compute_public_address_shodan
+  shodan_api_key: null

prowler/lib/banner.py

@@ -4,7 +4,7 @@ from prowler.config.config import banner_color, orange_color, prowler_version, t
 
 
 def print_banner(args):
-    banner = f"""{banner_color}                         _
+    banner = rf"""{banner_color}                         _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |

prowler/lib/check/check.py

@@ -67,9 +67,9 @@ def bulk_load_compliance_frameworks(provider: str) -> dict:
                         # cis_v1.4_aws.json --> cis_v1.4_aws
                         compliance_framework_name = filename.split(".json")[0]
                         # Store the compliance info
-                        bulk_compliance_frameworks[
-                            compliance_framework_name
-                        ] = load_compliance_framework(file_path)
+                        bulk_compliance_frameworks[compliance_framework_name] = (
+                            load_compliance_framework(file_path)
+                        )
     except Exception as e:
         logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
 
@@ -217,7 +217,7 @@ def print_categories(categories: set):
     singular_string = f"\nThere is {Fore.YELLOW}{categories_num}{Style.RESET_ALL} available category.\n"
 
     message = plural_string if categories_num > 1 else singular_string
-    for category in categories:
+    for category in sorted(categories):
         print(f"- {category}")
 
     print(message)
@@ -246,7 +246,7 @@ def print_compliance_frameworks(
     singular_string = f"\nThere is {Fore.YELLOW}{frameworks_num}{Style.RESET_ALL} available Compliance Framework.\n"
     message = plural_string if frameworks_num > 1 else singular_string
 
-    for framework in bulk_compliance_frameworks.keys():
+    for framework in sorted(bulk_compliance_frameworks.keys()):
         print(f"- {framework}")
 
     print(message)

prowler/lib/check/checks_loader.py

@@ -32,19 +32,26 @@ def load_checks_to_execute(
 
         # First, loop over the bulk_checks_metadata to extract the needed subsets
         for check, metadata in bulk_checks_metadata.items():
-            # Aliases
-            for alias in metadata.CheckAliases:
-                check_aliases[alias] = check
+            try:
+                # Aliases
+                for alias in metadata.CheckAliases:
+                    if alias not in check_aliases:
+                        check_aliases[alias] = []
+                    check_aliases[alias].append(check)
 
-            # Severities
-            if metadata.Severity:
-                check_severities[metadata.Severity].append(check)
+                # Severities
+                if metadata.Severity:
+                    check_severities[metadata.Severity].append(check)
 
-            # Categories
-            for category in metadata.Categories:
-                if category not in check_categories:
-                    check_categories[category] = []
-                check_categories[category].append(check)
+                # Categories
+                for category in metadata.Categories:
+                    if category not in check_categories:
+                        check_categories[category] = []
+                    check_categories[category].append(check)
+            except Exception as error:
+                logger.error(
+                    f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+                )
 
         # Handle if there are checks passed using -c/--checks
         if check_list:
@@ -103,6 +110,7 @@ def load_checks_to_execute(
         logger.error(
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
         )
+        return checks_to_execute
 
 
 def update_checks_to_execute_with_aliases(
@@ -110,15 +118,20 @@ def update_checks_to_execute_with_aliases(
 ) -> set:
     """update_checks_to_execute_with_aliases returns the checks_to_execute updated using the check aliases."""
     # Verify if any input check is an alias of another check
-    for input_check in checks_to_execute:
-        if (
-            input_check in check_aliases
-            and check_aliases[input_check] not in checks_to_execute
-        ):
-            # Remove input check name and add the real one
-            checks_to_execute.remove(input_check)
-            checks_to_execute.add(check_aliases[input_check])
-            print(
-                f"\nUsing alias {Fore.YELLOW}{input_check}{Style.RESET_ALL} for check {Fore.YELLOW}{check_aliases[input_check]}{Style.RESET_ALL}...\n"
-            )
-    return checks_to_execute
+    try:
+        new_checks_to_execute = checks_to_execute.copy()
+        for input_check in checks_to_execute:
+            if input_check in check_aliases:
+                # Remove input check name and add the real one
+                new_checks_to_execute.remove(input_check)
+                for alias in check_aliases[input_check]:
+                    if alias not in new_checks_to_execute:
+                        new_checks_to_execute.add(alias)
+                        print(
+                            f"\nUsing alias {Fore.YELLOW}{input_check}{Style.RESET_ALL} for check {Fore.YELLOW}{alias}{Style.RESET_ALL}..."
+                        )
+        return new_checks_to_execute
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )

prowler/lib/check/compliance.py

@@ -34,6 +34,7 @@ def update_checks_metadata_with_compliance(
             # Save it into the check's metadata
             bulk_checks_metadata[check].Compliance = check_compliance
 
+        check_compliance = []
         # Add requirements of Manual Controls
         for framework in bulk_compliance_frameworks.values():
             for requirement in framework.Requirements:
@@ -53,14 +54,14 @@ def update_checks_metadata_with_compliance(
                     check_compliance.append(compliance)
             # Create metadata for Manual Control
             manual_check_metadata = {
-                "Provider": "aws",
+                "Provider": framework.Provider.lower(),
                 "CheckID": "manual_check",
                 "CheckTitle": "Manual Check",
                 "CheckType": [],
                 "ServiceName": "",
                 "SubServiceName": "",
                 "ResourceIdTemplate": "",
-                "Severity": "",
+                "Severity": "low",
                 "ResourceType": "",
                 "Description": "",
                 "Risk": "",
@@ -70,7 +71,6 @@ def update_checks_metadata_with_compliance(
                     "Recommendation": {"Text": "", "Url": ""},
                 },
                 "Categories": [],
-                "Tags": {},
                 "DependsOn": [],
                 "RelatedTo": [],
                 "Notes": "",

prowler/lib/check/compliance_models.py

@@ -46,18 +46,20 @@ class ENS_Requirement_Attribute(BaseModel):
     Tipo: ENS_Requirement_Attribute_Tipos
     Nivel: ENS_Requirement_Attribute_Nivel
     Dimensiones: list[ENS_Requirement_Attribute_Dimensiones]
+    ModoEjecucion: str
+    Dependencias: list[str]
 
