fix(cloudfront): fix false positive in s3 origins (#6823 )

(cherry picked from commit 914012de2b) # Conflicts: # prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py # tests/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted_test.py
fix(elasticache): InvalidReplicationGroupStateFault error (#6818 )
2026-03-30 03:49:48 +00:00 · 2025-02-05 17:40:09 +00:00 · 2025-02-05 12:38:17 -05:00 · 2025-02-05 10:47:35 -05:00 · 2025-02-05 10:22:53 -05:00 · 2025-02-03 14:17:21 -05:00
669 changed files with 16353 additions and 4793 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1,5 @@
-* @prowler-cloud/prowler-oss
+* @prowler-cloud/sdk @prowler-cloud/detection-and-remediation
+
+# To protect a repository fully against unauthorized changes, you also need to define an owner for the CODEOWNERS file itself.
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection
+/.github/ @prowler-cloud/sdk
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,8 +13,67 @@ updates:
    labels:
      - "dependencies"
      - "pip"
+
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: master
+    labels:
+      - "dependencies"
+      - "github_actions"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    target-branch: master
+    labels:
+      - "dependencies"
+      - "npm"
+
+  # v4.6
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "pip"
+      - "v4"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: v4.6
+    labels:
+      - "dependencies"
+      - "github_actions"
+      - "v4"
+
+  # v3
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 10
+    target-branch: v3
+    labels:
+      - "dependencies"
+      - "pip"
+      - "v3"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 10
+    target-branch: v3
+    labels:
+      - "dependencies"
+      - "github_actions"
+      - "v3"
--- a/.github/workflows/build-lint-push-containers.yml
+++ b/.github/workflows/build-lint-push-containers.yml
@@ -43,7 +43,7 @@ jobs:
    runs-on: ubuntu-latest
    outputs:
      prowler_version_major: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION_MAJOR }}
-      prowler_version: ${{ steps.update-prowler-version.outputs.PROWLER_VERSION }}
+      prowler_version: ${{ steps.get-prowler-version.outputs.PROWLER_VERSION }}
    env:
      POETRY_VIRTUALENVS_CREATE: "false"

@@ -58,13 +58,15 @@ jobs:

      - name: Install Poetry
        run: |
-          pipx install poetry
+          pipx install poetry==1.8.5
          pipx inject poetry poetry-bumpversion

      - name: Get Prowler version
        id: get-prowler-version
        run: |
          PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
+          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"

          # Store prowler version major just for the release
          PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
@@ -89,15 +91,6 @@ jobs:
              ;;
          esac

-      - name: Update Prowler version (release)
-        id: update-prowler-version
-        if: github.event_name == 'release'
-        run: |
-          PROWLER_VERSION="${{ github.event.release.tag_name }}"
-          poetry version "${PROWLER_VERSION}"
-          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_ENV}"
-          echo "PROWLER_VERSION=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
-          
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
@@ -118,7 +111,7 @@ jobs:

      - name: Build and push container image (latest)
        if: github.event_name == 'push'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          push: true
          tags: |
@@ -130,7 +123,7 @@ jobs:

      - name: Build and push container image (release)
        if: github.event_name == 'release'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          # Use local context to get changes
          # https://github.com/docker/build-push-action#path-context
@@ -160,7 +153,7 @@ jobs:
        run: |
          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            --data '{"event_type":"dispatch","client_payload":{"version":"v3-latest", "tag": "${{ env.LATEST_COMMIT_HASH }}"}}'

@@ -169,6 +162,6 @@ jobs:
        run: |
          curl https://api.github.com/repos/${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}/dispatches \
            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" \
+            -H "Authorization: Bearer ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            --data '{"event_type":"dispatch","client_payload":{"version":"release", "tag":"${{ needs.container-build-push.outputs.prowler_version }}"}}'
--- a/.github/workflows/find-secrets.yml
+++ b/.github/workflows/find-secrets.yml
@@ -11,8 +11,9 @@ jobs:
        with:
          fetch-depth: 0
      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.72.0
+        uses: trufflesecurity/trufflehog@v3.88.4
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
+          extra_args: --only-verified
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -20,7 +20,7 @@ jobs:
      - uses: actions/checkout@v4
      - name: Test if changes are in not ignored paths
        id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
        with:
          files: ./**
          files_ignore: |
@@ -33,7 +33,7 @@ jobs:
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
          python -m pip install --upgrade pip
-          pipx install poetry
+          pipx install poetry==1.8.5
      - name: Set up Python ${{ matrix.python-version }}
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        uses: actions/setup-python@v5
@@ -73,7 +73,7 @@ jobs:
      - name: Safety
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
-          poetry run safety check
+          poetry run safety check --ignore 70612
      - name: Vulture
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
@@ -88,6 +88,6 @@ jobs:
          poetry run pytest -n auto --cov=./prowler --cov-report=xml tests
      - name: Upload coverage reports to Codecov
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -8,8 +8,6 @@ env:
  RELEASE_TAG: ${{ github.event.release.tag_name }}
  PYTHON_VERSION: 3.11
  CACHE: "poetry"
-  # TODO: create a bot user for this kind of tasks, like prowler-bot
-  GIT_COMMITTER_EMAIL: "sergio@prowler.com"

 jobs:
  release-prowler-job:
@@ -39,8 +37,7 @@ jobs:

      - name: Install dependencies
        run: |
-          pipx install poetry
-          pipx inject poetry poetry-bumpversion
+          pipx install poetry==1.8.5

      - name: Setup Python
        uses: actions/setup-python@v5
@@ -48,34 +45,6 @@ jobs:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: ${{ env.CACHE }}

-      - name: Update Poetry and config version
-        run: |
-          poetry version ${{ env.RELEASE_TAG }}
-
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-
-      - name: Push updated version to the release tag
-        run: |
-          # Configure Git
-          git config user.name "github-actions"
-          git config user.email "${{ env.GIT_COMMITTER_EMAIL }}"
-
-          # Add the files with the version changed
-          git add prowler/config/config.py pyproject.toml
-          git commit -m "chore(release): ${{ env.RELEASE_TAG }}" --no-verify -S
-
-          # Replace the tag with the version updated
-          git tag -fa ${{ env.RELEASE_TAG }} -m "chore(release): ${{ env.RELEASE_TAG }}" --sign
-
-          # Push the tag
-          git push -f origin ${{ env.RELEASE_TAG }}
-
      - name: Build Prowler package
        run: |
          poetry build
--- a/.github/workflows/refresh_aws_services_regions.yml
+++ b/.github/workflows/refresh_aws_services_regions.yml
@@ -50,7 +50,7 @@ jobs:

      # Create pull request
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.PROWLER_ACCESS_TOKEN }}
          commit-message: "feat(regions_update): Update regions for AWS services."
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -96,7 +96,7 @@ repos:
      - id: safety
        name: safety
        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        entry: bash -c 'safety check'
+        entry: bash -c 'safety check --ignore 70612'
        language: system

      - id: vulture
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -10,4 +10,4 @@
 Want some swag as appreciation for your contribution?

 # Prowler Developer Guide
-https://docs.prowler.cloud/en/latest/tutorials/developer-guide/
+https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/introduction/
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM python:3.12-alpine
+FROM python:3.12.8-alpine3.20

 LABEL maintainer="https://github.com/prowler-cloud/prowler"

--- a/docs/developer-guide/checks.md
+++ b/docs/developer-guide/checks.md
@@ -230,7 +230,7 @@ Each Prowler check has metadata associated which is stored at the same level of
  # Severity holds the check's severity, always in lowercase (critical, high, medium, low or informational)
  "Severity": "critical",
  # ResourceType only for AWS, holds the type from here
-  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
+  # https://docs.aws.amazon.com/securityhub/latest/userguide/asff-resources.html
  "ResourceType": "Other",
  # Description holds the title of the check, for now is the same as CheckTitle
  "Description": "Ensure there are no EC2 AMIs set as Public.",
@@ -243,11 +243,11 @@ Each Prowler check has metadata associated which is stored at the same level of
    # Code holds different methods to remediate the FAIL finding
    "Code": {
      # CLI holds the command in the provider native CLI to remediate it
-      "CLI": "https://docs.bridgecrew.io/docs/public_8#cli-command",
+      "CLI": "https://docs.prowler.com/checks/public_8#cli-command",
      # NativeIaC holds the native IaC code to remediate it, use "https://docs.bridgecrew.io/docs"
      "NativeIaC": "",
      # Other holds the other commands, scripts or code to remediate it, use "https://www.trendmicro.com/cloudoneconformity"
-      "Other": "https://docs.bridgecrew.io/docs/public_8#aws-console",
+      "Other": "https://docs.prowler.com/checks/public_8#aws-console",
      # Terraform holds the Terraform code to remediate it, use "https://docs.bridgecrew.io/docs"
      "Terraform": ""
    },
--- a/docs/developer-guide/services.md
+++ b/docs/developer-guide/services.md
@@ -175,6 +175,8 @@ class <Service>(ServiceParentClass):
                f"{<item>.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
 ```
+???+note
+    To avoid fake findings, when Prowler can't retrieve the items, because an Access Denied or similar error, we set that items value as `None`.

 ### Service Models

--- a/docs/developer-guide/unit-testing.md
+++ b/docs/developer-guide/unit-testing.md
@@ -509,7 +509,113 @@ class Test_compute_firewall_rdp_access_from_the_internet_allowed:

 ### Services

-Coming soon ...
+For testing Google Cloud Services, we have to follow the same logic as with the Google Cloud checks. We still mocking all API calls, but in this case, every API call to set up an attribute is defined in [fixtures file](https://github.com/prowler-cloud/prowler/blob/master/tests/providers/gcp/gcp_fixtures.py) in `mock_api_client` function. Remember that EVERY method of a service must be tested.
+
+The following code shows a real example of a testing class, but it has more comments than usual for educational purposes.
+
+```python title="BigQuery Service Test"
+# We need to import the unittest.mock.patch to allow us to patch some objects
+# not to use shared ones between test, hence to isolate the test
+from unittest.mock import patch
+# Import the class needed from the service file
+from prowler.providers.gcp.services.bigquery.bigquery_service import BigQuery
+# Necessary constans and functions from fixtures file
+from tests.providers.gcp.gcp_fixtures import (
+    GCP_PROJECT_ID,
+    mock_api_client,
+    mock_is_api_active,
+    set_mocked_gcp_audit_info,
+)
+
+
+class TestBigQueryService:
+    # Only method needed to test full service
+    def test_service(self):
+        # In this case we are mocking the __is_api_active__ to ensure our mocked project is used
+        # And all the client to use our mocked API calls
+        with patch(
+            "prowler.providers.gcp.lib.service.service.GCPService.__is_api_active__",
+            new=mock_is_api_active,
+        ), patch(
+            "prowler.providers.gcp.lib.service.service.GCPService.__generate_client__",
+            new=mock_api_client,
+        ):
+            # Instantiate an object of class with the mocked provider
+            bigquery_client = BigQuery(
+                set_mocked_gcp_audit_info(project_ids=[GCP_PROJECT_ID])
+            )
+            # Check all attributes of the tested class is well set up according API calls mocked from GCP fixture file
+            assert bigquery_client.service == "bigquery"
+            assert bigquery_client.project_ids == [GCP_PROJECT_ID]
+
+            assert len(bigquery_client.datasets) == 2
+
+            assert bigquery_client.datasets[0].name == "unique_dataset1_name"
+            assert bigquery_client.datasets[0].id.__class__.__name__ == "str"
+            assert bigquery_client.datasets[0].region == "US"
+            assert bigquery_client.datasets[0].cmk_encryption
+            assert bigquery_client.datasets[0].public
+            assert bigquery_client.datasets[0].project_id == GCP_PROJECT_ID
+
+            assert bigquery_client.datasets[1].name == "unique_dataset2_name"
+            assert bigquery_client.datasets[1].id.__class__.__name__ == "str"
+            assert bigquery_client.datasets[1].region == "EU"
+            assert not bigquery_client.datasets[1].cmk_encryption
+            assert not bigquery_client.datasets[1].public
+            assert bigquery_client.datasets[1].project_id == GCP_PROJECT_ID
+
+            assert len(bigquery_client.tables) == 2
+
+            assert bigquery_client.tables[0].name == "unique_table1_name"
+            assert bigquery_client.tables[0].id.__class__.__name__ == "str"
+            assert bigquery_client.tables[0].region == "US"
+            assert bigquery_client.tables[0].cmk_encryption
+            assert bigquery_client.tables[0].project_id == GCP_PROJECT_ID
+
+            assert bigquery_client.tables[1].name == "unique_table2_name"
+            assert bigquery_client.tables[1].id.__class__.__name__ == "str"
+            assert bigquery_client.tables[1].region == "US"
+            assert not bigquery_client.tables[1].cmk_encryption
+            assert bigquery_client.tables[1].project_id == GCP_PROJECT_ID
+```
+As it can be confusing where all these values come from, I'll give an example to make this clearer. First we need to check
+what is the API call used to obtain the datasets. In this case if we check the service the call is
+`self.client.datasets().list(projectId=project_id)`.
+
+Now in the fixture file we have to mock this call in our `MagicMock` client in the function `mock_api_client`. The best way to mock
+is following the actual format, add one function where the client is passed to be changed, the format of this function name must be
+`mock_api_<endpoint>_calls` (*endpoint* refers to the first attribute pointed after *client*).
+
+In the example of BigQuery the function is called `mock_api_dataset_calls`. And inside of this function we found an assignation to
+be used in the `__get_datasets__` method in BigQuery class:
+
+```python
+# Mocking datasets
+dataset1_id = str(uuid4())
+dataset2_id = str(uuid4())
+
+client.datasets().list().execute.return_value = {
+    "datasets": [
+        {
+            "datasetReference": {
+                "datasetId": "unique_dataset1_name",
+                "projectId": GCP_PROJECT_ID,
+            },
+            "id": dataset1_id,
+            "location": "US",
+        },
+        {
+            "datasetReference": {
+                "datasetId": "unique_dataset2_name",
+                "projectId": GCP_PROJECT_ID,
+            },
+            "id": dataset2_id,
+            "location": "EU",
+        },
+    ]
+}
+```
+

 ## Azure

--- a/docs/tutorials/aws/v2_to_v3_checks_mapping.md
+++ b/docs/tutorials/aws/v2_to_v3_checks_mapping.md
@@ -95,7 +95,8 @@ checks_v3_to_v2_mapping = {
    "ec2_networkacl_allow_ingress_any_port": "extra7138",
    "ec2_networkacl_allow_ingress_tcp_port_22": "check45",
    "ec2_networkacl_allow_ingress_tcp_port_3389": "check46",
-    "ec2_securitygroup_allow_ingress_from_internet_to_any_port": "extra748",
+    "ec2_securitygroup_allow_ingress_from_internet_to_all_ports": "extra748",
+    "ec2_securitygroup_allow_ingress_from_internet_to_any_port": "extra74",
    "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018": "extra753",
    "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21": "extra7134",
    "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22": "check41",
--- a/docs/tutorials/azure/use-non-default-cloud.md
+++ b/docs/tutorials/azure/use-non-default-cloud.md
@@ -7,7 +7,6 @@ At the time of writing this documentation the available Azure Clouds from differ
 - AzureCloud
 - AzureChinaCloud
 - AzureUSGovernment
- AzureGermanCloud

 If you want to change the default one you must include the flag `--azure-region`, i.e.:

--- a/docs/tutorials/configuration_file.md
+++ b/docs/tutorials/configuration_file.md
@@ -33,6 +33,8 @@ The following list includes all the AWS checks with configurable variables that
 | `drs_job_exist`                                               | `allowlist_non_default_regions`                  | Boolean         |
 | `guardduty_is_enabled`                                        | `allowlist_non_default_regions`                  | Boolean         |
 | `securityhub_enabled`                                         | `allowlist_non_default_regions`                  | Boolean         |
+| `rds_instance_backup_enabled`                                  | `check_rds_instance_replicas`      | Boolean        |
+| `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |

 ## Azure

@@ -59,7 +61,6 @@ The following list includes all the Azure checks with configurable variables tha
 ```yaml title="config.yaml"
 # AWS Configuration
 aws:
-
  # AWS Global Configuration
  # aws.allowlist_non_default_regions --> Allowlist Failed Findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
  allowlist_non_default_regions: False
@@ -72,6 +73,7 @@ aws:

  # AWS EC2 Configuration
  # aws.ec2_elastic_ip_shodan
+  # TODO: create common config
  shodan_api_key: null
  # aws.ec2_securitygroup_with_many_ingress_egress_rules --> by default is 50 rules
  max_security_group_rules: 50
@@ -79,6 +81,7 @@ aws:
  max_ec2_instance_age_in_days: 180

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
+  # AWS SSM Configuration (aws.ssm_documents_set_as_public)
  # Single account environment: No action required. The AWS account number will be automatically added by the checks.
  # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
  # trusted_account_ids : ["123456789012", "098765432109", "678901234567"]
@@ -124,33 +127,43 @@ aws:
    ]

  # AWS Organizations
-  # organizations_scp_check_deny_regions
-  # organizations_enabled_regions: [
-  #   'eu-central-1',
-  #   'eu-west-1',
+  # aws.organizations_scp_check_deny_regions
+  # aws.organizations_enabled_regions: [
+  #   "eu-central-1",
+  #   "eu-west-1",
  #   "us-east-1"
  # ]
  organizations_enabled_regions: []
  organizations_trusted_delegated_administrators: []

  # AWS ECR
-  # ecr_repositories_scan_vulnerabilities_in_latest_image
+  # aws.ecr_repositories_scan_vulnerabilities_in_latest_image
  # CRITICAL
  # HIGH
  # MEDIUM
  ecr_repository_vulnerability_minimum_severity: "MEDIUM"

  # AWS Trusted Advisor
-  # trustedadvisor_premium_support_plan_subscribed
+  # aws.trustedadvisor_premium_support_plan_subscribed
  verify_premium_support_plans: True

+  # AWS RDS
+  # aws.rds_instance_backup_enabled
+  # Whether to check RDS instance replicas or not
+  check_rds_instance_replicas: False
+
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
  # Azure Network Configuration
  # azure.network_public_ip_shodan
+  # TODO: create common config
  shodan_api_key: null

-  # Azure App Configuration
+  # Azure App Service
  # azure.app_ensure_php_version_is_latest
  php_latest_version: "8.2"
  # azure.app_ensure_python_version_is_latest
--- a/docs/tutorials/ignore-unused-services.md
+++ b/docs/tutorials/ignore-unused-services.md
@@ -11,6 +11,12 @@ prowler <provider> --ignore-unused-services

 ## Services that can be ignored
 ### AWS
+#### ACM
+You can have certificates in ACM that is not in use by any AWS resource.
+Prowler will check if every certificate is going to expire soon, if this certificate is not in use by default it is not going to be check if it is expired, is going to expire soon or it is good.
+
+- `acm_certificates_expiration_check`
+
 #### Athena
 When you create an AWS Account, Athena will create a default primary workgroup for you.
 Prowler will check if that workgroup is enabled and if it is being used by checking if there were queries in the last 45 days.
@@ -30,9 +36,11 @@ If EBS default encyption is not enabled, sensitive information at rest is not pr

  - `ec2_ebs_default_encryption`

-If your Security groups are not properly configured the attack surface is increased, nonetheless, Prowler will detect those security groups that are being used (they are attached) to only notify those that are being used. This logic applies to the 15 checks related to open ports in security groups.
+If your Security groups are not properly configured the attack surface is increased, nonetheless, Prowler will detect those security groups that are being used (they are attached) to only notify those that are being used. This logic applies to the 15 checks related to open ports in security groups, the check for the default security group and for the security groups that allow ingress and egress traffic.

  - `ec2_securitygroup_allow_ingress_from_internet_to_port_X` (15 checks)
+  - `ec2_securitygroup_default_restrict_traffic`
+  - `ec2_securitygroup_allow_wide_open_public_ipv4`

 Prowler will also check for used Network ACLs to only alerts those with open ports that are being used.

@@ -69,3 +77,15 @@ You should enable Public Access Block at the account level to prevent the exposu
 VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows. Nevertheless, Prowler will only check if the Flow Logs are enabled for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).

  - `vpc_flow_logs_enabled`
+
+VPC subnets must not have public IP addresses by default to prevent the exposure of your resources to the internet. Prowler will only check this configuration for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `vpc_subnet_no_public_ip_by_default`
+
+VPCs should have separate private and public subnets to prevent the exposure of your resources to the internet. Prowler will only check this configuration for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `vpc_subnet_separate_private_public`
+
+VPCs should have subnets in different availability zones to prevent a single point of failure. Prowler will only check this configuration for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
+
+  - `vpc_subnet_different_az`
--- a/docs/tutorials/integrations.md
+++ b/docs/tutorials/integrations.md
@@ -11,7 +11,7 @@ prowler <provider> --slack
 ![Prowler Slack Message](img/slack-prowler-message.png)

 ???+ note
-    Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_ID environment variables.
+    Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_NAME environment variables.

 ### Configuration

@@ -35,4 +35,4 @@ To configure the Slack Integration, follow the next steps:

 4. Set the following environment variables that Prowler will read:
    - `SLACK_API_TOKEN`: the *Slack App OAuth Token* that was previously get.
-    - `SLACK_CHANNEL_ID`: the name of your Slack Channel where Prowler will send the message.
+    - `SLACK_CHANNEL_NAME`: the name of your Slack Channel where Prowler will send the message.
--- a/poetry.lock
+++ b/poetry.lock
--- a/prowler/main.py
+++ b/prowler/main.py
@@ -204,17 +204,23 @@ def prowler():
    stats = extract_findings_statistics(findings)

    if args.slack:
-        if "SLACK_API_TOKEN" in os.environ and "SLACK_CHANNEL_ID" in os.environ:
+        if "SLACK_API_TOKEN" in os.environ and (
+            "SLACK_CHANNEL_NAME" in os.environ or "SLACK_CHANNEL_ID" in os.environ
+        ):
            _ = send_slack_message(
                os.environ["SLACK_API_TOKEN"],
-                os.environ["SLACK_CHANNEL_ID"],
+                (
+                    os.environ["SLACK_CHANNEL_NAME"]
+                    if "SLACK_CHANNEL_NAME" in os.environ
+                    else os.environ["SLACK_CHANNEL_ID"]
+                ),
                stats,
                provider,
                audit_info,
            )
        else:
            logger.critical(
-                "Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_ID environment variables (see more in https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack)."
+                "Slack integration needs SLACK_API_TOKEN and SLACK_CHANNEL_NAME environment variables (see more in https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack)."
            )
            sys.exit(1)