 
 # Generic Compliance Requirement Attribute
 class Generic_Compliance_Requirement_Attribute(BaseModel):
     """Generic Compliance Requirement Attribute"""
 
-    ItemId: str
+    ItemId: Optional[str]
     Section: Optional[str]
     SubSection: Optional[str]
     SubGroup: Optional[str]
-    Service: str
-    Soc_Type: Optional[str]
+    Service: Optional[str]
+    Type: Optional[str]
 
 
 class CIS_Requirement_Attribute_Profile(str):
@@ -87,6 +89,7 @@ class CIS_Requirement_Attribute(BaseModel):
     RemediationProcedure: str
     AuditProcedure: str
     AdditionalInformation: str
+    DefaultValue: Optional[str]
     References: str
 
 
@@ -151,9 +154,9 @@ class Compliance_Requirement(BaseModel):
         Union[
             CIS_Requirement_Attribute,
             ENS_Requirement_Attribute,
-            Generic_Compliance_Requirement_Attribute,
             ISO27001_2013_Requirement_Attribute,
             AWS_Well_Architected_Requirement_Attribute,
+            Generic_Compliance_Requirement_Attribute,
         ]
     ]
     Checks: list[str]

prowler/lib/check/models.py

@@ -1,10 +1,12 @@
 import os
+import re
 import sys
 from abc import ABC, abstractmethod
 from dataclasses import dataclass
 
-from pydantic import BaseModel, ValidationError
+from pydantic import BaseModel, ValidationError, validator
 
+from prowler.config.config import valid_severities
 from prowler.lib.logger import logger
 
 
@@ -56,6 +58,29 @@ class Check_Metadata_Model(BaseModel):
     # store the compliance later if supplied
     Compliance: list = None
 
+    @validator("Categories", each_item=True, pre=True, always=True)
+    def valid_category(value):
+        if not isinstance(value, str):
+            raise ValueError("Categories must be a list of strings")
+        value_lower = value.lower()
+        if not re.match("^[a-z-]+$", value_lower):
+            raise ValueError(
+                f"Invalid category: {value}. Categories can only contain lowercase letters and hyphen '-'"
+            )
+        return value_lower
+
+    @validator("Severity", pre=True, always=True)
+    def severity_to_lower(severity):
+        return severity.lower()
+
+    @validator("Severity")
+    def valid_severity(severity):
+        if severity not in valid_severities:
+            raise ValueError(
+                f"Invalid severity: {severity}. Severity must be one of {', '.join(valid_severities)}"
+            )
+        return severity
+
 
 class Check(ABC, Check_Metadata_Model):
     """Prowler Check"""

prowler/lib/outputs/compliance.py

@@ -11,6 +11,7 @@ from prowler.lib.outputs.models import (
     Check_Output_CSV_AWS_CIS,
     Check_Output_CSV_AWS_ISO27001_2013,
     Check_Output_CSV_AWS_Well_Architected,
+    Check_Output_CSV_AZURE_CIS,
     Check_Output_CSV_ENS_RD2022,
     Check_Output_CSV_GCP_CIS,
     Check_Output_CSV_Generic_Compliance,
@@ -35,6 +36,7 @@ def add_manual_controls(output_options, audit_info, file_descriptors):
             manual_finding.region = ""
             manual_finding.location = ""
             manual_finding.project_id = ""
+            manual_finding.subscription = ""
             fill_compliance(
                 output_options, manual_finding, audit_info, file_descriptors
             )
@@ -82,6 +84,10 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                             Requirements_Attributes_Dimensiones=",".join(
                                 attribute.Dimensiones
                             ),
+                            Requirements_Attributes_ModoEjecucion=attribute.ModoEjecucion,
+                            Requirements_Attributes_Dependencias=",".join(
+                                attribute.Dependencias
+                            ),
                             Status=finding.status,
                             StatusExtended=finding.status_extended,
                             ResourceId=finding.resource_id,
@@ -161,7 +167,36 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                 csv_header = generate_csv_fields(
                                     Check_Output_CSV_GCP_CIS
                                 )
-
+                            elif compliance.Provider == "Azure":
+                                compliance_row = Check_Output_CSV_AZURE_CIS(
+                                    Provider=finding.check_metadata.Provider,
+                                    Description=compliance.Description,
+                                    Subscription=finding.subscription,
+                                    AssessmentDate=outputs_unix_timestamp(
+                                        output_options.unix_timestamp, timestamp
+                                    ),
+                                    Requirements_Id=requirement_id,
+                                    Requirements_Description=requirement_description,
+                                    Requirements_Attributes_Section=attribute.Section,
+                                    Requirements_Attributes_Profile=attribute.Profile,
+                                    Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
+                                    Requirements_Attributes_Description=attribute.Description,
+                                    Requirements_Attributes_RationaleStatement=attribute.RationaleStatement,
+                                    Requirements_Attributes_ImpactStatement=attribute.ImpactStatement,
+                                    Requirements_Attributes_RemediationProcedure=attribute.RemediationProcedure,
+                                    Requirements_Attributes_AuditProcedure=attribute.AuditProcedure,
+                                    Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
+                                    Requirements_Attributes_DefaultValue=attribute.DefaultValue,
+                                    Requirements_Attributes_References=attribute.References,
+                                    Status=finding.status,
+                                    StatusExtended=finding.status_extended,
+                                    ResourceId=finding.resource_id,
+                                    ResourceName=finding.resource_name,
+                                    CheckId=finding.check_metadata.CheckID,
+                                )
+                                csv_header = generate_csv_fields(
+                                    Check_Output_CSV_AZURE_CIS
+                                )
             elif (
                 "AWS-Well-Architected-Framework" in compliance.Framework
                 and compliance.Provider == "AWS"
@@ -269,11 +304,19 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                         attributes_categories = ""
                         attributes_values = ""
                         attributes_comments = ""
-                        for attribute in requirement.Attributes:
-                            attributes_aws_services += attribute.AWSService + "\n"
-                            attributes_categories += attribute.Category + "\n"
-                            attributes_values += attribute.Value + "\n"
-                            attributes_comments += attribute.Comment + "\n"
+                        attributes_aws_services = ", ".join(
+                            attribute.AWSService for attribute in requirement.Attributes
+                        )
+                        attributes_categories = ", ".join(
+                            attribute.Category for attribute in requirement.Attributes
+                        )
+                        attributes_values = ", ".join(
+                            attribute.Value for attribute in requirement.Attributes
+                        )
+                        attributes_comments = ", ".join(
+                            attribute.Comment for attribute in requirement.Attributes
+                        )
+
                         compliance_row = Check_Output_MITRE_ATTACK(
                             Provider=finding.check_metadata.Provider,
                             Description=compliance.Description,
@@ -330,7 +373,7 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                 Requirements_Attributes_SubSection=attribute.SubSection,
                                 Requirements_Attributes_SubGroup=attribute.SubGroup,
                                 Requirements_Attributes_Service=attribute.Service,
-                                Requirements_Attributes_Soc_Type=attribute.Soc_Type,
+                                Requirements_Attributes_Type=attribute.Type,
                                 Status=finding.status,
                                 StatusExtended=finding.status_extended,
                                 ResourceId=finding.resource_id,
@@ -444,8 +487,8 @@ def display_compliance_table(
                 )
                 overview_table = [
                     [
-                        f"{Fore.RED}{round(fail_count/(fail_count+pass_count)*100, 2)}% ({fail_count}) NO CUMPLE{Style.RESET_ALL}",
-                        f"{Fore.GREEN}{round(pass_count/(fail_count+pass_count)*100, 2)}% ({pass_count}) CUMPLE{Style.RESET_ALL}",
+                        f"{Fore.RED}{round(fail_count / (fail_count + pass_count) * 100, 2)}% ({fail_count}) NO CUMPLE{Style.RESET_ALL}",
+                        f"{Fore.GREEN}{round(pass_count / (fail_count + pass_count) * 100, 2)}% ({pass_count}) CUMPLE{Style.RESET_ALL}",
                     ]
                 ]
                 print(tabulate(overview_table, tablefmt="rounded_grid"))
@@ -539,8 +582,8 @@ def display_compliance_table(
                 )
                 overview_table = [
                     [
-                        f"{Fore.RED}{round(fail_count/(fail_count+pass_count)*100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
-                        f"{Fore.GREEN}{round(pass_count/(fail_count+pass_count)*100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
+                        f"{Fore.RED}{round(fail_count / (fail_count + pass_count) * 100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
+                        f"{Fore.GREEN}{round(pass_count / (fail_count + pass_count) * 100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
                     ]
                 ]
                 print(tabulate(overview_table, tablefmt="rounded_grid"))
@@ -610,8 +653,8 @@ def display_compliance_table(
                 )
                 overview_table = [
                     [
-                        f"{Fore.RED}{round(fail_count/(fail_count+pass_count)*100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
-                        f"{Fore.GREEN}{round(pass_count/(fail_count+pass_count)*100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
+                        f"{Fore.RED}{round(fail_count / (fail_count + pass_count) * 100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}",
+                        f"{Fore.GREEN}{round(pass_count / (fail_count + pass_count) * 100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}",
                     ]
                 ]
                 print(tabulate(overview_table, tablefmt="rounded_grid"))