--- a/prowler/compliance/aws/aws_foundational_technical_review_aws.json
+++ b/prowler/compliance/aws/aws_foundational_technical_review_aws.json
@@ -363,7 +363,7 @@
      "Checks": [
        "ec2_ami_public",
        "ec2_instance_public_ip",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
--- a/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
+++ b/prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json
@@ -719,7 +719,7 @@
        "ec2_networkacl_allow_ingress_any_port",
        "ec2_networkacl_allow_ingress_tcp_port_22",
        "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
--- a/prowler/compliance/aws/cis_1.4_aws.json
+++ b/prowler/compliance/aws/cis_1.4_aws.json
@@ -1168,7 +1168,7 @@
      "Id": "5.2",
      "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
      ],
--- a/prowler/compliance/aws/cis_1.5_aws.json
+++ b/prowler/compliance/aws/cis_1.5_aws.json
@@ -1252,7 +1252,7 @@
      "Id": "5.2",
      "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
      ],
@@ -1275,7 +1275,7 @@
      "Id": "5.3",
      "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
      ],
--- a/prowler/compliance/aws/cis_2.0_aws.json
+++ b/prowler/compliance/aws/cis_2.0_aws.json
@@ -1250,7 +1250,7 @@
      "Id": "5.2",
      "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
      ],
@@ -1273,7 +1273,7 @@
      "Id": "5.3",
      "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
      ],
--- a/prowler/compliance/aws/cis_3.0_aws.json
+++ b/prowler/compliance/aws/cis_3.0_aws.json
@@ -1208,7 +1208,7 @@
      "Id": "5.2",
      "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
      ],
@@ -1231,7 +1231,7 @@
      "Id": "5.3",
      "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
      ],
--- a/prowler/compliance/aws/cisa_aws.json
+++ b/prowler/compliance/aws/cisa_aws.json
@@ -134,7 +134,7 @@
        "vpc_endpoint_connections_trust_boundaries",
        "ec2_securitygroup_default_restrict_traffic",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
      ]
    },
    {
@@ -297,7 +297,7 @@
        "vpc_flow_logs_enabled",
        "ec2_networkacl_allow_ingress_any_port",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
      ]
    },
    {
--- a/prowler/compliance/aws/ens_rd2022_aws.json
+++ b/prowler/compliance/aws/ens_rd2022_aws.json
@@ -2157,7 +2157,7 @@
        }
      ],
      "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
      ]
    },
    {
--- a/prowler/compliance/aws/mitre_attack_aws.json
+++ b/prowler/compliance/aws/mitre_attack_aws.json
@@ -106,7 +106,7 @@
        "ec2_networkacl_allow_ingress_any_port",
        "ec2_networkacl_allow_ingress_tcp_port_22",
        "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1022,7 +1022,7 @@
        "ec2_networkacl_allow_ingress_any_port",
        "ec2_networkacl_allow_ingress_tcp_port_22",
        "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1468,7 +1468,7 @@
        "ec2_networkacl_allow_ingress_any_port",
        "ec2_networkacl_allow_ingress_tcp_port_22",
        "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1648,7 +1648,7 @@
        "ec2_networkacl_allow_ingress_any_port",
        "ec2_networkacl_allow_ingress_tcp_port_22",
        "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1900,7 +1900,7 @@
        "ec2_networkacl_allow_ingress_any_port",
        "ec2_networkacl_allow_ingress_tcp_port_22",
        "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
        "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
        "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
--- a/prowler/compliance/azure/cis_2.1_azure.json
+++ b/prowler/compliance/azure/cis_2.1_azure.json
@@ -3044,7 +3044,7 @@
      "Id": "9.4",
      "Description": "Ensure that Register with Entra ID is enabled on App Service",
      "Checks": [
-        "app_client_certificates_on"
+        ""
      ],
      "Attributes": [
        {
@@ -3066,7 +3066,7 @@
      "Id": "9.5",
      "Description": "Ensure That 'PHP version' is the Latest, If Used to Run the Web App",
      "Checks": [
-        "app_register_with_identity"
+        "app_ensure_php_version_is_latest"
      ],
      "Attributes": [
        {
@@ -3088,7 +3088,7 @@
      "Id": "9.6",
      "Description": "Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App",
      "Checks": [
-        "app_ensure_php_version_is_latest"
+        "app_ensure_python_version_is_latest"
      ],
      "Attributes": [
        {
@@ -3110,7 +3110,7 @@
      "Id": "9.7",
      "Description": "Ensure that 'Java version' is the latest, if used to run the Web App",
      "Checks": [
-        "app_ensure_python_version_is_latest"
+        "app_ensure_java_version_is_latest"
      ],
      "Attributes": [
        {
@@ -3132,7 +3132,7 @@
      "Id": "9.8",
      "Description": "Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App",
      "Checks": [
-        "app_ensure_java_version_is_latest"
+        "app_ensure_using_http20"
      ],
      "Attributes": [
        {
@@ -3154,7 +3154,7 @@
      "Id": "9.9",
      "Description": "Ensure FTP deployments are Disabled",
      "Checks": [
-        "app_ensure_using_http20"
+        "app_ftp_deployment_disabled"
      ],
      "Attributes": [
        {
@@ -3176,7 +3176,7 @@
      "Id": "9.10",
      "Description": "Ensure Azure Key Vaults are Used to Store Secrets",
      "Checks": [
-        "app_ftp_deployment_disabled"
+        ""
      ],
      "Attributes": [
        {
@@ -3213,66 +3213,6 @@
          "References": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks:https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-asset-management#am-4-limit-access-to-asset-management"
        }
      ]
-    },
-    {
-      "Id": "9.10",
-      "Description": "Ensure FTP deployments are Disabled",
-      "Checks": [],
-      "Attributes": [
-        {
-          "Section": "9. AppService",
-          "Profile": "Level 1",
-          "AssessmentStatus": "Automated",
-          "Description": "By default, Azure Functions, Web, and API Services  can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.",
-          "RationaleStatement": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.",
-          "ImpactStatement": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.",
-          "RemediationProcedure": "**From Azure Portal**  1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should be set to `Disabled` or `FTPS Only`  **From Azure CLI**  For each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate:  ``` az webapp config set --resource-group <resource group name> --name <app name> --ftps-state [disabled|FtpsOnly] ```  **From PowerShell**  For each out of compliance application, run the following:  ``` Set-AzWebApp -ResourceGroupName <resource group name> -Name <app name> -FtpsState <Disabled or FtpsOnly> ```",
-          "AuditProcedure": "**From Azure Portal**  1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should not be set to `All allowed`  **From Azure CLI**   List webapps to obtain the ids.  ``` az webapp list ```  List the publish profiles to obtain the username, password and ftp server url.  ``` az webapp deployment list-publishing-profiles --ids <ids> {  publishUrl: <URL_FOR_WEB_APP>,  userName: <USER_NAME>,  userPWD: <USER_PASSWORD>, } ```  **From PowerShell**  List all Web Apps:  ``` Get-AzWebApp ```  For each app:  ``` Get-AzWebApp -ResourceGroupName <resource group name> -Name <app name> | Select-Object -ExpandProperty SiteConfig ```  In the output, look for the value of **FtpsState**. If its value is **AllAllowed** the setting is out of compliance. Any other value is considered in compliance with this check.",
-          "AdditionalInformation": "",
-          "DefaultValue": "[Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp):[Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security):https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
-          "References": "TA0008, T1570, M1031"
-        }
-      ]
-    },
-    {
-      "Id": "9.11",
-      "Description": "Ensure Azure Key Vaults are Used to Store Secrets",
-      "Checks": [],
-      "Attributes": [
-        {
-          "Section": "9. AppService",
-          "Profile": "Level 2",
-          "AssessmentStatus": "Manual",
-          "Description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.",
-          "RationaleStatement": "The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.",
-          "ImpactStatement": "Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. There are also additional costs that are charged per 10000 requests to the Key Vault.",
-          "RemediationProcedure": "Remediation has 2 steps 1. Setup the Key Vault 2. Setup the App Service to use the Key Vault  **Step 1: Set up the Key Vault**  **From Azure CLI**  ``` az keyvault create --name <name> --resource-group <myResourceGroup> --location myLocation ```  **From Powershell**  ``` New-AzKeyvault -name <name> -ResourceGroupName <myResourceGroup> -Location <myLocation> ```  **Step 2: Set up the App Service to use the Key Vault**  Sample JSON Template for App Service Configuration: ``` {  //...  resources: [  {  type: Microsoft.Storage/storageAccounts,  name: [variables('storageAccountName')],  //...  },  {  type: Microsoft.Insights/components,  name: [variables('appInsightsName')],  //...  },  {  type: Microsoft.Web/sites,  name: [variables('functionAppName')],  identity: {  type: SystemAssigned  },  //...  resources: [  {  type: config,  name: appsettings,  //...  dependsOn: [  [resourceId('Microsoft.Web/sites', variables('functionAppName'))],  [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))],  [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))],  [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))]  ],  properties: {  AzureWebJobsStorage: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')],  WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')],  APPINSIGHTS_INSTRUMENTATIONKEY: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appInsightsKeyResourceId')).secretUriWithVersion, ')')],  WEBSITE_ENABLE_SYNC_UPDATE_SITE: true  //...  }  },  {  type: sourcecontrols,  name: web,  //...  dependsOn: [  [resourceId('Microsoft.Web/sites', variables('functionAppName'))],  [resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')]  ],  }  ]  },  {  type: Microsoft.KeyVault/vaults,  name: [variables('keyVaultName')],  //...  dependsOn: [  [resourceId('Microsoft.Web/sites', variables('functionAppName'))]  ],  properties: {  //...  accessPolicies: [  {  tenantId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').tenantId],  objectId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId],  permissions: {  secrets: [ get ]  }  }  ]  },  resources: [  {  type: secrets,  name: [variables('storageConnectionStringName')],  //...  dependsOn: [  [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))],  [resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]  ],  properties: {  value: [concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)]  }  },  {  type: secrets,  name: [variables('appInsightsKeyName')],  //...  dependsOn: [  [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))],  [resourceId('Microsoft.Insights/components', variables('appInsightsName'))]  ],  properties: {  value: [reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]  }  }  ]  }  ] } ```",
-          "AuditProcedure": "**From Azure Portal**  1. Login to Azure Portal 2. In the expandable menu on the left go to `Key Vaults` 3. View the Key Vaults listed.  **From Azure CLI**  To list key vaults within a subscription run the following command:  ``` Get-AzKeyVault ```  To list the secrets within these key vaults run the following command:  ``` Get-AzKeyVaultSecret [-VaultName] <vault name> ```  **From Powershell**  To list key vaults within a subscription run the following command:  ``` Get-AzKeyVault ```  To list all secrets in a key vault run the following command:  ``` Get-AzKeyVaultSecret -VaultName '<vaultName' ```",
-          "AdditionalInformation": "",
-          "DefaultValue": "https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest:https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest",
-          "References": "TA0006, T1552, M1041"
-        }
-      ]
-    },
-    {
-      "Id": "10.1",
-      "Description": "Ensure that Resource Locks are set for Mission-Critical Azure Resources",
-      "Checks": [],
-      "Attributes": [
-        {
-          "Section": "10. Miscellaneous",
-          "Profile": "Level 2",
-          "AssessmentStatus": "Manual",
-          "Description": "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.",
-          "RationaleStatement": "As an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to `CanNotDelete` or `ReadOnly` to achieve this purpose.  - `CanNotDelete` means authorized users can still read and modify a resource, but they cannot delete the resource.  - `ReadOnly` means authorized users can read a resource, but they cannot delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.",
-          "ImpactStatement": "There can be unintended outcomes of locking a resource. Applying a lock to a parent service will cause it to be inherited by all resources within. Conversely, applying a lock to a resource may not apply to connected storage, leaving it unlocked. Please see the documentation for further information.",
-          "RemediationProcedure": "**From Azure Portal**  1. Navigate to the specific Azure Resource or Resource Group 2. For each mission critical resource, click on `Locks` 3. Click `Add` 4. Give the lock a name and a description, then select the type, `Read-only` or `Delete` as appropriate 5. Click OK  **From Azure CLI**  To lock a resource, provide the name of the resource, its resource type, and its resource group name.  ``` az lock create --name <LockName> --lock-type <CanNotDelete/Read-only> --resource-group <resourceGroupName> --resource-name <resourceName> --resource-type <resourceType> ```  **From Powershell**  ``` Get-AzResourceLock -ResourceName <Resource Name> -ResourceType <Resource Type> -ResourceGroupName <Resource Group Name> -Locktype <CanNotDelete/Read-only> ```",
-          "AuditProcedure": "**From Azure Portal**  1. Navigate to the specific Azure Resource or Resource Group 2. Click on `Locks` 3. Ensure the lock is defined with name and description, with type `Read-only` or `Delete` as appropriate.  **From Azure CLI**  Review the list of all locks set currently:  ``` az lock list --resource-group <resourcegroupname> --resource-name <resourcename> --namespace <Namespace> --resource-type <type> --parent  ```  **From Powershell**  Run the following command to list all resources.  ``` Get-AzResource ```  For each resource, run the following command to check for Resource Locks.  ``` Get-AzResourceLock -ResourceName <Resource Name> -ResourceType <Resource Type> -ResourceGroupName <Resource Group Name> ``` Review the output of the `Properties` setting. Compliant settings will have the `CanNotDelete` or `ReadOnly` value.",
-          "AdditionalInformation": "",
-          "DefaultValue": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks:https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-4-limit-access-to-asset-management",
-          "References": ""
-        }
-      ]
    }
  ]
 }
--- a/prowler/config/config.py
+++ b/prowler/config/config.py
@@ -11,7 +11,7 @@ from prowler.lib.logger import logger

 timestamp = datetime.today()
 timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "3.16.1"
+prowler_version = "3.16.18"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
 html_logo_img = "https://user-images.githubusercontent.com/3985464/113734260-7ba06900-96fb-11eb-82bc-d4f68a1e2710.png"
 square_logo_img = "https://user-images.githubusercontent.com/38561120/235905862-9ece5bd7-9aa3-4e48-807a-3a9035eb8bfb.png"
@@ -61,6 +61,7 @@ html_file_suffix = ".html"
 default_config_file_path = (
    f"{pathlib.Path(os.path.dirname(os.path.realpath(__file__)))}/config.yaml"
 )
+encoding_format_utf_8 = "utf-8"


 def check_current_version():
@@ -102,8 +103,7 @@ def load_and_validate_config_file(provider: str, config_file_path: str) -> dict:
    load_and_validate_config_file reads the Prowler config file in YAML format from the default location or the file passed with the --config-file flag
    """
    try:
-        with open(config_file_path) as f:
-            config = {}
+        with open(config_file_path, "r", encoding=encoding_format_utf_8) as f:
            config_file = yaml.safe_load(f)

            # Not to introduce a breaking change we have to allow the old format config file without any provider keys
--- a/prowler/config/config.yaml
+++ b/prowler/config/config.yaml
@@ -31,6 +31,7 @@ aws:
  max_ec2_instance_age_in_days: 180

  # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
+  # AWS SSM Configuration (aws.ssm_documents_set_as_public)
  # Single account environment: No action required. The AWS account number will be automatically added by the checks.
  # Multi account environment: Any additional trusted account number should be added as a space separated list, e.g.
  # trusted_account_ids : ["123456789012", "098765432109", "678901234567"]
@@ -96,6 +97,15 @@ aws:
  # trustedadvisor_premium_support_plan_subscribed
  verify_premium_support_plans: True

+  # AWS RDS
+  # aws.rds_instance_backup_enabled
+  # Whether to check RDS instance replicas or not
+  check_rds_instance_replicas: False
+
+  # AWS ACM Configuration
+  # aws.acm_certificates_expiration_check
+  days_to_expire_threshold: 7
+
 # Azure Configuration
 azure:
  # Azure Network Configuration
--- a/prowler/lib/check/compliance.py
+++ b/prowler/lib/check/compliance.py
@@ -34,6 +34,7 @@ def update_checks_metadata_with_compliance(
            # Save it into the check's metadata
            bulk_checks_metadata[check].Compliance = check_compliance

+        check_compliance = []
        # Add requirements of Manual Controls
        for framework in bulk_compliance_frameworks.values():
            for requirement in framework.Requirements:
@@ -70,7 +71,6 @@ def update_checks_metadata_with_compliance(
                    "Recommendation": {"Text": "", "Url": ""},
                },
                "Categories": [],
-                "Tags": {},
                "DependsOn": [],
                "RelatedTo": [],
                "Notes": "",
--- a/prowler/lib/outputs/html.py
+++ b/prowler/lib/outputs/html.py
@@ -1,3 +1,4 @@
+import html
 import importlib
 import sys
 from os import path
@@ -30,9 +31,9 @@ def add_html_header(file_descriptor, audit_info):
        <!DOCTYPE html>
    <html lang="en">
    <head>
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <!-- Required meta tags -->
-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
    <style>
        .read-more {
            color: #00f;
@@ -48,7 +49,7 @@ def add_html_header(file_descriptor, audit_info):
    </style>
    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
-        integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous">
+        integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous" />
    <!-- https://datatables.net/download/index with jQuery, DataTables, Buttons, SearchPanes, and Select //-->
    <link rel="stylesheet" type="text/css"
        href="https://cdn.datatables.net/v/dt/jqc-1.12.4/dt-1.10.25/b-1.7.1/sp-1.4.0/sl-1.3.3/datatables.min.css" />
@@ -78,13 +79,13 @@ def add_html_header(file_descriptor, audit_info):
    <div class="container-fluid">
        <div class="row mt-3">
        <div class="col-md-4">
-            <a href="""
+            <a href=\""""
            + html_logo_url
-            + """><img class="float-left card-img-left mt-4 mr-4 ml-4"
-                        src="""
+            + """\"><img class="float-left card-img-left mt-4 mr-4 ml-4"
+                        src=\""""
            + html_logo_img
-            + """
-                        alt="prowler-logo"></a>
+            + """\"
+                        alt="prowler-logo" /></a>
            <div class="card">
            <div class="card-header">
                Report Information
@@ -182,13 +183,13 @@ def fill_html(file_descriptor, finding, output_options):
                    <td>{finding.check_metadata.Severity}</td>
                    <td>{finding.check_metadata.ServiceName}</td>
                    <td>{finding.location.lower() if isinstance(finding, Check_Report_GCP) else finding.region if isinstance(finding, Check_Report_AWS) else ""}</td>
-                    <td>{finding.check_metadata.CheckID.replace("_", "<wbr>_")}</td>
+                    <td>{finding.check_metadata.CheckID.replace("_", "<wbr />_")}</td>
                    <td>{finding.check_metadata.CheckTitle}</td>
-                    <td>{finding.resource_id.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr>_")}</td>
+                    <td>{finding.resource_id.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr />_")}</td>
                    <td>{parse_html_string(unroll_tags(finding.resource_tags))}</td>
-                    <td>{finding.status_extended.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr>_")}</td>
-                    <td><p class="show-read-more">{finding.check_metadata.Risk}</p></td>
-                    <td><p class="show-read-more">{finding.check_metadata.Remediation.Recommendation.Text}</p> <a class="read-more" href="{finding.check_metadata.Remediation.Recommendation.Url}"><i class="fas fa-external-link-alt"></i></a></td>
+                    <td>{finding.status_extended.replace("<", "&lt;").replace(">", "&gt;").replace("_", "<wbr />_")}</td>
+                    <td><p class="show-read-more">{html.escape(finding.check_metadata.Risk)}</p></td>
+                    <td><p class="show-read-more">{html.escape(finding.check_metadata.Remediation.Recommendation.Text)}</p> <a class="read-more" href="{finding.check_metadata.Remediation.Recommendation.Url}"><i class="fas fa-external-link-alt"></i></a></td>
                    <td><p class="show-read-more">{parse_html_string(unroll_dict(get_check_compliance(finding, finding.check_metadata.Provider, output_options)))}</p></td>
                </tr>
                """
@@ -247,8 +248,6 @@ def add_html_footer(output_filename, output_directory):
            </table>
        </div>
    </div>
-    </div>
-    </div>
    <!-- Table search and paginator -->
    <!-- Optional JavaScript -->
    <!-- jQuery first, then Popper.js, then Bootstrap JS -->
--- a/prowler/lib/outputs/models.py
+++ b/prowler/lib/outputs/models.py
@@ -24,7 +24,8 @@ def get_check_compliance(finding, provider, output_options):
                compliance_fw = compliance.Framework
                if compliance.Version:
                    compliance_fw = f"{compliance_fw}-{compliance.Version}"
-                if compliance.Provider == provider.upper():
+                # compliance.Provider == "Azure" or "GCP" or "AWS"
+                if compliance.Provider.upper() == provider.upper():
                    if compliance_fw not in check_compliance:
                        check_compliance[compliance_fw] = []
                    for requirement in compliance.Requirements:
--- a/prowler/lib/outputs/outputs.py
+++ b/prowler/lib/outputs/outputs.py
@@ -67,15 +67,15 @@ def report(check_findings, output_options, audit_info):
                            compliance in output_options.output_modes
                            for compliance in available_compliance_frameworks
                        ):
-                            fill_compliance(
+                            add_manual_controls(
                                output_options,
-                                finding,
                                audit_info,
                                file_descriptors,
                            )