prowler/lib/outputs/file_descriptors.py

@@ -15,6 +15,7 @@ from prowler.lib.outputs.models import (
     Check_Output_CSV_AWS_CIS,
     Check_Output_CSV_AWS_ISO27001_2013,
     Check_Output_CSV_AWS_Well_Architected,
+    Check_Output_CSV_AZURE_CIS,
     Check_Output_CSV_ENS_RD2022,
     Check_Output_CSV_GCP_CIS,
     Check_Output_CSV_Generic_Compliance,
@@ -23,6 +24,7 @@ from prowler.lib.outputs.models import (
 )
 from prowler.lib.utils.utils import file_exists, open_file
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.azure.lib.audit_info.models import Azure_Audit_Info
 from prowler.providers.common.outputs import get_provider_output_model
 from prowler.providers.gcp.lib.audit_info.models import GCP_Audit_Info
 
@@ -107,13 +109,22 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
                     file_descriptors.update({output_mode: file_descriptor})
 
                 elif isinstance(audit_info, GCP_Audit_Info):
-                    if output_mode == "cis_2.0_gcp":
-                        filename = f"{output_directory}/{output_filename}_cis_2.0_gcp{csv_file_suffix}"
+                    filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
+                    if "cis_" in output_mode:
                         file_descriptor = initialize_file_descriptor(
                             filename, output_mode, audit_info, Check_Output_CSV_GCP_CIS
                         )
                         file_descriptors.update({output_mode: file_descriptor})
-
+                elif isinstance(audit_info, Azure_Audit_Info):
+                    filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
+                    if "cis_" in output_mode:
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_AZURE_CIS,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
                 elif isinstance(audit_info, AWS_Audit_Info):
                     if output_mode == "json-asff":
                         filename = f"{output_directory}/{output_filename}{json_asff_file_suffix}"
@@ -121,87 +132,62 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
                             filename, output_mode, audit_info
                         )
                         file_descriptors.update({output_mode: file_descriptor})
-
-                    elif output_mode == "ens_rd2022_aws":
-                        filename = f"{output_directory}/{output_filename}_ens_rd2022_aws{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename,
-                            output_mode,
-                            audit_info,
-                            Check_Output_CSV_ENS_RD2022,
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
-
-                    elif output_mode == "cis_1.5_aws":
-                        filename = f"{output_directory}/{output_filename}_cis_1.5_aws{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename, output_mode, audit_info, Check_Output_CSV_AWS_CIS
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
-
-                    elif output_mode == "cis_1.4_aws":
-                        filename = f"{output_directory}/{output_filename}_cis_1.4_aws{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename, output_mode, audit_info, Check_Output_CSV_AWS_CIS
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
-
-                    elif (
-                        output_mode
-                        == "aws_well_architected_framework_security_pillar_aws"
-                    ):
-                        filename = f"{output_directory}/{output_filename}_aws_well_architected_framework_security_pillar_aws{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename,
-                            output_mode,
-                            audit_info,
-                            Check_Output_CSV_AWS_Well_Architected,
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
-
-                    elif (
-                        output_mode
-                        == "aws_well_architected_framework_reliability_pillar_aws"
-                    ):
-                        filename = f"{output_directory}/{output_filename}_aws_well_architected_framework_reliability_pillar_aws{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename,
-                            output_mode,
-                            audit_info,
-                            Check_Output_CSV_AWS_Well_Architected,
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
-
-                    elif output_mode == "iso27001_2013_aws":
-                        filename = f"{output_directory}/{output_filename}_iso27001_2013_aws{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename,
-                            output_mode,
-                            audit_info,
-                            Check_Output_CSV_AWS_ISO27001_2013,
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
-
-                    elif output_mode == "mitre_attack_aws":
-                        filename = f"{output_directory}/{output_filename}_mitre_attack_aws{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename,
-                            output_mode,
-                            audit_info,
-                            Check_Output_MITRE_ATTACK,
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
-
-                    else:
-                        # Generic Compliance framework
+                    else:  # Compliance frameworks
                         filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
-                        file_descriptor = initialize_file_descriptor(
-                            filename,
-                            output_mode,
-                            audit_info,
-                            Check_Output_CSV_Generic_Compliance,
-                        )
-                        file_descriptors.update({output_mode: file_descriptor})
+                        if output_mode == "ens_rd2022_aws":
+                            file_descriptor = initialize_file_descriptor(
+                                filename,
+                                output_mode,
+                                audit_info,
+                                Check_Output_CSV_ENS_RD2022,
+                            )
+                            file_descriptors.update({output_mode: file_descriptor})
+
+                        elif "cis_" in output_mode:
+                            file_descriptor = initialize_file_descriptor(
+                                filename,
+                                output_mode,
+                                audit_info,
+                                Check_Output_CSV_AWS_CIS,
+                            )
+                            file_descriptors.update({output_mode: file_descriptor})
+
+                        elif "aws_well_architected_framework" in output_mode:
+                            file_descriptor = initialize_file_descriptor(
+                                filename,
+                                output_mode,
+                                audit_info,
+                                Check_Output_CSV_AWS_Well_Architected,
+                            )
+                            file_descriptors.update({output_mode: file_descriptor})
+
+                        elif output_mode == "iso27001_2013_aws":
+                            file_descriptor = initialize_file_descriptor(
+                                filename,
+                                output_mode,
+                                audit_info,
+                                Check_Output_CSV_AWS_ISO27001_2013,
+                            )
+                            file_descriptors.update({output_mode: file_descriptor})
+
+                        elif output_mode == "mitre_attack_aws":
+                            file_descriptor = initialize_file_descriptor(
+                                filename,
+                                output_mode,
+                                audit_info,
+                                Check_Output_MITRE_ATTACK,
+                            )
+                            file_descriptors.update({output_mode: file_descriptor})
+
+                        else:
+                            # Generic Compliance framework
+                            file_descriptor = initialize_file_descriptor(
+                                filename,
+                                output_mode,
+                                audit_info,
+                                Check_Output_CSV_Generic_Compliance,
+                            )
+                            file_descriptors.update({output_mode: file_descriptor})
 
     except Exception as error:
         logger.error(

prowler/lib/outputs/html.py

@@ -1,3 +1,4 @@
+import html
 import importlib
 import sys
 from os import path
@@ -30,9 +31,9 @@ def add_html_header(file_descriptor, audit_info):
         <!DOCTYPE html>
     <html lang="en">
     <head>
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
     <!-- Required meta tags -->
-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
     <style>
         .read-more {
             color: #00f;
@@ -48,7 +49,7 @@ def add_html_header(file_descriptor, audit_info):
     </style>
     <!-- Bootstrap CSS -->
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
-        integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous">
+        integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous" />
     <!-- https://datatables.net/download/index with jQuery, DataTables, Buttons, SearchPanes, and Select //-->
     <link rel="stylesheet" type="text/css"
         href="https://cdn.datatables.net/v/dt/jqc-1.12.4/dt-1.10.25/b-1.7.1/sp-1.4.0/sl-1.3.3/datatables.min.css" />
@@ -78,13 +79,13 @@ def add_html_header(file_descriptor, audit_info):
     <div class="container-fluid">
         <div class="row mt-3">
         <div class="col-md-4">
-            <a href="""
+            <a href=\""""
             + html_logo_url
-            + """><img class="float-left card-img-left mt-4 mr-4 ml-4"
-                        src="""
+            + """\"><img class="float-left card-img-left mt-4 mr-4 ml-4"
+                        src=\""""
             + html_logo_img
-            + """
-                        alt="prowler-logo"></a>
+            + """\"
+                        alt="prowler-logo" /></a>
             <div class="card">
             <div class="card-header">
                 Report Information
@@ -182,13 +183,13 @@ def fill_html(file_descriptor, finding, output_options):
                     <td>{finding.check_metadata.Severity}</td>
                     <td>{finding.check_metadata.ServiceName}</td>
                     <td>{finding.location.lower() if isinstance(finding, Check_Report_GCP) else finding.region if isinstance(finding, Check_Report_AWS) else ""}</td>
-                    <td>{finding.check_metadata.CheckID.replace("_", "<wbr>_")}</td>
+                    <td>{finding.check_metadata.CheckID.replace("_", "<wbr />_")}</td>
                     <td>{finding.check_metadata.CheckTitle}</td>
-                    <td>{finding.resource_id.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr>_")}</td>
+                    <td>{finding.resource_id.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr />_")}</td>
                     <td>{parse_html_string(unroll_tags(finding.resource_tags))}</td>
-                    <td>{finding.status_extended.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr>_")}</td>
-                    <td><p class="show-read-more">{finding.check_metadata.Risk}</p></td>
-                    <td><p class="show-read-more">{finding.check_metadata.Remediation.Recommendation.Text}</p> <a class="read-more" href="{finding.check_metadata.Remediation.Recommendation.Url}"><i class="fas fa-external-link-alt"></i></a></td>
+                    <td>{finding.status_extended.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr />_")}</td>
+                    <td><p class="show-read-more">{html.escape(finding.check_metadata.Risk)}</p></td>
+                    <td><p class="show-read-more">{html.escape(finding.check_metadata.Remediation.Recommendation.Text)}</p> <a class="read-more" href="{finding.check_metadata.Remediation.Recommendation.Url}"><i class="fas fa-external-link-alt"></i></a></td>
                     <td><p class="show-read-more">{parse_html_string(unroll_dict(get_check_compliance(finding, finding.check_metadata.Provider, output_options)))}</p></td>
                 </tr>
                 """
@@ -247,8 +248,6 @@ def add_html_footer(output_filename, output_directory):
             </table>
         </div>
     </div>
-    </div>
-    </div>
     <!-- Table search and paginator -->
     <!-- Optional JavaScript -->
     <!-- jQuery first, then Popper.js, then Bootstrap JS -->