-                            add_manual_controls(
+                            fill_compliance(
                                output_options,
+                                finding,
                                audit_info,
                                file_descriptors,
                            )
--- a/prowler/lib/outputs/summary_table.py
+++ b/prowler/lib/outputs/summary_table.py
@@ -45,6 +45,7 @@ def display_summary_table(
                "Service": "",
                "Provider": "",
                "Total": 0,
+                "Pass": 0,
                "Critical": 0,
                "High": 0,
                "Medium": 0,
@@ -78,6 +79,7 @@ def display_summary_table(
                current["Total"] += 1
                if finding.status == "PASS":
                    pass_count += 1
+                    current["Pass"] += 1
                elif finding.status == "FAIL":
                    fail_count += 1
                    if finding.check_metadata.Severity == "critical":
@@ -157,7 +159,8 @@ def add_service_to_table(findings_table, current):
        )
        current["Status"] = f"{Fore.RED}FAIL ({total_fails}){Style.RESET_ALL}"
    else:
-        current["Status"] = f"{Fore.GREEN}PASS ({current['Total']}){Style.RESET_ALL}"
+        current["Status"] = f"{Fore.GREEN}PASS ({current['Pass']}){Style.RESET_ALL}"
+
    findings_table["Provider"].append(current["Provider"])
    findings_table["Service"].append(current["Service"])
    findings_table["Status"].append(current["Status"])
--- a/prowler/lib/utils/utils.py
+++ b/prowler/lib/utils/utils.py
@@ -12,13 +12,14 @@ from time import mktime
 from detect_secrets import SecretsCollection
 from detect_secrets.settings import default_settings

+from prowler.config.config import encoding_format_utf_8
 from prowler.lib.logger import logger


 def open_file(input_file: str, mode: str = "r") -> TextIOWrapper:
    """open_file returns a handler to the file using the specified mode."""
    try:
-        f = open(input_file, mode)
+        f = open(input_file, mode, encoding=encoding_format_utf_8)
    except OSError as os_error:
        if os_error.strerror == "Too many open files":
            logger.critical(
@@ -66,7 +67,7 @@ def file_exists(filename: str):

 def hash_sha512(string: str) -> str:
    """hash_sha512 returns the first 9 bytes of the SHA512 representation for the given string."""
-    return sha512(string.encode("utf-8")).hexdigest()[0:9]
+    return sha512(string.encode(encoding_format_utf_8)).hexdigest()[0:9]


 def detect_secrets_scan(data):
--- a/prowler/providers/aws/aws_provider.py
+++ b/prowler/providers/aws/aws_provider.py
@@ -1,10 +1,13 @@
 import os
 import pathlib
 import sys
+from datetime import datetime

 from boto3 import client, session
 from botocore.credentials import RefreshableCredentials
 from botocore.session import get_session
+from pytz import utc
+from tzlocal import get_localzone

 from prowler.config.config import aws_services_json_file
 from prowler.lib.check.check import list_modules, recover_checks_from_service
@@ -14,6 +17,7 @@ from prowler.providers.aws.config import (
    AWS_STS_GLOBAL_ENDPOINT_REGION,
    ROLE_SESSION_NAME,
 )
+from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
 from prowler.providers.aws.lib.audit_info.models import AWS_Assume_Role, AWS_Audit_Info
 from prowler.providers.aws.lib.credentials.credentials import create_sts_session

@@ -98,18 +102,30 @@ class AWS_Provider:
    # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L570
    def refresh_credentials(self):
        logger.info("Refreshing assumed credentials...")
-
-        response = assume_role(self.aws_session, self.role_info)
-        refreshed_credentials = dict(
-            # Keys of the dict has to be the same as those that are being searched in the parent class
-            # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L609
-            access_key=response["Credentials"]["AccessKeyId"],
-            secret_key=response["Credentials"]["SecretAccessKey"],
-            token=response["Credentials"]["SessionToken"],
-            expiry_time=response["Credentials"]["Expiration"].isoformat(),
-        )
-        logger.info("Refreshed Credentials:")
-        logger.info(refreshed_credentials)
+        current_credentials = current_audit_info.credentials
+        refreshed_credentials = {
+            "access_key": current_credentials.aws_access_key_id,
+            "secret_key": current_credentials.aws_secret_access_key,
+            "token": current_credentials.aws_session_token,
+            "expiry_time": (
+                current_credentials.expiration.isoformat()
+                if hasattr(current_credentials, "expiration")
+                else current_credentials.expiry_time.isoformat()
+            ),
+        }
+        if datetime.fromisoformat(refreshed_credentials["expiry_time"]) <= datetime.now(
+            get_localzone()
+        ):
+            response = assume_role(self.aws_session, self.role_info)
+            refreshed_credentials = dict(
+                # Keys of the dict has to be the same as those that are being searched in the parent class
+                # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L609
+                access_key=response["Credentials"]["AccessKeyId"],
+                secret_key=response["Credentials"]["SecretAccessKey"],
+                token=response["Credentials"]["SessionToken"],
+                expiry_time=response["Credentials"]["Expiration"].isoformat(),
+            )
+            logger.info("Refreshed Credentials")
        return refreshed_credentials


@@ -146,6 +162,17 @@ def assume_role(

        sts_client = create_sts_session(session, sts_endpoint_region)
        assumed_credentials = sts_client.assume_role(**assume_role_arguments)
+
+        # Convert the UTC datetime object to your local timezone
+        credentials_expiration_local_time = (
+            assumed_credentials["Credentials"]["Expiration"]
+            .replace(tzinfo=utc)
+            .astimezone(get_localzone())
+        )
+        assumed_credentials["Credentials"][
+            "Expiration"
+        ] = credentials_expiration_local_time
+
    except Exception as error:
        logger.critical(
            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
--- a/prowler/providers/aws/aws_regions_by_service.json
+++ b/prowler/providers/aws/aws_regions_by_service.json
--- a/prowler/providers/aws/lib/allowlist/allowlist.py
+++ b/prowler/providers/aws/lib/allowlist/allowlist.py
@@ -118,8 +118,8 @@ def parse_allowlist_file(audit_info, allowlist_file):
 def allowlist_findings(
    allowlist: dict,
    audited_account: str,
-    check_findings: [Any],
-):
+    check_findings: list[Any],
+) -> list[Any]:
    # Check if finding is allowlisted
    for finding in check_findings:
        if is_allowlisted(
@@ -141,7 +141,21 @@ def is_allowlisted(
    finding_region: str,
    finding_resource: str,
    finding_tags,
-):
+) -> bool:
+    """
+    Check if the provided finding is allowlisted for the audited account, check, region, resource and tags.
+
+    Args:
+        mutelist (dict): Dictionary containing information about allowlisted checks for different accounts.
+        audited_account (str): The account being audited.
+        check (str): The check to be evaluated for allowlisting.
+        finding_region (str): The region where the finding occurred.
+        finding_resource (str): The resource related to the finding.
+        finding_tags: The tags associated with the finding.
+
+    Returns:
+        bool: True if the finding is allowlisted for the audited account, check, region, resource and tags., otherwise False.
+    """
    try:
        # By default is not allowlisted
        is_finding_allowlisted = False
@@ -163,10 +177,10 @@ def is_allowlisted(

        return is_finding_allowlisted
    except Exception as error:
-        logger.critical(
+        logger.error(
            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
        )
-        sys.exit(1)
+        return False


 def is_allowlisted_in_check(
@@ -176,7 +190,21 @@ def is_allowlisted_in_check(
    finding_region,
    finding_resource,
    finding_tags,
-):
+) -> bool:
+    """
+    Check if the provided check is allowlisted.
+
+    Args:
+        allowlisted_checks (dict): Dictionary containing information about allowlisted checks.
+        audited_account (str): The account to be audited.
+        check (str): The check to be evaluated for allowlisting.
+        finding_region (str): The region where the finding occurred.
+        finding_resource (str): The resource related to the finding.
+        finding_tags (str): The tags associated with the finding.
+
+    Returns:
+        bool: True if the check is allowlisted, otherwise False.
+    """
    try:
        # Default value is not allowlisted
        is_check_allowlisted = False
@@ -185,14 +213,23 @@ def is_allowlisted_in_check(
            # map lambda to awslambda
            allowlisted_check = re.sub("^lambda", "awslambda", allowlisted_check)

+            check_match = (
+                "*" == allowlisted_check
+                or check == allowlisted_check
+                or re.search(allowlisted_check, check)
+            )
+
            # Check if the finding is excepted
            exceptions = allowlisted_check_info.get("Exceptions")
-            if is_excepted(
-                exceptions,
-                audited_account,
-                finding_region,
-                finding_resource,
-                finding_tags,
+            if (
+                is_excepted(
+                    exceptions,
+                    audited_account,
+                    finding_region,
+                    finding_resource,
+                    finding_tags,
+                )
+                and check_match
            ):
                # Break loop and return default value since is excepted
                break
@@ -205,11 +242,7 @@ def is_allowlisted_in_check(
                allowlisted_tags = "*"

            # If there is a *, it affects to all checks
-            if (
-                "*" == allowlisted_check
-                or check == allowlisted_check
-                or re.search(allowlisted_check, check)
-            ):
+            if check_match:
                allowlisted_in_check = True
                allowlisted_in_region = is_allowlisted_in_region(
                    allowlisted_regions, finding_region
@@ -238,44 +271,74 @@ def is_allowlisted_in_check(

        return is_check_allowlisted
    except Exception as error:
-        logger.critical(
+        logger.error(
            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
        )
-        sys.exit(1)
+        return False


 def is_allowlisted_in_region(
    allowlisted_regions,
    finding_region,
-):
+) -> bool:
+    """
+    Check if the finding_region is present in the allowlisted_regions.
+
+    Args:
+        allowlisted_regions (list): List of regions in the allowlist.
+        finding_region (str): Region to check if it is allowlisted.
+
+    Returns:
+        bool: True if the finding_region is present in any of the allowlisted_regions, otherwise False.
+    """
    try:
        return __is_item_matched__(allowlisted_regions, finding_region)
    except Exception as error:
-        logger.critical(
+        logger.error(
            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
        )
-        sys.exit(1)
+        return False


-def is_allowlisted_in_tags(allowlisted_tags, finding_tags):
+def is_allowlisted_in_tags(allowlisted_tags, finding_tags) -> bool:
+    """
+    Check if any of the allowlisted tags are present in the finding tags.
+
+    Args:
+        allowlisted_tags (list): List of allowlisted tags to be checked.
+        finding_tags (str): String containing tags to search for allowlisted tags.
+
+    Returns:
+        bool: True if any of the allowlisted tags are present in the finding tags, otherwise False.
+    """
    try:
        return __is_item_matched__(allowlisted_tags, finding_tags)
    except Exception as error:
-        logger.critical(
+        logger.error(
            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
        )
-        sys.exit(1)
+        return False


-def is_allowlisted_in_resource(allowlisted_resources, finding_resource):
+def is_allowlisted_in_resource(allowlisted_resources, finding_resource) -> bool:
+    """
+    Check if any of the allowlisted_resources are present in the finding_resource.
+
+    Args:
+        allowlisted_resources (list): List of allowlisted resources to be checked.
+        finding_resource (str): Resource to search for allowlisted resources.
+
+    Returns:
+        bool: True if any of the allowlisted_resources are present in the finding_resource, otherwise False.
+    """
    try:
        return __is_item_matched__(allowlisted_resources, finding_resource)

    except Exception as error:
-        logger.critical(
+        logger.error(
            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
        )
-        sys.exit(1)
+        return False


 def is_excepted(
@@ -284,8 +347,20 @@ def is_excepted(
    finding_region,
    finding_resource,
    finding_tags,
-):
-    """is_excepted returns True if the account, region, resource and tags are excepted"""
+) -> bool:
+    """
+    Check if the provided account, region, resource, and tags are excepted based on the exceptions dictionary.
+
+    Args:
+        exceptions (dict): Dictionary containing exceptions for different attributes like Accounts, Regions, Resources, and Tags.
+        audited_account (str): The account to be audited.
+        finding_region (str): The region where the finding occurred.
+        finding_resource (str): The resource related to the finding.
+        finding_tags (str): The tags associated with the finding.
+
+    Returns:
+        bool: True if the account, region, resource, and tags are excepted based on the exceptions, otherwise False.
+    """
    try:
        excepted = False
        is_account_excepted = False
@@ -325,26 +400,36 @@ def is_excepted(
                excepted = True
        return excepted
    except Exception as error:
-        logger.critical(
+        logger.error(
            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
        )
-        sys.exit(1)
+        return False


 def __is_item_matched__(matched_items, finding_items):
-    """__is_item_matched__ return True if any of the matched_items are present in the finding_items, otherwise returns False."""
+    """
+    Check if any of the items in matched_items are present in finding_items.
+
+    Args:
+        matched_items (list): List of items to be matched.
+        finding_items (str): String to search for matched items.
+
+    Returns:
+        bool: True if any of the matched_items are present in finding_items, otherwise False.
+    """
    try:
        is_item_matched = False
        if matched_items and (finding_items or finding_items == ""):
            for item in matched_items:
-                if item == "*":
-                    item = ".*"
+                if item.startswith("*"):
+                    item = ".*" + item[1:]
                if re.search(item, finding_items):
                    is_item_matched = True
                    break
        return is_item_matched
    except Exception as error:
-        logger.critical(
+        logger.error(
            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
        )
-        sys.exit(1)
+        # If something unexpected happens return not matched, thus False
+        return False
--- a/prowler/providers/aws/lib/arn/arn.py
+++ b/prowler/providers/aws/lib/arn/arn.py
@@ -45,6 +45,8 @@ def parse_iam_credentials_arn(arn: str) -> ARN:
            arn_parsed.resource_type != "role"
            and arn_parsed.resource_type != "user"
            and arn_parsed.resource_type != "assumed-role"
+            and arn_parsed.resource_type != "root"
+            and arn_parsed.resource_type != "federated-user"
        ):
            raise RoleArnParsingInvalidResourceType
        elif arn_parsed.resource == "":
--- a/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py
+++ b/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py
@@ -1,5 +1,7 @@
 def is_condition_block_restrictive(
-    condition_statement: dict, source_account: str, is_cross_account_allowed=False
+    condition_statement: dict,
+    source_account: str,
+    is_cross_account_allowed=False,
 ):
    """
    is_condition_block_restrictive parses the IAM Condition policy block and, by default, returns True if the source_account passed as argument is within, False if not.
@@ -15,6 +17,9 @@ def is_condition_block_restrictive(
        }

    @param source_account: str with a 12-digit AWS Account number, e.g.: 111122223333
+
+    @param is_cross_account_allowed: bool to allow cross-account access, e.g.: True
+
    """
    is_condition_valid = False

@@ -29,6 +34,8 @@ def is_condition_block_restrictive(
            "aws:principalaccount",
            "aws:resourceaccount",
            "aws:sourcearn",
+            "aws:sourcevpc",
+            "aws:sourcevpce",
        ],
        "StringLike": [
            "aws:sourceaccount",
@@ -37,6 +44,8 @@ def is_condition_block_restrictive(
            "aws:principalarn",
            "aws:resourceaccount",
            "aws:principalaccount",
+            "aws:sourcevpc",
+            "aws:sourcevpce",
        ],
        "ArnLike": ["aws:sourcearn", "aws:principalarn"],
        "ArnEquals": ["aws:sourcearn", "aws:principalarn"],
@@ -86,3 +95,63 @@ def is_condition_block_restrictive(
                                is_condition_valid = True

    return is_condition_valid
+
+
+def is_condition_block_restrictive_organization(
+    condition_statement: dict,
+):
+    """
+    is_condition_block_restrictive_organization parses the IAM Condition policy block and returns True if the condition_statement is restrictive for the organization, False if not.
+
+    @param condition_statement: dict with an IAM Condition block, e.g.:
+        {
+            "StringLike": {
+                "AWS:PrincipalOrgID": "o-111122223333"
+            }
+        }
+
+    """
+    is_condition_valid = False
+
+    # The conditions must be defined in lowercase since the context key names are not case-sensitive.
+    # For example, including the aws:PrincipalOrgID context key is equivalent to testing for AWS:PrincipalOrgID
+    # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
+    valid_condition_options = {
+        "StringEquals": [
+            "aws:principalorgid",
+        ],
+        "StringLike": [
+            "aws:principalorgid",
+        ],
+    }
+
+    for condition_operator, condition_operator_key in valid_condition_options.items():
+        if condition_operator in condition_statement:
+            for value in condition_operator_key:
+                # We need to transform the condition_statement into lowercase
+                condition_statement[condition_operator] = {
+                    k.lower(): v
+                    for k, v in condition_statement[condition_operator].items()
+                }
+
+                if value in condition_statement[condition_operator]:
+                    # values are a list
+                    if isinstance(
+                        condition_statement[condition_operator][value],
+                        list,
+                    ):
+                        is_condition_valid = True
+                        for item in condition_statement[condition_operator][value]:
+                            if item == "*":
+                                is_condition_valid = False
+                                break
+
+                    # value is a string
+                    elif isinstance(
+                        condition_statement[condition_operator][value],
+                        str,
+                    ):
+                        if "*" not in condition_statement[condition_operator][value]:
+                            is_condition_valid = True
+
+    return is_condition_valid
--- a/prowler/providers/aws/lib/service/service.py
+++ b/prowler/providers/aws/lib/service/service.py
@@ -19,6 +19,17 @@ class AWSService:
    - Also handles if the AWS Service is Global
    """

+    failed_checks = set()
+
+    @classmethod
+    def set_failed_check(cls, check_id=None, arn=None):
+        if check_id is not None and arn is not None:
+            cls.failed_checks.add((check_id.split(".")[-1], arn))
+
+    @classmethod
+    def is_failed_check(cls, check_id, arn):
+        return (check_id.split(".")[-1], arn) in cls.failed_checks
+
    def __init__(self, service: str, audit_info: AWS_Audit_Info, global_service=False):
        # Audit Information
        self.audit_info = audit_info
--- a/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.metadata.json
+++ b/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.metadata.json
@@ -11,13 +11,13 @@
  "Severity": "medium",
  "ResourceType": "Other",
  "Description": "Maintain current contact details.",
-  "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
+  "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
  "RelatedUrl": "",
  "Remediation": {
    "Code": {
      "CLI": "No command available.",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/iam_18-maintain-contact-details#aws-console",
+      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
      "Terraform": ""
    },
    "Recommendation": {
--- a/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json
+++ b/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json
@@ -11,13 +11,13 @@
  "Severity": "medium",
  "ResourceType": "Other",
  "Description": "Maintain different contact details to security, billing and operations.",
-  "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
+  "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
  "RelatedUrl": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html",
  "Remediation": {
    "Code": {
      "CLI": "",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/iam_18-maintain-contact-details#aws-console",
+      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_18-maintain-contact-details#aws-console",
      "Terraform": ""
    },
    "Recommendation": {
--- a/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py
+++ b/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py
@@ -6,22 +6,26 @@ class account_maintain_different_contact_details_to_security_billing_and_operati
    Check
 ):
    def execute(self):
-        report = Check_Report_AWS(self.metadata())
-        report.region = account_client.region
-        report.resource_id = account_client.audited_account
-        report.resource_arn = account_client.audited_account_arn
+        findings = []
+        if account_client.contact_base:
+            report = Check_Report_AWS(self.metadata())
+            report.region = account_client.region
+            report.resource_id = account_client.audited_account
+            report.resource_arn = account_client.audited_account_arn

-        if (
-            len(account_client.contact_phone_numbers)
-            == account_client.number_of_contacts
-            and len(account_client.contact_names) == account_client.number_of_contacts
-            # This is because the primary contact has no email field
-            and len(account_client.contact_emails)
-            == account_client.number_of_contacts - 1
-        ):
-            report.status = "PASS"
-            report.status_extended = "SECURITY, BILLING and OPERATIONS contacts found and they are different between each other and between ROOT contact."
-        else:
-            report.status = "FAIL"
-            report.status_extended = "SECURITY, BILLING and OPERATIONS contacts not found or they are not different between each other and between ROOT contact."
-        return [report]
+            if (
+                len(account_client.contact_phone_numbers)
+                == account_client.number_of_contacts
+                and len(account_client.contact_names)
+                == account_client.number_of_contacts
+                # This is because the primary contact has no email field
+                and len(account_client.contact_emails)
+                == account_client.number_of_contacts - 1
+            ):
+                report.status = "PASS"
+                report.status_extended = "SECURITY, BILLING and OPERATIONS contacts found and they are different between each other and between ROOT contact."
+            else:
+                report.status = "FAIL"
+                report.status_extended = "SECURITY, BILLING and OPERATIONS contacts not found or they are not different between each other and between ROOT contact."
+            findings.append(report)
+        return findings
--- a/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.metadata.json
+++ b/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.metadata.json
@@ -17,7 +17,7 @@
    "Code": {
      "CLI": "No command available.",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/iam_19#aws-console",
+      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_19#aws-console",
      "Terraform": ""
    },
    "Recommendation": {
--- a/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.metadata.json
+++ b/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.metadata.json
@@ -17,7 +17,7 @@
    "Code": {
      "CLI": "No command available.",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/iam_15",
+      "Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_15",
      "Terraform": ""
    },
    "Recommendation": {
--- a/prowler/providers/aws/services/account/account_service.py
+++ b/prowler/providers/aws/services/account/account_service.py
@@ -18,28 +18,29 @@ class Account(AWSService):
        self.contacts_security = self.__get_alternate_contact__("SECURITY")
        self.contacts_operations = self.__get_alternate_contact__("OPERATIONS")

-        # Set of contact phone numbers
-        self.contact_phone_numbers = {
-            self.contact_base.phone_number,
-            self.contacts_billing.phone_number,
-            self.contacts_security.phone_number,
-            self.contacts_operations.phone_number,
-        }
+        if self.contact_base:
+            # Set of contact phone numbers
+            self.contact_phone_numbers = {
+                self.contact_base.phone_number,
+                self.contacts_billing.phone_number,
+                self.contacts_security.phone_number,
+                self.contacts_operations.phone_number,
+            }

-        # Set of contact names
-        self.contact_names = {
-            self.contact_base.name,
-            self.contacts_billing.name,
-            self.contacts_security.name,
-            self.contacts_operations.name,
-        }
+            # Set of contact names
+            self.contact_names = {
+                self.contact_base.name,
+                self.contacts_billing.name,
+                self.contacts_security.name,
+                self.contacts_operations.name,
+            }

-        # Set of contact emails
-        self.contact_emails = {
-            self.contacts_billing.email,
-            self.contacts_security.email,
-            self.contacts_operations.email,
-        }
+            # Set of contact emails
+            self.contact_emails = {
+                self.contacts_billing.email,
+                self.contacts_security.email,
+                self.contacts_operations.email,
+            }

    def __get_contact_information__(self):
        try:
@@ -53,10 +54,16 @@ class Account(AWSService):
                phone_number=primary_account_contact.get("PhoneNumber"),
            )
        except Exception as error:
-            logger.error(
-                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-            return Contact(type="PRIMARY")
+            if error.response["Error"]["Code"] == "AccessDeniedException":
+                logger.error(
+                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+                return None
+            else:
+                logger.error(
+                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+                return Contact(type="PRIMARY")

    def __get_alternate_contact__(self, contact_type: str):
        try:
--- a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json
+++ b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json
@@ -21,7 +21,7 @@
      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check.",
+      "Text": "Monitor certificate expiration and take automated action to renew, replace or remove. Having shorter TTL for any security artifact is a general recommendation, but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check.",
      "Url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
    }
  },
--- a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
+++ b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
@@ -1,33 +1,36 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.acm.acm_client import acm_client

-DAYS_TO_EXPIRE_THRESHOLD = 7
-

 class acm_certificates_expiration_check(Check):
    def execute(self):
        findings = []
        for certificate in acm_client.certificates:
-            report = Check_Report_AWS(self.metadata())
-            report.region = certificate.region
-            if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
-                report.status = "PASS"
-                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
-            else:
-                report.status = "FAIL"
-                if certificate.expiration_days < 0:
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
+            if certificate.in_use or not acm_client.audit_info.ignore_unused_services:
+                report = Check_Report_AWS(self.metadata())
+                report.region = certificate.region
+                if certificate.expiration_days > acm_client.audit_config.get(
+                    "days_to_expire_threshold", 7
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
+                    report.resource_arn = certificate.arn
+                    report.resource_tags = certificate.tags
                else:
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
+                    report.status = "FAIL"
+                    if certificate.expiration_days < 0:
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
+                        report.check_metadata.Severity = "high"
+                    else:
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
+                        report.check_metadata.Severity = "medium"

-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
+                    report.resource_arn = certificate.arn
+                    report.resource_tags = certificate.tags