prowler/lib/outputs/json.py

@@ -51,9 +51,9 @@ def fill_json_asff(finding_output, audit_info, finding, output_options):
         finding_output.GeneratorId = "prowler-" + finding.check_metadata.CheckID
         finding_output.AwsAccountId = audit_info.audited_account
         finding_output.Types = finding.check_metadata.CheckType
-        finding_output.FirstObservedAt = (
-            finding_output.UpdatedAt
-        ) = finding_output.CreatedAt = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+        finding_output.FirstObservedAt = finding_output.UpdatedAt = (
+            finding_output.CreatedAt
+        ) = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
         finding_output.Severity = Severity(
             Label=finding.check_metadata.Severity.upper()
         )
@@ -100,7 +100,17 @@ def fill_json_asff(finding_output, audit_info, finding, output_options):
         if not finding.check_metadata.Remediation.Recommendation.Url:
             finding.check_metadata.Remediation.Recommendation.Url = "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
         finding_output.Remediation = {
-            "Recommendation": finding.check_metadata.Remediation.Recommendation
+            "Recommendation": {
+                "Text": (
+                    (
+                        finding.check_metadata.Remediation.Recommendation.Text[:509]
+                        + "..."
+                    )
+                    if len(finding.check_metadata.Remediation.Recommendation.Text) > 512
+                    else finding.check_metadata.Remediation.Recommendation.Text
+                ),
+                "Url": finding.check_metadata.Remediation.Recommendation.Url,
+            }
         }
 
         return finding_output

prowler/lib/outputs/models.py

@@ -24,7 +24,8 @@ def get_check_compliance(finding, provider, output_options):
                 compliance_fw = compliance.Framework
                 if compliance.Version:
                     compliance_fw = f"{compliance_fw}-{compliance.Version}"
-                if compliance.Provider == provider.upper():
+                # compliance.Provider == "Azure" or "GCP" or "AWS"
+                if compliance.Provider.upper() == provider.upper():
                     if compliance_fw not in check_compliance:
                         check_compliance[compliance_fw] = []
                     for requirement in compliance.Requirements:
@@ -55,9 +56,9 @@ def generate_provider_output_csv(
             data["resource_name"] = finding.resource_name
             data["subscription"] = finding.subscription
             data["tenant_domain"] = audit_info.identity.domain
-            data[
-                "finding_unique_id"
-            ] = f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.subscription}-{finding.resource_id}"
+            data["finding_unique_id"] = (
+                f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.subscription}-{finding.resource_id}"
+            )
             data["compliance"] = unroll_dict(
                 get_check_compliance(finding, provider, output_options)
             )
@@ -68,9 +69,9 @@ def generate_provider_output_csv(
             data["resource_name"] = finding.resource_name
             data["project_id"] = finding.project_id
             data["location"] = finding.location.lower()
-            data[
-                "finding_unique_id"
-            ] = f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.project_id}-{finding.resource_id}"
+            data["finding_unique_id"] = (
+                f"prowler-{provider}-{finding.check_metadata.CheckID}-{finding.project_id}-{finding.resource_id}"
+            )
             data["compliance"] = unroll_dict(
                 get_check_compliance(finding, provider, output_options)
             )
@@ -82,9 +83,9 @@ def generate_provider_output_csv(
             data["region"] = finding.region
             data["resource_id"] = finding.resource_id
             data["resource_arn"] = finding.resource_arn
-            data[
-                "finding_unique_id"
-            ] = f"prowler-{provider}-{finding.check_metadata.CheckID}-{audit_info.audited_account}-{finding.region}-{finding.resource_id}"
+            data["finding_unique_id"] = (
+                f"prowler-{provider}-{finding.check_metadata.CheckID}-{audit_info.audited_account}-{finding.region}-{finding.resource_id}"
+            )
             data["compliance"] = unroll_dict(
                 get_check_compliance(finding, provider, output_options)
             )
@@ -536,6 +537,8 @@ class Check_Output_CSV_ENS_RD2022(BaseModel):
     Requirements_Attributes_Nivel: str
     Requirements_Attributes_Tipo: str
     Requirements_Attributes_Dimensiones: str
+    Requirements_Attributes_ModoEjecucion: str
+    Requirements_Attributes_Dependencias: Optional[str]
     Status: str
     StatusExtended: str
     ResourceId: str
@@ -599,6 +602,35 @@ class Check_Output_CSV_GCP_CIS(BaseModel):
     CheckId: str
 
 
+class Check_Output_CSV_AZURE_CIS(BaseModel):
+    """
+    Check_Output_CSV_CIS generates a finding's output in CSV CIS format.
+    """
+
+    Provider: str
+    Description: str
+    Subscription: str
+    AssessmentDate: str
+    Requirements_Id: str
+    Requirements_Description: str
+    Requirements_Attributes_Section: str
+    Requirements_Attributes_Profile: str
+    Requirements_Attributes_AssessmentStatus: str
+    Requirements_Attributes_Description: str
+    Requirements_Attributes_RationaleStatement: str
+    Requirements_Attributes_ImpactStatement: str
+    Requirements_Attributes_RemediationProcedure: str
+    Requirements_Attributes_AuditProcedure: str
+    Requirements_Attributes_AdditionalInformation: str
+    Requirements_Attributes_DefaultValue: str
+    Requirements_Attributes_References: str
+    Status: str
+    StatusExtended: str
+    ResourceId: str
+    ResourceName: str
+    CheckId: str
+
+
 class Check_Output_CSV_Generic_Compliance(BaseModel):
     """
     Check_Output_CSV_Generic_Compliance generates a finding's output in CSV Generic Compliance format.
@@ -614,8 +646,8 @@ class Check_Output_CSV_Generic_Compliance(BaseModel):
     Requirements_Attributes_Section: Optional[str]
     Requirements_Attributes_SubSection: Optional[str]
     Requirements_Attributes_SubGroup: Optional[str]
-    Requirements_Attributes_Service: str
-    Requirements_Attributes_Soc_Type: Optional[str]
+    Requirements_Attributes_Service: Optional[str]
+    Requirements_Attributes_Type: Optional[str]
     Status: str
     StatusExtended: str
     ResourceId: str

prowler/lib/outputs/outputs.py

@@ -67,15 +67,15 @@ def report(check_findings, output_options, audit_info):
                             compliance in output_options.output_modes
                             for compliance in available_compliance_frameworks
                         ):
-                            fill_compliance(
+                            add_manual_controls(
                                 output_options,
-                                finding,
                                 audit_info,
                                 file_descriptors,
                             )
 
-                            add_manual_controls(
+                            fill_compliance(
                                 output_options,
+                                finding,
                                 audit_info,
                                 file_descriptors,
                             )

prowler/lib/outputs/slack.py

@@ -66,14 +66,14 @@ def create_message_blocks(identity, logo, stats):
                 "type": "section",
                 "text": {
                     "type": "mrkdwn",
-                    "text": f"\n:white_check_mark: *{stats['total_pass']} Passed findings* ({round(stats['total_pass']/stats['findings_count']*100,2)}%)\n",
+                    "text": f"\n:white_check_mark: *{stats['total_pass']} Passed findings* ({round(stats['total_pass'] / stats['findings_count'] * 100 , 2)}%)\n",
                 },
             },
             {
                 "type": "section",
                 "text": {
                     "type": "mrkdwn",
-                    "text": f"\n:x: *{stats['total_fail']} Failed findings* ({round(stats['total_fail']/stats['findings_count']*100,2)}%)\n ",
+                    "text": f"\n:x: *{stats['total_fail']} Failed findings* ({round(stats['total_fail'] / stats['findings_count'] * 100 , 2)}%)\n ",
                 },
             },
             {

prowler/lib/outputs/summary_table.py

@@ -45,6 +45,7 @@ def display_summary_table(
                 "Service": "",
                 "Provider": "",
                 "Total": 0,
+                "Pass": 0,
                 "Critical": 0,
                 "High": 0,
                 "Medium": 0,
@@ -78,6 +79,7 @@ def display_summary_table(
                 current["Total"] += 1
                 if finding.status == "PASS":
                     pass_count += 1
+                    current["Pass"] += 1
                 elif finding.status == "FAIL":
                     fail_count += 1
                     if finding.check_metadata.Severity == "critical":
@@ -96,8 +98,8 @@ def display_summary_table(
             print("\nOverview Results:")
             overview_table = [
                 [
-                    f"{Fore.RED}{round(fail_count/len(findings)*100, 2)}% ({fail_count}) Failed{Style.RESET_ALL}",
-                    f"{Fore.GREEN}{round(pass_count/len(findings)*100, 2)}% ({pass_count}) Passed{Style.RESET_ALL}",
+                    f"{Fore.RED}{round(fail_count / len(findings) * 100, 2)}% ({fail_count}) Failed{Style.RESET_ALL}",
+                    f"{Fore.GREEN}{round(pass_count / len(findings) * 100, 2)}% ({pass_count}) Passed{Style.RESET_ALL}",
                 ]
             ]
             print(tabulate(overview_table, tablefmt="rounded_grid"))
@@ -157,7 +159,8 @@ def add_service_to_table(findings_table, current):
         )
         current["Status"] = f"{Fore.RED}FAIL ({total_fails}){Style.RESET_ALL}"
     else:
-        current["Status"] = f"{Fore.GREEN}PASS ({current['Total']}){Style.RESET_ALL}"
+        current["Status"] = f"{Fore.GREEN}PASS ({current['Pass']}){Style.RESET_ALL}"
+
     findings_table["Provider"].append(current["Provider"])
     findings_table["Service"].append(current["Service"])
     findings_table["Status"].append(current["Status"])

prowler/providers/aws/aws_provider.py

@@ -1,10 +1,13 @@
 import os
 import pathlib
 import sys
+from datetime import datetime
 
 from boto3 import client, session
 from botocore.credentials import RefreshableCredentials
 from botocore.session import get_session
+from pytz import utc
+from tzlocal import get_localzone
 
 from prowler.config.config import aws_services_json_file
 from prowler.lib.check.check import list_modules, recover_checks_from_service
@@ -14,6 +17,7 @@ from prowler.providers.aws.config import (
     AWS_STS_GLOBAL_ENDPOINT_REGION,
     ROLE_SESSION_NAME,
 )
+from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
 from prowler.providers.aws.lib.audit_info.models import AWS_Assume_Role, AWS_Audit_Info
 from prowler.providers.aws.lib.credentials.credentials import create_sts_session
 