-            findings.append(report)
+                findings.append(report)
        return findings
--- a/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py
+++ b/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py
@@ -6,29 +6,30 @@ class acm_certificates_transparency_logs_enabled(Check):
    def execute(self):
        findings = []
        for certificate in acm_client.certificates:
-            report = Check_Report_AWS(self.metadata())
-            report.region = certificate.region
-            if certificate.type == "IMPORTED":
-                report.status = "PASS"
-                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is imported."
-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
-            else:
-                if not certificate.transparency_logging:
-                    report.status = "FAIL"
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging disabled."
+            if certificate.in_use or not acm_client.audit_info.ignore_unused_services:
+                report = Check_Report_AWS(self.metadata())
+                report.region = certificate.region
+                if certificate.type == "IMPORTED":
+                    report.status = "PASS"
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is imported."
                    report.resource_id = certificate.id
                    report.resource_details = certificate.name
                    report.resource_arn = certificate.arn
                    report.resource_tags = certificate.tags
                else:
-                    report.status = "PASS"
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging enabled."
-                    report.resource_id = certificate.id
-                    report.resource_details = certificate.name
-                    report.resource_arn = certificate.arn
-                    report.resource_tags = certificate.tags
-            findings.append(report)
+                    if not certificate.transparency_logging:
+                        report.status = "FAIL"
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging disabled."
+                        report.resource_id = certificate.id
+                        report.resource_details = certificate.name
+                        report.resource_arn = certificate.arn
+                        report.resource_tags = certificate.tags
+                    else:
+                        report.status = "PASS"
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging enabled."
+                        report.resource_id = certificate.id
+                        report.resource_details = certificate.name
+                        report.resource_arn = certificate.arn
+                        report.resource_tags = certificate.tags
+                findings.append(report)
        return findings
--- a/prowler/providers/aws/services/acm/acm_service.py
+++ b/prowler/providers/aws/services/acm/acm_service.py
@@ -50,6 +50,7 @@ class ACM(AWSService):
                                id=certificate["CertificateArn"].split("/")[-1],
                                type=certificate["Type"],
                                expiration_days=certificate_expiration_time,
+                                in_use=certificate.get("InUse", False),
                                transparency_logging=False,
                                region=regional_client.region,
                            )
@@ -99,5 +100,6 @@ class Certificate(BaseModel):
    type: str
    tags: Optional[list] = []
    expiration_days: int
+    in_use: bool
    transparency_logging: Optional[bool]
    region: str
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json
@@ -19,9 +19,9 @@
  "Remediation": {
    "Code": {
      "CLI": "",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/public_6-api-gateway-authorizer-set#cloudformation",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/public-policies/public_6-api-gateway-authorizer-set#cloudformation",
      "Other": "",
-      "Terraform": "https://docs.bridgecrew.io/docs/public_6-api-gateway-authorizer-set#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/public-policies/public_6-api-gateway-authorizer-set#terraform"
    },
    "Recommendation": {
      "Text": "Implement Amazon Cognito or a Lambda function to control access to your API.",
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json
@@ -12,7 +12,7 @@
  "SubServiceName": "rest_api",
  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
  "Severity": "medium",
-  "ResourceType": "AwsApiGatewayStage",
+  "ResourceType": "AwsApiGatewayRestApi",
  "Description": "Check if API Gateway Stage has client certificate enabled to access your backend endpoint.",
  "Risk": "Possible man in the middle attacks and other similar risks.",
  "RelatedUrl": "",
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json
@@ -12,7 +12,7 @@
  "SubServiceName": "rest_api",
  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
  "Severity": "medium",
-  "ResourceType": "AwsApiGatewayStage",
+  "ResourceType": "AwsApiGatewayRestApi",
  "Description": "Check if API Gateway Stage has logging enabled.",
  "Risk": "If not enabled, monitoring of service use is not possible. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.",
  "RelatedUrl": "",
@@ -21,7 +21,7 @@
      "CLI": "",
      "NativeIaC": "",
      "Other": "",
-      "Terraform": "https://docs.bridgecrew.io/docs/ensure-api-gateway-stage-have-logging-level-defined-as-appropiate#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/ensure-api-gateway-stage-have-logging-level-defined-as-appropiate#terraform"
    },
    "Recommendation": {
      "Text": "Monitoring is an important part of maintaining the reliability, availability and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, etc.",
--- a/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json
+++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json
@@ -12,7 +12,7 @@
  "SubServiceName": "rest_api",
  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
  "Severity": "medium",
-  "ResourceType": "AwsApiGatewayStage",
+  "ResourceType": "AwsApiGatewayRestApi",
  "Description": "Check if API Gateway Stage has a WAF ACL attached.",
  "Risk": "Potential attacks and / or abuse of service, more even for even for internet reachable services.",
  "RelatedUrl": "",
--- a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json
@@ -20,8 +20,8 @@
    "Code": {
      "CLI": "",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/bc_aws_logging_30#aws-console",
-      "Terraform": "https://docs.bridgecrew.io/docs/bc_aws_logging_30#cloudformation"
+      "Other": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_30#aws-console",
+      "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_30#cloudformation"
    },
    "Recommendation": {
      "Text": "Monitoring is an important part of maintaining the reliability, availability and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, etc.",
--- a/prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.metadata.json
+++ b/prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.metadata.json
@@ -11,7 +11,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
  "Severity": "medium",
-  "ResourceType": "AppStream",
+  "ResourceType": "Other",
  "Description": "Ensure default Internet Access from your Amazon AppStream fleet streaming instances should remain unchecked.",
  "Risk": "Default Internet Access from your fleet streaming instances should be controlled using a NAT gateway in the VPC.",
  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
--- a/prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.metadata.json
+++ b/prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.metadata.json
@@ -9,7 +9,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
  "Severity": "medium",
-  "ResourceType": "AppStream",
+  "ResourceType": "Other",
  "Description": "Ensure user maximum session duration is no longer than 10 hours.",
  "Risk": "Having a session duration lasting longer than 10 hours should not be necessary and if running for any malicious reasons provides a greater time for usage than should be allowed.",
  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
--- a/prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.metadata.json
+++ b/prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.metadata.json
@@ -11,7 +11,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
  "Severity": "medium",
-  "ResourceType": "AppStream",
+  "ResourceType": "Other",
  "Description": "Ensure session disconnect timeout is set to 5 minutes or less",
  "Risk": "Disconnect timeout in minutes, is the amount of of time that a streaming session remains active after users disconnect.",
  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
--- a/prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.metadata.json
+++ b/prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.metadata.json
@@ -11,7 +11,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:appstream:region:account-id:fleet/resource-id",
  "Severity": "medium",
-  "ResourceType": "AppStream",
+  "ResourceType": "Other",
  "Description": "Ensure session idle disconnect timeout is set to 10 minutes or less.",
  "Risk": "Idle disconnect timeout in minutes is the amount of time that users can be inactive before they are disconnected from their streaming session and the Disconnect timeout in minutes time begins.",
  "RelatedUrl": "https://docs.aws.amazon.com/appstream2/latest/developerguide/set-up-stacks-fleets.html",
--- a/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.metadata.json
+++ b/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.metadata.json
@@ -9,7 +9,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:athena:region:account-id:workgroup/resource-id",
  "Severity": "medium",
-  "ResourceType": "WorkGroup",
+  "ResourceType": "AwsAthenaWorkGroup",
  "Description": "Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption.",
  "Risk": "If not enabled sensitive information at rest is not protected.",
  "RelatedUrl": "https://docs.aws.amazon.com/athena/latest/ug/encryption.html",
@@ -18,7 +18,7 @@
      "CLI": "aws athena update-work-group --region <REGION> --work-group <workgroup_name> --configuration-updates ResultConfigurationUpdates={EncryptionConfiguration={EncryptionOption=SSE_S3|SSE_KMS|CSE_KMS}}",
      "NativeIaC": "",
      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Athena/encryption-enabled.html",
-      "Terraform": "https://docs.bridgecrew.io/docs/ensure-that-athena-workgroup-is-encrypted#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-athena-workgroup-is-encrypted#terraform"
    },
    "Recommendation": {
      "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.",
--- a/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.metadata.json
+++ b/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.metadata.json
@@ -9,16 +9,16 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:athena:region:account-id:workgroup/resource-id",
  "Severity": "medium",
-  "ResourceType": "WorkGroup",
+  "ResourceType": "AwsAthenaWorkGroup",
  "Description": "Ensure that workgroup configuration is enforced so it cannot be overriden by client-side settings.",
  "Risk": "If workgroup configuration is not enforced security settings like encryption can be overriden by client-side settings.",
  "RelatedUrl": "https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html",
  "Remediation": {
    "Code": {
      "CLI": "aws athena update-work-group --region <REGION> --work-group <workgroup_name> --configuration-updates EnforceWorkGroupConfiguration=True",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_aws_general_33#cloudformation",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_33#cloudformation",
      "Other": "",
-      "Terraform": "https://docs.bridgecrew.io/docs/bc_aws_general_33#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_33#terraform"
    },
    "Recommendation": {
      "Text": "Ensure that workgroup configuration is enforced so it cannot be overriden by client-side settings.",
@@ -29,4 +29,4 @@
  "DependsOn": [],
  "RelatedTo": [],
  "Notes": ""
-}
+}
--- a/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json
+++ b/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json
@@ -9,7 +9,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:autoscaling:region:account-id:autoScalingGroupName/resource-name",
  "Severity": "critical",
-  "ResourceType": "Other",
+  "ResourceType": "AwsAutoScalingLaunchConfiguration",
  "Description": "Find secrets in EC2 Auto Scaling Launch Configuration",
  "Risk": "The use of a hard-coded password increases the possibility of password guessing.  If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
  "RelatedUrl": "",
--- a/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.py
+++ b/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.py
@@ -6,7 +6,9 @@ from base64 import b64decode
 from detect_secrets import SecretsCollection
 from detect_secrets.settings import default_settings

+from prowler.config.config import encoding_format_utf_8
 from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.lib.logger import logger
 from prowler.providers.aws.services.autoscaling.autoscaling_client import (
    autoscaling_client,
 )
@@ -25,12 +27,23 @@ class autoscaling_find_secrets_ec2_launch_configuration(Check):
                temp_user_data_file = tempfile.NamedTemporaryFile(delete=False)
                user_data = b64decode(configuration.user_data)

-                if user_data[0:2] == b"\x1f\x8b":  # GZIP magic number
-                    user_data = zlib.decompress(user_data, zlib.MAX_WBITS | 32).decode(
-                        "utf-8"
+                try:
+                    if user_data[0:2] == b"\x1f\x8b":  # GZIP magic number
+                        user_data = zlib.decompress(
+                            user_data, zlib.MAX_WBITS | 32
+                        ).decode(encoding_format_utf_8)
+                    else:
+                        user_data = user_data.decode(encoding_format_utf_8)
+                except UnicodeDecodeError as error:
+                    logger.warning(
+                        f"{configuration.region} -- Unable to decode user data in autoscaling launch configuration {configuration.name}: {error}"
                    )
-                else:
-                    user_data = user_data.decode("utf-8")
+                    continue
+                except Exception as error:
+                    logger.warning(
+                        f"{configuration.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    )
+                    continue

                temp_user_data_file.write(
                    bytes(user_data, encoding="raw_unicode_escape")
--- a/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.metadata.json
+++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.metadata.json
@@ -7,7 +7,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:autoscaling:region:account-id:autoScalingGroupName/resource-name",
  "Severity": "medium",
-  "ResourceType": "Other",
+  "ResourceType": "AwsAutoScalingAutoScalingGroup",
  "Description": "EC2 Auto Scaling Group should use multiple Availability Zones",
  "Risk": "In case of a failure in a single Availability Zone, the Auto Scaling Group will not be able to launch new instances to replace the failed ones.",
  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html",
--- a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json
@@ -9,7 +9,7 @@
  "Severity": "low",
  "ResourceType": "AwsLambdaFunction",
  "Description": "Check if Lambda functions invoke API operations are being recorded by CloudTrail.",
-  "Risk": "If logs are not enabled; monitoring of service use and threat analysis is not possible.",
+  "Risk": "If logs are not enabled, monitoring of service use and threat analysis is not possible.",
  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html",
  "Remediation": {
    "Code": {
--- a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
@@ -28,7 +28,8 @@ class awslambda_function_invoke_api_operations_cloudtrail_logging_enabled(Check)
                            for resource in data_event.event_selector["DataResources"]:
                                if resource["Type"] == "AWS::Lambda::Function" and (
                                    function.arn in resource["Values"]
-                                    or "arn:aws:lambda" in resource["Values"]
+                                    or f"arn:{awslambda_client.audited_partition}:lambda"
+                                    in resource["Values"]
                                ):
                                    lambda_recorded_cloudtrail = True
                                    break
--- a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json
@@ -9,7 +9,7 @@
  "Severity": "critical",
  "ResourceType": "AwsLambdaFunction",
  "Description": "Find secrets in Lambda functions code.",
-  "Risk": "The use of a hard-coded password increases the possibility of password guessing.  If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.",
+  "Risk": "The use of a hard-coded password increases the possibility of password guessing.  If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
  "Remediation": {
    "Code": {
--- a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json
@@ -9,14 +9,14 @@
  "Severity": "critical",
  "ResourceType": "AwsLambdaFunction",
  "Description": "Find secrets in Lambda functions variables.",
-  "Risk": "The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used; it is possible that malicious users gain access through the account in question.",
+  "Risk": "The use of a hard-coded password increases the possibility of password guessing. If hard-coded passwords are used, it is possible that malicious users gain access through the account in question.",
  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
  "Remediation": {
    "Code": {
-      "CLI": "https://docs.bridgecrew.io/docs/bc_aws_secrets_3#cli-command",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_aws_secrets_3#cloudformation",
+      "CLI": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_3#cli-command",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_3#cloudformation",
      "Other": "",
-      "Terraform": "https://docs.bridgecrew.io/docs/bc_aws_secrets_3#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_3#terraform"
    },
    "Recommendation": {
      "Text": "Use Secrets Manager to securely provide database credentials to Lambda functions and secure the databases as well as use the credentials to connect and query them without hardcoding the secrets in code or passing them through environmental variables.",
--- a/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json
@@ -28,5 +28,5 @@
  ],
  "DependsOn": [],
  "RelatedTo": [],
-  "Notes": ""
+  "Notes": "It gives a false positive if the function is exposed publicly by an other public resource like an ALB or API Gateway in an AWS Account when an AWS account ID is set as the principal of the policy."
 }
--- a/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py
@@ -19,20 +19,30 @@ class awslambda_function_not_publicly_accessible(Check):
            if function.policy:
                for statement in function.policy["Statement"]:
                    # Only check allow statements
-                    if statement["Effect"] == "Allow":
-                        if (
-                            "*" in statement["Principal"]
-                            or (
-                                "AWS" in statement["Principal"]
-                                and "*" in statement["Principal"]["AWS"]
+                    if statement["Effect"] == "Allow" and (
+                        "*" in statement["Principal"]
+                        or (
+                            isinstance(statement["Principal"], dict)
+                            and (
+                                "*" in statement["Principal"].get("AWS", "")
+                                or "*"
+                                in statement["Principal"].get("CanonicalUser", "")
+                                or (  # Check if function can be invoked by other AWS services
+                                    (
+                                        ".amazonaws.com"
+                                        in statement["Principal"].get("Service", "")
+                                    )
+                                    and (
+                                        "*" in statement.get("Action", "")
+                                        or "InvokeFunction"
+                                        in statement.get("Action", "")
+                                    )
+                                )
                            )
-                            or (
-                                "CanonicalUser" in statement["Principal"]
-                                and "*" in statement["Principal"]["CanonicalUser"]
-                            )
-                        ):
-                            public_access = True
-                            break
+                        )
+                    ):
+                        public_access = True
+                        break

            if public_access:
                report.status = "FAIL"
--- a/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json
@@ -9,7 +9,7 @@
  "Severity": "medium",
  "ResourceType": "AwsLambdaFunction",
  "Description": "Find obsolete Lambda runtimes.",
-  "Risk": "If you have functions running on a runtime that will be deprecated in the next 60 days; Lambda notifies you by email that you should prepare by migrating your function to a supported runtime. In some cases; such as security issues that require a backwards-incompatible update; or software that does not support a long-term support (LTS) schedule; advance notice might not be possible. After a runtime is deprecated; Lambda might retire it completely at any time by disabling invocation. Deprecated runtimes are not eligible for security updates or technical support.",
+  "Risk": "If you have functions running on a runtime that will be deprecated in the next 60 days, Lambda notifies you by email that you should prepare by migrating your function to a supported runtime. In some cases, such as security issues that require a backwards-incompatible update, or software that does not support a long-term support (LTS) schedule, advance notice might not be possible. After a runtime is deprecated, Lambda might retire it completely at any time by disabling invocation. Deprecated runtimes are not eligible for security updates or technical support.",
  "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html",
  "Remediation": {
    "Code": {
--- a/prowler/providers/aws/services/awslambda/awslambda_service.py
+++ b/prowler/providers/aws/services/awslambda/awslambda_service.py
@@ -14,7 +14,6 @@ from prowler.lib.scan_filters.scan_filters import is_resource_filtered
 from prowler.providers.aws.lib.service.service import AWSService


-################## Lambda
 class Lambda(AWSService):
    def __init__(self, audit_info):
        # Call AWSService's __init__
--- a/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.metadata.json
+++ b/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.metadata.json
@@ -11,7 +11,7 @@
  "SubServiceName": "",
  "ResourceIdTemplate": "arn:partition:service:region:account-id:backup-report-plan:backup-report-plan-id",
  "Severity": "low",
-  "ResourceType": "Other",
+  "ResourceType": "AwsBackupBackupPlan",
  "Description": "This check ensures that there is at least one backup report plan in place.",
  "Risk": "Without a backup report plan, an organization may lack visibility into the success or failure of backup operations.",
  "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/create-report-plan-console.html",
--- a/prowler/providers/aws/services/backup/backup_service.py
+++ b/prowler/providers/aws/services/backup/backup_service.py
@@ -1,6 +1,7 @@
 from datetime import datetime
 from typing import Optional

+from botocore.client import ClientError
 from pydantic import BaseModel

 from prowler.lib.logger import logger
@@ -37,6 +38,8 @@ class Backup(AWSService):
                            self.audit_resources,
                        )
                    ):
+                        if self.backup_vaults is None:
+                            self.backup_vaults = []
                        self.backup_vaults.append(
                            BackupVault(
                                arn=configuration.get("BackupVaultArn"),
@@ -55,7 +58,13 @@ class Backup(AWSService):
                                ),
                            )
                        )
-
+        except ClientError as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            if error.response["Error"]["Code"] == "AccessDeniedException":
+                if not self.backup_vaults:
+                    self.backup_vaults = None
        except Exception as error:
            logger.error(
                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
--- a/prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.py
+++ b/prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.py
@@ -5,24 +5,24 @@ from prowler.providers.aws.services.backup.backup_client import backup_client
 class backup_vaults_encrypted(Check):
    def execute(self):
        findings = []
-
-        for backup_vault in backup_client.backup_vaults:
-            # By default we assume that the result is fail
-            report = Check_Report_AWS(self.metadata())
-            report.status = "FAIL"
-            report.status_extended = (
-                f"Backup Vault {backup_vault.name} is not encrypted."
-            )
-            report.resource_arn = backup_vault.arn
-            report.resource_id = backup_vault.name
-            report.region = backup_vault.region
-            # if it is encrypted we only change the status and the status extended
-            if backup_vault.encryption:
-                report.status = "PASS"
+        if backup_client.backup_vaults:
+            for backup_vault in backup_client.backup_vaults:
+                # By default we assume that the result is fail
+                report = Check_Report_AWS(self.metadata())
+                report.status = "FAIL"
                report.status_extended = (
-                    f"Backup Vault {backup_vault.name} is encrypted."
+                    f"Backup Vault {backup_vault.name} is not encrypted."
                )
-            # then we store the finding
-            findings.append(report)
+                report.resource_arn = backup_vault.arn
+                report.resource_id = backup_vault.name
+                report.region = backup_vault.region
+                # if it is encrypted we only change the status and the status extended
+                if backup_vault.encryption:
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"Backup Vault {backup_vault.name} is encrypted."
+                    )
+                # then we store the finding
+                findings.append(report)

        return findings
--- a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py
+++ b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py
@@ -5,18 +5,19 @@ from prowler.providers.aws.services.backup.backup_client import backup_client
 class backup_vaults_exist(Check):
    def execute(self):
        findings = []
-        report = Check_Report_AWS(self.metadata())
-        report.status = "FAIL"
-        report.status_extended = "No Backup Vault exist."
-        report.resource_arn = backup_client.backup_vault_arn_template
-        report.resource_id = backup_client.audited_account
-        report.region = backup_client.region
-        if backup_client.backup_vaults:
-            report.status = "PASS"
-            report.status_extended = f"At least one backup vault exists: {backup_client.backup_vaults[0].name}."
-            report.resource_arn = backup_client.backup_vaults[0].arn
-            report.resource_id = backup_client.backup_vaults[0].name
-            report.region = backup_client.backup_vaults[0].region
+        if backup_client.backup_vaults is not None:
+            report = Check_Report_AWS(self.metadata())
+            report.status = "FAIL"
+            report.status_extended = "No Backup Vault exist."
+            report.resource_arn = backup_client.backup_vault_arn_template
+            report.resource_id = backup_client.audited_account
+            report.region = backup_client.region
+            if backup_client.backup_vaults:
+                report.status = "PASS"
+                report.status_extended = f"At least one backup vault exists: {backup_client.backup_vaults[0].name}."
+                report.resource_arn = backup_client.backup_vaults[0].arn
+                report.resource_id = backup_client.backup_vaults[0].name
+                report.region = backup_client.backup_vaults[0].region

-        findings.append(report)
+            findings.append(report)
        return findings
--- a/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.metadata.json
+++ b/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.metadata.json
@@ -10,10 +10,10 @@
  "ResourceType": "AwsCloudFormationStack",
  "Description": "Find secrets in CloudFormation outputs",
  "Risk": "Secrets hardcoded into CloudFormation outputs can be used by malware and bad actors to gain lateral access to other services.",
-  "RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html",
+  "RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html",
  "Remediation": {
    "Code": {
-      "CLI": "https://docs.bridgecrew.io/docs/bc_aws_secrets_2#cli-command",
+      "CLI": "https://docs.prowler.com/checks/aws/secrets-policies/bc_aws_secrets_2#cli-command",
      "NativeIaC": "",
      "Other": "",
      "Terraform": ""
--- a/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.py
+++ b/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.py
@@ -29,7 +29,12 @@ class cloudformation_stack_outputs_find_secrets(Check):

                # Store the CloudFormation Stack Outputs into a file
                for output in stack.outputs:
-                    temp_output_file.write(f"{output}".encode())
+                    temp_output_file.write(
+                        bytes(
+                            f"{output}\n",
+                            encoding="raw_unicode_escape",
+                        )
+                    )
                temp_output_file.close()

                # Init detect_secrets
@@ -38,11 +43,17 @@ class cloudformation_stack_outputs_find_secrets(Check):
                with default_settings():
                    secrets.scan_file(temp_output_file.name)

-                if secrets.json():
-                    report.status = "FAIL"
-                    report.status_extended = (
-                        f"Potential secret found in Stack {stack.name} Outputs."
+                detect_secrets_output = secrets.json()
+                # If secrets are found, update the report status
+                if detect_secrets_output:
+                    secrets_string = ", ".join(
+                        [
+                            f"{secret['type']} in Output {int(secret['line_number'])}"
+                            for secret in detect_secrets_output[temp_output_file.name]
+                        ]
                    )
+                    report.status = "FAIL"
+                    report.status_extended = f"Potential secret found in Stack {stack.name} Outputs -> {secrets_string}."

                os.remove(temp_output_file.name)
            else:
--- a/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.metadata.json
@@ -9,7 +9,7 @@
  "Severity": "medium",
  "ResourceType": "AwsCloudFormationStack",
  "Description": "Enable termination protection for Cloudformation Stacks",
-  "Risk": "Without termination protection enabled; a critical cloudformation stack can be accidently deleted.",
+  "Risk": "Without termination protection enabled, a critical cloudformation stack can be accidently deleted.",
  "RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html",
  "Remediation": {
    "Code": {
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.metadata.json
@@ -9,7 +9,7 @@
  "Severity": "low",
  "ResourceType": "AwsCloudFrontDistribution",
  "Description": "Check if Geo restrictions are enabled in CloudFront distributions.",
-  "Risk": "Consider countries where service should not be accessed; by legal or compliance requirements. Additionally if not restricted the attack vector is increased.",
+  "Risk": "Consider countries where service should not be accessed, by legal or compliance requirements. Additionally if not restricted the attack vector is increased.",
  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html",
  "Remediation": {
    "Code": {
@@ -19,7 +19,7 @@
      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "If possible; define and enable Geo restrictions for this service.",
+      "Text": "If possible, define and enable Geo restrictions for this service.",
      "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html"
    }
  },
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json
@@ -14,9 +14,9 @@
  "Remediation": {
    "Code": {
      "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/security-policy.html",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/networking_32#cloudformation",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/networking-policies/networking_32#cloudformation",
      "Other": "",
-      "Terraform": "https://docs.bridgecrew.io/docs/networking_32#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/networking-policies/networking_32#terraform"
    },
    "Recommendation": {
      "Text": "Use HTTPS everywhere possible. It will enforce privacy and protect against account hijacking and other threats.",
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.metadata.json
@@ -13,10 +13,10 @@
  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html",
  "Remediation": {
    "Code": {
-      "CLI": "https://docs.bridgecrew.io/docs/logging_20#cli-command",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/logging_20#cloudformation",
+      "CLI": "https://docs.prowler.com/checks/aws/logging-policies/logging_20#cli-command",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/logging_20#cloudformation",
      "Other": "",
-      "Terraform": "https://docs.bridgecrew.io/docs/logging_20#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/logging_20#terraform"
    },
    "Recommendation": {
      "Text": "Real-time monitoring can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Enable logging for services with defined log rotation. These logs are useful for Incident Response and forensics investigation among other use cases.",
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py
@@ -0,0 +1,38 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.cloudfront.cloudfront_client import (
+    cloudfront_client,
+)
+
+
+class cloudfront_distributions_origin_traffic_encrypted(Check):
+    def execute(self):
+        findings = []
+        for distribution in cloudfront_client.distributions.values():
+            report = Check_Report_AWS(metadata=self.metadata(), resource=distribution)
+            report.status = "PASS"
+            report.status_extended = f"CloudFront Distribution {distribution.id} does encrypt traffic to custom origins."
+            unencrypted_origins = []
+
+            for origin in distribution.origins:
+                if origin.s3_origin_config:
+                    # For S3, only check the viewer protocol policy
+                    if distribution.viewer_protocol_policy == "allow-all":
+                        unencrypted_origins.append(origin.id)
+                else:
+                    # Regular check for custom origins (ALB, EC2, API Gateway, etc.)
+                    if (
+                        origin.origin_protocol_policy == ""
+                        or origin.origin_protocol_policy == "http-only"
+                    ) or (
+                        origin.origin_protocol_policy == "match-viewer"
+                        and distribution.viewer_protocol_policy == "allow-all"
+                    ):
+                        unencrypted_origins.append(origin.id)
+
+            if unencrypted_origins:
+                report.status = "FAIL"
+                report.status_extended = f"CloudFront Distribution {distribution.id} does not encrypt traffic to custom origins {', '.join(unencrypted_origins)}."
+
+            findings.append(report)
+
+        return findings
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.metadata.json
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.metadata.json
@@ -13,9 +13,9 @@
  "RelatedUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html",
  "Remediation": {
    "Code": {
-      "CLI": "https://docs.bridgecrew.io/docs/networking_33#cli-command",
+      "CLI": "https://docs.prowler.com/checks/aws/networking-policies/networking_33#cli-command",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/networking_33#aws-cloudfront-console",
+      "Other": "https://docs.prowler.com/checks/aws/networking-policies/networking_33#aws-cloudfront-console",
      "Terraform": ""
    },
    "Recommendation": {
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.metadata.json
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.metadata.json
@@ -11,17 +11,17 @@
  "Severity": "medium",
  "ResourceType": "AwsCloudFrontDistribution",
  "Description": "Check if CloudFront distributions are using WAF.",
-  "Risk": "Potential attacks and / or abuse of service; more even for even for internet reachable services.",
+  "Risk": "Potential attacks and / or abuse of service, more even for even for internet reachable services.",
  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html",
  "Remediation": {
    "Code": {
      "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-integrated-with-waf.html",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/bc_aws_general_27#cloudformation",
-      "Other": "https://docs.bridgecrew.io/docs/bc_aws_general_27#cloudfront-console",
-      "Terraform": "https://docs.bridgecrew.io/docs/bc_aws_general_27#terraform"
+      "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_27#cloudformation",
+      "Other": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_27#cloudfront-console",
+      "Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_27#terraform"
    },
    "Recommendation": {
-      "Text": "Use AWS WAF to protect your service from common web exploits. These could affect availability and performance; compromise security; or consume excessive resources.",
+      "Text": "Use AWS WAF to protect your service from common web exploits. These could affect availability and performance, compromise security, or consume excessive resources.",
      "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html"
    }
  },
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
@@ -8,28 +8,29 @@ from prowler.providers.aws.services.s3.s3_client import s3_client
 class cloudtrail_bucket_requires_mfa_delete(Check):
    def execute(self):
        findings = []
-        for trail in cloudtrail_client.trails.values():
-            if trail.is_logging:
-                trail_bucket_is_in_account = False
-                trail_bucket = trail.s3_bucket
-                report = Check_Report_AWS(self.metadata())
-                report.region = trail.region
-                report.resource_id = trail.name
-                report.resource_arn = trail.arn
-                report.resource_tags = trail.tags
-                report.status = "FAIL"
-                report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) does not have MFA delete enabled."
-                for bucket in s3_client.buckets:
-                    if trail_bucket == bucket.name:
-                        trail_bucket_is_in_account = True
-                        if bucket.mfa_delete:
-                            report.status = "PASS"
-                            report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) has MFA delete enabled."
-                # check if trail bucket is a cross account bucket
-                if not trail_bucket_is_in_account:
-                    report.status = "INFO"
-                    report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
+        if cloudtrail_client.trails is not None:
+            for trail in cloudtrail_client.trails.values():
+                if trail.is_logging:
+                    trail_bucket_is_in_account = False
+                    trail_bucket = trail.s3_bucket
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = trail.home_region
+                    report.resource_id = trail.name
+                    report.resource_arn = trail.arn
+                    report.resource_tags = trail.tags
+                    report.status = "FAIL"
+                    report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) does not have MFA delete enabled."
+                    for bucket in s3_client.buckets:
+                        if trail_bucket == bucket.name:
+                            trail_bucket_is_in_account = True
+                            if bucket.mfa_delete:
+                                report.status = "PASS"
+                                report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) has MFA delete enabled."
+                    # check if trail bucket is a cross account bucket
+                    if not trail_bucket_is_in_account:
+                        report.status = "INFO"
+                        report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."