@@ -33,6 +37,9 @@ class AWS_Provider:
             # If we receive a credentials object filled is coming form an assumed role, so renewal is needed
             if audit_info.credentials:
                 logger.info("Creating session for assumed role ...")
+                # FIXME: Boto3 returns the timestamp in UTC and the local TZ could be different so the expiration time could not work as expected
+                # PRWLR-3305
+
                 # From botocore we can use RefreshableCredentials class, which has an attribute (refresh_using)
                 # that needs to be a method without arguments that retrieves a new set of fresh credentials
                 # asuming the role again. -> https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L395
@@ -95,18 +102,31 @@ class AWS_Provider:
     # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L570
     def refresh_credentials(self):
         logger.info("Refreshing assumed credentials...")
-
-        response = assume_role(self.aws_session, self.role_info)
-        refreshed_credentials = dict(
-            # Keys of the dict has to be the same as those that are being searched in the parent class
-            # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L609
-            access_key=response["Credentials"]["AccessKeyId"],
-            secret_key=response["Credentials"]["SecretAccessKey"],
-            token=response["Credentials"]["SessionToken"],
-            expiry_time=response["Credentials"]["Expiration"].isoformat(),
-        )
-        logger.info("Refreshed Credentials:")
-        logger.info(refreshed_credentials)
+        current_credentials = current_audit_info.credentials
+        refreshed_credentials = {
+            "access_key": current_credentials.aws_access_key_id,
+            "secret_key": current_credentials.aws_secret_access_key,
+            "token": current_credentials.aws_session_token,
+            "expiry_time": (
+                current_credentials.expiration.isoformat()
+                if hasattr(current_credentials, "expiration")
+                else current_credentials.expiry_time.isoformat()
+            ),
+        }
+        if datetime.fromisoformat(refreshed_credentials["expiry_time"]) <= datetime.now(
+            get_localzone()
+        ):
+            response = assume_role(self.aws_session, self.role_info)
+            refreshed_credentials = dict(
+                # Keys of the dict has to be the same as those that are being searched in the parent class
+                # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L609
+                access_key=response["Credentials"]["AccessKeyId"],
+                secret_key=response["Credentials"]["SecretAccessKey"],
+                token=response["Credentials"]["SessionToken"],
+                expiry_time=response["Credentials"]["Expiration"].isoformat(),
+            )
+            logger.info("Refreshed Credentials:")
+            logger.info(refreshed_credentials)
         return refreshed_credentials
 
 
@@ -143,6 +163,17 @@ def assume_role(
 
         sts_client = create_sts_session(session, sts_endpoint_region)
         assumed_credentials = sts_client.assume_role(**assume_role_arguments)
+
+        # Convert the UTC datetime object to your local timezone
+        credentials_expiration_local_time = (
+            assumed_credentials["Credentials"]["Expiration"]
+            .replace(tzinfo=utc)
+            .astimezone(get_localzone())
+        )
+        assumed_credentials["Credentials"][
+            "Expiration"
+        ] = credentials_expiration_local_time
+
     except Exception as error:
         logger.critical(
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"

prowler/providers/aws/lib/allowlist/allowlist.py

@@ -118,8 +118,8 @@ def parse_allowlist_file(audit_info, allowlist_file):
 def allowlist_findings(
     allowlist: dict,
     audited_account: str,
-    check_findings: [Any],
-):
+    check_findings: list[Any],
+) -> list[Any]:
     # Check if finding is allowlisted
     for finding in check_findings:
         if is_allowlisted(
@@ -141,7 +141,21 @@ def is_allowlisted(
     finding_region: str,
     finding_resource: str,
     finding_tags,
-):
+) -> bool:
+    """
+    Check if the provided finding is allowlisted for the audited account, check, region, resource and tags.
+
+    Args:
+        mutelist (dict): Dictionary containing information about allowlisted checks for different accounts.
+        audited_account (str): The account being audited.
+        check (str): The check to be evaluated for allowlisting.
+        finding_region (str): The region where the finding occurred.
+        finding_resource (str): The resource related to the finding.
+        finding_tags: The tags associated with the finding.
+
+    Returns:
+        bool: True if the finding is allowlisted for the audited account, check, region, resource and tags., otherwise False.
+    """
     try:
         # By default is not allowlisted
         is_finding_allowlisted = False
@@ -163,10 +177,10 @@ def is_allowlisted(
 
         return is_finding_allowlisted
     except Exception as error:
-        logger.critical(
+        logger.error(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
-        sys.exit(1)
+        return False
 
 
 def is_allowlisted_in_check(
@@ -176,7 +190,21 @@ def is_allowlisted_in_check(
     finding_region,
     finding_resource,
     finding_tags,
-):
+) -> bool:
+    """
+    Check if the provided check is allowlisted.
+
+    Args:
+        allowlisted_checks (dict): Dictionary containing information about allowlisted checks.
+        audited_account (str): The account to be audited.
+        check (str): The check to be evaluated for allowlisting.
+        finding_region (str): The region where the finding occurred.
+        finding_resource (str): The resource related to the finding.
+        finding_tags (str): The tags associated with the finding.
+
+    Returns:
+        bool: True if the check is allowlisted, otherwise False.
+    """
     try:
         # Default value is not allowlisted
         is_check_allowlisted = False
@@ -185,27 +213,36 @@ def is_allowlisted_in_check(
             # map lambda to awslambda
             allowlisted_check = re.sub("^lambda", "awslambda", allowlisted_check)
 
+            check_match = (
+                "*" == allowlisted_check
+                or check == allowlisted_check
+                or re.search(allowlisted_check, check)
+            )
+
             # Check if the finding is excepted
             exceptions = allowlisted_check_info.get("Exceptions")
-            if is_excepted(
-                exceptions,
-                audited_account,
-                finding_region,
-                finding_resource,
-                finding_tags,
+            if (
+                is_excepted(
+                    exceptions,
+                    audited_account,
+                    finding_region,
+                    finding_resource,
+                    finding_tags,
+                )
+                and check_match
             ):
                 # Break loop and return default value since is excepted
                 break
 
             allowlisted_regions = allowlisted_check_info.get("Regions")
             allowlisted_resources = allowlisted_check_info.get("Resources")
-            allowlisted_tags = allowlisted_check_info.get("Tags")
+            allowlisted_tags = allowlisted_check_info.get("Tags", "*")
+            # We need to set the allowlisted_tags if None, "" or [], so the falsy helps
+            if not allowlisted_tags:
+                allowlisted_tags = "*"
+
             # If there is a *, it affects to all checks
-            if (
-                "*" == allowlisted_check
-                or check == allowlisted_check
-                or re.search(allowlisted_check, check)
-            ):
+            if check_match:
                 allowlisted_in_check = True
                 allowlisted_in_region = is_allowlisted_in_region(
                     allowlisted_regions, finding_region
@@ -220,56 +257,88 @@ def is_allowlisted_in_check(
                 # For a finding to be allowlisted requires the following set to True:
                 # - allowlisted_in_check -> True
                 # - allowlisted_in_region -> True
-                # - allowlisted_in_tags -> True or allowlisted_in_resource -> True
+                # - allowlisted_in_tags -> True
+                # - allowlisted_in_resource -> True
                 # - excepted -> False
 