-                findings.append(report)
+                    findings.append(report)

        return findings
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json
@@ -13,13 +13,13 @@
  "Severity": "low",
  "ResourceType": "AwsCloudTrailTrail",
  "Description": "Ensure CloudTrail trails are integrated with CloudWatch Logs",
-  "Risk": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user; API; resource; and IP address; and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
+  "Risk": "Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.",
  "RelatedUrl": "",
  "Remediation": {
    "Code": {
      "CLI": "aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group- arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/logging_4#aws-console",
+      "Other": "https://docs.prowler.com/checks/aws/logging-policies/logging_4#aws-console",
      "Terraform": ""
    },
    "Recommendation": {
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py
@@ -11,37 +11,38 @@ maximum_time_without_logging = 1
 class cloudtrail_cloudwatch_logging_enabled(Check):
    def execute(self):
        findings = []
-        for trail in cloudtrail_client.trails.values():
-            if trail.name:
-                report = Check_Report_AWS(self.metadata())
-                report.region = trail.region
-                report.resource_id = trail.name
-                report.resource_arn = trail.arn
-                report.resource_tags = trail.tags
-                report.status = "PASS"
-                if trail.is_multiregion:
-                    report.status_extended = (
-                        f"Multiregion trail {trail.name} has been logging the last 24h."
-                    )
-                else:
-                    report.status_extended = f"Single region trail {trail.name} has been logging the last 24h."
-                if trail.latest_cloudwatch_delivery_time:
-                    last_log_delivery = (
-                        datetime.now().replace(tzinfo=timezone.utc)
-                        - trail.latest_cloudwatch_delivery_time
-                    )
-                    if last_log_delivery > timedelta(days=maximum_time_without_logging):
+        if cloudtrail_client.trails is not None:
+            for trail in cloudtrail_client.trails.values():
+                if trail.name:
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = trail.home_region
+                    report.resource_id = trail.name
+                    report.resource_arn = trail.arn
+                    report.resource_tags = trail.tags
+                    report.status = "PASS"
+                    if trail.is_multiregion:
+                        report.status_extended = f"Multiregion trail {trail.name} has been logging the last 24h."
+                    else:
+                        report.status_extended = f"Single region trail {trail.name} has been logging the last 24h."
+                    if trail.latest_cloudwatch_delivery_time:
+                        last_log_delivery = (
+                            datetime.now().replace(tzinfo=timezone.utc)
+                            - trail.latest_cloudwatch_delivery_time
+                        )
+                        if last_log_delivery > timedelta(
+                            days=maximum_time_without_logging
+                        ):
+                            report.status = "FAIL"
+                            if trail.is_multiregion:
+                                report.status_extended = f"Multiregion trail {trail.name} is not logging in the last 24h."
+                            else:
+                                report.status_extended = f"Single region trail {trail.name} is not logging in the last 24h."
+                    else:
                        report.status = "FAIL"
                        if trail.is_multiregion:
-                            report.status_extended = f"Multiregion trail {trail.name} is not logging in the last 24h."
+                            report.status_extended = f"Multiregion trail {trail.name} is not logging in the last 24h or not configured to deliver logs."
                        else:
-                            report.status_extended = f"Single region trail {trail.name} is not logging in the last 24h."
-                else:
-                    report.status = "FAIL"
-                    if trail.is_multiregion:
-                        report.status_extended = f"Multiregion trail {trail.name} is not logging in the last 24h or not configured to deliver logs."
-                    else:
-                        report.status_extended = f"Single region trail {trail.name} is not logging in the last 24h or not configured to deliver logs."
-                findings.append(report)
+                            report.status_extended = f"Single region trail {trail.name} is not logging in the last 24h or not configured to deliver logs."
+                    findings.append(report)

        return findings
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.py
@@ -7,19 +7,18 @@ from prowler.providers.aws.services.cloudtrail.cloudtrail_client import (
 class cloudtrail_insights_exist(Check):
    def execute(self):
        findings = []
-        for trail in cloudtrail_client.trails.values():
-            if trail.is_logging:
-                report = Check_Report_AWS(self.metadata())
-                report.region = trail.region
-                report.resource_id = trail.name
-                report.resource_arn = trail.arn
-                report.resource_tags = trail.tags
-                report.status = "FAIL"
-                report.status_extended = f"Trail {trail.name} does not have insight selectors and it is logging."
-                if trail.has_insight_selectors:
-                    report.status = "PASS"
-                    report.status_extended = (
-                        f"Trail {trail.name} has insight selectors and it is logging."
-                    )
-                findings.append(report)
+        if cloudtrail_client.trails is not None:
+            for trail in cloudtrail_client.trails.values():
+                if trail.is_logging:
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = trail.home_region
+                    report.resource_id = trail.name
+                    report.resource_arn = trail.arn
+                    report.resource_tags = trail.tags
+                    report.status = "FAIL"
+                    report.status_extended = f"Trail {trail.name} does not have insight selectors and it is logging."
+                    if trail.has_insight_selectors:
+                        report.status = "PASS"
+                        report.status_extended = f"Trail {trail.name} has insight selectors and it is logging."
+                    findings.append(report)
        return findings
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.metadata.json
@@ -13,12 +13,12 @@
  "Severity": "medium",
  "ResourceType": "AwsCloudTrailTrail",
  "Description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
-  "Risk": "By default; the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable; you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.",
+  "Risk": "By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.",
  "RelatedUrl": "",
  "Remediation": {
    "Code": {
      "CLI": "aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/logging_7#fix---buildtime",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/logging_7#fix---buildtime",
      "Other": "",
      "Terraform": ""
    },
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.py
@@ -7,32 +7,29 @@ from prowler.providers.aws.services.cloudtrail.cloudtrail_client import (
 class cloudtrail_kms_encryption_enabled(Check):
    def execute(self):
        findings = []
-        for trail in cloudtrail_client.trails.values():
-            if trail.name:
-                report = Check_Report_AWS(self.metadata())
-                report.region = trail.region
-                report.resource_id = trail.name
-                report.resource_arn = trail.arn
-                report.resource_tags = trail.tags
-                report.status = "FAIL"
-                if trail.is_multiregion:
-                    report.status_extended = (
-                        f"Multiregion trail {trail.name} has encryption disabled."
-                    )
-                else:
-                    report.status_extended = (
-                        f"Single region trail {trail.name} has encryption disabled."
-                    )
-                if trail.kms_key:
-                    report.status = "PASS"
+        if cloudtrail_client.trails is not None:
+            for trail in cloudtrail_client.trails.values():
+                if trail.name:
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = trail.home_region
+                    report.resource_id = trail.name
+                    report.resource_arn = trail.arn
+                    report.resource_tags = trail.tags
+                    report.status = "FAIL"
                    if trail.is_multiregion:
                        report.status_extended = (
-                            f"Multiregion trail {trail.name} has encryption enabled."
+                            f"Multiregion trail {trail.name} has encryption disabled."
                        )
                    else:
                        report.status_extended = (
-                            f"Single region trail {trail.name} has encryption enabled."
+                            f"Single region trail {trail.name} has encryption disabled."
                        )
-                findings.append(report)
+                    if trail.kms_key:
+                        report.status = "PASS"
+                        if trail.is_multiregion:
+                            report.status_extended = f"Multiregion trail {trail.name} has encryption enabled."
+                        else:
+                            report.status_extended = f"Single region trail {trail.name} has encryption enabled."
+                    findings.append(report)

        return findings
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.metadata.json
@@ -18,9 +18,9 @@
  "Remediation": {
    "Code": {
      "CLI": "aws cloudtrail update-trail --name <trail_name>  --enable-log-file-validation",
-      "NativeIaC": "https://docs.bridgecrew.io/docs/logging_2#cloudformation",
+      "NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/logging_2#cloudformation",
      "Other": "",
-      "Terraform": "https://docs.bridgecrew.io/docs/logging_2#terraform"
+      "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/logging_2#terraform"
    },
    "Recommendation": {
      "Text": "Ensure LogFileValidationEnabled is set to true for each trail.",
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.py
@@ -7,26 +7,25 @@ from prowler.providers.aws.services.cloudtrail.cloudtrail_client import (
 class cloudtrail_log_file_validation_enabled(Check):
    def execute(self):
        findings = []
-        for trail in cloudtrail_client.trails.values():
-            if trail.name:
-                report = Check_Report_AWS(self.metadata())
-                report.region = trail.region
-                report.resource_id = trail.name
-                report.resource_arn = trail.arn
-                report.resource_tags = trail.tags
-                report.status = "FAIL"
-                if trail.is_multiregion:
-                    report.status_extended = (
-                        f"Multiregion trail {trail.name} log file validation disabled."
-                    )
-                else:
-                    report.status_extended = f"Single region trail {trail.name} log file validation disabled."
-                if trail.log_file_validation_enabled:
-                    report.status = "PASS"
+        if cloudtrail_client.trails is not None:
+            for trail in cloudtrail_client.trails.values():
+                if trail.name:
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = trail.home_region
+                    report.resource_id = trail.name
+                    report.resource_arn = trail.arn
+                    report.resource_tags = trail.tags
+                    report.status = "FAIL"
                    if trail.is_multiregion:
-                        report.status_extended = f"Multiregion trail {trail.name} log file validation enabled."
+                        report.status_extended = f"Multiregion trail {trail.name} log file validation disabled."
                    else:
-                        report.status_extended = f"Single region trail {trail.name} log file validation enabled."
-                findings.append(report)
+                        report.status_extended = f"Single region trail {trail.name} log file validation disabled."
+                    if trail.log_file_validation_enabled:
+                        report.status = "PASS"
+                        if trail.is_multiregion:
+                            report.status_extended = f"Multiregion trail {trail.name} log file validation enabled."
+                        else:
+                            report.status_extended = f"Single region trail {trail.name} log file validation enabled."
+                    findings.append(report)

        return findings
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.metadata.json
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.metadata.json
@@ -13,17 +13,17 @@
  "Severity": "medium",
  "ResourceType": "AwsCloudTrailTrail",
  "Description": "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
-  "Risk": "Server access logs can assist you in security and access audits; help you learn about your customer base; and understand your Amazon S3 bill.",
+  "Risk": "Server access logs can assist you in security and access audits, help you learn about your customer base, and understand your Amazon S3 bill.",
  "RelatedUrl": "",
  "Remediation": {
    "Code": {
      "CLI": "",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/logging_6#aws-console",
+      "Other": "https://docs.prowler.com/checks/aws/logging-policies/logging_6#aws-console",
      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case; this finding can be considered a false positive.",
+      "Text": "Ensure that S3 buckets have Logging enabled. CloudTrail data events can be used in place of S3 bucket logging. If that is the case, this finding can be considered a false positive.",
      "Url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html"
    }
  },
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
@@ -8,35 +8,36 @@ from prowler.providers.aws.services.s3.s3_client import s3_client
 class cloudtrail_logs_s3_bucket_access_logging_enabled(Check):
    def execute(self):
        findings = []
-        for trail in cloudtrail_client.trails.values():
-            if trail.name:
-                trail_bucket_is_in_account = False
-                trail_bucket = trail.s3_bucket
-                report = Check_Report_AWS(self.metadata())
-                report.region = trail.region
-                report.resource_id = trail.name
-                report.resource_arn = trail.arn
-                report.resource_tags = trail.tags
-                report.status = "FAIL"
-                if trail.is_multiregion:
-                    report.status_extended = f"Multiregion Trail {trail.name} S3 bucket access logging is not enabled for bucket {trail_bucket}."
-                else:
-                    report.status_extended = f"Single region Trail {trail.name} S3 bucket access logging is not enabled for bucket {trail_bucket}."
-                for bucket in s3_client.buckets:
-                    if trail_bucket == bucket.name:
-                        trail_bucket_is_in_account = True
-                        if bucket.logging:
-                            report.status = "PASS"
-                            if trail.is_multiregion:
-                                report.status_extended = f"Multiregion trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}."
-                            else:
-                                report.status_extended = f"Single region trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}."
-                        break
+        if cloudtrail_client.trails is not None:
+            for trail in cloudtrail_client.trails.values():
+                if trail.name:
+                    trail_bucket_is_in_account = False
+                    trail_bucket = trail.s3_bucket
+                    report = Check_Report_AWS(self.metadata())
+                    report.region = trail.home_region
+                    report.resource_id = trail.name
+                    report.resource_arn = trail.arn
+                    report.resource_tags = trail.tags
+                    report.status = "FAIL"
+                    if trail.is_multiregion:
+                        report.status_extended = f"Multiregion Trail {trail.name} S3 bucket access logging is not enabled for bucket {trail_bucket}."
+                    else:
+                        report.status_extended = f"Single region Trail {trail.name} S3 bucket access logging is not enabled for bucket {trail_bucket}."
+                    for bucket in s3_client.buckets:
+                        if trail_bucket == bucket.name:
+                            trail_bucket_is_in_account = True
+                            if bucket.logging:
+                                report.status = "PASS"
+                                if trail.is_multiregion:
+                                    report.status_extended = f"Multiregion trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}."
+                                else:
+                                    report.status_extended = f"Single region trail {trail.name} S3 bucket access logging is enabled for bucket {trail_bucket}."
+                            break

-                # check if trail is delivering logs in a cross account bucket
-                if not trail_bucket_is_in_account:
-                    report.status = "INFO"
-                    report.status_extended = f"Trail {trail.name} is delivering logs in a cross-account bucket {trail_bucket} in another account out of Prowler's permissions scope, please check it manually."
-                findings.append(report)
+                    # check if trail is delivering logs in a cross account bucket
+                    if not trail_bucket_is_in_account:
+                        report.status = "INFO"
+                        report.status_extended = f"Trail {trail.name} is delivering logs in a cross-account bucket {trail_bucket} in another account out of Prowler's permissions scope, please check it manually."
+                    findings.append(report)

        return findings
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.metadata.json
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.metadata.json
@@ -19,7 +19,7 @@
    "Code": {
      "CLI": "",
      "NativeIaC": "",
-      "Other": "https://docs.bridgecrew.io/docs/logging_3#aws-console",
+      "Other": "https://docs.prowler.com/checks/aws/logging-policies/logging_3#aws-console",
      "Terraform": ""
    },
    "Recommendation": {
--- a/Show More
+++ b/Show More