                 if (
                     allowlisted_in_check
                     and allowlisted_in_region
-                    and (allowlisted_in_tags or allowlisted_in_resource)
+                    and allowlisted_in_tags
+                    and allowlisted_in_resource
                 ):
                     is_check_allowlisted = True
 
         return is_check_allowlisted
     except Exception as error:
-        logger.critical(
+        logger.error(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
-        sys.exit(1)
+        return False
 
 
 def is_allowlisted_in_region(
     allowlisted_regions,
     finding_region,
-):
+) -> bool:
+    """
+    Check if the finding_region is present in the allowlisted_regions.
+
+    Args:
+        allowlisted_regions (list): List of regions in the allowlist.
+        finding_region (str): Region to check if it is allowlisted.
+
+    Returns:
+        bool: True if the finding_region is present in any of the allowlisted_regions, otherwise False.
+    """
     try:
         return __is_item_matched__(allowlisted_regions, finding_region)
     except Exception as error:
-        logger.critical(
+        logger.error(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
-        sys.exit(1)
+        return False
 
 
-def is_allowlisted_in_tags(allowlisted_tags, finding_tags):
+def is_allowlisted_in_tags(allowlisted_tags, finding_tags) -> bool:
+    """
+    Check if any of the allowlisted tags are present in the finding tags.
+
+    Args:
+        allowlisted_tags (list): List of allowlisted tags to be checked.
+        finding_tags (str): String containing tags to search for allowlisted tags.
+
+    Returns:
+        bool: True if any of the allowlisted tags are present in the finding tags, otherwise False.
+    """
     try:
         return __is_item_matched__(allowlisted_tags, finding_tags)
     except Exception as error:
-        logger.critical(
+        logger.error(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
-        sys.exit(1)
+        return False
 
 
-def is_allowlisted_in_resource(allowlisted_resources, finding_resource):
+def is_allowlisted_in_resource(allowlisted_resources, finding_resource) -> bool:
+    """
+    Check if any of the allowlisted_resources are present in the finding_resource.
+
+    Args:
+        allowlisted_resources (list): List of allowlisted resources to be checked.
+        finding_resource (str): Resource to search for allowlisted resources.
+
+    Returns:
+        bool: True if any of the allowlisted_resources are present in the finding_resource, otherwise False.
+    """
     try:
         return __is_item_matched__(allowlisted_resources, finding_resource)
 
     except Exception as error:
-        logger.critical(
+        logger.error(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
-        sys.exit(1)
+        return False
 
 
 def is_excepted(
@@ -278,8 +347,20 @@ def is_excepted(
     finding_region,
     finding_resource,
     finding_tags,
-):
-    """is_excepted returns True if the account, region, resource and tags are excepted"""
+) -> bool:
+    """
+    Check if the provided account, region, resource, and tags are excepted based on the exceptions dictionary.
+
+    Args:
+        exceptions (dict): Dictionary containing exceptions for different attributes like Accounts, Regions, Resources, and Tags.
+        audited_account (str): The account to be audited.
+        finding_region (str): The region where the finding occurred.
+        finding_resource (str): The resource related to the finding.
+        finding_tags (str): The tags associated with the finding.
+
+    Returns:
+        bool: True if the account, region, resource, and tags are excepted based on the exceptions, otherwise False.
+    """
     try:
         excepted = False
         is_account_excepted = False
@@ -304,6 +385,13 @@ def is_excepted(
             is_tag_excepted = __is_item_matched__(excepted_tags, finding_tags)
 
             if (
+                not is_account_excepted
+                and not is_region_excepted
+                and not is_resource_excepted
+                and not is_tag_excepted
+            ):
+                excepted = False
+            elif (
                 (is_account_excepted or not excepted_accounts)
                 and (is_region_excepted or not excepted_regions)
                 and (is_resource_excepted or not excepted_resources)
@@ -312,26 +400,36 @@ def is_excepted(
                 excepted = True
         return excepted
     except Exception as error:
-        logger.critical(
+        logger.error(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
-        sys.exit(1)
+        return False
 
 
 def __is_item_matched__(matched_items, finding_items):
-    """__is_item_matched__ return True if any of the matched_items are present in the finding_items, otherwise returns False."""
+    """
+    Check if any of the items in matched_items are present in finding_items.
+
+    Args:
+        matched_items (list): List of items to be matched.
+        finding_items (str): String to search for matched items.
+
+    Returns:
+        bool: True if any of the matched_items are present in finding_items, otherwise False.
+    """
     try:
         is_item_matched = False
         if matched_items and (finding_items or finding_items == ""):
             for item in matched_items:
-                if item == "*":
-                    item = ".*"
+                if item.startswith("*"):
+                    item = ".*" + item[1:]
                 if re.search(item, finding_items):
                     is_item_matched = True
                     break
         return is_item_matched
     except Exception as error:
-        logger.critical(
+        logger.error(
             f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
         )
-        sys.exit(1)
+        # If something unexpected happens return not matched, thus False
+        return False

prowler/providers/aws/lib/credentials/credentials.py

@@ -69,6 +69,9 @@ Caller Identity ARN: {Fore.YELLOW}[{audit_info.audited_identity_arn}]{Style.RESE
 def create_sts_session(
     session: session.Session, aws_region: str
 ) -> session.Session.client:
-    return session.client(
-        "sts", aws_region, endpoint_url=f"https://sts.{aws_region}.amazonaws.com"
+    sts_endpoint_url = (
+        f"https://sts.{aws_region}.amazonaws.com"
+        if "cn-" not in aws_region
+        else f"https://sts.{aws_region}.amazonaws.com.cn"
     )
+    return session.client("sts", aws_region, endpoint_url=sts_endpoint_url)